Conflict in Forms Authentication between two web sites
I faced a problem with authentication which looks like a conflict in user identity between two web sites.
Problem description: Two ASP.NET 2 web sites were deployed to the production environment, and both use Forms Authentication. If a user accesses these sites from two tabs of an Explorer window, then as soon as he logs in to the second web site, the authentication on the first web site is reset, i.e. Request.IsAuthenticated changes to False and Me.Page.User.Identity.Name becomes blank in the first web site.
In both web sites, the web.config sets:
<authentication mode="Forms">
And there is a login page which authenticates the user with code such as:
Protected Sub Login1_Authenticate(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.AuthenticateEventArgs) Handles Login1.Authenticate
    ' Demo check against hard-coded credentials
    If Login1.UserName = "U1" AndAlso Login1.Password = "PASS" Then
        ' Issue a non-persistent forms authentication cookie and redirect
        FormsAuthentication.RedirectFromLoginPage(Login1.UserName, False)
        e.Authenticated = True
    End If
End Sub
Individually, these websites work fine and Request.IsAuthenticated holds its value with no problem. The problem only occurs if the other website is accessed through a different tab of the same browser. I also tested that these websites work if they are installed on different servers.
I posted this problem to the Microsoft ASP.NET Forum, where I found the cause and the solution of the problem.
Solution:
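This problem occurs because no unique name is assigned to the forms authentication cookie. The authentication element should contain a forms subelement, and its name attribute, which names the authentication cookie, should be unique for each website. Otherwise two sites served from the same host read and overwrite the same cookie.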
Example:
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="Logon.aspx" name=".ASPXFORMSAUTH"></forms>
  </authentication>
</system.web>
In my case the problem could be fixed by changing the Web.config as follows.
Website 1:
<authentication mode="Forms">
  <forms name="App1Cookie" loginUrl="login.aspx" defaultUrl="default.aspx" timeout="20"></forms>
</authentication>
Website 2:
<authentication mode="Forms">
  <forms name="App2Cookie" loginUrl="login.aspx" defaultUrl="default.aspx" timeout="20"></forms>
</authentication>
Reference: http://msdn.microsoft.com/en-us/library/xdt4thhy.aspx
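The same check can be automated across every site on a server. The script below is an added example, not code from the original post: it parses each site's web.config, resolves the effective forms cookie name (falling back to the ASP.NET defaults `.ASPXAUTH` and path `/` when the attribute is missing) and reports sites on one host that share a cookie. The host name `intranet.example`, the site labels and the config strings are constructed sample input.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

DEFAULT_NAME = ".ASPXAUTH"  # ASP.NET default when <forms name="..."> is omitted
DEFAULT_PATH = "/"          # ASP.NET default cookie path

def forms_cookie(config_xml):
    """Return (name, path) of the forms-auth cookie, or None if mode is not Forms."""
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    auth = system_web.find("authentication") if system_web is not None else None
    if auth is None or auth.get("mode") != "Forms":
        return None
    forms = auth.find("forms")
    attrs = forms.attrib if forms is not None else {}
    # Strip stray whitespace so "App2Cookie " and "App2Cookie" are compared alike.
    return attrs.get("name", DEFAULT_NAME).strip(), attrs.get("path", DEFAULT_PATH)

def find_collisions(sites):
    """sites: {label: (host, web_config_xml)} -> {(host, path, name): [labels]}.
    Simplification: only identical cookie paths are treated as colliding."""
    seen = defaultdict(list)
    for label, (host, xml_text) in sites.items():
        cookie = forms_cookie(xml_text)
        if cookie is not None:
            name, path = cookie
            seen[(host.lower(), path, name)].append(label)
    return {key: sorted(labels) for key, labels in seen.items() if len(labels) > 1}

def _config(forms_element=""):
    # Constructed minimal web.config wrapper for the samples below.
    return ('<configuration><system.web><authentication mode="Forms">'
            + forms_element + '</authentication></system.web></configuration>')

# Constructed sample: both sites before the fix (no <forms name>), then after it.
BEFORE = {"site1": ("intranet.example", _config()),
          "site2": ("intranet.example", _config())}
AFTER = {"site1": ("intranet.example",
                   _config('<forms name="App1Cookie" loginUrl="login.aspx"/>')),
         "site2": ("intranet.example",
                   _config('<forms name="App2Cookie " loginUrl="login.aspx"/>'))}

if __name__ == "__main__":
    for title, sites in (("before", BEFORE), ("after", AFTER)):
        print(title, find_collisions(sites) or "no shared forms cookie")
```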