Tuesday, November 18, 2008

ASP.NET Forms Authentication Disappearing Cookie

I have been developing the login for a secure asp.net web application.
The application requires Forms Authentication with a pass through to a Windows Identity (see How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0). To simplify matters I have been building up the security process in an empty web project.
having created a Forms Authentication web site (How To: Use Forms Authentication with Active Directory in ASP.NET 2.0) and implemented the Use Protocol Transition and Constrained Delegation (see link above) the login worked on the Visual Studio 2008 ASP.NET Development Server.

Next step was to release to a development server, the same Windows 2008 machine used to host the main application, following deployment the login failed.
Having searched a little I broke out Fiddler and discovered the Authentication Ticket/Cookie was set on login and then lost on redirect to the target secure page.

After a good nights sleep and fiddling around a little I verified the whole login process worked by placing the ticket on the URI, this however was not an acceptable solution.
Back to searching, this time I included IIS7 in my search and came up with this - I couldn't quite believe this was true, but it fixed my problem.

The test site I had created included an underscore in the URL, this was causing the cookie loss.

I have run this past a few colleagues and despite the use of an underscore in a URL not been common they knew of no real reason not to use one.

I hope this help someone out there.

home | www.purplepool.com