I have an ASP.NET website which uses forms authentication. When I provide a link to a secure page on the website in a Microsoft Word document, it sets a return URL even when I'm already logged in to the website. This means I am redirected to the login page, which then directs me to the unauthorised access page even though I am authorised to see the page.

My web.config code:

    <authentication mode="Forms">
      <forms protection="All" requireSSL="true" name="BSOAuthCookie" loginUrl="~/Login/Login.aspx" defaultUrl="~/secure/securepage.aspx" cookieless="UseCookies" timeout="30" />
    </authentication>

This is the code in the page load of my login page to redirect me to the unauthorised access page:

        If Request.IsAuthenticated AndAlso Not String.IsNullOrEmpty(Request.QueryString("ReturnUrl")) Then
            ' This is an unauthorized, authenticated request...
            Response.Redirect("~/UnauthorisedAccess.aspx")
        End If

If I put the same link in an email and click it, it appears to work fine.

1 Answer

Using requireSSL="true", you force the authenticated cookies to be readable only on secure pages; any unsecured page does not pass the authentication.

Add this assertion to your code, before the IsAuthenticated check, to double-check that you are being called from a secure page.

    Debug.Assert(HttpContext.Current.Request.IsSecureConnection,
                 "Must be on secure page");

Also set domain="sitename.com", without the www, to force the authenticated cookie to be set from both the domain and the subdomain.

    <authentication mode="Forms">
      <forms domain="sitename.com"
             protection="All" requireSSL="true" name="BSOAuthCookie"
             loginUrl="~/Login/Login.aspx" defaultUrl="~/secure/securepage.aspx"
             cookieless="UseCookies" timeout="30" />
    </authentication>

4 Comments

The link I'm clicking is to a secure page. All the requests are sent over https as soon as a user logs in. Also, in my page load method on the login page I have this block of code which amends http to https. Please see my page load method above.
Then try the domain - and set the Assertion to double check it.
Thanks Aristos! I have tried what you suggested but it is still doing the same.
@Azeem then do more debugging in the browser to see what and where that cookie is.
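
The two cookie attributes the answer relies on, modelled as an added example (not code from the question or the answer): requireSSL="true" marks the forms cookie Secure, and domain="sitename.com" widens it from the issuing host to the domain and its subdomains. The checks follow RFC 6265; the www.sitename.com host, the sample URLs and the function names are assumptions, and path matching is left out on the assumption that the cookie path is /.

```javascript
// Added illustration. Hosts, URLs and helper names are constructed for this example.

// RFC 6265 section 5.1.3: a host matches a cookie domain when it is identical
// to it or ends with "." + domain (so "notsitename.com" does not match).
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// cookie: { name, secure, domain (null = host-only cookie), setByHost }
// Returns whether a browser would attach the cookie to a request for requestUrl.
function browserSendsCookie(cookie, requestUrl) {
  const url = new URL(requestUrl);
  if (cookie.secure && url.protocol !== "https:") {
    return { sent: false, reason: "Secure cookie, request is not HTTPS" };
  }
  if (cookie.domain === null) {
    // No Domain attribute: only the exact host that set the cookie gets it back.
    if (url.hostname.toLowerCase() !== cookie.setByHost.toLowerCase()) {
      return { sent: false, reason: "host-only cookie, different host" };
    }
  } else if (!domainMatches(url.hostname, cookie.domain)) {
    return { sent: false, reason: "host outside cookie domain" };
  }
  return { sent: true, reason: "scheme and host match" };
}

// Constructed cookies: the question's config (no domain) and the answer's config.
const hostOnly = { name: "BSOAuthCookie", secure: true, domain: null,
                   setByHost: "www.sitename.com" };
const domainWide = { name: "BSOAuthCookie", secure: true, domain: "sitename.com",
                     setByHost: "www.sitename.com" };

// Constructed request URLs covering scheme and host variations of the same link.
const sampleUrls = [
  "https://www.sitename.com/secure/securepage.aspx",
  "http://www.sitename.com/secure/securepage.aspx",
  "https://sitename.com/secure/securepage.aspx",
  "https://notsitename.com/secure/securepage.aspx",
];

for (const u of sampleUrls) {
  const a = browserSendsCookie(hostOnly, u);
  const b = browserSendsCookie(domainWide, u);
  console.log(`${u}\n  no domain: ${a.sent} (${a.reason})\n  domain=sitename.com: ${b.sent} (${b.reason})`);
}
```
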
