Trouble Redirecting in Forms Authentication

From: Ryan Kelley (rmkelley@adelphia.net)
Date: 07/29/02


From: "Ryan Kelley" <rmkelley@adelphia.net>
Date: Mon, 29 Jul 2002 14:36:32 -0400


I have run through the tutorial at
http://www.gotdotnet.com/team/student/wintellect/aspnet_tutorial.aspx, and
am trying to create the same thing using VS.NET, instead of just creating
text files. The trouble I am having is when I try to manipulate the cookie
that will be sent after authentication is validated. The code handling the
Submit button is as follows:

string strRole;
if( AuthenticateUser( m_txtUser.Text, m_txtPassword.Text, out strRole ) )
{
    // get the authentication cookie
    HttpCookie cookie = FormsAuthentication.GetAuthCookie( m_txtUser.Text, m_chbxRemember.Checked );
    // set its timeout to 15 minutes from now
    cookie.Expires = DateTime.Now.AddMinutes( 15D );
    // add the role value to the cookie
    cookie.Values.Add( "Role", strRole );
    // add the cookie to the response
    Response.Cookies.Add( cookie );
    // send the authenticated user to the requested page
    string strRedirectUrl = FormsAuthentication.GetRedirectUrl( m_txtUser.Text, m_chbxRemember.Checked );
    Response.Redirect( strRedirectUrl, false );
}

This code is VERY similar to the tutorial mentioned above, only I've added a
Name/Value pair to the cookie's Values collection. Here's the trouble...
When the above code is executed, the cookie is either never sent down, or
never picked up by the RedirectUrl. I say this because I am sent BACK to
the login page. It appears as though the login page just refreshed, when
what is happening is the requested page is still not authenticated (no
cookie). Part of me is thinking it has something to do with the cookie
getting lost because the Response.Redirect call just performs the redirect,
and the cookie is never sent down.

If I just call FormsAuthentication.RedirectFromLoginPage(), it works just
fine. I go to the protected page, the cookie is there, and if the "Remember
Me" checkbox was not checked, then I am sent to the login page again after a
restart of IE. But I want to add information to the cookie that the
protected pages can use.

For information purposes, below are the two web.config files that are in the
web app directories.

web.config in the base directory:
    <authentication mode="Forms">
        <forms loginUrl="Login.aspx" />
    </authentication>
    <authorization>
        <allow users="?" />
    </authorization>

web.config in the subdirectory, where the "protected" pages live:
    <authorization>
        <deny users="?" />
    </authorization>

Any ideas?

--
Ryan Kelley
Software Engineer, MCP
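
Added example, not part of the original post or of the tutorial it refers to: adding a name/value pair changes the cookie's value string, which forms authentication expects to be exactly the encrypted ticket, so one way to carry the role is in the ticket's UserData field, where under the default protection setting it is encrypted and validated with the rest of the ticket. The class name RoleTicket and its method names are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the original post): carries the role inside
// the forms authentication ticket instead of as a cookie sub-value.
public sealed class RoleTicket
{
    private RoleTicket() {}

    // Call from the login handler once the credentials have been validated.
    public static void Issue(HttpResponse response, string user, string role, bool persistent)
    {
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                      // ticket version
            user,                   // becomes User.Identity.Name
            now,                    // issue time
            now.AddMinutes(15),     // expiry, checked server-side from the ticket
            persistent,
            role);                  // UserData travels inside the protected ticket

        // The cookie value is the encrypted ticket and nothing else.
        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (persistent)
            cookie.Expires = ticket.Expiration;   // otherwise it stays a session cookie
        response.Cookies.Add(cookie);
    }

    // Call from a protected page with Context.User; returns null when the
    // request carries no valid forms ticket.
    public static string ReadRole(IPrincipal user)
    {
        FormsIdentity id = (user == null) ? null : user.Identity as FormsIdentity;
        if (id == null || !id.IsAuthenticated)
            return null;
        return id.Ticket.UserData;
    }
}
```

In the Submit handler above this would replace the GetAuthCookie and Values.Add lines with RoleTicket.Issue( Response, m_txtUser.Text, strRole, m_chbxRemember.Checked ), followed by the same Response.Redirect call.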
