How to prevent 302 error dropping the .ASPXFORMSAUTH Cookie

  • Question

  • User-1735313474 posted

    I have a .Net 4.0 web app running Forms Authentication, running on IIS 7.5

          <forms loginUrl="Default.aspx" defaultUrl="Default.aspx" name=".ASPXFORMSAUTH" timeout="60000" slidingExpiration="true" cookieless="UseCookies" />

    I have a strange issue where, if I attempt to hit a page that has a missing image, it gives a 302 error but it overwrites my cookie and therefore causes the session to drop. I cannot put my finger on where or how this is happening.

    Example request

    GET /Lottery/media/LotteryMediaLibrary/IWG/Gold_Fish_Toon.jpg HTTP/1.1
    Accept: */*
    Referer: http://lottery/Play-Online/Instant-Win-Games/1-Euro-Fish-for-Gold?subgameid=1000136
    Accept-Language: en-GB
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E; BIZ!)
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    DNT: 1
    Host: lottery
    Cookie: CMSPreferredCulture=en-IE; cookie_decision=true; CMSPreferredUICulture=en-gb; CMSCookieLevel=1000; VisitorStatus=21059204509; CMSSplitMode=0|ga-IE|Vertical|1; ASP.NET_SessionId=2khfudsvwzqpk421vdc1domd; .ASPXFORMSAUTH=F6FE2449DBD1CF7EDC144A8C8E36C4C59D9FFF9A7414EA2BC4201C39129BD7FA93D0CD8D8B7DE06AA4FDEA7DE37A1DE3D1954EC89486857865F9E87AF7F016B3E4C95896D0D3CD409E16569276CFC04E2928FA8C0246D48F0F2F4EE9076CC984EDF40CD8ABF8A37C408F0DF6C34FAB7C5ED8031476B2873FB6427BE26D9B2FE5C6783E9B5D0EA6BCFC7F58C1C2D4119E
    

    Response Header

    HTTP/1.1 302 Found
    Cache-Control: private
    Location: /Lottery/media/LotteryMediaLibrary/IWG/Gold_Fish_Toon.jpg
    Server: Microsoft-IIS/7.5
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: .ASPXFORMSAUTH=; expires=Mon, 11-Oct-1999 23:00:00 GMT; path=/; HttpOnly
    X-Powered-By: ASP.NET
    Date: Sat, 22 Nov 2014 16:29:29 GMT
    Content-Length: 174


    I can see it is doing a Set-Cookie but can't work out how to either prevent this, or pass my current cookie back.

     

    Any help is greatly appreciated.

     

    Cheers,
    Craig

    Saturday, November 22, 2014 11:36 AM

All replies

  • User753101303 posted

    Hi,

    Do you have some kind of processing in place for 404 errors? Where is it supposed to redirect?

    I would have expected a 404, so for now it looks like there is some kind of custom handling for this "image not found" condition that would cause this issue as an unexpected consequence.

    What happens if you are trying to reach the same image location directly by typing the path in your browser address bar?

    Saturday, November 22, 2014 12:04 PM
  • User-1151753377 posted

    Hi Gambit

    About your issue, I think the links below may be helpful for you; you could have a look at them.

    http://support.microsoft.com/kb/910439

    http://forums.asp.net/t/2021744.aspx?Session+Timeout+problem+in+asp+net+#5816386

    Best Regards,

    Summer

    Thursday, November 27, 2014 4:02 AM
  • User-1607019229 posted

    Hi @Craig, I am facing the same issue. I wonder if you ever found a solution for this issue? This is a really annoying issue; I can see different references to it around the internet but no solution. I would really appreciate it if you have something to add in this regard.

    Thursday, January 28, 2021 12:13 PM
  • User-474980206 posted

    The browser is asking for

      http://lottery/Lottery/media/LotteryMediaLibrary/IWG/Gold_Fish_Toon.jpg

    and a redirect to the same URL is returned with a deleted cookie. I assume it's a different vdir than the calling page

        http://lottery/Play-Online/Instant-Win-Games/1-Euro-Fish-for-Gold?subgameid=1000136

    and it clears the cookie because it cannot decode it. Both sites appear to set the cookie path to the root rather than their vdir.

    Sunday, February 7, 2021 2:31 AM
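
Added example, not part of any post in this thread: a small check that can be run over captured request/response pairs (for instance from a proxy or Fiddler export) to flag the pattern shown in the question, a 302 back to the requested path that also deletes the forms-authentication cookie the browser sent. The sample messages are constructed from the exchange above with shortened cookie values; the function names are hypothetical.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the exchange in the question (cookie values shortened).
REQUEST = (
    "GET /Lottery/media/LotteryMediaLibrary/IWG/Gold_Fish_Toon.jpg HTTP/1.1\r\n"
    "Host: lottery\r\n"
    "Cookie: ASP.NET_SessionId=abc123; .ASPXFORMSAUTH=DEADBEEF\r\n\r\n"
)
RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /Lottery/media/LotteryMediaLibrary/IWG/Gold_Fish_Toon.jpg\r\n"
    "Set-Cookie: .ASPXFORMSAUTH=; expires=Mon, 11-Oct-1999 23:00:00 GMT; path=/; HttpOnly\r\n\r\n"
)

def parse(raw):
    """Return (start_line, [(header_name, value), ...]) for a raw HTTP message head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    return lines[0], [tuple(p.strip() for p in l.split(":", 1)) for l in lines[1:] if ":" in l]

def cleared_cookies(headers, now):
    """Names of cookies the response deletes: empty value and an expiry in the past."""
    names = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        pair, *attrs = [p.strip() for p in value.split(";")]
        cname, _, cvalue = pair.partition("=")
        for attr in attrs:
            key, _, val = attr.partition("=")
            # Cookie dates use dashes (11-Oct-1999); normalise before parsing.
            if key.lower() == "expires" and not cvalue \
                    and parsedate_to_datetime(val.replace("-", " ")) < now:
                names.append(cname)
    return names

def self_redirect_logout(request, response, auth_cookie=".ASPXFORMSAUTH", now=None):
    """True when a 302 back to the requested path also deletes the auth cookie that was sent."""
    now = now or datetime.now(timezone.utc)
    req_line, req_headers = parse(request)
    status_line, resp_headers = parse(response)
    sent = {c.split("=", 1)[0].strip()
            for n, v in req_headers if n.lower() == "cookie" for c in v.split(";")}
    location = next((v for n, v in resp_headers if n.lower() == "location"), None)
    return (status_line.split()[1] == "302" and location == req_line.split()[1]
            and auth_cookie in sent and auth_cookie in cleared_cookies(resp_headers, now))

if __name__ == "__main__":
    print(self_redirect_logout(REQUEST, RESPONSE))
```

A hit tells you which URL path cleared the cookie, which is the place to compare the forms cookie name and path against the application that issued it.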