PRB: Forms Authentication Requests Are Not Directed to loginUrl Page (313116)
The information in this article applies to:
- Microsoft ASP.NET (included with the .NET Framework 1.1)
- Microsoft ASP.NET (included with the .NET Framework) 1.0
This article was previously published under Q313116 SYMPTOMS
When you use forms authentication, requests are not redirected to the page that is specified in the loginUrl attribute.
CAUSE
This problem occurs when more than one application on a server uses forms authentication and these configuration settings are identical:
- Cookie names
- Cookie paths
- Keys
Identical Cookie Names
Forms authentication primarily works off of the authentication cookie. An authentication cookie is placed in the HttpResponse.Cookies collection once a user is authenticated. When a request comes in, forms authentication retrieves the authentication cookie from the HttpRequest.Cookies collection.
If a valid cookie is not present, the user is redirected to the page that is specified in the loginUrl attribute. If a valid cookie is present, forms authentication considers the user authenticated.
The name attribute of the <forms> element in the .config files determines the name of the authentication cookie. By default, the name of the cookie is .ASPXAUTH. Therefore, if multiple applications on the same Web server use the name "authCookie" for the authentication cookie, a request that was authenticated in one application is considered authenticated in another application because the request contains a cookie named authCookie.
Identical Cookie Paths
Forms authentication primarily works off of the authentication cookie. The path attribute of the <forms> element determines which application the authentication cookie can be sent to on the Web server. The default value of the path attribute is a forward slash (/) so that the cookie can be sent to every application on the Web site.
Therefore, if multiple applications on the same Web site use the forward slash for the path of the authentication cookie, when a request is sent from one application to another application, the authentication cookie is sent to the other application.
Identical Keys
The <machineKey> element controls the encryption, the decryption, and the validation of the authentication cookie. The default configuration for the element is as follows:
<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1" />
If multiple applications use identical, explicit values for the <machineKey> element, an authentication cookie that is sent from one application is decrypted by another application successfully.
RESOLUTION
To resolve this problem, make sure that at least one of the three configuration settings (cookie name, cookie path, and key) is different for each application that uses forms authentication.
Different Cookie Names
If you use different cookie names for each application, you ensure that forms authentication only retrieves a cookie according to the name that is configured for that application.
For example:
- Application1 uses the name authCookie1.
- Application2 uses the name authCookie2.
- A request is made to Application2.
- Forms authentication tries to retrieve authCookie2 from the HttpRequest.Cookies collection, even though the authCookie1 cookie exists.
When forms authentication does not find an authentication cookie with the name authCookie2, the user is redirected to the page that is specified in the loginUrl attribute for Application2.
Different Cookie Paths
If you use a different cookie path, you ensure that the authentication cookie is sent only to the application in which the cookie originated.
For example:
- Application1 uses the path /application1.
- Application2 uses the path /application2.
- Forms authentication authenticates to Application1.
- A request is made to Application2. The browser does not send the authentication cookie from Application1 to Application2 because the cookie can be sent only to Application1.
NOTE: The path attribute is case sensitive. Therefore, if the you set the value of the path attribute to /application1, and if the application name is Application1, the authentication cookie path is /application1.
When the user is authenticated and redirected, the browser does not send the cookie with the /application1 path to the Application1 application. Essentially, the authentication cookie is not part of the HttpRequest.Cookies collection. As a result, the user is redirected to the page that is specified in the loginUrl attribute, even after authentication.
Microsoft recommends that you confine forms authentication cookies to areas of the site that are protected by Secure Sockets Layer (SSL) encryption.
Different Keys
If different applications use different, explicit values for the <machineKey> element, the encryption, the decryption, or the validation of the authentication cookie fails. As a result, the user is redirected to the page that is specified in the loginUrl attribute for the application. NOTE: Even in identical configurations, authorization rules still apply. In the examples to follow, if User1 is authenticated in Application1 and makes a request to Application2, the request is authenticated. However, because User1 is not one of the allowed users in the <authorization> section, the request is not authorized and is denied. Web.config in Application1
<configuration>
<system.web>
<authorization>
<allow users="User1,User2,User3" />
<deny users="?" />
</authorization>
</system.web>
</configuration>
Web.config in Application2
<configuration>
<system.web>
<authorization>
<allow users="User4,User5,User6" />
<deny users="?" />
</authorization>
</system.web>
</configuration>
STATUSThis behavior is by design.REFERENCESFor additional information, click the article numbers below
to view the articles in the Microsoft Knowledge Base:
308157 HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by Using Visual Basic .NET
306590 INFO: ASP.NET Security Overview
313091 HOW TO: Create Keys by Using Visual Basic .NET for Use in Forms Authentication
Modification Type: | Minor | Last Reviewed: | 7/8/2005 |
---|
Keywords: | kbConfig kbCookie kbprb kbSecurity KB313116 |
---|
|