By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
424,853 Members | 930 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 424,853 IT Pros & Developers. It's quick & easy.

Forms Authentication Problem

P: n/a
I tried on the Security newgroup, as well as other places, and haven't
gotten an answer yet - - I'm pulling my hair out over this one.

I'm trying to get Forms Authentication working.....I can get any requested
page to automatically go to the Login.aspx page, AND, the ReturnURL
querystring is correct in the address bar, but no matter what, I can't get
it, once the user is authenticated, to redirect to the new page. It ALWAYS
refreshes the Login.aspx page!

My database has all the users - - I query the database and validate the user
there. This part works - - I've totally verified this.
Then - - I've got this:
if ValidUser="True" then
FormsAuthentication.RedirectFromLoginPage(txtUID.t ext, True) '
<-------this is the part that DOES NOT work at all - - it never redirects
the page

The machine.config points to the correct path for the WebUIValidation.js
file....I'm using MSIE, as are all the other users who are going to be
hitting this app. - - Scripting is allowed.

in the Web.Config, I've got:
<authentication mode="Forms">
<forms name=".MyApp"
loginUrl="login.aspx"
protection="All"
timeout="480"
path="/"
/>
</authentication>
<authorization>
<deny users ="?" />
</authorization>
And I'm importing the Web.Security Namespace on each page.
Does Each subsequent page need anything else in it to make this work?
Please help - - I've been working on this for over a week now! What am I
missing?
Nov 17 '05 #1
Share this Question
Share on Google+
11 Replies


P: n/a
are you sure ValidUser is returning "true" ?

"ElmoWatson" <sp**********@yahoo.com> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...
I tried on the Security newgroup, as well as other places, and haven't
gotten an answer yet - - I'm pulling my hair out over this one.

I'm trying to get Forms Authentication working.....I can get any requested
page to automatically go to the Login.aspx page, AND, the ReturnURL
querystring is correct in the address bar, but no matter what, I can't get
it, once the user is authenticated, to redirect to the new page. It ALWAYS
refreshes the Login.aspx page!

My database has all the users - - I query the database and validate the user there. This part works - - I've totally verified this.
Then - - I've got this:
if ValidUser="True" then
FormsAuthentication.RedirectFromLoginPage(txtUID.t ext, True) '
<-------this is the part that DOES NOT work at all - - it never redirects
the page

The machine.config points to the correct path for the WebUIValidation.js
file....I'm using MSIE, as are all the other users who are going to be
hitting this app. - - Scripting is allowed.

in the Web.Config, I've got:
<authentication mode="Forms">
<forms name=".MyApp"
loginUrl="login.aspx"
protection="All"
timeout="480"
path="/"
/>
</authentication>
<authorization>
<deny users ="?" />
</authorization>
And I'm importing the Web.Security Namespace on each page.
Does Each subsequent page need anything else in it to make this work?
Please help - - I've been working on this for over a week now! What am I
missing?

Nov 17 '05 #2

P: n/a
Yes - I'm sure - absolutely positive

"Seaside" <ss@hotmail.com> wrote in message
news:ez**************@tk2msftngp13.phx.gbl...
are you sure ValidUser is returning "true" ?

"ElmoWatson" <sp**********@yahoo.com> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...
I tried on the Security newgroup, as well as other places, and haven't
gotten an answer yet - - I'm pulling my hair out over this one.

I'm trying to get Forms Authentication working.....I can get any requested page to automatically go to the Login.aspx page, AND, the ReturnURL
querystring is correct in the address bar, but no matter what, I can't get it, once the user is authenticated, to redirect to the new page. It ALWAYS refreshes the Login.aspx page!

My database has all the users - - I query the database and validate the

user
there. This part works - - I've totally verified this.
Then - - I've got this:
if ValidUser="True" then
FormsAuthentication.RedirectFromLoginPage(txtUID.t ext, True) '
<-------this is the part that DOES NOT work at all - - it never redirects the page

The machine.config points to the correct path for the WebUIValidation.js
file....I'm using MSIE, as are all the other users who are going to be
hitting this app. - - Scripting is allowed.

in the Web.Config, I've got:
<authentication mode="Forms">
<forms name=".MyApp"
loginUrl="login.aspx"
protection="All"
timeout="480"
path="/"
/>
</authentication>
<authorization>
<deny users ="?" />
</authorization>
And I'm importing the Web.Security Namespace on each page.
Does Each subsequent page need anything else in it to make this work?
Please help - - I've been working on this for over a week now! What am I
missing?


Nov 17 '05 #3

P: n/a
Thanks - I checked it out - - all the code listings links don't go to the
code at all....nice article, but it doesn't tell me where my problem is.
BTW - If I remove the deny users part - - - - it bypasses the login.aspx
file altogether. I at least had that working
"S. Justin Gengo" <sj*****@aboutfortunate.com> wrote in message
news:%2***************@TK2MSFTNGP12.phx.gbl...
Elmo,

When you use a database with forms authentication you need to remove the
deny users attribute in the web.config file. You then have to create a
method that does the validation for you.

Here's a good article about using a database with form authentication:
http://www.zdnet.com.au/builder/prog...0274191,00.htm
Sincerely,

--
S. Justin Gengo, MCP
Web Developer

Free code library at:
www.aboutfortunate.com

"Out of chaos comes order."
Nietzche
"ElmoWatson" <sp**********@yahoo.com> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...
I tried on the Security newgroup, as well as other places, and haven't
gotten an answer yet - - I'm pulling my hair out over this one.

I'm trying to get Forms Authentication working.....I can get any requested page to automatically go to the Login.aspx page, AND, the ReturnURL
querystring is correct in the address bar, but no matter what, I can't get it, once the user is authenticated, to redirect to the new page. It ALWAYS refreshes the Login.aspx page!

My database has all the users - - I query the database and validate the

user
there. This part works - - I've totally verified this.
Then - - I've got this:
if ValidUser="True" then
FormsAuthentication.RedirectFromLoginPage(txtUID.t ext, True) '
<-------this is the part that DOES NOT work at all - - it never redirects the page

The machine.config points to the correct path for the WebUIValidation.js
file....I'm using MSIE, as are all the other users who are going to be
hitting this app. - - Scripting is allowed.

in the Web.Config, I've got:
<authentication mode="Forms">
<forms name=".MyApp"
loginUrl="login.aspx"
protection="All"
timeout="480"
path="/"
/>
</authentication>
<authorization>
<deny users ="?" />
</authorization>
And I'm importing the Web.Security Namespace on each page.
Does Each subsequent page need anything else in it to make this work?
Please help - - I've been working on this for over a week now! What am I
missing?


Nov 17 '05 #4

P: n/a
see S.Justin Gengo's reply

"ElmoWatson" <sp**********@yahoo.com> wrote in message
news:Oi**************@TK2MSFTNGP12.phx.gbl...
Yes - I'm sure - absolutely positive

"Seaside" <ss@hotmail.com> wrote in message
news:ez**************@tk2msftngp13.phx.gbl...
are you sure ValidUser is returning "true" ?

"ElmoWatson" <sp**********@yahoo.com> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...
I tried on the Security newgroup, as well as other places, and haven't
gotten an answer yet - - I'm pulling my hair out over this one.

I'm trying to get Forms Authentication working.....I can get any requested page to automatically go to the Login.aspx page, AND, the ReturnURL
querystring is correct in the address bar, but no matter what, I can't get it, once the user is authenticated, to redirect to the new page. It ALWAYS refreshes the Login.aspx page!

My database has all the users - - I query the database and validate the
user
there. This part works - - I've totally verified this.
Then - - I've got this:
if ValidUser="True" then
FormsAuthentication.RedirectFromLoginPage(txtUID.t ext, True) '
<-------this is the part that DOES NOT work at all - - it never redirects the page

The machine.config points to the correct path for the

WebUIValidation.js file....I'm using MSIE, as are all the other users who are going to be
hitting this app. - - Scripting is allowed.

in the Web.Config, I've got:
<authentication mode="Forms">
<forms name=".MyApp"
loginUrl="login.aspx"
protection="All"
timeout="480"
path="/"
/>
</authentication>
<authorization>
<deny users ="?" />
</authorization>
And I'm importing the Web.Security Namespace on each page.
Does Each subsequent page need anything else in it to make this work?
Please help - - I've been working on this for over a week now! What am I missing?



Nov 17 '05 #5

P: n/a
Elmo,

It may be redirecting to the page, then redirecting right back to the login
page when it's found that the user isn't authenticated.

The question will be "why isn't the user authenticated when I think he
should be?" Answers I've seen include:

1) Because the cookie is set up wrong and Forms Authentication never sees
it. Check on the domain, path and expiration of the cookie. In particular,
make sure the cookie domain matches your domain. localhost has a blank
domain, BTW.
2) Because the login page and the page you're redirecting to have different
values in the <machineKey> entry in machine.config or web.config.
3) The user _is_ authenticated, but not authorized. Maybe URL authorization
has a typo in a role name, or roles aren't being applied in global.asax.

It sounds like it's time for you to look one layer deeper. In particular,
try turning on tracing in web.config:

<trace enabled="true" requestLimit="100" pageOutput="false"
traceMode="SortByTime" localOnly="true" />

Then reproduce the problem and navigate to
http://localhost/yourSite/trace.axd. It may be instructive.
--
John Saunders
Internet Engineer
jo***********@surfcontrol.com

"ElmoWatson" <sp**********@yahoo.com> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...
I tried on the Security newgroup, as well as other places, and haven't
gotten an answer yet - - I'm pulling my hair out over this one.

I'm trying to get Forms Authentication working.....I can get any requested
page to automatically go to the Login.aspx page, AND, the ReturnURL
querystring is correct in the address bar, but no matter what, I can't get
it, once the user is authenticated, to redirect to the new page. It ALWAYS
refreshes the Login.aspx page!

My database has all the users - - I query the database and validate the user there. This part works - - I've totally verified this.
Then - - I've got this:
if ValidUser="True" then
FormsAuthentication.RedirectFromLoginPage(txtUID.t ext, True) '
<-------this is the part that DOES NOT work at all - - it never redirects
the page

The machine.config points to the correct path for the WebUIValidation.js
file....I'm using MSIE, as are all the other users who are going to be
hitting this app. - - Scripting is allowed.

in the Web.Config, I've got:
<authentication mode="Forms">
<forms name=".MyApp"
loginUrl="login.aspx"
protection="All"
timeout="480"
path="/"
/>
</authentication>
<authorization>
<deny users ="?" />
</authorization>
And I'm importing the Web.Security Namespace on each page.
Does Each subsequent page need anything else in it to make this work?
Please help - - I've been working on this for over a week now! What am I
missing?

Nov 17 '05 #6

P: n/a
Hmmm,

That website must be having some pretty big link problems! I had bookmarked
it a long time ago. It looks like all their articles file links aren't
working.

Here's a line of code from a different article that I think pertains to you:

If blnIsAuthenticated Then
FormsAuthentication.RedirectFromLoginPage(strUser,
chkPersistLogin.Checked)
End If

This article is using an xml file instead of a database to store usernames
and passwords but the concept is the same. Here's the link:
http://www.15seconds.com/issue/020305.htm

Sincerecly,
--
S. Justin Gengo, MCP
Web Developer

Free code library at:
www.aboutfortunate.com

"Out of chaos comes order."
Nietzche
"ElmoWatson" <sp**********@yahoo.com> wrote in message
news:eS**************@TK2MSFTNGP11.phx.gbl...
Thanks - I checked it out - - all the code listings links don't go to the
code at all....nice article, but it doesn't tell me where my problem is.
BTW - If I remove the deny users part - - - - it bypasses the login.aspx
file altogether. I at least had that working
"S. Justin Gengo" <sj*****@aboutfortunate.com> wrote in message
news:%2***************@TK2MSFTNGP12.phx.gbl...
Elmo,

When you use a database with forms authentication you need to remove the
deny users attribute in the web.config file. You then have to create a
method that does the validation for you.

Here's a good article about using a database with form authentication:

http://www.zdnet.com.au/builder/prog...0274191,00.htm

Sincerely,

--
S. Justin Gengo, MCP
Web Developer

Free code library at:
www.aboutfortunate.com

"Out of chaos comes order."
Nietzche
"ElmoWatson" <sp**********@yahoo.com> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...
I tried on the Security newgroup, as well as other places, and haven't
gotten an answer yet - - I'm pulling my hair out over this one.

I'm trying to get Forms Authentication working.....I can get any requested page to automatically go to the Login.aspx page, AND, the ReturnURL
querystring is correct in the address bar, but no matter what, I can't get it, once the user is authenticated, to redirect to the new page. It ALWAYS refreshes the Login.aspx page!

My database has all the users - - I query the database and validate the
user
there. This part works - - I've totally verified this.
Then - - I've got this:
if ValidUser="True" then
FormsAuthentication.RedirectFromLoginPage(txtUID.t ext, True) '
<-------this is the part that DOES NOT work at all - - it never redirects the page

The machine.config points to the correct path for the

WebUIValidation.js file....I'm using MSIE, as are all the other users who are going to be
hitting this app. - - Scripting is allowed.

in the Web.Config, I've got:
<authentication mode="Forms">
<forms name=".MyApp"
loginUrl="login.aspx"
protection="All"
timeout="480"
path="/"
/>
</authentication>
<authorization>
<deny users ="?" />
</authorization>
And I'm importing the Web.Security Namespace on each page.
Does Each subsequent page need anything else in it to make this work?
Please help - - I've been working on this for over a week now! What am I missing?



Nov 17 '05 #7

P: n/a
Actually - I have had Tracing on & off several times - -
I see that the cookie is set - - but the weird thing is how it's showing - -
I went to the temporary internet files directory to watch when the cookie
shows up.

I run a page on the site in IE, get referred to the login page, login, and,
as usual, it does NOT redirect me to the original page....
Keep in mind, still no cookie in the directory -- then I close IE - - -
still no cookie.
THEN - when I start IE AGAIN, only going to its default page - - the cookie
shows up in the directory - - I don't get how this behavior works, at all.

Still - the same login scenario happens - - no redirect.

You said:
Maybe URL authorization has a typo in a role name, or roles aren't being
applied in global.asax.

I don't have any roles in play here - this scenario, at this point is
supposed to check against a database table for authorization - - if
there - - validuser is true, else it's false
if it's true, I have it set like this:
FormsAuthentication.RedirectFromLoginPage(txtUID.t ext, True) and again -
here's where it doesn't work. It DOES, however, set the cookie, named the
same as in the web.config file.

Anything else?? Nothing shows up as

"John Saunders" <jo***********@surfcontrol.com> wrote in message
news:OL**************@TK2MSFTNGP11.phx.gbl...
Elmo,

It may be redirecting to the page, then redirecting right back to the login page when it's found that the user isn't authenticated.

The question will be "why isn't the user authenticated when I think he
should be?" Answers I've seen include:

1) Because the cookie is set up wrong and Forms Authentication never sees
it. Check on the domain, path and expiration of the cookie. In particular,
make sure the cookie domain matches your domain. localhost has a blank
domain, BTW.
2) Because the login page and the page you're redirecting to have different values in the <machineKey> entry in machine.config or web.config.
3) The user _is_ authenticated, but not authorized. Maybe URL authorization has a typo in a role name, or roles aren't being applied in global.asax.

It sounds like it's time for you to look one layer deeper. In particular,
try turning on tracing in web.config:

<trace enabled="true" requestLimit="100" pageOutput="false"
traceMode="SortByTime" localOnly="true" />

Then reproduce the problem and navigate to
http://localhost/yourSite/trace.axd. It may be instructive.
--
John Saunders
Internet Engineer
jo***********@surfcontrol.com

"ElmoWatson" <sp**********@yahoo.com> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...
I tried on the Security newgroup, as well as other places, and haven't
gotten an answer yet - - I'm pulling my hair out over this one.

I'm trying to get Forms Authentication working.....I can get any

requested page to automatically go to the Login.aspx page, AND, the ReturnURL
querystring is correct in the address bar, but no matter what, I can't get it, once the user is authenticated, to redirect to the new page. It ALWAYS refreshes the Login.aspx page!

My database has all the users - - I query the database and validate the

user
there. This part works - - I've totally verified this.
Then - - I've got this:
if ValidUser="True" then
FormsAuthentication.RedirectFromLoginPage(txtUID.t ext, True) '
<-------this is the part that DOES NOT work at all - - it never redirects the page

The machine.config points to the correct path for the WebUIValidation.js
file....I'm using MSIE, as are all the other users who are going to be
hitting this app. - - Scripting is allowed.

in the Web.Config, I've got:
<authentication mode="Forms">
<forms name=".MyApp"
loginUrl="login.aspx"
protection="All"
timeout="480"
path="/"
/>
</authentication>
<authorization>
<deny users ="?" />
</authorization>
And I'm importing the Web.Security Namespace on each page.
Does Each subsequent page need anything else in it to make this work?
Please help - - I've been working on this for over a week now! What am I
missing?


Nov 17 '05 #8

P: n/a
Yeah - - that's what I'm using exactly - - that's what doesn't work
correctly
I'm totally lost here......I guess I'll just have to roll my own
authentication system - - I've been at this over a week and I could have had
it all done, if I had manually created it.

Thanks for the help - - if you think of something else - - - post back,
please.

"S. Justin Gengo" <sj*****@aboutfortunate.com> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...
Hmmm,

That website must be having some pretty big link problems! I had bookmarked it a long time ago. It looks like all their articles file links aren't
working.

Here's a line of code from a different article that I think pertains to you:
If blnIsAuthenticated Then
FormsAuthentication.RedirectFromLoginPage(strUser,
chkPersistLogin.Checked)
End If

This article is using an xml file instead of a database to store usernames
and passwords but the concept is the same. Here's the link:
http://www.15seconds.com/issue/020305.htm

Sincerecly,
--
S. Justin Gengo, MCP
Web Developer

Free code library at:
www.aboutfortunate.com

"Out of chaos comes order."
Nietzche
"ElmoWatson" <sp**********@yahoo.com> wrote in message
news:eS**************@TK2MSFTNGP11.phx.gbl...
Thanks - I checked it out - - all the code listings links don't go to the
code at all....nice article, but it doesn't tell me where my problem is.
BTW - If I remove the deny users part - - - - it bypasses the login.aspx file altogether. I at least had that working
"S. Justin Gengo" <sj*****@aboutfortunate.com> wrote in message
news:%2***************@TK2MSFTNGP12.phx.gbl...
Elmo,

When you use a database with forms authentication you need to remove the deny users attribute in the web.config file. You then have to create a
method that does the validation for you.

Here's a good article about using a database with form authentication:

http://www.zdnet.com.au/builder/prog...0274191,00.htm

Sincerely,

--
S. Justin Gengo, MCP
Web Developer

Free code library at:
www.aboutfortunate.com

"Out of chaos comes order."
Nietzche
"ElmoWatson" <sp**********@yahoo.com> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...
> I tried on the Security newgroup, as well as other places, and haven't > gotten an answer yet - - I'm pulling my hair out over this one.
>
> I'm trying to get Forms Authentication working.....I can get any

requested
> page to automatically go to the Login.aspx page, AND, the ReturnURL
> querystring is correct in the address bar, but no matter what, I can't
get
> it, once the user is authenticated, to redirect to the new page. It

ALWAYS
> refreshes the Login.aspx page!
>
> My database has all the users - - I query the database and validate the user
> there. This part works - - I've totally verified this.
> Then - - I've got this:
> if ValidUser="True" then
> FormsAuthentication.RedirectFromLoginPage(txtUID.t ext, True) '
> <-------this is the part that DOES NOT work at all - - it never

redirects
> the page
>
> The machine.config points to the correct path for the WebUIValidation.js > file....I'm using MSIE, as are all the other users who are going to
be > hitting this app. - - Scripting is allowed.
>
> in the Web.Config, I've got:
> <authentication mode="Forms">
> <forms name=".MyApp"
> loginUrl="login.aspx"
> protection="All"
> timeout="480"
> path="/"
> />
> </authentication>
> <authorization>
> <deny users ="?" />
> </authorization>
> And I'm importing the Web.Security Namespace on each page.
> Does Each subsequent page need anything else in it to make this work? > Please help - - I've been working on this for over a week now! What

am I > missing?
>
>



Nov 17 '05 #9

P: n/a
Elmo,

Let's be sure we understand each other. Here's a sequence of events to
reproduce:

1) Close _all_ of your browsers
2) Start up IE (preferably with your home page set to about:blank).
3) Navigate to a page which requires you to be authenticated
4) You should be redirected to the login page
5) Check for the cookie it should be absent.
6) Log in. It should attempt to redirect you to the original page.
7) Whether or not it redirected you, check for the cookie again. If it's
there, post the details, in particular, the path, domain and expiration.

BTW, I don't know how you're seeing the cookie at all. Session cookies
aren't displayed in IE's "View Files" dialog. You'd do better to use a tool
like ProxyTrace from http://pocketsoap.com, which will allow you to see the
actual Set-Cookie header(s).
--
John Saunders
Internet Engineer
jo***********@surfcontrol.com
"ElmoWatson" <sp**********@yahoo.com> wrote in message
news:eX**************@TK2MSFTNGP10.phx.gbl...
Actually - I have had Tracing on & off several times - -
I see that the cookie is set - - but the weird thing is how it's showing - - I went to the temporary internet files directory to watch when the cookie
shows up.

I run a page on the site in IE, get referred to the login page, login, and, as usual, it does NOT redirect me to the original page....
Keep in mind, still no cookie in the directory -- then I close IE - - -
still no cookie.
THEN - when I start IE AGAIN, only going to its default page - - the cookie shows up in the directory - - I don't get how this behavior works, at all.
Still - the same login scenario happens - - no redirect.

You said:
>Maybe URL authorization has a typo in a role name, or roles aren't being
applied in global.asax.

I don't have any roles in play here - this scenario, at this point is
supposed to check against a database table for authorization - - if
there - - validuser is true, else it's false
if it's true, I have it set like this:
FormsAuthentication.RedirectFromLoginPage(txtUID.t ext, True) and again -
here's where it doesn't work. It DOES, however, set the cookie, named the
same as in the web.config file.

Anything else?? Nothing shows up as

"John Saunders" <jo***********@surfcontrol.com> wrote in message
news:OL**************@TK2MSFTNGP11.phx.gbl...
Elmo,

It may be redirecting to the page, then redirecting right back to the

login
page when it's found that the user isn't authenticated.

The question will be "why isn't the user authenticated when I think he
should be?" Answers I've seen include:

1) Because the cookie is set up wrong and Forms Authentication never sees
it. Check on the domain, path and expiration of the cookie. In particular, make sure the cookie domain matches your domain. localhost has a blank
domain, BTW.
2) Because the login page and the page you're redirecting to have

different
values in the <machineKey> entry in machine.config or web.config.
3) The user _is_ authenticated, but not authorized. Maybe URL

authorization
has a typo in a role name, or roles aren't being applied in global.asax.

It sounds like it's time for you to look one layer deeper. In particular, try turning on tracing in web.config:

<trace enabled="true" requestLimit="100" pageOutput="false"
traceMode="SortByTime" localOnly="true" />

Then reproduce the problem and navigate to
http://localhost/yourSite/trace.axd. It may be instructive.
--
John Saunders
Internet Engineer
jo***********@surfcontrol.com

"ElmoWatson" <sp**********@yahoo.com> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...
I tried on the Security newgroup, as well as other places, and haven't
gotten an answer yet - - I'm pulling my hair out over this one.

I'm trying to get Forms Authentication working.....I can get any requested page to automatically go to the Login.aspx page, AND, the ReturnURL
querystring is correct in the address bar, but no matter what, I can't get it, once the user is authenticated, to redirect to the new page. It ALWAYS refreshes the Login.aspx page!

My database has all the users - - I query the database and validate
the user
there. This part works - - I've totally verified this.
Then - - I've got this:
if ValidUser="True" then
FormsAuthentication.RedirectFromLoginPage(txtUID.t ext, True) '
<-------this is the part that DOES NOT work at all - - it never

redirects the page

The machine.config points to the correct path for the

WebUIValidation.js file....I'm using MSIE, as are all the other users who are going to be
hitting this app. - - Scripting is allowed.

in the Web.Config, I've got:
<authentication mode="Forms">
<forms name=".MyApp"
loginUrl="login.aspx"
protection="All"
timeout="480"
path="/"
/>
</authentication>
<authorization>
<deny users ="?" />
</authorization>
And I'm importing the Web.Security Namespace on each page.
Does Each subsequent page need anything else in it to make this work?
Please help - - I've been working on this for over a week now! What am I missing?



Nov 17 '05 #10

P: n/a
Here are my steps
1. Delete existing cookie, starting from scratch
2. Run a page on web server - - redirects me to login page
3. Login, hoping to go to url in querystring
4. It does NOT redirect me to the correct page - -
in the Trace details, it shows the cookie with the correct name (from
Web.Config Name = section)
5. However, I don't see the cookie in the Temporary Internet Files dir
yet - - close IE -no cookie
6. Start IE (goes to default site which is NOT the web site in question) -
Cookie shows up
7. Details - - - in the directory list (Windows Explorer):
Name: Cookie:myname@testWebserver/ --- this is correct --
Internet Address - same as Name: - TXT file
Expires: 8/5/2053
Last Modified/Last Accessed/Last Checked - - all the same time/date (today)

8. Try running a page on the web server again - - redirects me to login
page, with the originally requested page, correctly, in the querystring
(ReturnUrL) - - cookie shows up with the name given to it, in my Web.config
file.

Does this show you anything?

"John Saunders" <jo***********@surfcontrol.com> wrote in message
news:uG**************@TK2MSFTNGP11.phx.gbl...
Elmo,

Let's be sure we understand each other. Here's a sequence of events to
reproduce:

1) Close _all_ of your browsers
2) Start up IE (preferably with your home page set to about:blank).
3) Navigate to a page which requires you to be authenticated
4) You should be redirected to the login page
5) Check for the cookie it should be absent.
6) Log in. It should attempt to redirect you to the original page.
7) Whether or not it redirected you, check for the cookie again. If it's
there, post the details, in particular, the path, domain and expiration.

BTW, I don't know how you're seeing the cookie at all. Session cookies
aren't displayed in IE's "View Files" dialog. You'd do better to use a tool like ProxyTrace from http://pocketsoap.com, which will allow you to see the actual Set-Cookie header(s).
--
John Saunders
Internet Engineer
jo***********@surfcontrol.com
"ElmoWatson" <sp**********@yahoo.com> wrote in message
news:eX**************@TK2MSFTNGP10.phx.gbl...
Actually - I have had Tracing on & off several times - -
I see that the cookie is set - - but the weird thing is how it's showing - -
I went to the temporary internet files directory to watch when the cookie
shows up.

I run a page on the site in IE, get referred to the login page, login,

and,
as usual, it does NOT redirect me to the original page....
Keep in mind, still no cookie in the directory -- then I close IE - - -
still no cookie.
THEN - when I start IE AGAIN, only going to its default page - - the

cookie
shows up in the directory - - I don't get how this behavior works, at

all.

Still - the same login scenario happens - - no redirect.

You said:
>>>Maybe URL authorization has a typo in a role name, or roles aren't being
applied in global.asax.

I don't have any roles in play here - this scenario, at this point is
supposed to check against a database table for authorization - - if
there - - validuser is true, else it's false
if it's true, I have it set like this:
FormsAuthentication.RedirectFromLoginPage(txtUID.t ext, True) and again -
here's where it doesn't work. It DOES, however, set the cookie, named

the same as in the web.config file.

Anything else?? Nothing shows up as

"John Saunders" <jo***********@surfcontrol.com> wrote in message
news:OL**************@TK2MSFTNGP11.phx.gbl...
Elmo,

It may be redirecting to the page, then redirecting right back to the

login
page when it's found that the user isn't authenticated.

The question will be "why isn't the user authenticated when I think he
should be?" Answers I've seen include:

1) Because the cookie is set up wrong and Forms Authentication never sees it. Check on the domain, path and expiration of the cookie. In particular, make sure the cookie domain matches your domain. localhost has a blank
domain, BTW.
2) Because the login page and the page you're redirecting to have

different
values in the <machineKey> entry in machine.config or web.config.
3) The user _is_ authenticated, but not authorized. Maybe URL

authorization
has a typo in a role name, or roles aren't being applied in global.asax.
It sounds like it's time for you to look one layer deeper. In particular, try turning on tracing in web.config:

<trace enabled="true" requestLimit="100" pageOutput="false"
traceMode="SortByTime" localOnly="true" />

Then reproduce the problem and navigate to
http://localhost/yourSite/trace.axd. It may be instructive.
--
John Saunders
Internet Engineer
jo***********@surfcontrol.com

"ElmoWatson" <sp**********@yahoo.com> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...
> I tried on the Security newgroup, as well as other places, and haven't > gotten an answer yet - - I'm pulling my hair out over this one.
>
> I'm trying to get Forms Authentication working.....I can get any

requested
> page to automatically go to the Login.aspx page, AND, the ReturnURL
> querystring is correct in the address bar, but no matter what, I can't get
> it, once the user is authenticated, to redirect to the new page. It

ALWAYS
> refreshes the Login.aspx page!
>
> My database has all the users - - I query the database and validate the user
> there. This part works - - I've totally verified this.
> Then - - I've got this:
> if ValidUser="True" then
> FormsAuthentication.RedirectFromLoginPage(txtUID.t ext, True) '
> <-------this is the part that DOES NOT work at all - - it never

redirects
> the page
>
> The machine.config points to the correct path for the WebUIValidation.js > file....I'm using MSIE, as are all the other users who are going to
be > hitting this app. - - Scripting is allowed.
>
> in the Web.Config, I've got:
> <authentication mode="Forms">
> <forms name=".MyApp"
> loginUrl="login.aspx"
> protection="All"
> timeout="480"
> path="/"
> />
> </authentication>
> <authorization>
> <deny users ="?" />
> </authorization>
> And I'm importing the Web.Security Namespace on each page.
> Does Each subsequent page need anything else in it to make this work? > Please help - - I've been working on this for over a week now! What

am I > missing?
>
>



Nov 17 '05 #11

P: n/a
Yeah, Elmo, that's what I figured from your detailed post. Your Forms
Authentication page may be using the same cookie name as being used by that
"classic ASP" page. Choose another name!

You're not _supposed_ to be able to see session cookies in Temporary
Internet Files! The fact that you saw it there suggested that it wasn't from
ASP.NET, and the fact that you saw it after going to the "default" page
suggested that you were getting that cookie from the default page.

--
John Saunders
Internet Engineer
jo***********@surfcontrol.com
"ElmoWatson" <sp**********@yahoo.com> wrote in message
news:u8**************@tk2msftngp13.phx.gbl...
I didn't notice until I sent the last message, that you said to 'blank' out the start page....
The weirdest thing happened - - previously, my start page was one of the
other intranet's login page in our company (classic asp/different
login/different server/completely different physical location) - - -

AS SOON as I dumped that page from my default page in IE - the whole Forms
Authentication worked perfectly - just like it was supposed to.

"ElmoWatson" <sp**********@yahoo.com> wrote in message
news:ew*************@TK2MSFTNGP12.phx.gbl...
Here are my steps
1. Delete existing cookie, starting from scratch
2. Run a page on web server - - redirects me to login page
3. Login, hoping to go to url in querystring
4. It does NOT redirect me to the correct page - -
in the Trace details, it shows the cookie with the correct name (from
Web.Config Name = section)
5. However, I don't see the cookie in the Temporary Internet Files dir
yet - - close IE -no cookie
6. Start IE (goes to default site which is NOT the web site in question) -
Cookie shows up
7. Details - - - in the directory list (Windows Explorer):
Name: Cookie:myname@testWebserver/ --- this is correct --
Internet Address - same as Name: - TXT file
Expires: 8/5/2053
Last Modified/Last Accessed/Last Checked - - all the same time/date (today)

8. Try running a page on the web server again - - redirects me to login
page, with the originally requested page, correctly, in the querystring
(ReturnUrL) - - cookie shows up with the name given to it, in my

Web.config
file.

Does this show you anything?

"John Saunders" <jo***********@surfcontrol.com> wrote in message
news:uG**************@TK2MSFTNGP11.phx.gbl...
Elmo,

Let's be sure we understand each other. Here's a sequence of events to
reproduce:

1) Close _all_ of your browsers
2) Start up IE (preferably with your home page set to about:blank).
3) Navigate to a page which requires you to be authenticated
4) You should be redirected to the login page
5) Check for the cookie it should be absent.
6) Log in. It should attempt to redirect you to the original page.
7) Whether or not it redirected you, check for the cookie again. If it's there, post the details, in particular, the path, domain and expiration.
BTW, I don't know how you're seeing the cookie at all. Session cookies
aren't displayed in IE's "View Files" dialog. You'd do better to use a

tool
like ProxyTrace from http://pocketsoap.com, which will allow you to see
the
actual Set-Cookie header(s).
--
John Saunders
Internet Engineer
jo***********@surfcontrol.com
"ElmoWatson" <sp**********@yahoo.com> wrote in message
news:eX**************@TK2MSFTNGP10.phx.gbl...
> Actually - I have had Tracing on & off several times - -
> I see that the cookie is set - - but the weird thing is how it's
showing - -
> I went to the temporary internet files directory to watch when the

cookie
> shows up.
>
> I run a page on the site in IE, get referred to the login page,
login, and,
> as usual, it does NOT redirect me to the original page....
> Keep in mind, still no cookie in the directory -- then I close

IE - - - > still no cookie.
> THEN - when I start IE AGAIN, only going to its default page - - the
cookie
> shows up in the directory - - I don't get how this behavior works, at all.
>
> Still - the same login scenario happens - - no redirect.
>
> You said:
> >>>>Maybe URL authorization has a typo in a role name, or roles aren't being
> applied in global.asax.
>
> I don't have any roles in play here - this scenario, at this point is > supposed to check against a database table for authorization - - if
> there - - validuser is true, else it's false
> if it's true, I have it set like this:
> FormsAuthentication.RedirectFromLoginPage(txtUID.t ext, True) and again - > here's where it doesn't work. It DOES, however, set the cookie, named the
> same as in the web.config file.
>
> Anything else?? Nothing shows up as
>
> "John Saunders" <jo***********@surfcontrol.com> wrote in message
> news:OL**************@TK2MSFTNGP11.phx.gbl...
> > Elmo,
> >
> > It may be redirecting to the page, then redirecting right back to the > login
> > page when it's found that the user isn't authenticated.
> >
> > The question will be "why isn't the user authenticated when I
think he > > should be?" Answers I've seen include:
> >
> > 1) Because the cookie is set up wrong and Forms Authentication
never sees
> > it. Check on the domain, path and expiration of the cookie. In
particular,
> > make sure the cookie domain matches your domain. localhost has a

blank > > domain, BTW.
> > 2) Because the login page and the page you're redirecting to have
> different
> > values in the <machineKey> entry in machine.config or web.config.
> > 3) The user _is_ authenticated, but not authorized. Maybe URL
> authorization
> > has a typo in a role name, or roles aren't being applied in

global.asax.
> >
> > It sounds like it's time for you to look one layer deeper. In
particular,
> > try turning on tracing in web.config:
> >
> > <trace enabled="true" requestLimit="100" pageOutput="false"
> > traceMode="SortByTime" localOnly="true" />
> >
> > Then reproduce the problem and navigate to
> > http://localhost/yourSite/trace.axd. It may be instructive.
> > --
> > John Saunders
> > Internet Engineer
> > jo***********@surfcontrol.com
> >
> >
> >
> > "ElmoWatson" <sp**********@yahoo.com> wrote in message
> > news:%2****************@TK2MSFTNGP11.phx.gbl...
> > > I tried on the Security newgroup, as well as other places, and

haven't
> > > gotten an answer yet - - I'm pulling my hair out over this one.
> > >
> > > I'm trying to get Forms Authentication working.....I can get any
> requested
> > > page to automatically go to the Login.aspx page, AND, the ReturnURL > > > querystring is correct in the address bar, but no matter what, I

can't
> get
> > > it, once the user is authenticated, to redirect to the new page. It > ALWAYS
> > > refreshes the Login.aspx page!
> > >
> > > My database has all the users - - I query the database and validate the
> > user
> > > there. This part works - - I've totally verified this.
> > > Then - - I've got this:
> > > if ValidUser="True" then
> > > FormsAuthentication.RedirectFromLoginPage(txtUID.t ext, True) ' > > > <-------this is the part that DOES NOT work at all - - it never
> redirects
> > > the page
> > >
> > > The machine.config points to the correct path for the
WebUIValidation.js
> > > file....I'm using MSIE, as are all the other users who are going

to
be
> > > hitting this app. - - Scripting is allowed.
> > >
> > > in the Web.Config, I've got:
> > > <authentication mode="Forms">
> > > <forms name=".MyApp"
> > > loginUrl="login.aspx"
> > > protection="All"
> > > timeout="480"
> > > path="/"
> > > />
> > > </authentication>
> > > <authorization>
> > > <deny users ="?" />
> > > </authorization>
> > > And I'm importing the Web.Security Namespace on each page.
> > > Does Each subsequent page need anything else in it to make this

work?
> > > Please help - - I've been working on this for over a week now!

What
am
I
> > > missing?
> > >
> > >
> >
> >
>
>



Nov 17 '05 #12

This discussion thread is closed

Replies have been disabled for this discussion.