Home > Security, WebDev, Windows 8 > ASP.NET 4.0 forms authentication issues with IE11

ASP.NET 4.0 forms authentication issues with IE11

As I mentioned earlier, solutions that rely on User-Agent sniffing may break, when a new browser or a new version of an existing browser is released. Unfortunately because ASP.NET also contains browser-specific code, the new Internet Explorer 11 may cause some problems there as well.

Lucky coincidence, that one day after my previous post Eric Lawrence published an article about IE11 and User-Agent sniffing. Some interesting facts from his article:

  • The IE team deliberately designed the UA string to cause most sniffing logic to interpret it either Gecko or WebKit and not as previous IE version.
  • During the summer the ASP.NET team published a set of patches to fix the IE11 issues in earlier .NET versions. For example KB2836939 is for .NET 4.0, and you can find more links in Eric’s article.

The issue we experienced was on an older server that was running ASP.NET 4.0. IE11 sent the forms authentication cookie to the server, but the server completely ignored it. In the web.config file the forms element didn’t contain the cookieless attribute, because the default UseDeviceProfile worked perfectly before, however now we had to set it to UseCookies to make the authentication work with IE11 as well.

The patch mentioned earlier was not installed on this server, and we have not seen similar issues on .NET 4.5.

By the way setting cookieless="UseCookies" explicitly is a good security practice.

 

Technorati-címkék: ,,,
  1. Ben
    November 19, 2013 at 11:45

    Thanks a lot for the information. This change to the web.config file worked perfectly for me.

  2. November 24, 2013 at 18:59

    typo, should be cookieless not cookiless

  3. Martin Thwaites
    November 25, 2013 at 14:01

    Don’t know whether you’ve had the same experience as us… MVC3 sites function fine with the KB2836939 patch, however, MVC4 sites still fail on cookie auth without your solution.

    We’ve tried everything to match up the 2, we even tried a previous release of the site on the same server, app pool etc. that used MVC3 and it worked fine, just MVC4 that didn’t work.

  4. ashish asati
    November 28, 2013 at 11:00

    Thanks Sir,

  5. Imst
    December 2, 2013 at 10:00

    Thanks, you saved my day and probably the entire week :)

  6. Brian
    December 3, 2013 at 17:13

    Does added cokieless=”UseCookies” now make cookies required to access the web site? What if the site wishes to allow users who have cookies disabled?

    • December 3, 2013 at 19:39

      Yes, that option makes cookies required. But anyway, the web is potentially useless without cookies, due to the fact that most sites use cookies to implement authentication. However, you can still disable third party cookies, that is not affected by this setting.

  7. Struggling Dev
    January 5, 2014 at 22:57

    Thanks a lot!!! My ASP.NET site that uses cross-domain authentication did not open in in IE11 without setting the browser manually to compatibility view. With cookieless=”UseCookies” it works now!

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: