Conflict in Form Authentication between two web sites
I faced a problem with authentication which sounds like conflicting between user identity between two web sites.
Problem description: Two ASP.Net 2 web sites were deployed to the production environment and both use Form Authentication. If a user access these sites from two tabs of an explorer window, as soon as he login in the second web site it reset the authentication on the first web site, i.e, change Request.IsAuthenticated to False and Me.Page.User.Identity.Name to BLANK in the first web site.
In both web sites:
set in the web.config:
And there is login page which authenticate the user with a code such as
Protected Sub Login1_Authenticate(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.AuthenticateEventArgs) Handles Login1.Authenticate If Login1.UserName = "U1" And Login1.Password = "PASS" Then FormsAuthentication.RedirectFromLoginPage(Login1.UserName, False) e.Authenticated = True End If End Sub
These websites individually work fine and Request.IsAuthenticated hold its value with no problem. The problem only occurs if the other website accesses trhough a different tab of the same browser. Also I tested these websites work if they installed on different Servers.
I posted this problem to Microsft ASP.Net Forum where I found the cause and the solution of the problem.
This problem occures because no unique name assigned to the Authentication element. The Authentication element should contain a Forms subelement and Forms has the Name attribute which should be unique for each website.
<system .web> <authentication mode="Forms"> <forms loginUrl="Logon.aspx" name=".ASPXFORMSAUTH"></forms> </authentication> </system>
In my case the problem could be fixed by changing the Web.config as follow.
</authentication><authentication mode="Forms"> <forms name ="App1Cookie" loginUrl="login.aspx" defaultUrl="default.aspx" timeout="20"></forms> </authentication>
<authentication mode="Forms"> <forms name ="App2Cookie " loginUrl="login.aspx" defaultUrl="default.aspx" timeout="20"></forms> </authentication>