
I have a Web Server:

Windows Server 2008 R2 X64

IIS version : 7.5.7600.16385

The .NET version installed on our machine (we checked using this link) is: 4.7 (460805)

Our website has been developed on .net 4.7 and MVC 5 and we use ASP.NET Forms Authentication to authenticate our clients.

On the loading of login page, we write a simple test cookie:

    HttpCookie cookie = new HttpCookie("test", "123");
    cookie.Expires = DateTime.UtcNow.AddYears(1);
    Response.Cookies.Add(cookie);

When the user clicks the login button, we read that cookie and count all cookies:

    if (Request.Cookies["test"] == null)
    {
        if (Request.Cookies.Count > 0)
        {
            for (int i = 0; i < Request.Cookies.Count; i++)
                Loger.PointLoger.LogIt("Cookies:" +
                    Request.Cookies[i].Name
                    + "   Value: " + Request.Cookies[i].Value);
        }

        HttpBrowserCapabilitiesBase bc = Request.Browser;
        ...//Some codes to log
    }

This way we can be sure that writing cookies is enabled and we can write our authentication cookie. If we cannot read that test cookie, we redirect the user to another page and ....

Some of our users reported that they cannot log in to our website, and our server logs show that we cannot write cookies on their devices. The important thing is that writing cookies is enabled on their devices.

After doing some tests we found that writing cookies is random or something like that: one time it's OK and another time it's not.

With this code we collected some information about our users:

    HttpBrowserCapabilitiesBase bc = Request.Browser;
    ...
    "IsMobileDevice:" + bc.IsMobileDevice
    "-Browser:" + bc.Browser
    ...

For example :

Cookies.Count: 2

Cookies:_ga   Value: GA1.2.163980100.1507000247
Cookies:_gid   Value: GA1.2.1373100693.1518900032

 IsMobileDevice:True
-Browser:Chrome
-Beta:False
-Platform:Unknown
-Type:Chrome47
-Version:47.0
-MobileDeviceModel:Unknown
-MobileDeviceManufacturer:Unknown
-GatewayMajorVersion:0
-MinorVersion:0
-MinorVersionString:0
-MajorVersion:47
-GatewayVersion:None
-Id:chrome
-HasBackButton:True
-Cookies:True
-ClrVersion: 0.0
-InputType:keyboard

Why have these cookies (_gid and _ga) been written but our test cookie not?

I read some posts like :

Asp.Net Forms Authentication when using iPhone UIWebView

ASP MVC Cookies not persisting

C# Login code not work on safari

Strange problem with cookies in Safari and Asp.net

Now the question is: IS THAT A BUG ON .NET 7? IF YES, WHAT IS THE SOLUTION?

I paste here some code from our project, and for security I replaced some parts with ".....":

On Web.config:

    <authentication mode="Forms">
      <forms domain=".mysite.com" name="abc" cookieless="UseCookies"
             enableCrossAppRedirects="true" loginUrl="/Accounts/Login"
             timeout="2880" requireSSL="false" path="/" />
    </authentication>

    <machineKey compatibilityMode="Framework45" validationKey="C121487......"
                decryptionKey="7E43716E4C97....." validation="SHA1" decryption="AES" />

    <sessionState mode="InProc" customProvider="DefaultSessionProvider" cookieless="UseCookies" cookieName="debnf">
      <providers>
        <add name="DefaultSessionProvider" type="System.Web.Providers.DefaultSessionStateProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf38...." connectionStringName="DefaultConnection" />
      </providers>
    </sessionState>

In App_Browsers :

    <browsers>
      <browser refID="Default">
        <capabilities>
          <capability name="cookies" value="true" />
        </capabilities>
      </browser>
    </browsers>

UPDATE:

This is my main code:

I write this test cookie here:

    public ActionResult Login()
    {
        HttpCookie cookie = new HttpCookie("test", "123");
        cookie.Expires = DateTime.UtcNow.AddHours(1);
        Response.Cookies.Add(cookie);
        return View();
    }

and when the user clicks login I check that cookie here:

    [HttpPost]
    public ActionResult Login(LoginModel loginModel)
    {
        if (Request.Cookies["test"] == null)
        {
            .....

        }

    }

motevalizadeh
  • Per [How to: Write a Cookie](https://msdn.microsoft.com/en-us/library/78c837bd.aspx): `You must create cookies before the ASP.NET page is rendered to the client. For example, you can write a cookie in a Page_Load event handler but not in a Page_Unload event handler.` Also, there is some weird behavior (if I recall correctly) where you write a cookie and it won't actually be posted back to the server until the *following request*. Tip: That request may be an image or AJAX on the same page. I suggest you study the docs carefully - it takes some work to get cookies to function right. – NightOwl888 Feb 18 '18 at 16:20
  • nightowl888, thanks for your interest, but if we write the cookie in the wrong place, why are some users OK and have no problem? – motevalizadeh Feb 18 '18 at 16:25
  • Did you change the code on the server? Users may have an old cookie that still works, while others are new and didn't get a cookie before the server code changed. Have clients delete cookies and try again. – jdweng Feb 18 '18 at 16:31
  • jdweng, yes, I'm sure about it and renamed the cookie before testing it – motevalizadeh Feb 18 '18 at 16:35
  • @motevalizadeh - I suspect because those users have visited the site before and have the cookie, but those who load the page straight away don't send the cookie back to the server. Also, cookies can be not supported by browsers, disabled by users, or blocked by firewalls. MS has official documentation about [Determining Whether a Browser Accepts Cookies](https://msdn.microsoft.com/en-us/library/ms178194.aspx#sectionToggle15). Note the redirect to get it to function by making a second request to the server. – NightOwl888 Feb 18 '18 at 17:04
  • @NightOwl888 - I'm so confused. You believe that it absolutely cannot be a bug? What do you say about downgrading to .NET 4.61 or upgrading to .NET 4.7.1? – motevalizadeh Feb 18 '18 at 18:01
  • @motevalizadeh - The cookie code is really old and very unlikely to be changing between versions at this point. It makes no difference which .NET Framework you use. If there is a bug, it is most likely with your code. Like I said, it takes some work to develop a good solution for detecting cookie support. I suggest you use MS's working example as a starting point and then experiment with finding a way to make your login cookie check work. If all else fails, make your login page write a cookie and then redirect to itself with a query parameter to stop it from redirecting in a loop. – NightOwl888 Feb 18 '18 at 18:31
  • @NightOwl888 - I updated my question. Can you take a look at my Update section and let me know what your idea is? Thanks for your time – motevalizadeh Feb 19 '18 at 06:35
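
The write-then-redirect check suggested in the comments above, as an MVC 5 controller (an added example, not code from the question, the commenters, or Microsoft's documentation). The `cookiecheck` query parameter, the `CookiesRequired` view, the `Home/Index` landing page and the empty `LoginModel` stand-in are hypothetical; the controller name is taken from the `loginUrl` in the question's Web.config.

```csharp
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

public class LoginModel { }                           // stand-in for the question's model

public class AccountsController : Controller
{
    private const string ProbeCookie = "test";        // cookie name used in the question
    private const string ProbeFlag = "cookiecheck";   // hypothetical loop-guard parameter

    [HttpGet]
    public ActionResult Login()
    {
        // Read before writing: Response.Cookies.Add also makes the cookie
        // visible in Request.Cookies for the rest of the same request.
        bool cookieCameBack = Request.Cookies[ProbeCookie] != null;
        bool alreadyProbed = Request.QueryString[ProbeFlag] == "1";

        if (cookieCameBack)
            return View();                            // browser returned the probe

        if (!alreadyProbed)
        {
            // Set the probe and force a second request; only that request
            // can show whether the browser stored and returned the cookie.
            Response.Cookies.Add(new HttpCookie(ProbeCookie, "123")
            {
                HttpOnly = true,                      // no script needs to read it
                Secure = Request.IsSecureConnection,  // Web.config has requireSSL="false"
                Path = "/"
            });
            return RedirectToAction("Login",
                new RouteValueDictionary { { ProbeFlag, "1" } });
        }

        // Redirected once and still no cookie: stop here, do not loop.
        return View("CookiesRequired");               // hypothetical view name
    }

    [HttpPost]
    public ActionResult Login(LoginModel loginModel)
    {
        if (Request.Cookies[ProbeCookie] == null)
            return RedirectToAction("Login");         // re-run the probe via GET

        // ... credential check and forms-authentication ticket as in the existing project
        return RedirectToAction("Index", "Home");     // hypothetical landing page
    }
}
```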
