4

Here is my forms authentication section from my web.config

<authentication mode="Forms">
  <forms name="security" path="/" loginUrl="default.aspx" protection="All" timeout="360" />
</authentication>

<authorization>
  <deny users="?" />
</authorization>

For some reason after change to .net 4 as my target, people have to login twice before my form authentication redirects now. Has anyone else run into this.

Also my login is in the homepage so I tried the below thinking I just need to make my login page public, but it did not work. Anyone else have this problem?

Also I noticed that soon as I visit my homepage I get this in the url default.aspx?ReturnUrl=%2f, if I remove the ReturnUrl parameter, it then works to login first time. But if ReturnUrl is in querystring I have to login twice the first time visiting the site.

default.aspx?ReturnUrl=%2f

So I added the page to public access in my locations and this didn't help.. 

<location path="default.aspx">
<system.web>
  <authorization>
    <allow users="*" />
    <deny users="?" />
  </authorization>
</system.web>

moto_geek
  • 510
  • 5
  • 14
  • In general, you should not need to setup a location tag for the login page that is specified in the Forms Auth tag. With that said, do you have a page that you can setup that can output things like User.Identity.IsAuthenticated to see if the user is actually authenticated? Is your issue just that you arn't getting redirected to the correct URL after login? or that you arn't getting logged in? – Nick Bork Dec 01 '11 at 15:27
  • %2f = url encoded form of '/'. Do yo have somewhere a returnURL specified or are you using URL rewriting? – Pleun Dec 01 '11 at 16:21
  • That brings to attention that the default page probably should be the same page as your login page. – Nick Bork Dec 01 '11 at 16:49

2 Answers2

2

When your URL is this: default.aspx?ReturnUrl=%2f, after logging in, it redirects back to the default page, which is the default page. If you added code to the default page:

If (this.User.Identity.IsAuthenticated)
{
    Response.Redirect("somepage.aspx");
}

This problem will go away. It's not because they have to login twice, it's because they keep coming back to the default page.

Brian Mains
  • 50,520
  • 35
  • 148
  • 257
1

IIS server manager settings had the default document as the Login.aspx page. Forms tag in the web.config had the defaulturl set to the Default page. I removed the login page as the default on my IIS server manager and the issue went away. It appears to me like the IIS manager should update that tag in the web.config file looks like a bug. Rather then redirect on page load I would go with this fix instead to me it's more secure.

So in this case you would change your loginurl= login.aspx and defaulturl=pageafterlogin.aspx and without default on your server no issues.

vikingben
  • 1,632
  • 2
  • 24
  • 37