How to prevent 302 error dropping the .ASPXFORMSAUTH Cookie

Question

User-1735313474 posted

I have a .Net 4.0 web app running Forms Authentication, running on IIS 7.5

      <forms loginUrl="Default.aspx" defaultUrl="Default.aspx" name=".ASPXFORMSAUTH" timeout="60000" slidingExpiration="true" cookieless="UseCookies" />

I have a strange issue where if I attempt to hit a page that has missing image it gives a 302 error but it overwrites my cookie and therefore causes session to drop. I cannot put my finger on where or how this is happening

example Request

GET /Lottery/media/LotteryMediaLibrary/IWG/Gold_Fish_Toon.jpg HTTP/1.1
Accept: */*
Referer: http://lottery/Play-Online/Instant-Win-Games/1-Euro-Fish-for-Gold?subgameid=1000136
Accept-Language: en-GB
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E; BIZ!)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
DNT: 1
Host: lottery
Cookie: CMSPreferredCulture=en-IE; cookie_decision=true; CMSPreferredUICulture=en-gb; CMSCookieLevel=1000; VisitorStatus=21059204509; CMSSplitMode=0|ga-IE|Vertical|1; ASP.NET_SessionId=2khfudsvwzqpk421vdc1domd; .ASPXFORMSAUTH=F6FE2449DBD1CF7EDC144A8C8E36C4C59D9FFF9A7414EA2BC4201C39129BD7FA93D0CD8D8B7DE06AA4FDEA7DE37A1DE3D1954EC89486857865F9E87AF7F016B3E4C95896D0D3CD409E16569276CFC04E2928FA8C0246D48F0F2F4EE9076CC984EDF40CD8ABF8A37C408F0DF6C34FAB7C5ED8031476B2873FB6427BE26D9B2FE5C6783E9B5D0EA6BCFC7F58C1C2D4119E

Response Header

HTTP/1.1 302 Found
Cache-Control: private
Location: /Lottery/media/LotteryMediaLibrary/IWG/Gold_Fish_Toon.jpg
Server: Microsoft-IIS/7.5
X-Frame-Options: SAMEORIGIN
Set-Cookie: .ASPXFORMSAUTH=; expires=Mon, 11-Oct-1999 23:00:00 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Sat, 22 Nov 2014 16:29:29 GMT
Content-Length: 174

I can see it is doing a Set-Cookie but cant workout how to either prevent this, or pass my current cookie back

 

Any help is greatly appreciated.

 

Cheers,
Craig

Answer 1

User753101303 posted

Hi,

Do you have some kind of processing in place for 404 errors? Where it is supposed to redirect?

I would have expected a 404 so for now it looks like there is some kind of custom handling for this "image  not found" condition that would cause this issue as an unexpected consequence.

What happens if you are trying to reach the same image location directly by typing the path in your browser address bar?

Answer 2

User-1151753377 posted

Hi Gambit，

About your issue, I think the links below maybe helpful for you, you could have a look at it.

http://support.microsoft.com/kb/910439

http://forums.asp.net/t/2021744.aspx?Session+Timeout+problem+in+asp+net+#5816386

Best Regards,

Summer

Answer 3

User-1607019229 posted

Hi @Craig, I am facing the same issue. I wonder if you ever found a solution for this issue? This is a really annoying issue, I can see different references of it around internet but no solution. I would really appreciate if you have something to add in this regards.

Answer 4

User-474980206 posted

the browser is asking for

  http://lottery/Lottery/media/LotteryMediaLibrary/IWG/Gold_Fish_Toon.jpg

and redirect to the same url is returned with a deleted cookie. I assume it’s a different vdir than the calling page

    http://lottery/Play-Online/Instant-Win-Games/1-Euro-Fish-for-Gold?subgameid=1000136

and it clears the cookie because it can not decode it. Both sites appear to set the cookie path to the root rather than their vdir.