FormsAuthentication.SetAuthCookie doesn't [Authorize] in MVC 5

c# asp.net-mvc authentication authorization

33,138

Solution 1

from web.config remove:

<modules>
  <!--<remove name="FormsAuthenticationModule" />-->
</modules>

or simples remove the line in web.config

Solution 2

EDIT: I did not know MVC5 defaulted new projects to having Forms Authentication removed (the module is removed) so make sure you also check DSR's comment under your originial post in conjuncture with all of this.

Check your web.config and look for the authentication section, it should look something like this,

<authentication mode="Forms">
  <forms loginUrl="..." cookieless="UseCookies" />
</authentication>

http://msdn.microsoft.com/en-us/library/1d3t3c61%28v=vs.85%29.aspx

The default cookieless value is "UseDeviceProfile" which means that cookies are used if the browser reports that it supports cookies, otherwise cookies are not used and it uses values in the querystring to maintain an authenticated state (which need to be retained accross postbacks).

Secondly, make sure cookies are on in your browser. If the device/browser does not support cookies or they are turned off then SetAuthCookie will make changes to the url, but you have to redirect the browser after the call to SetAuthCookie using...

FormsAuthentication.RedirectFromLoginPage(String, Boolean)...

That method redirects the page to it's destination after authentication with SetAuthCookie. RedirectFromLoginPage will put the required attributes in the url query to maintain the login session accross postbacks. If you do your own redirects on the site here and there you will need to maintain that url query parameter accross postbacks your self by checking if the current user is authenticated with HttpContext.Current.User.Identity.IsAuthenticated.

In order to send your users to the login page you should be using

FormsAuthentication.RedirectToLoginPage()

That method will add a returnUrl parameter to the query string, which the later function "RedirectFromLoginPage" will redirect back to after being authenticated.

If you block access to users or roles with location elements in your web.config to paths and resources Forms Authentication handles the redirection to the login page automatically when an un-authenticated user attempts to access them.

  <location path="SomeFolderOnYourSite">
    <system.web>
      <authorization>
        <deny users="?"/>
        <allow roles="Administrators"/>
      </authorization>
    </system.web>
  </location>

33,138

user655321

Updated on July 09, 2022

Comments

user655321 almost 2 years
I created a brand new ASP.NET MVC 5 project to test the [Authorize] attribute with FormsAuthentication.SetAuthCookie. I simply set a cookie in one action (in my Home controller):
```
    public ActionResult About()
    {
        FormsAuthentication.SetAuthCookie("someUser", false);
```
And I limit access to another:
```
    [Authorize]
    public ActionResult Contact()
    {
```
When I launch my web page and navigate to /home/contact, I am correctly redirected to a login page. Then I go to /home/about, get my cookie, and go back to the contact page. But I'm still redirected to the login page -- the cookie does not authenticate/authorize me.

In the debugger, HttpContext.User.Identity.IsAuthenticated == false when I load the About page multiple times (that is to say, it never sees me as being authenticated even after setting an auth cookie).

Is there some extra step that must be done here? I shouldn't need to set my own IPrincipal for basic authentication, should I?
- DSR over 9 years
  
  MVC5 no longer using forms authentication, check your web.config for <modules> <remove name="FormsAuthentication" /> </modules>. if you want to use it follow this article, you can use owin to handle it. blogs.msdn.com/b/webdev/archive/2013/07/03/…
- user655321 over 9 years
  
  After some research on OWIN, it seems this is the better option, seeing as how Microsoft is going in this direction for MVC 6. I used ASP.NET Identity Without A Database as an example for how to authenticate and authorize. It's a good deal more complex than a simple SetAuthCookie, but it seems more future-proof.
- Christine about 8 years
  
  Man, that's a bunch of doo doo. Why does Microsoft do that crap?
- Ikelie Cyril almost 6 years
  
  @DSR , I can't find <modules> <remove name="FormsAuthentication" /> </modules> in my web.config
Flea over 8 years

Saved my life and many hours that were almost wasted... thanks!!
Keith about 8 years

In my case this was <remove name="FormsAuthentication" />
Koshera about 8 years

Why is this not marked as the correct answer? Saved my life as well :)
Brad Bruce over 7 years

The time!!! It's gone forever. 8 hours to be precise. I'm glad I found this or more time gone. This fixed everything in under 2 minutes!
noobprogrammer over 4 years

It's so epic when experienced developers write 5-7 lines of code to solve the problem and then one person comes silently to destroy their answers. Haha! Wonderful Solution. You just saved my day man. Many thanks! :)
noobprogrammer over 4 years

Specifying wrong domain itself will not run the page. There will be run time error.
Josue Barrios about 3 years

Man you saved my life, I spent too many hours with this bug ... thank you so much!