Authentication loss with IE8 and MVC FileContentResult

Question

ASP.NET MVC2
.NET 3.5
FormsAuthentication
URL: domain.com/myapp
Problem area: Dynamically created PDFs returned as FileContentResult

Everything was working fine until IE8. With IE8, when the user opens a PDF and then returns to the app, he has lost his authentication. I added an expiry on the forms auth cookie and the problem appeared to be resolved. However, I later discovered that the same problem occurs in the parent app. With the persistent cookie, when the user continues in my app (domain.com/myapp), everything is fine, but when he returns to the parent app (domain.com) window he has lost his authentication. The parent app uses a proprietary authentication and authorization architecture that relies on session state.

So my understanding of the problem is that the FileSystemResult does not carry any session information and thus the session is lost. I understand that by adding an expiration to the cookie, the cookie is persisted and that enables the authorization to persist in my app, even when docs were opened.

~~I don't quite understand why adding an expiry to my cookie transferred the problem to the parent app.~~ So, I was wrong, this has been happening all along in the parent. Interestingly, when I hooked up Fiddler to watch what was going on, the problem went away.

Do you have suggestions to resolve this? I can't think of anything other than something really ugly like writing the file to the server and returning a page with a link to open the file directly.

Based on this question I think I am hosed.

How is the user returning to the app? Back button? Close PDF viewer? — Shiraz Bhaiji, Aug 03 '11 at 20:28
@Shiraz: the window stays open. The PDF download presents an Open-Save-Cancel download dialog box. — Les, Aug 03 '11 at 20:35
@Shiraz: also, the parent app opens the child in a new window — Les, Aug 03 '11 at 20:36
@TheCodeKing I'm not using session in my app. I inherited the parent app and, believe me, session being insecure is the LEAST of its problems. — Les, Sep 03 '11 at 13:38
I just referring to the statement: `The parent app uses a proprietary authentication and authorization architecture that relies on session state`. — TheCodeKing, Sep 03 '11 at 13:45

score 1 · Answer 1 · answered Sep 03 '11 at 02:00

1

There's some changes to the way IE8 handles persistance cookies which could be the route of your problems. There's an interesting post here that describes a possible solution.

The solution took us quite a while to find online believe it or not, and when we found it we wanted to kick ourselves for not finding it sooner. It all stems from the domain attribute of the forms authentication settings within the web.config file of your application. We typically left that attribute blank in our apps to make it easier to develop. Further, none of the other browsers above cared about that setting and functioned just fine. However, that changed in IE8 and now that attribute is required.

answered Sep 03 '11 at 02:00

TheCodeKing

19,064
3
47
70

Thanks for this information. It does explain why some users had log in problems that were resolved by their IT folks changing browser security settings. Unfortunately it does not change the behavior in the parent app - users are still logged out of the parent after viewing the PDFs in my app. If they don't view any PDFs they can continue in the parent without logging in again. – Les Sep 06 '11 at 14:16
Try turning off session state in the PDF child application. Difficult to know what's happening if the parent implementation is proprietary. Use fiddler to monitor the cookies as you click the link. Does this open the `self`? Is it on the same domain? – TheCodeKing Sep 06 '11 at 14:24

Authentication loss with IE8 and MVC FileContentResult

1 Answers1