
MVC4 / IIS / Forms Authentication SSO issue

I've got a weird intermittent issue with MVC4 / IIS / Forms Authentication.

I've got a pair of sites that pass control to each other using SSO. Most of the time the handover occurs correctly and the user is redirected to the next site as intended. However, in some cases, the user is asked to log in again, even though valid SSO information was sent across. The SSO method is decorated with the [AllowAnonymous] attribute and the web.config also has a location entry granting access to /account/sso to all users.

It appears to occur when the destination site is being hit for the first time - once the app pool is warmed up, the issue disappears.

Some other points:

1. Both sites are .NET 4, so there should not be any legacy encryption issues.
2. This issue happens quite rarely (<10% of the time), so the code itself should be sound.
3. Hosting is IIS 7.5 on Win7 x64 locally, and Azure - happens in both places.
4. Seems to be browser independent.

<location path="account/sso">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>

[Authorize]
public class AccountController : BaseControllerTestable
{
    public AccountController()
        : base()
    {
    }

    // Anonymous entry point for the SSO handover; the caller passes the
    // token and the target URL to continue to.
    [AllowAnonymous]
    public ActionResult SSO(string AuthToken, string Target)
    {
        //SSO logic here
        throw new NotImplementedException(); // placeholder for the logic elided in the post
    }
}

Any ideas?

You have an Authorize attribute on your Controller class which means that your SSO method would have AllowAnonymous and Authorize applied to it. In this instance the Authorize attribute looks like it needs to be removed.

What is your BaseControllerTestable? Do you have any authorization attributes there? Your base class will be instantiated first before it will get to your other methods on the derived class. So if by any chance you have [Authorize] on the base controller, that may be an issue for you.

I think I've finally resolved it (we'll only know for sure once we've had a good while without recurrence, given that it was intermittent anyway).

A couple of factors came into play. Firstly, I noticed a few static items (CSS + JS files mostly) that were getting caught up in an authentication loop even though they should be freely accessible, so I added a location rule in web.config to make sure they were allowed to anonymous users. I also added a route exception to ignore favicon.ico requests for good measure too. This seemed to stop the code from tripping over itself when authenticating for the first time. Finally, the reason the issue was intermittent was due to another bug where if there were any other sessions open (DB driven) the issue didn't occur. This explained why the bug only happened early in the morning, i.e. all the sessions from the previous day had expired.
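The web.config side of the fix described in this answer, written out as an added example (this is not the asker's own configuration): the original location rule for the SSO endpoint, alongside rules that open the static asset folders to anonymous users while the rest of the site stays behind Forms Authentication. The folder names Content and Scripts and the login URL are the MVC4 project-template defaults and are assumptions here; substitute the paths the site actually serves its CSS and JS from.

```xml
<!-- web.config at the site root. Added example, not from the original post.
     "Content", "Scripts" and "~/account/login" are assumed MVC4 template defaults. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/account/login" timeout="30" />
    </authentication>
    <!-- Site-wide default: anonymous users are denied and redirected to loginUrl. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- The SSO landing endpoint must be reachable before the user has a ticket
       on this site; this mirrors the rule already in the question. -->
  <location path="account/sso">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Static assets. Without these rules the CSS/JS requests inherit the
       site-wide deny and get redirected to the login page, which is the
       "authentication loop" the answer describes. Only files that are
       meant to be public should live in these folders. -->
  <location path="Content">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="Scripts">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The `<location>` rules are needed because the MVC4 template runs IIS in integrated mode with `runAllManagedModulesForAllRequests="true"`, so FormsAuthenticationModule and UrlAuthorizationModule also process requests for static files rather than leaving them to the static file handler. The favicon exclusion mentioned in the answer is a single line in RouteConfig.RegisterRoutes, placed before the MapRoute calls: `routes.IgnoreRoute("favicon.ico");`. Keep the allow rules scoped to the asset folders only; a broader `<allow users="*" />` would silently undo the site-wide deny.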

