Home/ Questions/Q 7846761
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-02T17:41:45+00:00

I have a website with ASP.NET Forms Authentication. I recently implement to save cookie

  • 0

I have a website with ASP.NET Forms Authentication. I recently implement to save cookie upon user login and now I found a problem. I am not 100% if the problem persist before or not.

The steps to reproduce are:

  1. go to my website with www (www.mysite.com)
  2. Login to the website.
  3. go to the website without www (mysite.com)
  4. It would ask me to login again so I did.
  5. Logout of the website. it redirect me to Login page.
  6. type http://www.mysite.com in the address bar and I found it still login.

So accessing to my website with or without (www) become like accessing to two different website. Logging out from http://www.mysite.com does not logout from mysite.com. The same with logging in, and vice versa.

Login page

    Login1_Authenticate Handles Login1.Authenticate

     Dim result As Boolean = UserLogin(userName, password)
     If (result) Then
        e.Authenticated = True
        If Login1.RememberMeSet = True Then
            SetCookies(userName)
        End If
        LoginCounter(userName)
     Else
        e.Authenticated = False
     End If

SetCookies()

    Dim tkt As FormsAuthenticationTicket
    Dim cookiestr As String
    Dim ck As HttpCookie

    tkt = New FormsAuthenticationTicket(1, userName, DateTime.Now(), DateTime.Now.AddDays(7), False, "")
    cookiestr = FormsAuthentication.Encrypt(tkt)
    ck = New HttpCookie(FormsAuthentication.FormsCookieName(), cookiestr)
    ck.Expires = tkt.Expiration
    ck.Path = FormsAuthentication.FormsCookiePath()
    HttpContext.Current.Request.Cookies.Remove(".ASPXAUTH")
    Response.Cookies.Add(ck)

    End Sub

Login Status Control on Master Page

    LoginStatus1_LoggingOut Handles LoginStatus1.LoggingOut

    FormsAuthentication.SignOut()
    Session.Clear()
    Session.Abandon()
    Dim cookie1 As New HttpCookie(FormsAuthentication.FormsCookieName, "")
    cookie1.Expires = DateTime.Now.AddYears(-1)
    Response.Cookies.Add(cookie1)

    Dim cookie2 As New HttpCookie("ASP.NET_SessionId", "")
    cookie2.Expires = DateTime.Now.AddYears(-1)
    Response.Cookies.Add(cookie2)

Web.config

    <authorization>
    <deny users="?"/>
    </authorization>

    <authentication mode="Forms">
    <forms name=".ASPXAUTH" loginUrl="Login.aspx" defaultUrl="Default.aspx" cookieless="UseCookies"  timeout="1440" path="/" protection="All"/>
    </authentication>

Solution: put this in Global.asax ..

     Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
     Dim fromurl As String = "http://mysite.com"
     Dim tourl As String = "http://www.mysite.com"
     If HttpContext.Current.Request.Url.ToString().ToLower().Contains(fromurl) Then
        HttpContext.Current.Response.Status = "301 Moved Permanently"
        HttpContext.Current.Response.AddHeader("Location", tourl)
     End If
     End Sub
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I would say the session cookie is (sub)domain specific.

    You need to redirect all requests from one domain to the other to force the browser to only use one session.

    • 0