ASP.Net FormsAuthentication Redirect Loses the cookie between Redirect and Application_AuthenticateR
- by Joel Etherton
I have a FormsAuthentication cookie that is persistent and works independently in a development, test, and production environment. I have a user that can authenticate, the user object is created, the authentication cookie is added to the response:
'Custom object to grab the TLD from the url
authCookie.Domain = myTicketModule.GetTopLevelDomain(Request.ServerVariables("HTTP_HOST"))
FormsAuthentication.SetAuthCookie(authTicket.Name, False)
Response.SetCookie(authCookie)
The user gets processed a little bit to check for a first time login, security questions, etc, and is then redirected with the following tidbit:
Session.Add("ForceRedirect", "/FirstTimeLogin.aspx")
Response.Redirect("~/FirstTimeLogin.aspx", True)
With a debug break, I can verify that the cookie collection holds both a cookie not related to authentication that I set for a different purpose and the formsauthentication cookie. Then the next step in the process occurs at the ApplicationAuthenticateRequest in the global.asax:
Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
Dim formsCookieName As String = myConfigurationManager.AppSettings("FormsCookieName")
Dim authCookie As HttpCookie = Request.Cookies(formsCookieName)
At this point, for this ONE user authCookie is nothing. I have 15,000 other users who are not impacted in this manner. However, for one user the cookie just vanishes without a trace. I've seen this before with w3wp.exe exceptions, state server exceptions and other IIS process related exceptions, but I'm getting no exceptions in the event log. w3wp.exe is not crashing, the state server has some timeouts but they appear unrelated (as verified by timestamps) and it only happens to this one user on this one domain (this code is used across 2 different TLDs with approximately 10 other subdomains).
One avenue I'm investigating is that the cookie might just be too large. I would think that there would be a check for the size of the cookie going into the response, and I wouldn't think it would impact it this way. Any ideas why the request might dumping the cookie?
NOTE: The secondary cookie I mentioned that I set also gets dumped (and it's very tiny).
EDIT-NOTE: The session token is NOT lost when this happens. However, since the authentication cookie is lost, it is ignored and replaced on a subsequent login.
