ASP.NET Membership API not working on Win2008 server/IIS7

Posted by Program.X on Stack Overflow See other posts from Stack Overflow or by Program.X
Published on 2010-06-07T09:28:44Z Indexed on 2010/06/07 9:32 UTC
Read the original article Hit count: 560

I have a very odd problem. I have a web app that uses the .NET Membership API to provide login functionality.

This works fine on my local dev machine, using WebDev 4.0 server.

I'm using .NET 4.0 with some URL Rewriting, but not on the pages where login is required.

I have a Windows Server 2008 with IIS7

However, the Membership API seemingly does not work on the server. I have set up remote debugging and the LoginUser.LoggedIn event of the LoginUser control gets fired okay, but the MembershipUser is null. I get no answer about the username/password being invalid so it seems to be recognising it.

If I enter an invalid username/password, I get an invalid username/password response.

Some code, if it helps:

    <asp:ValidationSummary ID="LoginUserValidationSummary" runat="server" CssClass="validation-error-list" 
         ValidationGroup="LoginUserValidationGroup"/>
    <div class="accountInfo">
        <fieldset class="login">
            <legend>Account Information</legend>
            <p>
                <asp:Label ID="UserNameLabel" runat="server" AssociatedControlID="UserName">Username:</asp:Label>
                <asp:TextBox ID="UserName" runat="server" CssClass="textEntry"></asp:TextBox>
                <asp:RequiredFieldValidator ID="UserNameRequired" runat="server" ControlToValidate="UserName" 
                     CssClass="validation-error" Display="Dynamic" ErrorMessage="User Name is required." ToolTip="User Name is required." 
                     ValidationGroup="LoginUserValidationGroup">*</asp:RequiredFieldValidator>
            </p>
            <p>
                <asp:Label ID="PasswordLabel" runat="server" AssociatedControlID="Password">Password:</asp:Label>
                <asp:TextBox ID="Password" runat="server" CssClass="passwordEntry" TextMode="Password"></asp:TextBox>
                <asp:RequiredFieldValidator ID="PasswordRequired" runat="server" ControlToValidate="Password" 
                     CssClass="validation-error" Display="Dynamic" ErrorMessage="Password is required." ToolTip="Password is required." 
                     ValidationGroup="LoginUserValidationGroup">*</asp:RequiredFieldValidator>
            </p>
            <p>
                <asp:CheckBox ID="RememberMe" runat="server"/>
                <asp:Label ID="RememberMeLabel" runat="server" AssociatedControlID="RememberMe" CssClass="inline">Keep me logged in</asp:Label>
            </p>
        </fieldset>
        <p class="login-action">
            <asp:Button ID="LoginButton" runat="server" CommandName="Login" CssClass="submitButton" Text="Log In" 
                 ValidationGroup="LoginUserValidationGroup"/>
        </p>

and the code behind:

protected void Page_Load(object sender, EventArgs e)
    {
        LoginUser.LoginError += new EventHandler(LoginUser_LoginError);
        LoginUser.LoggedIn += new EventHandler(LoginUser_LoggedIn);
    }

    void LoginUser_LoggedIn(object sender, EventArgs e)
    {
        // this code gets run so it appears logins work
        Roles.DeleteCookie(); // this behaviour has been removed for testing - no difference
    }

    void LoginUser_LoginError(object sender, EventArgs e)
    {
        HtmlGenericControl htmlGenericControl = LoginUser.FindControl("errorMessageSpan") as HtmlGenericControl;
        if (htmlGenericControl != null) htmlGenericControl.Visible = true;
    }

I have "Fiddled" with the Login form reponse and I get the following Cookie-Set headers:

Set-Cookie: ASP.NET_SessionId=lpyyiyjw45jjtuav1gdu4jmg; path=/; HttpOnly
Set-Cookie: .ASPXAUTH=A7AE08E071DD20872D6BBBAD9167A709DEE55B352283A7F91E1066FFB1529E5C61FCEDC86E558CEA1A837E79640BE88D1F65F14FA8434AA86407DA3AEED575E0649A1AC319752FBCD39B2A4669B0F869; path=/; HttpOnly
Set-Cookie: .ASPXROLES=; expires=Mon, 11-Oct-1999 23:00:00 GMT; path=/; HttpOnly

I don't know what is useful here because it is obviously encrypted but I find the .APXROLES cookie having no value interesting. It seems to fail to register the cookie, but passes authentication

© Stack Overflow or respective owner

Related posts about ASP.NET

Related posts about iis7