Case Study: User request is always redirected to the login page with Forms Authentication

 

A custom ASP.NET application running on IIS 7.5 (Windows 2008 R2) uses Forms Authentication.

The user reported that the request was always redirected to the login page after he entered the correct user name and password.

He noticed that the problem only occurred when he used the computer name to access the application. He did not experience the issue when he used the IP address.

We captured a network trace and found that the IIS server redirected the user request to Default.aspx after the user posted the user name and password. The server also set the .ASPXAUTH cookie because the user was authenticated.


The subsequent request was for Default.aspx. However, this request did not contain the .ASPXAUTH cookie, so the IIS server redirected it to the login page again.

We found that the computer name was “Test_Computer”, which contains an underscore (_).

According to the following article, IE would *not* send the cookie.

https://blogs.msdn.com/b/ieinternals/archive/2009/08/20/wininet-ie-cookie-internals-faq.aspx?PageIndex=5

Q5: IE won’t set a cookie when the hostname/domain contains an underscore?

A: Correct. Technically, an underscore (like this _ ) is not a DNS character, and while Windows will let you use an underscore when naming your machine, it warns you that doing so may cause problems. One such problem is that WinINET blocks attempts to set cookies on such domains. See https://support.microsoft.com/kb/316112/en-us

The solution is to rename the computer.

Conclusion

If IE does not send the cookie, we need to pay attention to the host header.

(Firefox and Chrome will still send the cookie in this scenario)
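The check described in this case, as an added example that is not part of the original post: it looks for a response that sets .ASPXAUTH followed by a request to the same host without it, then reports any Host header labels that break the DNS letters-digits-hyphen rule. The function names and the trace layout (a list of request/response header pairs) are assumptions, and the sample trace is constructed.

```python
import re

# DNS host label: letters, digits, hyphen; no leading or trailing hyphen.
LDH_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def bad_labels(host_header):
    """Labels of a Host header value that are not valid DNS host labels."""
    host = host_header.strip()
    if host.startswith("["):               # bracketed IPv6 literal: not a name
        return []
    host = host.split(":", 1)[0]           # drop an optional :port
    return [l for l in host.rstrip(".").split(".") if not LDH_LABEL.fullmatch(l)]

def cookie_names(header_value):
    """Cookie names carried in a Cookie request header value."""
    return {p.split("=", 1)[0].strip() for p in header_value.split(";") if p.strip()}

def dropped_auth_cookie(exchanges, name=".ASPXAUTH"):
    """Hosts where `name` was set by a response but missing from the next request."""
    findings = []
    for (req, resp), (next_req, _) in zip(exchanges, exchanges[1:]):
        set_names = {v.split("=", 1)[0].strip()
                     for k, v in resp if k.lower() == "set-cookie"}
        same_host = req["Host"].lower() == next_req["Host"].lower()
        sent = cookie_names(next_req.get("Cookie", ""))
        if name in set_names and same_host and name not in sent:
            findings.append({"host": req["Host"],
                             "bad_labels": bad_labels(req["Host"])})
    return findings

def sample_trace(host, browser_returns_cookie):
    """Constructed trace: login POST with a 302, then the follow-up GET."""
    login = ({"Host": host},
             [("Location", "/Default.aspx"),
              ("Set-Cookie", ".ASPXAUTH=PLACEHOLDER; path=/; HttpOnly")])
    follow = {"Host": host}
    if browser_returns_cookie:
        follow["Cookie"] = ".ASPXAUTH=PLACEHOLDER"
    return [login, (follow, [])]

if __name__ == "__main__":
    print(dropped_auth_cookie(sample_trace("Test_Computer", False)))
    print(dropped_auth_cookie(sample_trace("192.0.2.10", True)))
```

A finding with a non-empty `bad_labels` list points at the host name as the reason the cookie was not returned; an empty list means the cause lies elsewhere.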

Regards,

Xin Jin from APGC DSI Team