I am trying to log in to my own application, and i have discovered something strange. When I am sending a POST request to a login controller, it somehow redirects itself to a GET login controller, and displays login form with an action set to http://localhost:5898/(X(1)S(1tgv3m2psb2cxqaw4koiyhyt))/Account/Login. Now what the hell is this (X(1)S(1tgv3m2psb2cxqaw4koiyhyt)) thing? Why is it there, and what does it do? And on top of that, how do i get rid of it? I do not want it in there...
It appears that you have set the session provider in your web.config (or on IIS) to use a Cookieless session state. This is the session identifier for your session.
http://msdn.microsoft.com/en-us/library/aa479314.aspx#cookieless_topic2
To get rid of it, you would need to change your sessionState element in your web.config to cookieless="false"
SessionState Web.Config element information
Those things are seen in asp.net when you disable cookie in your browser or your application settings. that is cookieless asp.net. you can start debugging your app from there.
hope it helps
Related
Due to an unknown reason, my website does not send ASP.NET_SessionId cookie to browser neither on local debugging IIS nor on deploying IIS, therefore my Session is always empty on each page. In IIS preferences 'Session state' is set to 'In process' (sorry, maybe not exact translation, I have localized IIS). Any ideas on this matter?
ADDITION 1: Well, I switched sessionState mode to <sessionState cookieless="UseUri" />. Url address in browser now contains (S(fn215g55r4kws155lbfaxf55)) tag, but Session property of the ASPX page is empty ANYWAY. So... my website is still sessionless without any obvious reason.
ADDITION 2. I created blank website on the same debug server and session cookie works okay there - values are persisted between calls. So, the problem is related to my main website or its web.config, I believe.
ADDITION 3. As mentioned #Damien_The_Unbeliever, the problem is really related to setting values. I do not know why, but session is completely ignores line Context.Session[promoCodeSessionKey] = (int?)promoCode.Id;. No cookie is send after this line. But if session is already created in another place and cookie is set, this line will work correctly.
ADDITION 4. I found the reason. See the answer below.
WOOHOO!! I found the reason! There was EnableSessionState="ReadOnly" directive in ASPX's <%# Page tag. Please pay attention, that a) because of this Session was not working on master page as well, and b) there are no exceptions!!
I'm testing my asp.net website on my local server (Windows Server 2008, IIS 7.0.6), and when I type in just the IP address in my browser, e.g.,
192.168.0.5
it comes back like this:
http://192.168.0.5/(S(u0nmzwxobbwpuk1mtvuybwn0))/default.aspx
The weird stuff between .0.5/ and /default.aspx changes every time I type in the ip and hit enter.
The content shows up correctly, but obviously there's a problem with the url.
Sounds like you might be using cookieless sessions.
Basically ASP.NET is storing your session id in the query string instead of storing it in a cookie. Looks gross, but allows you to use session state when someone does not accept cookies. You can read more here.
Guessing here - in your web.config file, you have set the sessionState cookieless attribute to UseUri or to true.
See the documentation on the sessionState element.
Seems like you Have Cookieless Sessions enabled. Below article illustrates the behavior:
MSDN - Cookie Less Sessions in ASP.NET
Changing the Setting in Web.Config can change the behavior:
<sessionState cookieless="true" />
We're currently having an issue with cookieless sessions in ASP.NET, according to the documentation on MSDN here when you use AutoDetect:
ASP.NET determines whether the requesting browser or device supports cookies. If the requesting browser or device supports cookies, AutoDetect uses cookies to persist user data; otherwise, an identifier is used in the query string. If the browser or device supports cookies, but cookies are currently disabled, cookies are still used by the requesting feature.
Notice the query string part! Now if it were indeed added to the URL like &sessionId=yoursessionidhere it's all fine but actually what I get are URLs like this: http://yourserver/folder/(session ID here)/default.aspx.
So my question is: How would I configure ASP.NET to use the querystring (as it claims) instead of this URL defacing method?
UPDATE:
I'm adding the config value we use in our web.config:
<sessionState mode="StateServer" stateConnectionString="tcpip=127.0.0.1:42424" cookieless="AutoDetect" timeout="20" />
Reading this resource here http://forums.asp.net/t/1480365.aspx/1 do you have the cookieless="UseUri" setting in the web.config - try deleting that from what I gather it may help! Do let me know!
Additionally it would probably be worth posting your config block in the question.
Ive done some more digging and found this post which covers the request handling in the source code for MVC - using the session id in the URL for routing looks to be baked in pretty deep - see the excepted answer code blocks Possible Bug With ASP.NET MVC 3 Routing?
I'll keep looking for you but this one has me stumped! I think you need to get this question in front of someone like Hanselmann, Haack or Skeet.
Have a portal which uses forms authentication
LoginUrl=Login.aspx DefaultUrl=Default.aspx
User credentials are in db... So during login, we get all the user credentials - so we reach db, user authenticated (Fidler shows http 302 for default.aspx), redirect to deault.aspx and back to login page again as we don't authenticated but we do IT!!!
have 4 machines on the project - 3 works ok - mine - not! Compare all the data - I have the same web config, iis setting etc
what it could be?
Thanks
If you have a web farm you need to ensure that all servers in the farm share the same machineKey because if you have autogenerated and different machine keys the authentication ticket might not be properly decrypted.
Did you set a domain on the forms element in the web.config file? If so, the request url must be within the domain or forms authentication just wont work. Localhost won't work either.
If you're testing on a development system you may want to add a fully qualified domain name to the hosts file ( [SystemDrive]:\Windows\System32\Drivers\Etc\hosts ).
so, I fixed the problem... the reason - my inattention...
so, I use fiddler again to analyze my requests/responses... so,
1) go to Default
2)redirect to Login and input login-password
3)the user found in db - FormAuthentication ticket created
4)redirect to Default
5) User became non-authenticated and move back to login page....
so Fiddler shows that on step 3 cookies created and debug shows that the user authenticated. But no cookie passed to Dfeault page.
I found that cookies from Login page has "secure" mark. It means that I have requireSSL=true property in webconfig... but requireSSL has value false on default... so, something overwrites it... I found one more config file in folder of top level with requireSSL=true... when I remove top-level config file - everything start work fine...
surely standard situation to miss someting... but such interesting effect I see first time - to do authentication and its break during redirect to default page - may be it helps somebody to save his/her time in further...
but anyway - thanks the people answer me for the problem :)
My site has the following url format: www.mysite.com/Display.aspx?ID=128
However most users see the url as
www.mysite.com/Display.aspx?ID=128&AspxAutoDetectCookieSupport=1
How can I avoid &AspxAutoDetectCookieSupport=1 from appearing in the url.
Is it to do something with cookie in web.config, but where? And what would be the implications if I remove that. How to remove?
Session State and Forms Authentication can both be set up in the web.config file to operate without cookies - this is called "cookieless configuration". When this happens, ASP.Net can be set to try to compensate for lack of cookies by using the query string as a cookie substitute. This is what is causing your unwanted querystring parameters.
You should look in your web.config for "cookieless = AutoDetect" or "cookieless = UseUri".
Changing the setting to "cookieless = UseCookies" will ensure that the cookieless feature will not be used, and hence it won't be appending the AspxAutoDetectCookieSupport to your URL.
The implications of this is that users who browse with cookies turned off will not be able to have Session data or use Forms Authentication. This may or may not affect your target audience, you'll have to judge that for yourself.
Edit: Here's the MSDN link for the cookieless feature: http://msdn.microsoft.com/en-us/library/aa479315.aspx