Missing asp.net forms authentication cookie

Question

We have a bizaar situation. We have the following in our web.config:

<authentication mode="Forms">
     <forms name="ASPDNSFGUID" loginUrl="SignIn.aspx" timeout="525600" /></authentication>

This is an ecommerce app, and the cookie is used to help us make sure that the contents of a basket is retained after they login, and this is not working. We've used this dozens of times before without problem.

The site is hosted on two front end web servers sitting behind a coyote point load balancer. We've noticed that when the site is viewed via HTTPS, the cookie is there, the authentication type is forms. HOWEVER, when we browse non-secure, the cookie is missing and the authentication type is not set. We know this because we created a page to print out all the headers for us.

Does anybody have any ideas on possible causes? We're wondering if the load balancer is stripping the cookie but we have no evidence of this, just a gut feel

Answer 1

We've noticed that when the site is viewed via HTTPS, the cookie is there, the authentication type is forms. HOWEVER, when we browse non-secure, the cookie is missing and the authentication type is not set.

This happens when you have set the requireSSL="true" on the <forms > tag.

How ever you can try to declare the domain="yourdomain.com" in the <forms > tag, with out the subdomain www. , because this can affect the cookie.

So first try this

<forms name="ASPDNSFGUID" domain="yourdomain.com" loginUrl="SignIn.aspx" 
          timeout="525600" />

then try to see if you have set programmatically the requireSSL.

Answer 2

Is the cookie set on https, and if so, are https and http on the same domain but different only by protocol? ie https://www.somesite.com and http://www.somesite.com

Because, if they have a different subdomain you will have issues unless you specify domain="somesite.com" in your <forms> element in the web.config