
Microsoft small business knowledge base

Article ID: 310415 - Last Review: October 24, 2013 - Revision: 1.0

 
This article was previously published under Q310415
This article has been archived. It is offered "as is" and will no longer be updated.


SYMPTOMS

When you use mobile forms authentication, requests are not redirected to the page that is specified in the loginUrl attribute.

CAUSE

Mobile forms authentication is built on the ASP.NET forms authentication platform. A security issue exists when multiple Web applications use mobile forms authentication with the same cookie name, the same keys, and/or the same cookie path. In this scenario, a user who is authenticated in one application can make a request to the other application without being redirected to its logon page, because the second application accepts the first application's authentication ticket. However, authorization rules still apply: even though the user is authenticated on the second application without having explicitly logged on to it, the user may still be denied access to a resource because of that application's configuration.

RESOLUTION

To resolve this behavior, use one of the following methods:

Method 1

Provide a different value for the name attribute of the <forms> element in each application's Web.config file:

Web.config in application 1:

<forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" />

Web.config in application 2:

<forms name=".ASPXAUTH2" loginUrl="login.aspx" protection="All" />

Method 2

Provide a different value for the path attribute of the <forms> element in each application's Web.config file:

Web.config in application 1:

<forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" path="/app1" />

Web.config in application 2:

<forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" path="/app2" />

Method 3

Configure different keys for each application. Add a <machineKey> element to each application's Web.config file, and then set explicit values (the angle-bracketed values below are placeholders for generated keys):

<machineKey validationKey="<validationKey>" decryptionKey="<decryptionKey>" validation="SHA1" />

NOTE: See the articles in the "More Information" section to generate valid validation and decryption keys.
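An added audit script (not from this article or from Microsoft) that reads several Web.config fragments, extracts the cookie name, cookie path and machineKey values the article identifies, and reports pairs of applications that would accept each other's forms-authentication tickets. It goes slightly beyond the article in treating a cookie path that covers another application's path (for example "/" over "/app4") as shared, since the browser sends that cookie with requests to both; the sample configs, the placeholder key values and the treatment of a missing <machineKey> as the machine-wide default are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed Web.config fragments for the example (not from any real deployment).
# app1 and app2 share cookie name, path and keys; app3 changes only the cookie
# name (Method 1); app4 changes only the cookie path (Method 2); app5 sets its
# own <machineKey> (Method 3, with placeholder key values).
def _cfg(forms_attrs, machine_key=None):
    mk = f"<machineKey {machine_key} />" if machine_key else ""
    return (f'<configuration><system.web><authentication mode="Forms">'
            f"<forms {forms_attrs} /></authentication>{mk}</system.web></configuration>")

SAMPLE_CONFIGS = {
    "app1": _cfg('name=".ASPXAUTH" loginUrl="login.aspx" protection="All"'),
    "app2": _cfg('name=".ASPXAUTH" loginUrl="login.aspx" protection="All"'),
    "app3": _cfg('name=".ASPXAUTH2" loginUrl="login.aspx" protection="All"'),
    "app4": _cfg('name=".ASPXAUTH" loginUrl="login.aspx" protection="All" path="/app4"'),
    "app5": _cfg('name=".ASPXAUTH" loginUrl="login.aspx" protection="All"',
                 'validationKey="PLACEHOLDER_VKEY" decryptionKey="PLACEHOLDER_DKEY" validation="SHA1"'),
}

# Assumption: an application without its own <machineKey> uses the machine-wide key set.
SHARED_KEYS = "<machine-wide default>"

def ticket_scope(config_xml):
    """Return (cookie name, cookie path, keys): the triple that decides whether a ticket is accepted."""
    root = ET.fromstring(config_xml)
    forms = next(root.iter("forms"), None)
    mk = next(root.iter("machineKey"), None)
    name = forms.get("name", ".ASPXAUTH") if forms is not None else ".ASPXAUTH"  # ASP.NET default name
    path = forms.get("path", "/") if forms is not None else "/"               # ASP.NET default path
    keys = (mk.get("validationKey"), mk.get("decryptionKey")) if mk is not None else SHARED_KEYS
    return name, path.rstrip("/") + "/", keys

def path_covers(cookie_path, request_path):
    """Browsers send a cookie scoped to cookie_path with any request under that path."""
    return request_path.startswith(cookie_path)

def find_collisions(configs):
    """Sorted (app_a, app_b) pairs where a ticket issued by one app is accepted by the other."""
    scopes = {app: ticket_scope(xml) for app, xml in configs.items()}
    apps = sorted(scopes)
    pairs = []
    for i, a in enumerate(apps):
        for b in apps[i + 1:]:
            (na, pa, ka), (nb, pb, kb) = scopes[a], scopes[b]
            # Same cookie name, same keys, and the cookie reaches the other app's path.
            if na == nb and ka == kb and (path_covers(pa, pb) or path_covers(pb, pa)):
                pairs.append((a, b))
    return pairs
```

Running `find_collisions(SAMPLE_CONFIGS)` flags app1/app2, app1/app4 and app2/app4, while app3 (different name) and app5 (own keys) are isolated; note that app4 is still reachable with app1's "/"-scoped cookie, so Method 2 must set a distinct path in every application.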

STATUS

This behavior is by design.

MORE INFORMATION

For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:

312906 (http://support.microsoft.com/kb/312906/EN-US/) HOW TO: Create Keys by Using Visual C# .NET for Use in Forms Authentication
313091 (http://support.microsoft.com/kb/313091/EN-US/) HOW TO: Create Keys by Using Visual Basic .NET for Use in Forms Authentication
313116 (http://support.microsoft.com/kb/313116/EN-US/) PRB: Forms Authentication Requests Are Not Directed to loginUrl Page

APPLIES TO
  • Microsoft Mobile Internet Toolkit 1.0
Keywords: kbnosurvey kbarchive kbconfig kbcookie kbnofix kbprb kbsectools kbsecurity kbweb KB310415