Mr.Thursday
0 Points
6 Posts
MVC 3/ASPNET Auth - Almost Randomly Redirecting To Account/LogOff
Nov 23, 2012 10:37 AM
This is a very strange one for me and I've been battling with it for a while now. I really hope someone can help.
I have a fairly typical MVC 3 website and I only seem to be getting this problem in IE and Firefox. Chrome plays along nicely. Lucky for me, the majority of our company's clients use Chrome at the moment.
Problem is at a seemingly random point in time, the browser will automatically redirect me to the Account/LogOff action when I click on a link, and from there it will obviously go back to the Login page. This link will then continue with the same behavior.
I say "seemingly random" because today that link will work, tomorrow it won't and all other (or the majority - I have never had more than one problem link giving this problem at a time) links will be fine. Sometimes restarting the server/dev environment will take care of the problem, other times it won't. The browser will just keep redirecting to LogOff.
I have tried looking at the Referrer URL, but the controller/action being referred to will never be reached. (If I place a breakpoint in the action, it is missed and the next point reached would be the LogOff action)
If I look at the stacktrace when in the LogOff Action, I can't see any info from where the application has come from. I have also tried what was suggested in this page: Posting the Stack Trace on ASP.NET MVC, but I cannot see why I am being redirected to the LogOff action.
The only place I seem to be able to have a breakpoint get hit before hitting LogOff, is Application_BeginRequest in the Global.asax, but can't see where it is going from there on.
My guess is that somewhere along the line, ASPNET Auth decides the user isn't authenticated any more and redirects to the LogOff action. Problem is that the cookies associated with ASPNET Auth all still exist, have data in them and they haven't expired yet.
Anyway, I hope I have given enough info on the problem.
Thanks in advance.
ignatandrei
All-Star
134533 Points
21582 Posts
Moderator
MVP
Re: MVC 3/ASPNET Auth - Almost Randomly Redirecting To Account/LogOff
Nov 23, 2012 11:41 AM
If you could reproduce it in a project, we can have a look at it.
Mr.Thursday
0 Points
6 Posts
Re: MVC 3/ASPNET Auth - Almost Randomly Redirecting To Account/LogOff
Nov 23, 2012 12:25 PM
That would be a bit difficult and take a bit of time. I am experiencing the problem in a project that is quite large.
I'll see what I can do.
Where would I send the project to, to have it looked at once I have finished?
ignatandrei
All-Star
134533 Points
21582 Posts
Moderator
MVP
Re: MVC 3/ASPNET Auth - Almost Randomly Redirecting To Account/LogOff
Nov 23, 2012 12:32 PM
Put a zip somewhere on the internet.
imran_ku07
All-Star
45785 Points
7698 Posts
MVP
Re: MVC 3/ASPNET Auth - Almost Randomly Redirecting To Account/LogOff
Nov 26, 2012 06:20 PM
LogOff should be POST instead of GET. Maybe someone put the LogOff action in an img, link or script, or is sending an ajax request to LogOff. There is also a possibility that another site has this tag, <img src="http://yousite/LogOff" />, so when you browse the other site's page you will be logged off. So, the recommended way is to use POST.
Imran Baloch MVP, MVB, MCP, MCTS, MCPD
Mr.Thursday
0 Points
6 Posts
Re: MVC 3/ASPNET Auth - Almost Randomly Redirecting To Account/LogOff
Nov 27, 2012 05:09 AM
Hi Imran,
Unfortunately I am experiencing the problem not just on my production and beta site, but also in my dev environment, so Cross Site Scripting and Forgery should not be a problem. (I have also double checked and the LogOff action is not referenced elsewhere in my solution - especially not in javascript somewhere.)
Admittedly my LogOff action is a GET at the moment as it is the standard LogOff event given in the MVC project and if I change it to a POST, I simply just get an error that the LogOff action can't be found.
What changes do I need to make to change the LogOff action to POST? (Besides just decorating the action with POST.)
I have been wondering if it is simply not just an issue of the ASPAUTH cookie getting lost when it needs to be sent to the server? I have checked and double checked the cookies on the client side and they persist. So if it is the cookie being lost, it doesn't make sense to me. The other peculiar thing, why is this happening on specific links?
imran_ku07
All-Star
45785 Points
7698 Posts
MVP
Re: MVC 3/ASPNET Auth - Almost Randomly Redirecting To Account/LogOff
Nov 27, 2012 05:24 AM
You need a standard HTML form instead of a link for POST.
Imran Baloch MVP, MVB, MCP, MCTS, MCPD
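The change discussed in the two posts above, as an added example that is not code from the thread: a POST-only LogOff action and the form that replaces the log-off link. It assumes the default MVC 3 AccountController and the Razor view engine; the Home/Index redirect target and the view file name are assumptions.

```csharp
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    // POST only: a GET issued by an <img> tag, a prefetch or a stray link
    // no longer matches this action, so it cannot sign the user out.
    [HttpPost]
    [ValidateAntiForgeryToken] // rejects posts that lack the token rendered by the form below
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home"); // assumed landing page
    }
}

/* Razor markup that replaces @Html.ActionLink("Log Off", "LogOff", "Account")
   (assumed to live in a view such as _LogOnPartial.cshtml):

@using (Html.BeginForm("LogOff", "Account", FormMethod.Post))
{
    @Html.AntiForgeryToken()
    <input type="submit" value="Log Off" />
}
*/
```

If the view still renders a plain link, the browser sends a GET that no longer matches the action, which produces the "action can't be found" error described above.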
Mr.Thursday
0 Points
6 Posts
Re: MVC 3/ASPNET Auth - Almost Randomly Redirecting To Account/LogOff
Nov 27, 2012 10:38 AM
OK, so I might have gotten a step closer. I came across this post and looked to see what is happening in my Application_AuthenticateRequest in my global.asax.
I am not quite sure why, but when I click on a link, Application_AuthenticateRequest gets accessed 3 times. When a link works (as in I can follow it and it doesn't log me out), the value of the .ASPAUTH cookie stays the same. I checked this by adding a breakpoint and a watch over
When the link does not work, the first time the cookie has a value, then the other two times it is null. Thus, because the ASPXAUTH cookie is null, the system automatically redirects to the LogOut action.
If I consider the solution they posted in the link, I am not sure if this applies to me. As far as I can tell, the encrypted cookie is still small (as in a few hundred characters long) and not close to 4096 bytes. Also, I had only 3 cookies going at the time when I tested the broken link and I have a maximum of 5 cookies at any given time.
Any idea?
Mr.Thursday
0 Points
6 Posts
Re: MVC 3/ASPNET Auth - Almost Randomly Redirecting To Account/LogOff
Nov 27, 2012 12:35 PM
I have noticed another thing, not sure if it is related:
In the global asax I wanted to check the Expiration Date on the cookie when it hit the Application_BeginRequest. When the method is hit the first time, the Expiry Date is set to 01/01/0001 00:00:00, even though I have a timeout specified in the web.config. I thought this was odd, so added this code to Application_BeginRequest to make sure the cookie has an Expiration Date:

    // Read the forms-authentication cookie from the incoming request
    HttpCookie _cookie = HttpContext.Current.Request.Cookies.Get(".ASPXAUTH");
    if (_cookie != null)
    {
        // Give it an expiry date and write it back to the request's cookie collection
        _cookie.Expires = DateTime.Now.AddDays(30);
        HttpContext.Current.Request.Cookies.Set(_cookie);
    }

The second and third time it is hit, the cookie is null.
Again, this only happens in FF and IE, but not Chrome. Also in Chrome, the Application_BeginRequest method is only ever hit once.
Is the cookie being seen as having expired and thus the application is redirected to the LogOff action?
imran_ku07
All-Star
45785 Points
7698 Posts
MVP
Re: MVC 3/ASPNET Auth - Almost Randomly Redirecting To Account/LogOff
Nov 27, 2012 03:20 PM
I am not sure why it's happening with you. Try to increase the form authentication timeout size. Note: there are actually 2 expiration dates that come into play. One is the default cookie expiration date, which is used by browsers to decide whether the cookie is expired or not. The other expiration date is embedded inside the cookie value. You can play with this property. Here is a great old resource about how form authentication works internally.
Imran Baloch MVP, MVB, MCP, MCTS, MCPD
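A diagnostic for the two expiration dates and the per-request cookie checks discussed in this thread, as an added example that is not code from any of the posters. It assumes the default MVC 3 MvcApplication class in Global.asax.cs and logs through System.Diagnostics.Trace; the "AUTH" log prefix is made up for the example.

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Security;

public class MvcApplication : HttpApplication
{
    // Runs once per request, including requests for images, scripts and
    // favicon.ico, so one click can produce several log lines. The logged
    // URL shows which of those requests arrived without the ticket.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        string url = Request.RawUrl;
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];

        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            Trace.WriteLine("AUTH " + url + ": no forms cookie in this request");
            return;
        }

        // cookie.Expires is DateTime.MinValue (01/01/0001) on every request cookie:
        // the Cookie request header carries only name=value, never the expiry.
        // The expiry that the server enforces is the one inside the encrypted ticket.
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null)
            {
                Trace.WriteLine("AUTH " + url + ": cookie present, ticket did not decrypt");
                return;
            }
            // Log ticket metadata only; never write the cookie value itself to a log.
            Trace.WriteLine(string.Format(
                "AUTH {0}: user={1} issued={2:u} expires={3:u} expired={4} persistent={5}",
                url, ticket.Name, ticket.IssueDate, ticket.Expiration,
                ticket.Expired, ticket.IsPersistent));
        }
        catch (Exception ex)
        {
            // A tampered cookie or a changed machineKey ends up here.
            Trace.WriteLine("AUTH " + url + ": ticket rejected (" + ex.GetType().Name + ")");
        }
    }
}
```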