302 Infinite Loop

Question

I have a web application that is stuck in an infinite loop, and I have no idea where to look next. This is an intranet site, so there is no link I can share, but I've listed as many details as I can think of below. I would appreciate any ideas or suggestions. Anyone has.

The details:

IIS 7
.Net 4.0
Windows 2008
Default document is Login.aspx
No HTTP redirect set on app or Login.aspx in IIS
Fiddler shows Login.aspx using status code of 302 and redirecting to Login.aspx

If I open my site, it points to Login.aspx and gets stuck in a 302 loop. If I open the site but point to register.aspx, Fiddler shows register.aspx going to Login.aspx which of course redirects to Login.aspx.

What I've done:

Run the webapp from Visual Studio -- everything works fine
Check web.config for redirect commands -- there are none
Check IIS for redirect commands -- there are none
Look at Fiddler for another page in the loop -- there are none, just Login.aspx to Login.aspx
Check Login.aspx for redirect commands -- there are none
Check Login.aspx code behind for redirect commands -- there are none
Run the app on my box using the web.config from the server -- everything works
Check Login.aspx for redirect commands -- there are none
Cleared Cache -- problem still persists
Republished -- problem still persists
Republished and cleared Cache -- problem still persists
Disabled Default Document in IIS

Are you running behind a load balancer by any chance? Are you sure your redirects are exactly the same (i.e. not http versus https)? — Paddy, Jul 02 '12 at 14:53
the redirects are exactly the same. No https. I don't think I am behind a load balancer. — Johnie Karr, Jul 02 '12 at 14:56
Does your site use some sort of redirect on, say, session expiration to Login.aspx? — Ross, Jul 02 '12 at 15:04
Thanks for comment @Ross. I found a code block that I completley missed, which turned out to be the problem. — Johnie Karr, Jul 02 '12 at 15:42

Paddy · Answer 1 · 2021-12-16T08:30:23.113

5

Will share this just in case it is an answer, as it sounds like a problem we had.

ASP.net MVC site with [RequiresHttps] attribute on our login action.
Behind a load balancer that was doing SSL acceleration (resulting in the request that actually hits the server side code being already decoded and effectively under http).
Server code thinks this is an issue and redirects back to itself using https.
Rinse and repeat.

Been quite a long time since this was answered, and my comment below here to 'not use RequireHttps' is probably a bit out of date.

Anyone looking at this answer and thinking that it answers their problem would probably be well advised to look into configuring their load balancer to use X-Forwarded-Proto headers:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto

And then setting up their MVC site to be able to read these and still think they are under HTTPS at the border of your environment:

https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-6.0

edited Dec 16 '21 at 08:30

answered Jul 02 '12 at 14:55

Paddy

33,309
15
79
114

Thanks for sharing, but I don't think this is my issue. I'm not using MVC, SSL, or load balancing. – Johnie Karr Jul 02 '12 at 15:01
1

Mmm, so not identical, but it might be worth looking for any base classes/global code that are doing redirects, to see if you can spot anything there. – Paddy Jul 02 '12 at 15:08
@Paddy - I have EXACTLY this problem behind a rackspace cloud load balancer. Did you manage to solve it? – Chris Wallis Aug 13 '12 at 15:41
1

Well, the answer was to not use the 'RequiresHttps' attribute and instead roll our own SSL redirection in the global.asax. – Paddy Aug 14 '12 at 07:58

Johnie Karr · Accepted Answer · 2012-07-02T15:41:33.933

Found the problem. Found this logic in the MasterPage:

Dim strPage As String = Request.Url.AbsolutePath.Replace("/", "")
    'Check that user is logged in
    If Not strPage = "Login.aspx" And Not strPage = "Register.aspx" Then
        If Session("intUserId") Is Nothing Then
            Response.Redirect("~/Login.aspx", True)
        End If
    End If

Evidently, strPage does not equal Login.aspx when browsing to Login.aspx on the server.

I should have cought this when I was investigating it. Thanks Ross for your comment, it helped me to find this!

score 1 · Answer 3 · edited Jun 30 '17 at 22:44

1

I had encountered a similar bug. But mine was a typo with two Response.Redirect back to back.

If (conditon1){
    Response.Redirect("Page1.aspx");
}
If (conditon2){
    Response.Redirect("Page2.aspx");
}

And the fix was to simply put the other if in the else block.

edited Jun 30 '17 at 22:44

Sᴀᴍ Onᴇᴌᴀ

8,218
8
36
58

answered Jun 30 '17 at 22:42

Brikesh Kumar

149
1
12

Same problem, also due to conflicting conditions within our own code. The page was allowed to redirect to itself under one condition, but the code to correct the condition didn't fire, resulting in an infinite redirect. Thought it was an IIS issue, but no, we shot ourselves in the foot... – Daniel Bragg Mar 07 '19 at 18:56

302 Infinite Loop

3 Answers3