Sorry if this has been covered, but I'm about to pull my hair out. My site is using forms authentication and works perfectly when I test on //localhost but when I publish to the web it does not work in IE9. I have followed all the steps outlined in tutorials but when using IE9 or Chrome FormsAuthentication.SetAuthCookie never creates the cookie. The kicker is when I use Firefox it works. Below is code from my web.config and my code behind in C#.
Basically, I collect the username and password from the user and authenticate against my SQL Server with a stored proc. Then return a temporary web key that the site uses to interact with the user's profile. The web key is stored in the FormsAuthentication cookie as the identity which I can retrieve to validate the user being logged in.
Also, I know that the authentication cookie is never created because I have an asp:loginstatus control on the page that never changes.
web.config:
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx"
             protection="All"
             path="/"
             slidingExpiration="true"
             timeout="60"
             cookieless="AutoDetect" />
    </authentication>
    <authorization>
      <deny users="?"/>
      <allow users="*"/>
    </authorization>
In the code behind:

    void LogUserIn(string UserEmail, string Pwd)
    {
        conn = new SqlConnection(connstr);
        sql = new SqlCommand("exec usp_AuthLogin @Email, @Pwd", conn);
        sql.Parameters.AddWithValue("@Email", UserEmail);
        sql.Parameters.AddWithValue("@Pwd", Pwd);
        try
        {
            conn.Open();
            reader = sql.ExecuteReader();
            while (reader.Read())
            {
                Result = reader["Result"].ToString(); // value of webkey
            }
        }
        catch (Exception ex)
        {
            // exception is swallowed here; Result keeps whatever value it had before
        }
        finally
        {
            conn.Close();
        }
        // if successful log in and create cookie
        if (Result != "Denied")
        {
            FormsAuthentication.SetAuthCookie(Result, true); // set cookie with webkey from sql server
            LoggedIn = true;
        }
        else
        {
            LoggedIn = false;
        }
    }

Please help
I'm pretty sure you need to use the username as the first parameter in SetAuthCookie - it's how the FormsAuthentication module knows who the user is.
SetAuthCookie creates an auth ticket under the hood. Have you tried making your own auth ticket? It will let you store extra data on it.
It's explained here: http://msdn.microsoft.com/en-us/library/system.web.security.formsauthenticationticket.aspx#Y1368
Basically you do this:

    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
        username,
        DateTime.Now,
        DateTime.Now.AddMinutes(30),
        isPersistent, //true or false
        webkey, //Custom data like your webkey can go here
        FormsAuthentication.FormsCookiePath);
    // Encrypt the ticket.
    string encTicket = FormsAuthentication.Encrypt(ticket);
    // Create the cookie.
    Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));

This explains how you read the data back: http://msdn.microsoft.com/en-us/library/system.web.security.formsauthenticationticket.userdata.aspx

    FormsIdentity id = (FormsIdentity)User.Identity;
    FormsAuthenticationTicket ticket = id.Ticket;
    string webkey = ticket.UserData;

Edit: Also, the auth cookie is HttpOnly by default. You can use a Firefox plugin like Live Headers to verify that it is created.
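
An added example, not part of the original answer: a C# helper that builds the ticket described above with the user name as the identity and the web key in UserData, sets HttpOnly and a persistent expiry on the cookie, and issues no cookie when the login result is empty or "Denied". The names WebKeyTicket, TryIssue and ReadWebKey are hypothetical; it assumes .NET 4.0 or later (for FormsAuthentication.Timeout) and cookie-based mode rather than cookieless URLs.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example; WebKeyTicket, TryIssue and ReadWebKey are hypothetical names.
public static class WebKeyTicket
{
    // Returns false and sets no cookie unless the stored proc returned a usable web key.
    public static bool TryIssue(HttpResponse response, string userEmail,
                                string webKey, bool isPersistent)
    {
        // Fail closed: a null or empty result (for example after a swallowed exception) is not a login.
        if (string.IsNullOrEmpty(webKey) || webKey == "Denied")
            return false;

        DateTime now = DateTime.Now;
        DateTime expires = now.Add(FormsAuthentication.Timeout); // timeout from web.config
        var ticket = new FormsAuthenticationTicket(
            1, userEmail, now, expires, isPersistent,
            webKey, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                         // a hand-built HttpCookie does not set this itself
            Secure = FormsAuthentication.RequireSSL, // follows requireSSL on the <forms> element
            Path = FormsAuthentication.FormsCookiePath
        };
        if (!string.IsNullOrEmpty(FormsAuthentication.CookieDomain))
            cookie.Domain = FormsAuthentication.CookieDomain;
        if (isPersistent)
            cookie.Expires = expires; // without Expires the browser treats it as a session cookie
        response.Cookies.Add(cookie);
        return true;
    }

    // Returns the web key of the authenticated forms user, or null if there is none.
    public static string ReadWebKey(IPrincipal user)
    {
        var id = user == null ? null : user.Identity as FormsIdentity;
        return (id != null && id.IsAuthenticated) ? id.Ticket.UserData : null;
    }
}
```

From a page's code behind this would be called as `WebKeyTicket.TryIssue(Response, UserEmail, Result, true)` after the stored procedure returns, and `WebKeyTicket.ReadWebKey(User)` on later requests.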