2

I am having a problem implementing Microsoft's latest Identity 2.0 in my ASP.net 4.5 Web Forms project. This is my scenario...

I have downloaded the latest Webforms.Samples code from https://aspnet.codeplex.com/SourceControl/latest and pretty much performed a straight port (for the purposes of testing) into my project.

In development, the code/implementation works correctly, when we move to our IIS 7.5 staging server, after a period of time (usually 3 or 4 hours, but varies) the test users experience the following problem...

When they login, the login process appears to run correctly and redirects them back to the specified return url, but the authorisation is not complete/recognised and they get immediately returned back to the login page.

I should say that the login page/process doesn't fail (no errors) and the underlying code return 'success' (as this is the only path that will invoke the redirect), but the actual mechanism appears to be passive. To prove this, I have created a test page that simply echoes the user's identity and even immediately after an apparently successful login, the user identity is anonymous.

The only way I have found of fixing the issue is to restart the web application and again it runs fun for a while.

Can anyone give me any pointers on where I can look to begin to debug this issue or what the cause might be?

Thanks.

Neilski
  • 4,385
  • 5
  • 41
  • 74
  • Don't download this, just create new empty asp.net application and install https://www.nuget.org/packages/Microsoft.AspNet.Identity.Samples – Imran Qadir Baksh - Baloch Apr 29 '14 at 11:29
  • Are you sure there's not an issue in your own code? Checking for some session variables that expired or something like that? – Luaan Apr 29 '14 at 12:28
  • Hi Luaan, I am fairly certain it's not anything in the code. The fact that no user Identity exists immediately after signing in seems to confirm this as the two pages in question are very basic straight from the VS templates. – Neilski Apr 29 '14 at 12:39
  • I will try the NuGet install and compare the code (as ultimately I need to be able deploy this into my existing projects) – Neilski Apr 29 '14 at 12:41
  • The problem with the NuGet package is that it is aimed at MVC and this project is WebForms based., but I will review the code to see if there are any differences at the implentation level. – Neilski Apr 29 '14 at 12:45
  • Possible duplicate of [ASP.NET\_SessionId + OWIN Cookies do not send to browser](http://stackoverflow.com/questions/20737578/asp-net-sessionid-owin-cookies-do-not-send-to-browser) – Albireo Dec 24 '15 at 19:59

2 Answers2

4

ASP.NET_SessionId + OWIN Cookies do not send to browser This page seems to provide a workaround to the issue by creating a session on application start up.

Community
  • 1
  • 1
jkaufman001
  • 56
  • 3
  • Thank you. This does indeed appear to be the same problem and I will try the workaround and comment back here if it helps in a few days. – Neilski Aug 01 '14 at 04:45
  • There is indeed a problem with ASP.net Identity and creating a Session. For anyone that wants to investigate this further, I have created a test project at https://github.com/Neilski/IdentityBugDemo Apparently Microsoft know of this problem (in the Katana module) but do not intend to fix it until vNext! – Neilski Aug 12 '14 at 16:08
4

Starting with this great analysis by @TomasDolezal, I had a look at both the Owin and the System.Web source.

The problem is that System.Web has its own master source of cookie information and that isn't the Set-Cookie header. Owin only knows about the Set-Cookie header. A workaround is to make sure that any cookies set by Owin are also set in the HttpContext.Current.Response.Cookies collection.

The workaround I created is now outdated: I've made a small middleware (source, nuget) that does exactly that, which is intended to be placed immediately above the cookie middleware registration.

Use Microsoft's suggestion of a SystemWebCookieManager instead.

Anders Abel
  • 67,989
  • 17
  • 150
  • 217
  • This helped me! Particularly Microsoft's workaround: https://github.com/aspnet/AspNetKatana/wiki/System.Web-response-cookie-integration-issues – Mark Good Jun 27 '20 at 22:58