Calling FormsAuthentication.SignOut() removes the FormsAuthentication cookies in ASP.NET 1.1. Sometimes folks call it from their Login page, like this:
if (!Page.IsPostBack)
{
    FormsAuthentication.SignOut();
}
This says, "If this is a fresh load of this page, clear out the authentication cookies."
If this seems like a reasonable thing, that's because it is. However, if you run an ASP.NET 1.1 site under ASP.NET 2.0 without recompiling, as a number of dasBlog users do, you may get some odd behavior.
You'll visit the Login.aspx page and redirect to the Login.aspx page forever in a loop...it will make your URL look like this:
/Blog/login.aspx?ReturnUrl=%2fBlog%2flogin.aspx%3fReturnUrl%3d%252fBlog%252flogin.aspx%
253fReturnUrl%253d%25252fBlog%25252flogin.aspx%25253fReturnUrl%25253d%2525252fBlog%
525252flogin.aspx%2525253fReturnUrl%2525253d%252525252fBlog%252525252flogin.aspx%
52525253fReturnUrl%252525253d%25252525252fBlog%25252525252flogin.aspx%25252525253fReturnUrl%
5252525253d%2525252525252fBlog%2525252525252flogin.aspx%2525252525253fReturnUrl%2525252525253d%
52525252525252fBlog%252525252525252flogin.aspx%252525252525253fReturnUrl%252525252525253d%
5252525252525252fBlog%25252525252525252flogin.aspx%25252525252525253fReturnUrl%25252525252525253d%
525252525252525252fBlog%2525252525252525252flogin.aspx%2525252525252525253fReturnUrl%
525252525252525253d%252525252525252525252fBlog%252525252525252525252fLogin.aspx
Why? Because ASP.NET 2.0 added this code inside SignOut():
if (FormsAuthentication.CookieMode != HttpCookieMode.UseCookies)
{
    Response.Redirect(FormsAuthentication.GetLoginPage(null), false);
}
That's pretty interesting. If you call SignOut() it redirects you to the Login page, but only if your CookieMode isn't set to UseCookies. This is because ASP.NET 2.0 added support for cookieless FormsAuthentication. They store the auth information in the URL, and they redirect you because they want to clear the authentication info. Makes sense.
What doesn't make sense is why HttpCookieMode doesn't default to UseCookies. It defaults to Cookieless. Which is lovely under ASP.NET 2.0, but not under 1.1. It stays that way and confuses the system.
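To spot this loop in request logs, the added example below (not code from the original post) counts how many ReturnUrl layers point back at the page being requested. The function names, the threshold of 2 and the sample requests are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

def return_url_depth(url, max_depth=64):
    """Count consecutive ReturnUrl layers that point back at the requested page."""
    parts = urlsplit(url)
    page = parts.path.lower()  # compare case-insensitively: login.aspx vs Login.aspx
    depth = 0
    while depth < max_depth:
        # parse_qs removes exactly one layer of percent-encoding per pass
        query = {k.lower(): v for k, v in parse_qs(parts.query).items()}
        target = query.get("returnurl", [None])[0]
        if target is None:
            break
        parts = urlsplit(target)
        if parts.path.lower() != page:
            break  # normal case: ReturnUrl names a different page
        depth += 1
    return depth

def find_redirect_loops(urls, threshold=2):
    """Return (url, depth) for requests whose login page keeps redirecting to itself.

    threshold is an assumed cut-off: two or more self-referencing layers.
    """
    hits = []
    for url in urls:
        depth = return_url_depth(url)
        if depth >= threshold:
            hits.append((url, depth))
    return hits

# Constructed sample requests (not taken from a real log)
SAMPLE_REQUESTS = [
    "/Blog/login.aspx?ReturnUrl=%2fBlog%2fadmin.aspx",
    "/Blog/login.aspx?ReturnUrl=%2fBlog%2flogin.aspx",
    "/Blog/login.aspx?ReturnUrl=%2fBlog%2flogin.aspx%3fReturnUrl%3d%252fBlog%252fLogin.aspx",
    "/Blog/default.aspx",
]

if __name__ == "__main__":
    for url, depth in find_redirect_loops(SAMPLE_REQUESTS):
        print(depth, url)
```

Each pass through the loop decodes one level of the %25-escaping seen in the URL above, so the depth equals the number of times the login page redirected to itself.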
So, if you see this kind of infinite redirect with FormsAuthentication while running ASP.NET 1.1 applications under ASP.NET 2.0, you can add cookieless="UseCookies" to your
