 

Change in User-Agent header triggering forms authentication

I've got an app built using ASP.NET MVC 3.0. It uses ASP.NET's built-in forms authentication, without session state, and cookies on the browser to identify the user making requests.

Now, when I'm testing the app using IE9, the typical HTTP request sends this User-Agent header, and everything works fine.

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

However, we have one page in the app that has an ActiveX container that hosts Microsoft Word in the browser. The purpose of this ActiveX container is to allow you to make modifications to the word document, click on a button to POST that word document with your changes to our server so it can be saved.

There is a method in the ActiveX control--Office Viewer Component from www.ocxt.com--called HttpPost() that POSTs the contents of the viewed document to the server.

When you call HttpPost(), it sends all the same cookies properly, but uses a different User-Agent string.

User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)

The User-Agent string with MSIE 5.5 appears to cause ASP.NET or MVC to not send the request to the appropriate controller, but instead to send a redirect response to the Login page, even though the cookie is correct for the session. I did a test with Fiddler and tried using MSIE 6.0, 7.0 and 8.0, and those seem to work fine, so specifically 5.5 causes part of the server stack to redirect to the login page.

This page used to work fine, so I'm not sure whether something has changed in recent versions of ASP.NET/MVC, or whether it is because I've moved up to IE 9.0, but basically I'd like to know if it is possible to tell ASP.NET not to take the User-Agent into account when determining whether a session has been authenticated already or not.

Thanks.

asked by Linus, Sep 27 '11 14:09


2 Answers

IIRC there was a change in ASP.NET 4.0 where Forms Authentication uses the user agent to detect whether it supports cookies, and if the user agent is not recognized or is unsupported, it simply doesn't use the authentication cookie. You will need to change the User-Agent of the HTTP request.

answered by Darin Dimitrov, Sep 24 '22 14:09


To disable this default behavior, where the web server checks the user agent for cookie support, and force cookies for all browsers, set this in web.config:

<system.web>
    <authentication mode="Forms">
        <forms cookieless="UseCookies" />
    </authentication>
</system.web>

What's annoying about this default setting is that some valid User-Agent headers on new browsers will cause cookies to be ignored.

This User-Agent's forms auth cookie is NOT ignored:

Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3

This User-Agent's forms auth cookie IS ignored:

Mozilla/5.0 (iPhone; CPU iPhone OS 6_0_1 like Mac OS X; en-us) AppleWebKit/536.26 (KHTML, like Gecko) CriOS/23.0.1271.91 Mobile/10A523 Safari/8536.25

But adding the cookieless="UseCookies" attribute will tell ASP.NET to use the cookies from any user agent.

answered by JeremyWeir, Sep 21 '22 14:09
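The experiment the question describes (replaying one authenticated request under several User-Agent strings in Fiddler) is worth keeping as a regression check once the `cookieless="UseCookies"` fix from the second answer is in place, because the failure mode is that an authentication decision depends on a client-controlled header. The script below is an added example, not code from the question, the answers or any ASP.NET component. `probe()` sends the same path and the same Cookie header once per User-Agent without following redirects and reports which ones are bounced to the login page. So that it runs offline, it is paired with a constructed stub server that only imitates the symptom (User-Agents containing "MSIE 5.5" or "CriOS" are treated as cookieless); the stub is not ASP.NET's real browser-capability lookup, the cookie name `.ASPXAUTH` is the forms-auth default, and the `/Account/Login` path and `/Documents/Save` path are assumptions.

```python
"""Replay one authenticated request under several User-Agent strings and
record which ones the server answers with a redirect to the login page
instead of the protected resource (the Fiddler test from the question)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# User-Agent strings quoted in the question and in the second answer.
USER_AGENTS = {
    "IE9": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)",
    "OCX HttpPost": "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)",
    "iPad Safari": "Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 "
                   "(KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3",
    "iPhone CriOS": "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0_1 like Mac OS X; en-us) "
                    "AppleWebKit/536.26 (KHTML, like Gecko) CriOS/23.0.1271.91 "
                    "Mobile/10A523 Safari/8536.25",
}


def probe(host, port, path, cookie_header, user_agents, login_path="/Account/Login"):
    """Send the same request (same path, same Cookie header) once per User-Agent,
    without following redirects, and classify each response:
      "ok"                  -> 200, the auth cookie was honoured
      "redirected-to-login" -> 3xx whose Location points at login_path
      "HTTP nnn"            -> anything else
    login_path defaults to the MVC 3 template's route (an assumption)."""
    results = {}
    for name, ua in user_agents.items():
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request("GET", path, headers={"User-Agent": ua, "Cookie": cookie_header})
            resp = conn.getresponse()
            resp.read()  # drain the body so the connection closes cleanly
            location = resp.getheader("Location") or ""
            if resp.status in (301, 302, 303, 307) and login_path.lower() in location.lower():
                results[name] = "redirected-to-login"
            elif resp.status == 200:
                results[name] = "ok"
            else:
                results[name] = "HTTP %d" % resp.status
        finally:
            conn.close()
    return results


class _CookielessFallbackStub(BaseHTTPRequestHandler):
    """Constructed stand-in for the misbehaving server so the probe runs offline.
    It mimics the symptom only: a User-Agent containing one of the markers below
    is treated as a browser without cookie support, so the auth cookie is ignored
    and the client is bounced to the login page. This is NOT ASP.NET's real
    browser-capability lookup."""
    COOKIELESS_MARKERS = ("MSIE 5.5", "CriOS")
    AUTH_COOKIE = ".ASPXAUTH="  # default forms-authentication cookie name

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        cookie = self.headers.get("Cookie", "")
        treated_as_cookieless = any(marker in ua for marker in self.COOKIELESS_MARKERS)
        if self.AUTH_COOKIE in cookie and not treated_as_cookieless:
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"protected resource\n")
        else:
            self.send_response(302)
            self.send_header("Location", "/Account/Login?ReturnUrl=" + self.path)
            self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def run_demo():
    """Start the stub on a loopback port, probe it with a constructed auth cookie
    value, and return the per-User-Agent classification."""
    server = HTTPServer(("127.0.0.1", 0), _CookielessFallbackStub)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return probe("127.0.0.1", server.server_port, "/Documents/Save",
                     ".ASPXAUTH=constructed-ticket-value", USER_AGENTS)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print("%-14s %s" % (name, verdict))
```

Against a real deployment, point `probe()` at the application host with the `.ASPXAUTH` value captured from a browser session and the path the ActiveX control posts to; after the `cookieless="UseCookies"` change every entry should come back "ok". One caveat worth keeping in mind when choosing that setting: under the default device-profile mode, a user agent judged not to support cookies is not merely logged out, it is moved to cookieless forms authentication, in which the ticket travels in the URL and can leak through Referer headers, proxy logs and browser history, so pinning cookies is the safer configuration as well as the fix for the ActiveX POST.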