I was using Forms Authentication in my test, and I also have some test user names. But I found a weird problem with one specific name: all of the test names work in the test except one, named amybeyond.

Please help review the code in my test.

LoginTest.aspx (This is a login form for user name and password input.)

```csharp
using System;
using System.Web.Security;

public partial class LoginTest : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        // After successfully validating the user, redirect to the LoginSuccess.aspx page.
        bool bValidate = Membership.ValidateUser("amybeyond", "11111111");
        if (bValidate)
        {
            FormsAuthentication.SetAuthCookie("AmyBeyond", false);
            Response.Redirect("LoginSuccess.aspx");
        }
    }
}
```

LoginSuccess.aspx (This page simply tests whether the current request is authenticated after redirecting.)

```csharp
using System;
using System.Web;

public partial class LoginSuccess : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // HttpContext.Current.Request.IsAuthenticated is always false in IE.
        if (HttpContext.Current.Request.IsAuthenticated)
        {
            Response.Write("ok, you login successfully.");
        }
    }
}
```

I am sure that Membership.ValidateUser executes successfully and returns true. The problem is that the authenticated status is not known after the redirect succeeds.

I don't know if I missed something or did something wrong. If so, please tell me. Thanks.

Added

I read the source code of FormsAuthentication.SetAuthCookie and added cookieless="UseCookies" to the forms element of the Web.config, hoping to make sure the cookie is added to the Response (this is done by the source code line HttpContext.Current.Response.Cookies.Add(cookie)). It still doesn't work.

```csharp
public static void SetAuthCookie(string userName, bool createPersistentCookie, string strCookiePath)
{
    Initialize();
    HttpContext current = HttpContext.Current;
    if (!current.Request.IsSecureConnection && RequireSSL)
    {
        throw new HttpException(SR.GetString("Connection_not_secure_creating_secure_cookie"));
    }
    bool flag = CookielessHelperClass.UseCookieless(current, false, CookieMode);
    HttpCookie cookie = GetAuthCookie(userName, createPersistentCookie, flag ? "/" : strCookiePath, !flag);
    if (!flag)
    {
        HttpContext.Current.Response.Cookies.Add(cookie);
        current.CookielessHelper.SetCookieValue('F', null);
    }
    else
    {
        current.CookielessHelper.SetCookieValue('F', cookie.Value);
    }
}
```

Added

The HTTP capture details are shown below. In LoginTest.aspx there is a cookie named FwLoginCookie; after redirecting to LoginSuccess.aspx this cookie is lost. Please help review it.

Joe.wang

1 Answer

Finally I found out why this weird thing happened! It is because another cookie, named ACA_USER_READ_ANNOUNCEMENT, is sent in the response. It is so large (more than 5800 bytes) that the browser (IE in my test) ignores all the cookies, including the Forms authentication cookie (about 300 bytes). Other browsers such as Chrome/Firefox do not behave the same as IE in this case (huge cookie size).

If this is not right, please kindly correct me. Thanks.

Joe.wang

  • See this about cookie size, looks like you can't count on more than 4096 bytes https://discussions.apple.com/message/18820657#18820657 – ta.speot.is Dec 18 '13 at 07:00
  • I was wondering if there is some other mechanism to store data in client (browser) storage, especially for large data. Thanks. – Joe.wang Dec 18 '13 at 09:25
  • Store it in the session, or iff the requirement to store >4KB is only for authenticated users and the session isn't long-lived enough then use the user's profile. – ta.speot.is Dec 18 '13 at 09:32
  • Session is not stored in the browser. It is stored on the server side, not on the client side. Thanks. – Joe.wang Dec 18 '13 at 10:26
  • You've probably solved this by now, but if you want to store more data in the client you should have a look at [localstorage](http://www.w3schools.com/html/html5_webstorage.asp). The max size seems to be 10 MB according to this SO post: http://stackoverflow.com/questions/2989284/what-is-the-max-size-of-localstorage-values. – Johan Gov Mar 18 '15 at 11:42
  • Hm... But I am not sure whether it belongs only to HTML5 browsers? – Joe.wang Mar 19 '15 at 06:02
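
A server-side check for the failure described in the answer, as an added example that is not part of the original post: an ASP.NET module that logs any response cookie whose `name=value` exceeds the 4096 bytes mentioned in the comments, so an oversized cookie is noticed before a browser silently drops the Forms authentication cookie. The class name `CookieSizeGuardModule` and its helper names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Text;
using System.Web;

// Hypothetical module (not from the post): flags response cookies that are
// too large for browsers to store reliably. Only names and sizes are logged,
// never cookie values, since those may hold tickets or session data.
public sealed class CookieSizeGuardModule : IHttpModule
{
    // Per-cookie budget taken from the comment thread (4096 bytes).
    public const int MaxCookieBytes = 4096;

    public void Init(HttpApplication app)
    {
        // EndRequest also fires after Response.Redirect, the case in the question.
        app.EndRequest += (sender, e) =>
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            foreach (string finding in FindOversized(Snapshot(ctx.Response.Cookies), MaxCookieBytes))
                Trace.TraceWarning("Oversized cookie on {0}: {1}", ctx.Request.Path, finding);
        };
    }

    public void Dispose() { }

    // Copy name/value pairs out by index. Indexing by name is avoided because
    // Response.Cookies["name"] creates a cookie when none exists.
    private static IEnumerable<KeyValuePair<string, string>> Snapshot(HttpCookieCollection cookies)
    {
        for (int i = 0; i < cookies.Count; i++)
            yield return new KeyValuePair<string, string>(cookies[i].Name, cookies[i].Value ?? "");
    }

    // Size is "name=value" in UTF-8. Attributes such as path and expires add
    // more bytes on the wire, so treat the result as a lower bound.
    public static List<string> FindOversized(IEnumerable<KeyValuePair<string, string>> cookies, int limit)
    {
        var findings = new List<string>();
        foreach (var c in cookies)
        {
            int size = Encoding.UTF8.GetByteCount(c.Key + "=" + c.Value);
            if (size > limit)
                findings.Add(c.Key + " (" + size + " bytes, limit " + limit + ")");
        }
        return findings;
    }
}
```

Register the module under `system.webServer/modules` in Web.config (or `system.web/httpModules` in classic pipeline mode). With the cookies from the answer, the roughly 5800-byte ACA_USER_READ_ANNOUNCEMENT cookie would be reported and the roughly 300-byte authentication cookie would not.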