Login security for a form

More info:

It appears the the url obtained from FormsAuthentication.GetRedirectUrl is
not a fully qualified url. It is a relative url. Is there a way for fully
qualify it? If I put http://www.microsoft.com in the Response.Redirect
method, the redirect occurs.

"David W. Simmonds" <da***@simmonds.ca> wrote in message
news:v38Zb.564404$X%5.377677@pd7tw2no...

I have a form that will prompt for a user name/password. In VS.NET, I have
the protected form in a folder named Admin. I have a Web.config file in that folder as well. It contains the following section:

<authorization>
<deny users="?" />
<allow users="*" />
</authorization>

In the root folder where the other forms are located I have a Web.config
file with the following section:

<authentication mode="Forms">
<forms loginUrl="LoginPage.aspx?DB=Photos" timeout="10080" />
</authentication>

In LoginPage.aspx, I have a user name and password edit box and a Login
button. When clicked it executes the following code:

private void Login_Click(object sender, System.EventArgs e)
{
if (Authenticated (UserName.Text, Password.Text))
{
string userData = "";
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
1,
UserName.Text,
System.DateTime.Now,
System.DateTime.Now.AddMinutes(30),
Persistent.Checked,
userData,
FormsAuthentication.FormsCookiePath);

// Encrypt the ticket.
string encTicket = FormsAuthentication.Encrypt(ticket);

// Create the cookie.
Response.Cookies.Add(new
HttpCookie(FormsAuthentication.FormsCookieName, encTicket));
Response.Redirect (FormsAuthentication.GetRedirectUrl(UserName.Text, Persistent.Checked));
}
else
Message("Invalid login");
}

If I specify an invalid login combination, the Message statement executes.
This is good. If I specify a good combination, the form never moves from the login page. The forms are running in a frame on the page that presents them. Why would the page not be redirected when authentication is valid?

Even more info:

It seems that the Redirect is working fine, but it is redirecting back to
the login page even though the url does not contain LoginPage.aspx. It
contains the url to the aspx page that is in the protected folder. Now I
really don't know what is happening now. It's as if the authentication
succeeds, but it redirects me back to the same login page anyway.

"David W. Simmonds" <da***@simmonds.ca> wrote in message
news:lo8Zb.564544$X%5.156411@pd7tw2no...

More info:

It appears the the url obtained from FormsAuthentication.GetRedirectUrl is
not a fully qualified url. It is a relative url. Is there a way for fully
qualify it? If I put http://www.microsoft.com in the Response.Redirect
method, the redirect occurs.

"David W. Simmonds" <da***@simmonds.ca> wrote in message
news:v38Zb.564404$X%5.377677@pd7tw2no...

I have a form that will prompt for a user name/password. In VS.NET, I have the protected form in a folder named Admin. I have a Web.config file in

that

folder as well. It contains the following section:

<authorization>
<deny users="?" />
<allow users="*" />
</authorization>

In the root folder where the other forms are located I have a Web.config
file with the following section:

<authentication mode="Forms">
<forms loginUrl="LoginPage.aspx?DB=Photos" timeout="10080" />
</authentication>

In LoginPage.aspx, I have a user name and password edit box and a Login
button. When clicked it executes the following code:

private void Login_Click(object sender, System.EventArgs e)
{
if (Authenticated (UserName.Text, Password.Text))
{
string userData = "";
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket( 1,
UserName.Text,
System.DateTime.Now,
System.DateTime.Now.AddMinutes(30),
Persistent.Checked,
userData,
FormsAuthentication.FormsCookiePath);

// Encrypt the ticket.
string encTicket = FormsAuthentication.Encrypt(ticket);

// Create the cookie.
Response.Cookies.Add(new
HttpCookie(FormsAuthentication.FormsCookieName, encTicket));
Response.Redirect

(FormsAuthentication.GetRedirectUrl(UserName.Text,

Persistent.Checked));
}
else
Message("Invalid login");
}

If I specify an invalid login combination, the Message statement executes. This is good. If I specify a good combination, the form never moves from

the

login page. The forms are running in a frame on the page that presents

them.

Why would the page not be redirected when authentication is valid?

If its redirecting to the login page it sounds like either the cookie
isn't persisting properly or the login isn't successful.

Can I ask why you have two web.config files? I thought (and I could
be wrong) that a Web Application has only one web.config file that it
loads up when running so am a little unclear about why you have the
second one. If you want a timeout value - you would set that on the
cookie you create.

I have this in my web.config file:

<authentication mode="Forms">
<forms name="demoReport"
loginUrl="login.aspx"
protection="All"
timeout="30"
path="/"/>
</authentication>
<authorization>
<deny users="?" />
</authorization>

I set the start page to be report.aspx and when I run it it send me to
login.aspx to authenticate me. I'm actually authenticating against
active directory in a custom method but my code for the ticket is:

if (sec.authenticateUser(txtUsername.Text.Trim(),
txtPassword.Text.Trim(), "Domain"))
{
FormsAuthenticationTicket ticket = new
FormsAuthenticationTicket(txtUsername.Text.Trim(),
cbPersistCookie.Checked, 30);

// Encrypt the cookie using the machine key for secure transport
string hash = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(
FormsAuthentication.FormsCookieName, // Name of auth cookie
hash); // Hashed ticket

// Set the cookie's expiration time to the tickets expiration time
if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;

// Add the cookie to the list for outgoing response
Response.Cookies.Add(cookie);

// Redirect to requested URL, or homepage if no previous page
// requested
string returnUrl = Request.QueryString["ReturnUrl"];
if (returnUrl == null) returnUrl = "/";

// Don't call FormsAuthentication.RedirectFromLoginPage since it
// could
// replace the authentication ticket (cookie) we just added
Response.Redirect(returnUrl);
}

and this works for me. Have you checked that the authenticated method
you're using is returning true (sorry to ask a stupid question).

Hope this helps!! I've only just got this working so am pretty
excited about it :)

Jen
po*******@hotmail.com

"David W. Simmonds" <da***@simmonds.ca> wrote in message news:<wB8Zb.568446$ts4.160273@pd7tw3no>...

Even more info:

It seems that the Redirect is working fine, but it is redirecting back to
the login page even though the url does not contain LoginPage.aspx. It
contains the url to the aspx page that is in the protected folder. Now I
really don't know what is happening now. It's as if the authentication
succeeds, but it redirects me back to the same login page anyway.

"David W. Simmonds" <da***@simmonds.ca> wrote in message
news:lo8Zb.564544$X%5.156411@pd7tw2no...

More info:

It appears the the url obtained from FormsAuthentication.GetRedirectUrl is
not a fully qualified url. It is a relative url. Is there a way for fully
qualify it? If I put http://www.microsoft.com in the Response.Redirect
method, the redirect occurs.

"David W. Simmonds" <da***@simmonds.ca> wrote in message
news:v38Zb.564404$X%5.377677@pd7tw2no...

I have a form that will prompt for a user name/password. In VS.NET, I have the protected form in a folder named Admin. I have a Web.config file in that folder as well. It contains the following section:

<authorization>
<deny users="?" />
<allow users="*" />
</authorization>

In the root folder where the other forms are located I have a Web.config
file with the following section:

<authentication mode="Forms">
<forms loginUrl="LoginPage.aspx?DB=Photos" timeout="10080" />
</authentication>

In LoginPage.aspx, I have a user name and password edit box and a Login
button. When clicked it executes the following code:

private void Login_Click(object sender, System.EventArgs e)
{
if (Authenticated (UserName.Text, Password.Text))
{
string userData = "";
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket( 1,
UserName.Text,
System.DateTime.Now,
System.DateTime.Now.AddMinutes(30),
Persistent.Checked,
userData,
FormsAuthentication.FormsCookiePath);

// Encrypt the ticket.
string encTicket = FormsAuthentication.Encrypt(ticket);

// Create the cookie.
Response.Cookies.Add(new
HttpCookie(FormsAuthentication.FormsCookieName, encTicket));
Response.Redirect (FormsAuthentication.GetRedirectUrl(UserName.Text, Persistent.Checked));
}
else
Message("Invalid login");
}

If I specify an invalid login combination, the Message statement executes. This is good. If I specify a good combination, the form never moves from the login page. The forms are running in a frame on the page that presents them. Why would the page not be redirected when authentication is valid?

I have two. One resides in a "protected" folder. Any page in that folder
will use the web.config file and that file says to go to the loginpage.aspx.

"Jen" <po*******@hotmail.com> wrote in message
news:75**************************@posting.google.c om...

If its redirecting to the login page it sounds like either the cookie
isn't persisting properly or the login isn't successful.

Can I ask why you have two web.config files? I thought (and I could
be wrong) that a Web Application has only one web.config file that it
loads up when running so am a little unclear about why you have the
second one. If you want a timeout value - you would set that on the
cookie you create.

I have this in my web.config file:

<authentication mode="Forms">
<forms name="demoReport"
loginUrl="login.aspx"
protection="All"
timeout="30"
path="/"/>
</authentication>
<authorization>
<deny users="?" />
</authorization>

I set the start page to be report.aspx and when I run it it send me to
login.aspx to authenticate me. I'm actually authenticating against
active directory in a custom method but my code for the ticket is:

if (sec.authenticateUser(txtUsername.Text.Trim(),
txtPassword.Text.Trim(), "Domain"))
{
FormsAuthenticationTicket ticket = new
FormsAuthenticationTicket(txtUsername.Text.Trim(),
cbPersistCookie.Checked, 30);

// Encrypt the cookie using the machine key for secure transport
string hash = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(
FormsAuthentication.FormsCookieName, // Name of auth cookie
hash); // Hashed ticket

// Set the cookie's expiration time to the tickets expiration time
if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;

// Add the cookie to the list for outgoing response
Response.Cookies.Add(cookie);

// Redirect to requested URL, or homepage if no previous page
// requested
string returnUrl = Request.QueryString["ReturnUrl"];
if (returnUrl == null) returnUrl = "/";

// Don't call FormsAuthentication.RedirectFromLoginPage since it
// could
// replace the authentication ticket (cookie) we just added
Response.Redirect(returnUrl);
}

and this works for me. Have you checked that the authenticated method
you're using is returning true (sorry to ask a stupid question).

Hope this helps!! I've only just got this working so am pretty
excited about it :)

Jen
po*******@hotmail.com

"David W. Simmonds" <da***@simmonds.ca> wrote in message

news:<wB8Zb.568446$ts4.160273@pd7tw3no>...

Even more info:

It seems that the Redirect is working fine, but it is redirecting back to the login page even though the url does not contain LoginPage.aspx. It
contains the url to the aspx page that is in the protected folder. Now I
really don't know what is happening now. It's as if the authentication
succeeds, but it redirects me back to the same login page anyway.

"David W. Simmonds" <da***@simmonds.ca> wrote in message
news:lo8Zb.564544$X%5.156411@pd7tw2no...

More info:

It appears the the url obtained from FormsAuthentication.GetRedirectUrl is not a fully qualified url. It is a relative url. Is there a way for fully qualify it? If I put http://www.microsoft.com in the Response.Redirect
method, the redirect occurs.

"David W. Simmonds" <da***@simmonds.ca> wrote in message
news:v38Zb.564404$X%5.377677@pd7tw2no...
> I have a form that will prompt for a user name/password. In VS.NET, I

have

> the protected form in a folder named Admin. I have a Web.config file

in that

> folder as well. It contains the following section:
>
> <authorization>
> <deny users="?" />
> <allow users="*" />
> </authorization>
>
> In the root folder where the other forms are located I have a

Web.config > file with the following section:
>
> <authentication mode="Forms">
> <forms loginUrl="LoginPage.aspx?DB=Photos" timeout="10080" />
> </authentication>
>
> In LoginPage.aspx, I have a user name and password edit box and a Login > button. When clicked it executes the following code:
>
> private void Login_Click(object sender, System.EventArgs e)
> {
> if (Authenticated (UserName.Text, Password.Text))
> {
> string userData = "";
> FormsAuthenticationTicket ticket = new

FormsAuthenticationTicket(

> 1,
> UserName.Text,
> System.DateTime.Now,
> System.DateTime.Now.AddMinutes(30),
> Persistent.Checked,
> userData,
> FormsAuthentication.FormsCookiePath);
>
> // Encrypt the ticket.
> string encTicket = FormsAuthentication.Encrypt(ticket);
>
> // Create the cookie.
> Response.Cookies.Add(new
> HttpCookie(FormsAuthentication.FormsCookieName, encTicket));
> Response.Redirect

(FormsAuthentication.GetRedirectUrl(UserName.Text,

> Persistent.Checked));
> }
> else
> Message("Invalid login");
> }
>
> If I specify an invalid login combination, the Message statement

executes.

> This is good. If I specify a good combination, the form never moves

from the

> login page. The forms are running in a frame on the page that

presents them.

> Why would the page not be redirected when authentication is valid?
>
>

The authentication is working fine. If I put http://www.microsoft.com into
the redirect method, it redirects everytime.

Also, as far as the multiple web.config files, some of my web pages do not
require authentication. It's only the administrative pages that do. They are
put into another folder with another web.config file. Then the login page
runs for them.

If I change my Privacy settings (Tools -> Internet Options -> Privacy) to
Low or Accept All Cookies, then everything works fine. Is there something I
can do to leave it at Medium?

"Jen" <po*******@hotmail.com> wrote in message
news:75**************************@posting.google.c om...

If its redirecting to the login page it sounds like either the cookie
isn't persisting properly or the login isn't successful.

Can I ask why you have two web.config files? I thought (and I could
be wrong) that a Web Application has only one web.config file that it
loads up when running so am a little unclear about why you have the
second one. If you want a timeout value - you would set that on the
cookie you create.

I have this in my web.config file:

<authentication mode="Forms">
<forms name="demoReport"
loginUrl="login.aspx"
protection="All"
timeout="30"
path="/"/>
</authentication>
<authorization>
<deny users="?" />
</authorization>

I set the start page to be report.aspx and when I run it it send me to
login.aspx to authenticate me. I'm actually authenticating against
active directory in a custom method but my code for the ticket is:

if (sec.authenticateUser(txtUsername.Text.Trim(),
txtPassword.Text.Trim(), "Domain"))
{
FormsAuthenticationTicket ticket = new
FormsAuthenticationTicket(txtUsername.Text.Trim(),
cbPersistCookie.Checked, 30);

// Encrypt the cookie using the machine key for secure transport
string hash = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(
FormsAuthentication.FormsCookieName, // Name of auth cookie
hash); // Hashed ticket

// Set the cookie's expiration time to the tickets expiration time
if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;

// Add the cookie to the list for outgoing response
Response.Cookies.Add(cookie);

// Redirect to requested URL, or homepage if no previous page
// requested
string returnUrl = Request.QueryString["ReturnUrl"];
if (returnUrl == null) returnUrl = "/";

// Don't call FormsAuthentication.RedirectFromLoginPage since it
// could
// replace the authentication ticket (cookie) we just added
Response.Redirect(returnUrl);
}

and this works for me. Have you checked that the authenticated method
you're using is returning true (sorry to ask a stupid question).

Hope this helps!! I've only just got this working so am pretty
excited about it :)

Jen
po*******@hotmail.com

"David W. Simmonds" <da***@simmonds.ca> wrote in message

news:<wB8Zb.568446$ts4.160273@pd7tw3no>...

Even more info:

It seems that the Redirect is working fine, but it is redirecting back to the login page even though the url does not contain LoginPage.aspx. It
contains the url to the aspx page that is in the protected folder. Now I
really don't know what is happening now. It's as if the authentication
succeeds, but it redirects me back to the same login page anyway.

"David W. Simmonds" <da***@simmonds.ca> wrote in message
news:lo8Zb.564544$X%5.156411@pd7tw2no...

More info:

It appears the the url obtained from FormsAuthentication.GetRedirectUrl is not a fully qualified url. It is a relative url. Is there a way for fully qualify it? If I put http://www.microsoft.com in the Response.Redirect
method, the redirect occurs.

"David W. Simmonds" <da***@simmonds.ca> wrote in message
news:v38Zb.564404$X%5.377677@pd7tw2no...
> I have a form that will prompt for a user name/password. In VS.NET, I

have

> the protected form in a folder named Admin. I have a Web.config file

in that

> folder as well. It contains the following section:
>
> <authorization>
> <deny users="?" />
> <allow users="*" />
> </authorization>
>
> In the root folder where the other forms are located I have a

Web.config > file with the following section:
>
> <authentication mode="Forms">
> <forms loginUrl="LoginPage.aspx?DB=Photos" timeout="10080" />
> </authentication>
>
> In LoginPage.aspx, I have a user name and password edit box and a Login > button. When clicked it executes the following code:
>
> private void Login_Click(object sender, System.EventArgs e)
> {
> if (Authenticated (UserName.Text, Password.Text))
> {
> string userData = "";
> FormsAuthenticationTicket ticket = new

FormsAuthenticationTicket(

> 1,
> UserName.Text,
> System.DateTime.Now,
> System.DateTime.Now.AddMinutes(30),
> Persistent.Checked,
> userData,
> FormsAuthentication.FormsCookiePath);
>
> // Encrypt the ticket.
> string encTicket = FormsAuthentication.Encrypt(ticket);
>
> // Create the cookie.
> Response.Cookies.Add(new
> HttpCookie(FormsAuthentication.FormsCookieName, encTicket));
> Response.Redirect

(FormsAuthentication.GetRedirectUrl(UserName.Text,

> Persistent.Checked));
> }
> else
> Message("Invalid login");
> }
>
> If I specify an invalid login combination, the Message statement

executes.

> This is good. If I specify a good combination, the form never moves

from the

> login page. The forms are running in a frame on the page that

presents them.

> Why would the page not be redirected when authentication is valid?
>
>

Hi David,
Thanks for posting in the community!
From your description, you used FormsAuthentication in its Asp.net web
application, you found when the user has been authenticated and call the
Response.Redirect(FormsAuthentication.GetRedirectU rl..) to redirect
user to the fomer requested page, it didn't work, the user is still
redirect back to the login page, yes?
If there is anything I misunderstood, please feel free to let me know.

I've viewed the other messages in this thread and as you mentioned that it
works ok when you turned the IE's cookie privacy to "low" or allow all
cookie, yes? So I suspect that the problem is due to the Authentication
cookie is failed to be store in clientside. That means thought the user has
been authenticated , his authentication cookie(the token) hasn't been
stored into client's cookie that's why when he is still redirect to login
page after authenticated. To confirm it , would you please try out the
following items:(let the browser's cookie privacy as meduim by default)
1. Try manually redirecting the user to a protected page(via hard code url
address rather than get via GetRedirectUrl method) after setting the
authenticate cookie to see whether the problem still remains.

2. Try using the FormsAuthentication.RedirectFromLoginPage to see whether
this works.

3. If all the above not work, I think you may have a check to see whether
the authentication cookie is correctly store to the client. Turn on the
page's trace and check the Request and Response's cookie collection
,whether the Authenctiona cookie is in cookie collecdtion.

4. Also, try add a normal cookie variable into the response.cookies
collecdtion and then retrieve it again in another page to see whether
normal cookie can work well.

Please try out the above items. If you got any progresses, please feel free
to post here.
Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

I used this code instead:

private void Login_Click(object sender, System.EventArgs e)
{
if (Authenticated (UserName.Text, Password.Text))
{
FormsAuthenticationTicket ticket = new
FormsAuthenticationTicket(UserName.Text, Persistent.Checked, 20);
string strEncrypted = FormsAuthentication.Encrypt(ticket);
string strURL = FormsAuthentication.GetRedirectUrl(UserName.Text,
Persistent.Checked);
if (strURL.IndexOf("?") == -1)
{
strURL += "?" + FormsAuthentication.FormsCookieName + "=" +
strEncrypted;
}
else
{
strURL += "&" + FormsAuthentication.FormsCookieName + "=" +
strEncrypted;
}
Response.Redirect(strURL);
}
else
Message("Invalid login");
}

Now it doesn't matter what the Privacy setting is.
"Steven Cheng[MSFT]" <v-******@online.microsoft.com> wrote in message
news:i8**************@cpmsftngxa07.phx.gbl...

Hi David,
Thanks for posting in the community!
From your description, you used FormsAuthentication in its Asp.net web
application, you found when the user has been authenticated and call the
Response.Redirect(FormsAuthentication.GetRedirectU rl..) to redirect
user to the fomer requested page, it didn't work, the user is still
redirect back to the login page, yes?
If there is anything I misunderstood, please feel free to let me know.

I've viewed the other messages in this thread and as you mentioned that it
works ok when you turned the IE's cookie privacy to "low" or allow all
cookie, yes? So I suspect that the problem is due to the Authentication
cookie is failed to be store in clientside. That means thought the user has been authenticated , his authentication cookie(the token) hasn't been
stored into client's cookie that's why when he is still redirect to login
page after authenticated. To confirm it , would you please try out the
following items:(let the browser's cookie privacy as meduim by default)
1. Try manually redirecting the user to a protected page(via hard code url
address rather than get via GetRedirectUrl method) after setting the
authenticate cookie to see whether the problem still remains.

2. Try using the FormsAuthentication.RedirectFromLoginPage to see whether
this works.

3. If all the above not work, I think you may have a check to see whether
the authentication cookie is correctly store to the client. Turn on the
page's trace and check the Request and Response's cookie collection
,whether the Authenctiona cookie is in cookie collecdtion.

4. Also, try add a normal cookie variable into the response.cookies
collecdtion and then retrieve it again in another page to see whether
normal cookie can work well.

Please try out the above items. If you got any progresses, please feel free to post here.
Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

Hi David,
Thanks for your followup. From the code you provided in the last reply,
you're using cookieless FormAuthentication now, store the Authentication
token in url querystring rather than in client cookie? But I think the
former problem we meet still remains on the cookie, have you tried out the
suggestions in my last reply? Please try them out and let me know if you
need any further help. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

Ok, I did steps 1 and 2. All that happens is that it just goes back to the
login page.

I am unclear as to how to do steps 3 and 4. Please advise.

"Steven Cheng[MSFT]" <v-******@online.microsoft.com> wrote in message
news:i8**************@cpmsftngxa07.phx.gbl...

Hi David,
Thanks for posting in the community!
From your description, you used FormsAuthentication in its Asp.net web
application, you found when the user has been authenticated and call the
Response.Redirect(FormsAuthentication.GetRedirectU rl..) to redirect
user to the fomer requested page, it didn't work, the user is still
redirect back to the login page, yes?
If there is anything I misunderstood, please feel free to let me know.

I've viewed the other messages in this thread and as you mentioned that it
works ok when you turned the IE's cookie privacy to "low" or allow all
cookie, yes? So I suspect that the problem is due to the Authentication
cookie is failed to be store in clientside. That means thought the user has been authenticated , his authentication cookie(the token) hasn't been
stored into client's cookie that's why when he is still redirect to login
page after authenticated. To confirm it , would you please try out the
following items:(let the browser's cookie privacy as meduim by default)
1. Try manually redirecting the user to a protected page(via hard code url
address rather than get via GetRedirectUrl method) after setting the
authenticate cookie to see whether the problem still remains.

2. Try using the FormsAuthentication.RedirectFromLoginPage to see whether
this works.

3. If all the above not work, I think you may have a check to see whether
the authentication cookie is correctly store to the client. Turn on the
page's trace and check the Request and Response's cookie collection
,whether the Authenctiona cookie is in cookie collecdtion.

4. Also, try add a normal cookie variable into the response.cookies
collecdtion and then retrieve it again in another page to see whether
normal cookie can work well.

Please try out the above items. If you got any progresses, please feel free to post here.
Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

I turned on Trace in the Login page. Here is what I saw:

ASP.NET_SessionId axoagw55qmcq5l55m5ctskfp 42
Then I added the "testcookie" bit into another page, turned the trace on it
as well. I saw this in that page.

ASP.NET_SessionId f5utpgfelv2ndh45zooqsk55 42
testcookie testcookie_value 27
Then I went back to the Login page and all I saw was the ASP.NET_SessionId.
I don't understand what I am seeing though.

"Steven Cheng[MSFT]" <v-******@online.microsoft.com> wrote in message
news:GE****************@cpmsftngxa06.phx.gbl...

Hi David,
Thanks for your followup. As for the step3 and 4, here is the detailed
steps:
# How to turn on the page's trace, just add Trace="true" in the aspx
page's @page directive, forexample:
<%@ Page language="c#" Codebehind="WebForm1.aspx.cs"
AutoEventWireup="false" Trace="true" .....>

Then, you can lookup the Cookie or Session or some other useful infos of
the page on its display screen.
And By default there has a cookie named "ASPNET_SessionID" which represent
the id of the ServerSide SesssionState
If you used FormAuthentication, there'll has another cookie named as the
name value you specify in the web.config such as:
<forms name=".ASPNET_FORM_NAME" .....>

# As for the testing cookie as I mentioned in the step 4 last time, you can just add the following code:
##Please also test when using Windows Authentication instead
formsAuthentication
In page one:
HttpCookie cookie = new HttpCookie("testcookie","testcookie_value");
cookie.Expires = DateTime.Now.AddYears(1);
Response.Cookies.Add(cookie);

Then in another page(turn on the trace to see whether the added cookie
appears in the cookie collection).

In addtion, I've attached two screen shot on the above condition I've
mentioned, please refer to them if you feel anything unclear. Also, if you
still have any questions, please feel free to post here.
Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

Hi David,

Thanks for your reply. From your test result. It seems that your
application is ok to write normal cookie onto the client side machine(for
you have seen the "ASPNET_SessionID" cookie in the trace report). Then, if
you turn on the FormsAuthentication, do you see another cookie in the
Cookie collection? Its name is the same as you set in the
machien.config such as
<forms name=".ASPNET_FORM_NAME" .....>

If not, the problem why Formauthentication failed when store token in
cookie may be something with the Web Application's cookie privacy setting.
In IE 6 under default privacy policy(meduim) all third party cookies that
do not have a compact policy are blocked. If your asp.net web application
is in a different domain
from the page the contains the iframe, it is considered as third party
context and the cookie is blocked. Since the cookie is not set you are
always redirected to the login page.
Do your pages set in a frame or iframe? Or you may try creating a very
simple web app which just has two pages , one login page, another protected
page and using FormsAuthentication, if this application can work well with
cookiebased formauthentication, I think the problem is focus on your
application (it may contains some third-party cookie like behavior ).
If this does be the cause of the problem, you need to allow the third party
cookies you need to develop a compact
policy.

Here are some kb articles on the IE cookie privacy setting and IIS
third-party cookie policy setting, you may have a look if you feel
necessary:

#HOW TO: Configure IIS To Use Platform for Privacy Preferences (P3P)
http://support.microsoft.com/?id=324013

Also, there has the weblinks to some other web reference such as on

#The Default Privacy Settings for Internet Explorer 6
http://support.microsoft.com/?id=293222

"how to create the full privacy policy, policy reference, and compact codes"
http://www.w3.org/P3P

and "information about full privacy policy, policy reference, and compact
codes"
http://msdn.microsoft.com/library/de...curity/privacy
/overview/createprivacypolicy.asp

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx