
Calling FormsAuthentication.SignOut() removes the FormsAuthentication cookies in ASP.NET 1.1. Sometimes folks call it from their Login page, like this:

if (!Page.IsPostBack)
{
    FormsAuthentication.SignOut();
}

This says, "If this is a fresh load of this page, clear out the authentication cookies."

If this seems like a reasonable thing, that's because it is. However, if you run an ASP.NET 1.1 site under ASP.NET 2.0 without recompiling, as a number of dasBlog users do, you may get some odd behavior.

You'll visit the Login.aspx page and be redirected back to Login.aspx forever in a loop, which will make your URL look like this:

/Blog/login.aspx?ReturnUrl=%2fBlog%2flogin.aspx%3fReturnUrl%3d%252fBlog%252flogin.aspx%
253fReturnUrl%253d%25252fBlog%25252flogin.aspx%25253fReturnUrl%25253d%2525252fBlog%
525252flogin.aspx%2525253fReturnUrl%2525253d%252525252fBlog%252525252flogin.aspx%
52525253fReturnUrl%252525253d%25252525252fBlog%25252525252flogin.aspx%25252525253fReturnUrl%
5252525253d%2525252525252fBlog%2525252525252flogin.aspx%2525252525253fReturnUrl%2525252525253d%
52525252525252fBlog%252525252525252flogin.aspx%252525252525253fReturnUrl%252525252525253d%
5252525252525252fBlog%25252525252525252flogin.aspx%25252525252525253fReturnUrl%25252525252525253d%
525252525252525252fBlog%2525252525252525252flogin.aspx%2525252525252525253fReturnUrl%
525252525252525253d%252525252525252525252fBlog%252525252525252525252fLogin.aspx

Why? Because ASP.NET 2.0 added this code inside SignOut():

if (FormsAuthentication.CookieMode != HttpCookieMode.UseCookies)
{
    Response.Redirect(FormsAuthentication.GetLoginPage(null), false);
}

That's pretty interesting. If you call SignOut() it redirects you to the Login page, but only if your CookieMode isn't set to UseCookies. This is because ASP.NET 2.0 added support for cookieless FormsAuthentication. They store the auth information in the URL, and they redirect you because they want to clear the authentication info. Makes sense.

What doesn't make sense is why HttpCookieMode doesn't default to UseCookies. It defaults to Cookieless. Which is lovely under ASP.NET 2.0, but not under 1.1. It stays that way and confuses the system.

So, if you see this kind of infinite redirect with FormsAuthentication while running ASP.NET 1.1 applications under ASP.NET 2.0, you can add cookieless="UseCookies" to your <forms> element in web.config:

<forms cookieless="UseCookies" name=".DASBLOGAUTH" protection="All" timeout="60" path="/"/>
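
The runaway ReturnUrl shown earlier is easy to spot in request logs. As an added example (not code from the original post or from dasBlog), this Python script counts how many times ReturnUrl points back at the page being requested and flags deeply nested requests; the log line layout, the threshold and the function names are assumptions.

```python
from urllib.parse import urlsplit, parse_qs, quote

LOGIN = "/Blog/login.aspx"   # login page path, as in the post
MAX_LEVELS = 64              # hard stop so hostile input cannot keep us unwrapping


def return_url_depth(url, param="returnurl"):
    """Count how many times ReturnUrl points back at the page being requested."""
    depth = 0
    for _ in range(MAX_LEVELS):
        parts = urlsplit(url)
        # parse_qs removes exactly one layer of percent-encoding per pass
        query = {k.lower(): v for k, v in parse_qs(parts.query).items()}
        target = query.get(param, [None])[0]
        if target is None:
            break
        if urlsplit(target).path.lower() != parts.path.lower():
            break  # ReturnUrl leads to another page: an ordinary login redirect
        depth += 1
        url = target
    return depth


def flag_loops(log_lines, threshold=3):
    """Return (line_number, depth) for requests nested at least `threshold` deep."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        fields = line.split()
        if len(fields) < 2:
            continue
        depth = return_url_depth(fields[1])
        if depth >= threshold:
            hits.append((number, depth))
    return hits


def nest(levels):
    """Build a constructed URL that wraps the login page in itself `levels` times."""
    url = LOGIN
    for _ in range(levels):
        url = LOGIN + "?ReturnUrl=" + quote(url, safe="")
    return url


# Constructed sample log (assumed layout: method, URL, status)
SAMPLE_LOG = [
    "GET /Blog/default.aspx 200",
    "GET /Blog/login.aspx?ReturnUrl=%2fBlog%2fEditEntry.aspx 200",
    "GET " + nest(1) + " 302",
    "GET " + nest(5) + " 302",
]

if __name__ == "__main__":
    print(flag_loops(SAMPLE_LOG))
```

A single self-referencing level can be harmless, so the threshold is set above one; only the repeated wrapping marks the loop.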

And then I went to sleep.

Monday, July 11, 2005 10:08:59 PM (Pacific Standard Time, UTC-08:00)
The loooooong URL above makes the page be about 10,000 pixels wide.
Tuesday, July 12, 2005 6:22:27 AM (Pacific Standard Time, UTC-08:00)
Is it just me or does anyone else think this line is weird?

cookieless="UseCookies"
Jiho Han
Tuesday, July 12, 2005 6:28:39 AM (Pacific Standard Time, UTC-08:00)
Great FormsAuthentication double-dip today, Scott. I gotta go revisit some code right away!
Sergio Pereira
Friday, July 15, 2005 11:52:32 AM (Pacific Standard Time, UTC-08:00)
Why do you say it's lovely that ASP.NET 2.0 defaults to cookieless?
Bob Uva
Friday, July 15, 2005 11:55:29 AM (Pacific Standard Time, UTC-08:00)
It's sarcasm. It's NOT lovely when running a 1.1 app because of this blog post.
Scott Hanselman
Friday, September 09, 2005 7:57:58 AM (Pacific Standard Time, UTC-08:00)
cookieless="UseCookies" ... yes that's a little strange, not sure why it wouldn't be cookieless="false"; but hey, it works, so what do I care? *shrugs* Thanks Scott!