ASP.NET 4.0 forms authentication issues with IE11

As I mentioned earlier, solutions that rely on User-Agent sniffing may break, when a new browser or a new version of an existing browser is released. Unfortunately because ASP.NET also contains browser-specific code, the new Internet Explorer 11 may cause some problems there as well.

Lucky coincidence, that one day after my previous post Eric Lawrence published an article about IE11 and User-Agent sniffing. Some interesting facts from his article:

  • The IE team deliberately designed the UA string to cause most sniffing logic to interpret it either Gecko or WebKit and not as previous IE version.
  • During the summer the ASP.NET team published a set of patches to fix the IE11 issues in earlier .NET versions. For example KB2836939 is for .NET 4.0, and you can find more links in Eric’s article.

The issue we experienced was on an older server that was running ASP.NET 4.0. IE11 sent the forms authentication cookie to the server, but the server completely ignored it. In the web.config file the forms element didn’t contain the cookieless attribute, because the default UseDeviceProfile worked perfectly before, however now we had to set it to UseCookies to make the authentication work with IE11 as well.

The patch mentioned earlier was not installed on this server, and we have not seen similar issues on .NET 4.5.

By the way setting cookieless="UseCookies" explicitly is a good security practice.


Technorati-címkék: ,,,

11 thoughts on “ASP.NET 4.0 forms authentication issues with IE11

  1. Martin Thwaites

    Don’t know whether you’ve had the same experience as us… MVC3 sites function fine with the KB2836939 patch, however, MVC4 sites still fail on cookie auth without your solution.

    We’ve tried everything to match up the 2, we even tried a previous release of the site on the same server, app pool etc. that used MVC3 and it worked fine, just MVC4 that didn’t work.

  2. Brian

    Does added cokieless=”UseCookies” now make cookies required to access the web site? What if the site wishes to allow users who have cookies disabled?

    1. Balássy György Post author

      Yes, that option makes cookies required. But anyway, the web is potentially useless without cookies, due to the fact that most sites use cookies to implement authentication. However, you can still disable third party cookies, that is not affected by this setting.

  3. Struggling Dev

    Thanks a lot!!! My ASP.NET site that uses cross-domain authentication did not open in in IE11 without setting the browser manually to compatibility view. With cookieless=”UseCookies” it works now!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s