
ASP.NET authentication cookie disappears, only in IE, only from specific locations

Internet Explorer is not keeping my authentication cookie after one page redirect.

Here is the situation:

I have an ASP.NET 2.0 web application running on shared IIS7 hosting. The application uses forms authentication to handle login and user identity, and writes a cookie (.ASPXFORMSAUTH) on the client machine for that purpose.

In IE (checked with versions 8 and 9), from some locations, the authentication cookie is not being kept after the first page. The observed behavior is:

  1. User name and password are submitted in login form
  2. User is successfully redirected to the first-after-login page (and Fiddler shows that the .ASPXFORMSAUTH cookie exists)
  3. After clicking another link or hitting F5 for refresh, the user is redirected to login, and the authentication cookie (according to Fiddler) doesn't exist anymore. At the refresh / click, the authentication cookie is missing in the request headers.

This doesn't happen in Chrome / FF, and even in IE, it seems to be dependent on the location from which I am connected.

Also, locally (using the internal dev server in VS2008), all works fine and reflects fine in Fiddler as well.

I am banging my head at it for a few days now. Thought it may be some kind of a strange firewall problem, but couldn't determine anything conclusive.

Ideas will be appreciated.

Arnon Zamir asked Dec 13 '11 09:12


2 Answers

IE suffers from a weird bug - for some reason, if there are non-alphanumeric characters in the domain's name, IE won't persist cookies... and hence you'll have no persistent session between different calls.

Check if your domain has non-alphanumeric characters in it, such as test_domain or test-domain or the like. Unfortunately, I don't know any fixes for this short of aliasing the incriminated domain or accessing it directly via the IP. The reason you've got no problems locally is that you're pointing to http://localhost, which is fine. As soon as you deploy to a non-IE-compliant domain you'll witness the problem.

Happened to me and it took hours to find out why. Hope this helps. Another reason to kill IE with fire.

Andrea Dallera answered Oct 15 '22 05:10
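An added example, not part of any post on this page: a small Python check that walks a captured session (such as one exported from Fiddler) and reports the first request that omits .ASPXFORMSAUTH after the server issued it, together with the host-name characters the answer above says to look for. It goes a little beyond the thread by also flagging two Set-Cookie attribute mismatches; the trace, the host names and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

AUTH_COOKIE = ".ASPXFORMSAUTH"  # forms-auth cookie name from the question
# Constructed capture: (request URL, request Cookie header, response Set-Cookie headers)
SAMPLE_TRACE = [
    ("http://test_domain.example/login.aspx", "", [".ASPXFORMSAUTH=ABC123; path=/; HttpOnly"]),
    ("http://test_domain.example/home.aspx", ".ASPXFORMSAUTH=ABC123", []),
    ("http://test_domain.example/reports.aspx", "ASP.NET_SessionId=xyz", []),
]

def odd_host_chars(url):
    """Host-name characters other than letters, digits and dots (RFC 1123 allows '-', not '_')."""
    return sorted(set(re.findall(r"[^A-Za-z0-9.]", urlsplit(url).hostname or "")))

def sent_cookies(cookie_header):
    """Cookie names present in a request Cookie header."""
    return {p.partition("=")[0].strip() for p in cookie_header.split(";") if p.strip()}

def attribute_findings(url, set_cookie):
    """Set-Cookie attributes that stop a browser from sending the cookie back."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    attrs = dict(a.strip().lower().partition("=")[::2] for a in set_cookie.split(";")[1:])
    findings = []
    if "secure" in attrs and parts.scheme != "https":
        findings.append("Secure attribute on an http response")
    domain = attrs.get("domain", "").lstrip(".")
    if domain and host != domain and not host.endswith("." + domain):
        findings.append("Domain attribute does not cover the request host")
    return findings

def diagnose(trace, name=AUTH_COOKIE):
    """Report the first request that omits the cookie after the server issued it."""
    report = {"dropped_at": None, "host_chars": [], "attribute_findings": []}
    issued = False
    for url, cookie_header, set_cookies in trace:
        if issued and name not in sent_cookies(cookie_header):
            report["dropped_at"] = url
            report["host_chars"] = odd_host_chars(url)
            break
        for sc in set_cookies:
            cname, _, rest = sc.partition("=")
            if cname.strip() == name:
                issued = bool(rest.split(";")[0].strip())  # empty value means sign-out
                report["attribute_findings"] = attribute_findings(url, sc)
    return report

print(diagnose(SAMPLE_TRACE))
```

A non-empty `host_chars` list alongside a `dropped_at` URL points at the host name; an empty list with attribute findings points at how the cookie was issued.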


My solution has been a combination of other solutions:

  1. IE not saving asp.net authentication token / cookies
  2. http://connect.microsoft.com/VisualStudio/feedback/details/662275/asp-net-user-agent-sniffing-and-ie10-internet-explorer-10
  3. Upgrade to .NET 4.0, adding the tag ticketCompatibilityMode="Framework40" in the web.xml: http://msdn.microsoft.com/en-us/library/1d3t3c61.aspx

Note that the real final solution was the 3rd.

Last but not least: once I set the flag above, I had to change the logout method in the code-behind because the old one did not log out any more:

```csharp
protected void LoginStatusLink_LoggedOut(object sender, EventArgs e) {
    // remove the authentication cookies from the browser
    FormsAuthentication.SignOut();

    // force a new 'expired' auth cookie
    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName);
    cookie.Expires = DateTime.Now.AddMonths(-1);
    Response.Cookies.Add(cookie);

    // delete roles cookie
    Roles.DeleteCookie();

    // clear and abandon session
    Session.Clear();
    Session.Abandon();

    // this line just to leave (forget) the current page
    this.Response.Redirect("~/");
}
```
Gianpiero answered Oct 15 '22 05:10