Click here to Skip to main content
14,243,524 members
Rate this:
Please Sign up or sign in to vote.
I've made a site with two pages: Login.aspx and Main.aspx. On the Login page I'm making a cookie containing information about the user, then with Response I'm sending the cookie to the Main page where I receive it and if it's not received I redirect the user back to Login. When I open the the website from Visual Studio everything works, but after I tried using it with Microsoft IIS as a localhost website, the page just can't change from the Login. Is it some option I need to set from IIS, or what I'm missing?

HttpCookie cookie = new HttpCookie("autorization");
Response.Cookies["autorization"]["name"] = name;
Response.Cookies["autorization"]["password"] = pass.ToString();
Response.Redirect("Main.aspx");


Also tried using ~/Main.aspx, ./Main.aspx, /Main.aspx, full path with http://ip:port/Main.aspx. I can access Main by turning off the cookie receive in Main and typing it manually in the url bar, but not by the code from Login (even without cookie).

Why it works on Visual Studio but not on IIS? What should I change to make it works in IIS too? Thanks.

/*
I think it could be related to the retrieving of information from the SQL server through the Web server. I'm using the following string:
Data Source=.\SQLEXPRESS;Initial Catalog=master;Integrated Security=SSPI;

Tried with server:localhost, with ip\SQLEXPRESS, with Integrated Security to false. May be I need to set something in the SQL to allow the information to pass through IIS, since it's works only with the Visual Studio. With tracing the sql I saw that the site started with IIS connects and retrieve the information from the database, but may be it's not passing it through the IIS.
*/

/*
The problem was in the SQL and ISS ApplicationPool communication. I've changed ApplicationPool Identity as Local System and in SQL under Logins I've changed the NT AUTHORITY\SYSTEM permission to access the specific database through Server Role (or if needed only specific database access - through User Mapping). Now I returned the Identity to ApplicationPoolIdentity and I'm using connection string with username and password.
*/
Posted
Updated 27-Nov-15 0:38am
v9
Comments
jgakenhe 26-Nov-15 19:17pm
   
If you have main.aspx as your default page in the web.config, it may cause the problem. When you run in VS, you may have set login.aspx as the default page in VS, not the web.config.

If that isn't it, you need to debug the login.aspx.cs and the main.aspx.cs and see what happens when you go over the redirect code.
Member 0123456789 27-Nov-15 0:47am
   
Login.aspx is set as the default document and I've tried using Main.aspx, including it with Login.aspx, changing the order and excluding it, but it's still refresh the page, when I press the button which execute the redirect code.
jgakenhe 27-Nov-15 0:54am
   
Try changing the website to anonymous in iis and take out the default login page from the web.config because you are not using forms authentication ticket, you are using a http cookie.
Member 0123456789 27-Nov-15 1:03am
   
The authentication was already set to anonymous and I've tried the combination without default document - using the ip/Login.aspx and it connects to the Login page, but not further redirects to Main.aspx. The whole situation works in Visual Studion and the cookie as you can see is session - you can see it at the browser too. I'm allowing it in both - VS and IIS. If I turn off the cookie check and visit directly the Main.aspx in IIS by typing ip/Main.aspx I can reach it, but I can't redirect it through the Login.aspx.

1 solution

Rate this:
Please Sign up or sign in to vote.

Solution 1

Storing the username and password in a cookie is an EXTREMELY bad idea.

The cookie is sent with every request to the site. Anyone on the network will be able to intercept the request and read the user's credentials.

Since you haven't marked the cookie as "HTTP-only", an attacker who managed to exploit an XSS vulnerability in your site would be able to read the user's credentials from javascript, and send them to their own server.

Don't try to re-invent the wheel. Use the built-in security features to secure your site.

Introduction to Membership | MSDN[^]
ASP.NET Membership and Role Provider[^]
ASP.NET Identity | The ASP.NET Site[^]
How to build (and how not to build) a secure "remember me" feature | Troy Hunt[^]
   
Comments
Member 0123456789 30-Nov-15 4:05am
   
You're not really answering the question, but the post is really helpful for the beginners. You can set this up from the web.config too - for all cookies. Thanks you.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)




CodeProject, 503-250 Ferrand Drive Toronto Ontario, M3C 3G8 Canada +1 416-849-8900 x 100