Question

I have an older ASP.NET WebForms application that is trying to authenticate users. The application works perfectly in staging and production. However, when attempting to use IISExpress to debug locally, it doesn't.

There's a user control that is placed within a master page that contains a Login server control. The Login server control has a custom template and calls LoginControl_Authenticate during the OnAuthenticate event. There is one other server event called LoginControl_LoggedIn that is called during the OnLoggedIn event. Here's the code for those two methods:

Private Sub LoginControl_LoggedIn(ByVal sender As Object, ByVal e As System.EventArgs)
    Response.Redirect("~/VerifyAuthentication.aspx", True)
End Sub

Private Sub LoginControl_Authenticate(ByVal sender As Object, ByVal e As AuthenticateEventArgs)
    Dim loginCtrl As Login = CType(LoginContainer.FindControl("LoginControl"), Login)
    Dim username As String = loginCtrl.UserName
    Dim password As String = loginCtrl.Password
    e.Authenticated = Membership.ValidateUser(username, password)
End Sub

The VerifyAuthentication.aspx page is supposed to then validate the user and do some crazy profile population. On Page_Load, the first statement is to check User.Identity.IsAuthenticated. Again, locally, this is returning False every time. However, in production, it works as expected. Below is a snippet of this method:

Private Sub Page_Load(ByVal s As Object, ByVal e As EventArgs)
    If Not User.Identity.IsAuthenticated Then
        ...
    End If
    ...
End Sub

The web.config is configured as described below:

<system.web>
    <machineKey validationKey="..." decryptionKey="..." validation="SHA1"/>
    <authentication mode="Forms">
        <forms name=".ASPXAUTH" enableCrossAppRedirects="true" timeout="600" defaultUrl="/VerifyAuthentication.aspx" loginUrl="/" protection="All" slidingExpiration="true" domain="localhost" cookieless="UseDeviceProfile" />
    </authentication>
    <membership defaultProvider="DefaultSqlMembershipProvider">
        <providers>
            <clear/>
            <add name="DefaultSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="LocalSqlServer" enablePasswordRetrieval="true" enablePasswordReset="true" requiresQuestionAndAnswer="false" applicationName="/" requiresUniqueEmail="true" passwordFormat="Encrypted" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="60" passwordStrengthRegularExpression=""/>
        </providers>
    </membership>
    ...
</system.web>

As a side note, IIS Express is running this application as localhost:1800.

EDIT (11.14.2013 10:00 AM EST)

At Scott's request, I did verify both the local and production versions in Fiddler. In both versions, the response being sent back is for Set-Cookie. However, only the production version is actually setting the cookie (meaning that the .ASPXAUTH cookie appears in the cookie collection for the public version).

EDIT (11/14/2013 11:30 AM EST) Yes. Here are the response and request headers:

Local Development

From the login:

Response sent 278 bytes of Cookie data:
            Set-Cookie: .ASPXAUTH=AE66DCD41A34991EA27494478D779955ECE7AE3195BC5FE4F19085E9DC3307AF754D540A3B04504DBE65F79F1CFB3FA57780E807D4FA4D8BBD79E09A30BBE40BE4A8D76D26EC3F4FDD335A3667770E3CF7C8D8ACDD3E08B3D5A6B4F076EE5E638B6913DA774A662D300F9E1B554147F9E50D7B65; domain=localhost; path=/; HttpOnly

From VerifyAuthentication.aspx

Request sent 42 bytes of Cookie data:

ASP.NET_SessionId=udyfmuy3xg5k3145khptvxer

Production

From the login:

Response sent 291 bytes of Cookie data:
            Set-Cookie: .ASPXAUTH=A34B5A519F2357269239544D4BFAE6DA30C9681F4F2C38D9574F747940C9F27F408AF2BB4A79437DFAB30E18E157D7C7291B1A4BFB98485C93F6427C6851737E8F3C35368A11C053BB5F9E48A0535D5178F10AB9E802C7956C80565F1B2CA042DE51228EF62CAB6B9E3AC748FDA87895B1C3D190; domain=mydomain.com; path=/; HttpOnly

From VerifyAuthentication.aspx

Request sent 286 bytes of Cookie data:

ASP.NET_SessionId=ex03esugzcdjuk55tevnfq3o; .ASPXAUTH=A34B5A519F2357269239544D4BFAE6DA30C9681F4F2C38D9574F747940C9F27F408AF2BB4A79437DFAB30E18E157D7C7291B1A4BFB98485C93F6427C6851737E8F3C35368A11C053BB5F9E48A0535D5178F10AB9E802C7956C80565F1B2CA042DE51228EF62CAB6B9E3AC748FDA87895B1C3D190

Solution

My guess is that it has to do with using “localhost” in .config for the cookie’s domain.
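The guess above can be checked against the Set-Cookie headers captured in the question. The following Python diagnostic is an added example, not part of the original answer: it models two RFC 2109 (section 4.3.2) rejection rules for the Domain attribute, which real browsers implement with some variation. The function names are hypothetical and the sample headers are constructed from the question's captures with the cookie values shortened.

```python
# Added diagnostic: explain why a client may discard a Set-Cookie header.
# Models two RFC 2109 section 4.3.2 rules; actual browser behaviour varies in detail.


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs); attr names lower-cased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def domain_rejection_reason(header, request_host):
    """Return None if the Domain attribute is acceptable, else the reason it is not."""
    _, _, attrs = parse_set_cookie(header)
    domain = attrs.get("domain")
    if not domain:
        return None  # no Domain attribute: host-only cookie, always accepted
    host = request_host.split(":")[0].lower()  # cookies are not scoped by port
    bare = domain.lower().lstrip(".")
    if "." not in bare:
        # Rule 1: a Domain value without an embedded dot is rejected.
        return "Domain=%s has no embedded dot" % domain
    if host != bare and not host.endswith("." + bare):
        # Rule 2: the request host must domain-match the Domain value.
        return "host %s does not domain-match %s" % (host, domain)
    return None


# Constructed samples shaped like the question's headers (cookie values shortened).
LOCAL = ".ASPXAUTH=AE66DCD4; domain=localhost; path=/; HttpOnly"
PROD = ".ASPXAUTH=A34B5A51; domain=mydomain.com; path=/; HttpOnly"
HOST_ONLY = ".ASPXAUTH=AE66DCD4; path=/; HttpOnly"  # same cookie, no domain attribute

if __name__ == "__main__":
    cases = [
        ("local (domain=localhost)", LOCAL, "localhost:1800"),
        ("production", PROD, "www.mydomain.com"),
        ("local (no domain attribute)", HOST_ONLY, "localhost:1800"),
    ]
    for label, header, host in cases:
        print(label, "->", domain_rejection_reason(header, host) or "accepted")
```

The third case corresponds to a forms element with the domain attribute omitted for local debugging, which yields a host-only cookie that is sent back to localhost:1800.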

Licensed under: CC-BY-SA with attribution