.NET Tutorials, Forums, Interview Questions And Answers

Forms Authentication CrossAppRedirects behavior

Posted Date: October 18, 2010    Category: ASP.Net

I am developing a Single Sign-On application. I followed the instructions to share/set the cookie to the parent domain, share machine keys, so, the applications (all under the same 4th level domain, the document says this will only work for the 2nd, and 3rd level domains, but somehow, this approach works for our 4th level domain) will be able to share the authentication cookie.

The users are supposed to hit one of the applications. In the web.config file for the apps, the loginUrl is set to the login page at the SSO website, enableCrossAppRedirects="true", and the defaultUrl is set to the welcome page at the app's website.

But, what happened is, ASP.NET ignores all the defaultUrl settings (at the SSO site and application site), it always redirects to the Default.aspx which is the default setting for the forms authentication. I tried to do a Response.Redirect in the Authentication event handler, but the SSO app won't listen to that command.

I have a work-around which is using the Default.aspx page in the SSO application and doing a Response.Redirect in the code behind. But I do not understand why Microsoft has done it that way. Are there any security risks if not forcing the redirects back to the Default.aspx? Or is this a bug?


More Related Resource Links

Explained: Forms Authentication in ASP.NET

This module explains how forms authentication works in ASP.NET version 2.0. It explains how IIS and ASP.NET authentication work together, and it explains the role and operation of the FormsAuthenticationModule class.

Using Forms Authentication in ASP.NET - Part 1

Classic ASP developers often had to "roll their own" authentication scheme, however, in ASP.NET much of the grunt work has been taken out. This article outlines how things have changed and how FormsAuthentication can be used to secure a Web site with a minimal amount of code.

ASP.NET Forms Authentication - Part 1

Often, in legacy Web applications, users authenticate themselves via a Web form. This Web form submits the user's credentials to business logic that determines their authorization level. Upon successful authentication, the application then submits a ticket in the form of a cookie, albeit a hard cookie or session variable. This ticket contains anything from just a valid session identification access token to customized personalization values.

ASP.NET forms authentication with roles

- A timeout is specified in minutes. This is "time since last request" not the "time since login". If a login is indicated to be persistent (described later) this is ignored.
- A protection method is specified for the cookie.
Next I wanted to specify a folder to which access is restricted to people who have logged in. To do this I entered the following code in the web.config file (beneath

Forms Authentication in ASP.NET

In this tutorial you will learn about Forms Authentication in ASP.NET 2.0 - Forms Authentication class, Cookie Domain, Forms Cookies, The Login Control, Signin, Signout, Authenticate, Redirect, Login Status, Login Name and Login View Controls.

Problems with Forms Authentication in DD 4 site


Hello, I am seeing a strange problem with Forms Authentication in my DD site. A user logs in and can view/edit/delete data all day, but when they execute a Custom Filter against data (for example, a control DynamicData/Filters/CustomerLastNameSearch.ascx) then the site auth fails, and redirects to the log in screen.

In web.config I have

    <authentication mode="Forms">
        <forms name=".Star" loginUrl="~/Login.aspx" protection="All" defaultUrl="~/Default.aspx" path="/" timeout="43200" cookieless="UseCookies" />
    </authentication>

Offhand, I am thinking two things: that DynamicData/Filters path requires some special handling for some reason, or the control extension ascx is causing auth to get confused. Has anyone else experienced this or have any suggestions? Thanks!

Forms based users being prompted for windows authentication login for My Sites photos in user lists

Here's an issue I didn't see coming for our forms based authentication users. 

We have a web application extended to an external url to handle forms based authentication for users outside of our domain. Our setup looks like this...

Internal Users/Windows Authentication - moss.domain.com
External Users/Forms Based - mossext.domain.com
My Site for Internal Users - mysites.domain.com

When our forms based users are accessing user lists, or discussion pages that display user pictures, they are getting a Windows authentication login for our internal users (mysites.domain.com) who have populated their My Site with a personal photo.

How do we fix this? 

403 Forbidden - Forms Authentication


Form template has cascading dropdown lists. When an item is selected from the first list, form code executes a FileQueryConnection to retrieve data from a list to populate the 2nd listbox. Getting 403 forbidden when explicitly attempting to retrieve data from code. Form is using connections from a data connection library. The template works perfectly when deployed to a Windows authenticated site. Fails when executed from the forms authenticated site.


Issue with Forms Authentication


 I'm in the middle of converting an intranet application to use forms authentication. The authentication process works fine for the core application and all the nested classic asp pages. However, my nested asp.net applications do not work. I have mapped their web.configs to the correct login url. If I attempt to access them after logging in, I am automatically redirected to the homepage of the intranet application. If I try to access them directly, I am redirected to the login screen, as I should be, and then the intranet homepage after the login process, instead of the page I need to access.

At first, I thought there might be some remnant of the security processes in the nested applications, but it does it for applications that have no security processes other than the one for the core intranet.

Since this is my first crack at using forms authentication, I'm assuming I've missed some step. Any ideas?

Here is the section of my web.config:

<authentication mode="Forms">
      <forms loginUrl="~/folder/loginpage.aspx" name="Cookie Name"></forms>
</authentication>
<authorization>
      <deny users="?" />
      <allow users="*"/>
</authorization>

Bizarre behavior of Digest authentication with HttpListener.


While trying to use Digest authentication with HttpListener, I expected it to act fairly close to how Basic does. Basic works fine with no surprises. With Digest, however: 

  1. HttpListener/http.sys driver takes it upon itself to authenticate the user, without even passing the request to my code (listener.GetContext() never gets unblocked) so the ASP.NET application never has a chance to authenticate the user. I can see responses generated by "Microsoft-HTTPAPI/2.0" with WWW-Authenticate headers. I thought the application should have a chance to authenticate the request with the Digest user identity in the header. Is it possible to do?
  2. While insisting on Digest-authenticating users on its own, "Microsoft-HTTPAPI/2.0"/HttpListener/http.sys successfully authenticates domain users, but not computer users. I tried a user name that includes computer name, realm name, computer name in the FQDN format - nothing works. Why such inconsistency?

Thank you,


Automatic expiration of forms authentication when user closes the browser windows without signing ou

Dear all, can you tell me how to automatically sign out a user if he/she closes the browser window without signing out. I'm using Forms Authentication. Thanks

Forms Authentication Add SQL Database Variable

I am using Forms Based Authentication. I have extended the Forms Authentication Tables creating a custom table called Profile_Contact that holds the user's GUID, username, email address, and other information. I have another table called Profile_Account which holds company account information such as Company Name, address info, phone numbers etc. This table has a Key Field called IDProfileAccount. I include the IDProfileAccount field in the ProfileContact user table so I can associate the user with a specific Company. For the login page, I am using a basic login page created using the Visual Studio login controls. When the user logs in, they are sent to the appropriate page as identified by the role the user has been given. This all works great. Now I need to extend the login page so that when the user logs in not only is the user's name and GUID placed in session, I would also like to have the IDProfileAccount record placed in session as well so that I can filter the records the user sees as only those records of the Company the user is associated with. I know how to add static variables to a session and how to retrieve them to filter data, what I need to know is how to retrieve the data from the SQL table on login and send it to the session. I would think it would be something along these lines: Partial Class login Inherits System.Web.UI.Page Protected Sub Logi

Forms authentication and Active Directory? Help!

Hi, I'm new to SharePoint 2010. I'm in a situation whereby I would like to allow users that already have Active Directory accounts to log into SharePoint. The problem arises when I need to allow external users to log into the SharePoint site too and it will not be possible to add them into the Active Directory. Is there a way to resolve this problem? Appreciate all help given! Thanks! norphos

Strange Authentication Behavior...

I have an installation of SSRS 2008 that is exhibiting some very odd behavior with regards to authentication and permissions. I have SSRS installed on a box called SERVER1 and I'm a local admin on the box and an Administrator on the SSRS instance. This box has an IP address of When I go to the Report Manager URL, I see everything I should (Home, Site Settings, etc.) I'm able to go in and set up security and create folders and everything. What's odd is that if I use the IP address instead of the server name in the Report Manager URL, I get to the home page but there is nothing displayed, only Home, My Subscriptions, and Help. There are no report folders visible and the options available to admins aren't visible. One thing that may shed some light on things: if I do a ping -a on the IP address, it resolves to the host name. If I ping the host name, I get back a reply from ::1: I have no idea why permissions would differ between a host name and an IP address if they're the same server?? Any insight would be appreciated! A. M. Robinson

Active Directory user impersonation with forms authentication

I've written a small ASP.NET 3.5 application to allow users to update selected account attributes on their own. Everything works fine when I use Basic Authentication, but because the dialog that is presented is less than ideal, I'd like to use forms authentication to give the users more instruction on how to log in. My problem is that in order for the user to update their account information, I have to have the application impersonate them for the update actions. I've scoured the internet trying to find a solution to my issue, but nothing fits or works. I have tried setting the web.config: <identity impersonate="true" /> but that doesn't seem to work. I also have the C# code using the WindowsImpersonationContext class, but still no luck.

    protected void titleTextBox_TextChanged(object sender, EventArgs e)
    {
        TextBox tb = (TextBox)sender;
        string fieldTitle = "job title";
        string fieldName = "title";
        if (userDirectoryEntry == null)
            CaptureUserIdentity();
        try
        {
            WindowsImpersonationContext impersonationContext = userWindowsIdentity.Impersonate();
            if (String.IsNullOrEmpty(tb.Text))
                userDirectoryEntry.Properties[fieldName].Clear();

Supporting forms authentication SharePoint sites

Hello, I am changing the type of authentication in SharePoint to Form authentication. I create a document Library and I choose as a Document Model (Microsoft Office Word 2007). The problem is: "I can't create a new Item Document Word". It disappears. I am using this article (http://blogs.msdn.com/b/sharepoint/archive/2009/05/13/update-on-sharepoint-forms-based-authentication-fba-and-office-client.aspx) to solve my problem. The problem is I don't find the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Internet\FormsBasedAuthSettings

forms authentication - self registration

Is there a reasonably standardised solution that allows external users to register on a forms/authenticated site? The codeplex Forms Based Authentication project (http://www.codeplex.com/fba) provided this for SP2007 but I have not seen any indication of a SP2010 solution yet. Andrew Wiles - www.it-workplace.com - MDX made simple