
I have a site that uses the default SqlMembershipProvider and FormsAuthentication. I can use the built-in Login Controls and/or programmatically call all the methods to authenticate a user and get the same result - the user is authenticated and a cookie is created, but the cookie does not appear to be valid since I can't get into any page that requires authentication.

There is no real code to show for the default Login Control since it should just "work", but here is the custom code I tried:

protected void ctrlLogin_Authenticate(object sender, AuthenticateEventArgs e)
{
   if (Membership.ValidateUser(ctrlLogin.UserName, ctrlLogin.Password))
   {
      FormsAuthentication.RedirectFromLoginPage(ctrlLogin.UserName, ctrlLogin.RememberMeSet);
      /*
       * I also tried this:
      FormsAuthentication.SetAuthCookie(ctrlLogin.UserName, ctrlLogin.RememberMeSet);
      if (!String.IsNullOrEmpty(Request.QueryString["ReturnUrl"]))
         Response.Redirect(Request.QueryString["ReturnUrl"]);
      Response.Redirect("/index.aspx");
       */
   }
   else
   {
      ctrlLogin.FailureText = "Invalid Username/Password Combination";
   }
}

With this code, Membership.ValidateUser() succeeds, and both FormsAuthentication.RedirectFromLoginPage() and FormsAuthentication.SetAuthCookie() successfully set a cookie - that cookie just doesn't work to verify my authentication. I have confirmed this by deleting all my cookies and watching them get created again with FireCookie. The cookie name matches what I have in my web.config, the domain is "/", and the expiration date is as expected (see below).

Here are the relevant sections of my web.config:

<authentication mode="Forms">
  <forms loginUrl="~/login/index.aspx" name=".SoeAuth" protection="All"
    slidingExpiration="true" timeout="525599" domain=""></forms>
</authentication>
<membership defaultProvider="SqlMembershipProvider">
  <providers>
    <add connectionStringName="[MY_CS]" applicationName="[MY_APPNAME]"
      minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0"
      enablePasswordReset="true" passwordFormat="Hashed" requiresUniqueEmail="true"
      name="SqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider"
      requiresQuestionAndAnswer="false"/>
  </providers>
</membership>

It should be noted that I also added a machineKey entry in my web.config file based on a suggestion from a very similar question here (which didn't solve my problem). Also, for reference, the timeout=525599 above is 1 minute less than a year for my persistent cookies.

Rick
  • I know ValidateUser doesn't actually set a cookie. My point in mentioning that is that it is required when programmatically authenticating a user, and it proves that I'm not just typing the wrong username or password. The code above shows the full process. – Rick Sep 16 '11 at 21:12
  • What is `IsAuthenticated` set to when you revisit after logging in? I don't think RedirectFromLoginPage sets the auth cookie either, except in specific circumstances. – TheCodeKing Sep 16 '11 at 21:12
  • User.Identity.IsAuthenticated is false. – Rick Sep 16 '11 at 21:13
  • 1
    Try setting path to / in your forms config and it might work as is. The cookie is only set when `CookiesSupported || IsPathWithinAppRoot(current, returnUrl))`, otherwise just call SetAuthCookie explicitly before redirecting. – TheCodeKing Sep 16 '11 at 21:17
  • Is your cookie sent over in the next request (use Fiddler and check the request header)? And for giggles, lower your timeout to say 600 for testing. Also remove the domain="" - you aren't setting it, so remove it. – Adam Tuliper Sep 17 '11 at 05:42
  • I tried removing the domain="" and also setting it to "/". No change. My browser supports cookies, and the path is within the current application. I also tried the SetAuthCookie() method as seen in my sample code above. – Rick Sep 19 '11 at 12:28
  • @Adam Yes, the cookie is sent in all requests after it is set. – Rick Sep 19 '11 at 13:31

1 Answer


I found the problem:

Since I was able to create a simple working test project with the exact same source code, I determined that the problem was in the web.config file.

Going through each section, I discovered in the 'system.web / httpModules' section I had a <clear/> element. This removed the <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule"/> module defined in the machine-level web.config file. Adding it back in instantly fixed the problem.

It sure would have been nice to get an error message when I tried to use the FormsAuthentication methods and that module wasn't even loaded...

Richard Ev
Rick
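The failure mode in the accepted answer is silent: a <clear/> in the module list drops the inherited FormsAuthenticationModule, the login code still issues a cookie, and nothing ever validates it. The script below is an added example, not code from the question or the answer. It replays a web.config module list in document order (clear, remove, add) and reports when forms authentication is enabled but the FormsAuthentication module no longer survives. The two sample configs are constructed to mirror the answer: the broken one clears httpModules without re-adding the module, the fixed one adds it back. It goes one step beyond the page by also checking the IIS 7+ integrated-pipeline list under system.webServer/modules, where the module is registered under the same name and a <clear/> has the same effect; that second section is an assumption about deployments the question does not mention.

```python
"""Audit an ASP.NET web.config for a module list that drops FormsAuthenticationModule.

Added example; the sample configs are constructed, not taken from the original post.
"""
import xml.etree.ElementTree as ET

# Constructed sample web.config, modelled on the question: forms auth is on,
# but httpModules is <clear/>ed without re-adding FormsAuthentication.
BROKEN_WEB_CONFIG = """\
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/login/index.aspx" name=".SoeAuth" protection="All" />
    </authentication>
    <httpModules>
      <clear/>
      <add name="Session" type="System.Web.SessionState.SessionStateModule"/>
    </httpModules>
  </system.web>
</configuration>
"""

# Same file with the fix from the answer: FormsAuthentication added back after <clear/>.
FIXED_WEB_CONFIG = BROKEN_WEB_CONFIG.replace(
    "<clear/>",
    '<clear/>\n      <add name="FormsAuthentication" '
    'type="System.Web.Security.FormsAuthenticationModule"/>',
)

# Module registration lists that can discard inherited modules: the classic
# pipeline list the question uses, and (assumed) the IIS 7+ integrated list.
MODULE_SECTIONS = (
    ("system.web", "httpModules"),
    ("system.webServer", "modules"),
)


def find_path(node, *tags):
    """Walk child elements by tag name; returns None if any step is missing."""
    for tag in tags:
        node = next((child for child in node if child.tag == tag), None)
        if node is None:
            return None
    return node


def forms_module_survives(section) -> bool:
    """Replay a module list in document order and report whether the inherited
    FormsAuthentication module is still registered when the list ends."""
    present = True  # inherited from machine-level config until something drops it
    for child in section:
        if child.tag == "clear":
            present = False  # every inherited module is gone from here on
        elif child.tag == "remove" and child.get("name") == "FormsAuthentication":
            present = False
        elif child.tag == "add" and child.get("name") == "FormsAuthentication":
            present = True  # re-added after the clear/remove, as in the answer
    return present


def audit_forms_auth(config_xml: str) -> list:
    """Return human-readable findings; an empty list means forms auth is wired up."""
    root = ET.fromstring(config_xml)
    auth = find_path(root, "system.web", "authentication")
    if auth is None or auth.get("mode") != "Forms":
        return []  # site does not rely on FormsAuthenticationModule
    findings = []
    for tags in MODULE_SECTIONS:
        section = find_path(root, *tags)
        if section is not None and not forms_module_survives(section):
            findings.append(
                "/".join(tags) + ": FormsAuthentication module is not registered "
                "(cleared or removed without being re-added); auth cookies will be "
                "set but never validated"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_WEB_CONFIG), ("fixed", FIXED_WEB_CONFIG)):
        print(label, "->", audit_forms_auth(cfg) or "OK")
```

Run it against a real web.config by passing the file contents to audit_forms_auth(); a finding on the httpModules line is exactly the condition the answer describes, and the fix is the <add name="FormsAuthentication" .../> element placed after the <clear/>.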