Forms authentication cannot save Cookie under IE11

  • 2020-12-09 00:49:06
  • OfStack

Common practices in ASP.NET using Forms authentication are as follows:

1. Add an authentication node to the Web.config in the root directory of the website:

    <authentication mode="Forms">
        <forms name="MyAuth" loginUrl="manager/Login.aspx" defaultUrl="manager/default.aspx" protection="All" timeout="60" />
    </authentication>

2. Add a Web.config file under the manager subdirectory with the following contents:

    <?xml version="1.0"?>
    <configuration>
        <system.web>
            <authorization>
                <allow roles="Admin" />
                <deny users="*" />
            </authorization>
        </system.web>
    </configuration>

In this way, a user who has not passed Forms authentication is automatically redirected to the manager/Login.aspx page when visiting any page under the manager subdirectory. After successful authentication the user is sent back to the manager/default.aspx page by default. The authentication is valid for 60 minutes.

3. Add the authentication code. Add the following to the login button's click handler (snCheckCode, Helper, Utility/CndingUtility, lc_admin and dbEntities are the post's own helper classes and are not shown):

    // Verify the check code first; regenerate it on every failed attempt.
    if (!snCheckCode.CheckSN(txt_ValidateCode.Text))
    {
        snCheckCode.Create();
        Utility.ShowMessage(" Check code error! ");
        return;
    }

    string strUserName = txt_Username.Text.Trim();
    // Stored passwords are double MD5 hashes (see MD5ForPHP below).
    string md5Pwd = Helper.MD5ForPHP(Helper.MD5ForPHP(txt_Password.Text));
    lc_admin admin = null;
    bool logined = false;

    using (var context = new dbEntities())
    {
        admin = context.tb_admin.Where(n => n.username == strUserName).FirstOrDefault();

        if (admin != null)
        {
            if (admin.checkadmin != "true")
            {
                snCheckCode.Create();
                Utility.ShowMessage(" Sorry, this account is banned! ");
                return;
            }

            if (admin.password == md5Pwd)
            {
                // Update admin info
                admin.loginip = Request.UserHostAddress;
                admin.logintime = CndingUtility.DateTimeToUnixTimeStamp(DateTime.Now);
                context.SaveChanges();

                logined = true;
            }
        }
    }

    if (logined)
    {
        // Login: build a ticket whose UserData carries the role, encrypt it and send it as a cookie
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                            // ticket version
            admin.id.ToString(),          // name stored in the ticket
            DateTime.Now,                 // issue time
            DateTime.Now.AddMinutes(60),  // expiration, matches timeout="60"
            false,                        // not persistent
            "Admin",                      // UserData: the role checked later
            FormsAuthentication.FormsCookiePath
        );
        string hashTicket = FormsAuthentication.Encrypt(ticket);
        HttpCookie userCookie = new HttpCookie(FormsAuthentication.FormsCookieName, hashTicket);
        HttpContext.Current.Response.Cookies.Add(userCookie);

        if (Request["ReturnUrl"] != null)
        {
            Response.Redirect(HttpUtility.HtmlDecode(Request["ReturnUrl"]));
        }
        else
        {
            Response.Redirect("/manager/default.aspx");
        }
    }
    else
    {
        snCheckCode.Create();
        CndingUtility.ShowMessage(" Incorrect user name or password! ");
    }

MD5 hashing helper:

    using System.Text;

    // Returns the MD5 digest of the input as lowercase hex, the same output format as PHP's md5().
    // Note that the input is lower-cased before hashing, so passwords hashed with this helper
    // are effectively compared case-insensitively.
    public static string MD5ForPHP(string stringToHash)
    {
        using (var md5 = new System.Security.Cryptography.MD5CryptoServiceProvider())
        {
            byte[] inputBytes = Encoding.UTF8.GetBytes(stringToHash.ToLower());
            byte[] hashBytes = md5.ComputeHash(inputBytes);
            StringBuilder sb = new StringBuilder();
            foreach (var b in hashBytes)
            {
                sb.Append(b.ToString("x2")); // "x2" already yields lowercase hex
            }
            return sb.ToString();
        }
    }

After successful authentication, the user's login information is by default stored on the client in the form of a cookie, valid for 60 minutes. UserData is set to the user's role and is used to determine whether the user is logged in as an admin, as in the following code:

    if (HttpContext.Current.User.Identity.IsAuthenticated)
    {
        int adminId = -1;
        // The identity created by FormsAuthenticationModule exposes the decrypted ticket
        FormsIdentity identity = (FormsIdentity)HttpContext.Current.User.Identity;
        FormsAuthenticationTicket ticket = identity.Ticket;
        string userData = ticket.UserData;
        if (userData == "Admin")
        {
            // To do something
        }
    }
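An added example (not code from the original post) that issues and checks the same role-carrying ticket as the handler above, but sets HttpOnly and Secure on the cookie, which the original leaves unset, and only follows ReturnUrl when it is a local path, since the original redirects to it without validation. The AdminAuth class and its method names are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not from the original post: same ticket layout as the article
// (UserData = role), with hardened cookie flags and a local-only ReturnUrl check.
public static class AdminAuth
{
    public const string AdminRole = "Admin";

    // Build the ticket for an authenticated admin id and append it to the response.
    public static void IssueTicket(HttpResponse response, string adminId)
    {
        var ticket = new FormsAuthenticationTicket(
            1, adminId, DateTime.Now, DateTime.Now.AddMinutes(60),
            false, AdminRole, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                          // script cannot read the ticket
        cookie.Secure = FormsAuthentication.RequireSSL;  // follows requireSSL in web.config
        cookie.Path = FormsAuthentication.FormsCookiePath;
        response.Cookies.Add(cookie);
    }

    // Accept only a same-application path such as "/manager/x.aspx"; anything else
    // (absolute URLs, "//host", "/\host") falls back to the configured defaultUrl.
    public static string SafeReturnUrl(string returnUrl)
    {
        if (!string.IsNullOrEmpty(returnUrl)
            && returnUrl.StartsWith("/", StringComparison.Ordinal)
            && !returnUrl.StartsWith("//", StringComparison.Ordinal)
            && !returnUrl.StartsWith("/\\", StringComparison.Ordinal))
        {
            return returnUrl;
        }
        return FormsAuthentication.DefaultUrl;
    }

    // True when the request carries a valid ticket whose UserData is the admin role.
    public static bool IsAdmin(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        return identity != null && identity.IsAuthenticated
               && identity.Ticket.UserData == AdminRole;
    }
}
```

In the login handler, the cookie and redirect lines become `AdminAuth.IssueTicket(Response, admin.id.ToString()); Response.Redirect(AdminAuth.SafeReturnUrl(Request["ReturnUrl"]));`.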

The above code works perfectly when run in Visual Studio. However, after the site was published to the server's IIS (possibly an older version, such as IIS 6), the login function turned out to be broken: after entering the user name and password and clicking the login button, the page posted back but did not redirect correctly, and trying to visit a protected page manually just bounced back to the login page. Stranger still, the problem appeared only in IE 11; logging in with Firefox or Chrome worked fine. The first suspicion was an IIS setting, but IIS 6 has no cookie-related setting (that setting seems to exist only from IIS 7). And since only IE 11 was affected, the code itself could be ruled out.

There were also attempts to lower the security level of IE 11, reinstall the .NET Framework on the server and install the latest patches, none of which solved the problem. It turned out that all that is needed is to modify the authentication node in Web.config by adding the attribute cookieless="UseCookies" to the forms element:

    <authentication mode="Forms">
        <forms name="MyAuth" cookieless="UseCookies" loginUrl="manager/Login.aspx" defaultUrl="manager/default.aspx" protection="All" timeout="60" />
    </authentication>

This explicitly tells the server to store the authentication ticket in a cookie. Problem solved! Without the attribute, cookieless defaults to UseDeviceProfile, which makes ASP.NET decide per request, from its browser capabilities data for the user agent, whether the ticket goes into a cookie or into the URL; a browser that the server's browser definitions do not recognise as cookie-capable is therefore silently put on the cookieless path, which matches a login that posts back without the cookie ever being set.
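Because the UseDeviceProfile decision is per browser, it is worth confirming on the affected server which inputs led to it before or after changing Web.config. The handler below is an added example, not code from the original post; it reports what the device profile claims for the calling browser and what Forms authentication actually decided. The class name and the authdiag.ashx path are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not from the original post: a throw-away diagnostic handler that
// shows why ASP.NET chose cookie or URL-based tickets for the calling browser.
// Map it to e.g. "authdiag.ashx" in web.config (<httpHandlers> on IIS 6,
// <system.webServer><handlers> on IIS 7+) and remove it again after diagnosis.
public class AuthDiagHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    // Builds the report as plain text so it can also be written to a log.
    public static string BuildReport(HttpRequest request)
    {
        HttpBrowserCapabilities caps = request.Browser;
        return string.Join(Environment.NewLine, new[]
        {
            "UserAgent:           " + request.UserAgent,
            "Browser (profile):   " + caps.Browser + " " + caps.Version,
            "Browser.Cookies:     " + caps.Cookies,                        // what the device profile claims
            "CookieMode (config): " + FormsAuthentication.CookieMode,      // UseDeviceProfile unless cookieless is set
            "CookiesSupported:    " + FormsAuthentication.CookiesSupported, // the decision Forms auth took
            "Auth cookie present: " + (request.Cookies[FormsAuthentication.FormsCookieName] != null)
        });
    }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";
        context.Response.Write(BuildReport(context.Request));
    }
}
```

A browser that logs in fine should show Browser.Cookies and CookiesSupported both True; the IE 11 case described above shows up as CookiesSupported False while CookieMode still reads UseDeviceProfile.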
