Forms Authentication - loginUrl page executed for each request (Chrome only)
I think I've pared this down as far as I can. It happens only when using Forms Authentication and only seems to work in IE. So far, I've found that both Chrome and Firefox cause the issue. I have a very simple ASP page that increments a counter (stored in a session variable) on each page load. The page is named test.asp and appears in my web root. Here are the contents:
<%
' Write the last value (obviously blank the first time)...
Response.Write "Last Num: " & Session("Num") & "<br>"
' Increment the counter...
Session("Num") = Session("Num") + 1
' Show the number we just saved...
Response.Write "This Num: " & Session("Num") & "<br>"
' Throw the session ID out there, too, to make sure it's consistent...
Response.Write "Session ID: " & Session.SessionID
%>
<form method="post" action="test.asp">
<input type="submit" value="Submit">
</form>
And I've stripped down my web.config as much as possible while still reproducing the issue. Here are its contents:
<configuration>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
<authentication mode="Forms">
<forms loginUrl="test.asp" />
</authentication>
</system.web>
</configuration>
Pretty basic stuff here. I've set test.asp as the "login" page and enabled runAllManagedModulesForAllRequests. Things work as expected. All requests are redirected to test.asp, as you'd expect. And test.asp loads fine, except it for what happens next...
Here's how the page appears in IE (v11), Chrome (v44), and Firefox (v39) when loading initially and after submitting:
Internet Explorer 11:
Google Chrome 44:
Mozilla Firefox 39:
When I click [Submit], I'm obviously expecting the Last Num value to be equal to the previous This Num. But that only happens in IE. In Chrome, it seems to be doing an extra increment. And in Firefox, it seems to be doing two! To make things more confusing, after that initial submission, Firefox properly increments by 1 each time. Chrome, however, continues to double-increment with each submission.
These are default browser installations. No added extensions or special configurations. Cookies are enabled in all three browsers (the default). I can see the ASPSESSIONID cookie using the developer tools of each browser. And, as you can see in the screenshots, the Session ID is created on page load and stays consistent throughout the session.
If I continue submitting, the results are the same. IE continues to work properly. The other browsers continue to double or triple increment.
Anyone seen this issue before? Or see where I may have gone wrong here? I've tried specifying cookieless="UseCookies" in the <forms> section of the web.config as well.
Edit 1 - Testing Elsewhere:
All of my testing to this point has been on my local PC: Windows 7 64-bit with IIS 7.5. Today, I connected to my eventual test server -- a Windows Server 2008 R2 box, also with IIS 7.5 -- and I get the same results there with my test page.
Edit 2 - loginUrl-related?
Using a new page, test2.asp, with the same content (and given explicit anon access via a <location> element in my web.config) works fine. So it seems to be loginUrl related? Maybe with every page request, it's calling the loginUrl page behind the scenes? But again, with some connection to Chrome/Firefox...
Edit 3 - More Proof:
I decided to log the value of This Num each time the page is executed. Here's what I'm seeing:
Internet Explorer:
8/4/2015 11:52:07 AM, Num=[1] Initial page load. One execution.
-----------------------------
8/4/2015 11:52:11 AM, Num=[2] All future submissions run once.
8/4/2015 11:52:16 AM, Num=[3]
8/4/2015 11:52:20 AM, Num=[4]
Chrome:
8/4/2015 11:34:58 AM, Num=[1] I get 2 executions on initial page load.
8/4/2015 11:35:00 AM, Num=[2] First execution (Num=1) appears in browser.
-----------------------------
8/4/2015 11:35:29 AM, Num=[3] Every submit causes page to run twice.
8/4/2015 11:35:29 AM, Num=[4]
-----------------------------
8/4/2015 11:35:49 AM, Num=[5]
8/4/2015 11:35:49 AM, Num=[6]
Firefox:
8/4/2015 11:36:25 AM, Num=[1] I get 3 executions on initial page load.
8/4/2015 11:36:25 AM, Num=[2] The first execution (Num=1) is the page
8/4/2015 11:36:25 AM, Num=[3] I see in the browser.
-----------------------------
8/4/2015 11:36:34 AM, Num=[4] All future submissions run once.
8/4/2015 11:36:43 AM, Num=[5]
8/4/2015 11:36:48 AM, Num=[6]
8/4/2015 11:36:53 AM, Num=[7]
Edit 4 - loginUrl Page Called on Every Request:
It seems any type of page request is causing test.asp to execute behind the scenes, which increments the session variable. And that must be because it's the page identified by loginUrl for Forms Auth. Combining the tests I did under edits 2 and 3, I granted anon access to a new test page (test2.asp) that doesn't do anything special -- just loads a static page. Here it is:
<html><body>I'm test2.asp</body></html>
And then I monitored the log file that test.asp appends to when it runs. Every time I requested test2, I would get a new entry in the log. So every time I made a page request, test.asp runs in the background (and increments the session variable). Here's how the log looked after three requests to my test2 page:
8/4/2015 12:20:57 PM, Num=[3]
8/4/2015 12:21:07 PM, Num=[4]
8/4/2015 12:21:14 PM, Num=[5]
test2.asp doesn't do anything with the session variable (nor logging) but there's the proof. So, for some reason, on Chrome, it runs the loginUrl page with each request. I think I can consider that to be proven. Now I just need a solution!
With the help of Fiddler, I was able to figure this out.
It seems both Chrome and Firefox make an additional request for your favicon.ico, whether or not you've specified that you're using one in your HTLM page. Internet Explorer, on the other hand, doesn't bother.
This was a problem for me for a few reasons:
- I didn't have one. I'd only just started my site and creating a
favicon.icowas step 274. - I'm using
runAllManagedModulesForAllRequests, so requests for icons, like all content, runs through Forms Authentication. - If you don't
<link>to one and specify its location, Chrome and Firefox try to grab one from your web root. Forms Authentication (and my web.config) have my root locked down. The only file being served from my root is myloginUrlpage.
Each time a request for favicon.ico was being made, Forms Authentication was disallowing it and redirecting the request to my loginUrl page, consequently causing my loginUrl page to be executed twice and screwing up my session values. The following Fiddler screenshots show the proof.
Chrome seems to request the icon on every page request:
Whereas Firefox seems to request it twice initially, for some reason, but then gives up for subsequent requests:
So, the solution:
- Create a
favicon.icofile and place it in your web root. Allow anonymous access to it via a
<location>element in your rootweb.config.<location path="favicon.ico"> <system.web> <authorization> <allow users="?" /> </authorization> </system.web> </location>
Alternatively (probably the preferred method, since you can designate the name and location):
- Create a
favicon.icofile and place it in a public subfolder, like/img. <link>to it properly within yourloginUrlpage.<link rel="icon" href="/img/favicon.ico">
- Automatically open Chrome developer tools when new tab/new window is opened
- Chrome Devtools ACTUAL data size/transferred
- Unable to Open Cookie File
- How to download older versions of Chrome from a google official site
- How to wait until an element exists?
- Access DOM elements inside iframe from chrome extension
- Bookmark :~:text= specifications
- console.log timestamps in Chrome
- Different results on Chrome and Safari for absolutely positioned elements when container-type: inline-size is set
- handle both mouse and touch events on touch screens
- svg path not drawing for single point on chrome surface
- Why does my Angular 9 sort routine work great when using Google Chrome (Ch131) browser, but works poorly (gets Wait msg) when using MS Edge (Ch131)?
- Is there any way to debug chrome in any IOS device
- Retrieve a request using the requestId after the response is received in Firefox extension
- Chrome DevTools Debugger freezing once it hits breakpoint
- Is it possible to save MHTML with scripts included?
- Is there any way to use Web Share Api for other browsers than Chrome
- Process.Start(...) Suddenly Fails when Called by ASP.NET MVC 5 Running in IIS on Windows 10 and Windows Server 2019
- Failed to load module script: Expected a JavaScript module script but the server responded with a MIME type of "text/html"
- Finding JavaScript memory leaks with Chrome
- Trying to use chrome_undetected selenium driver and portable chrome
- Video auto play is not working in Safari and Chrome desktop browser
- Google Chrome not launching on Ubuntu even after installing it
- Using Selenium on Mac Chrome
- Selenium - This version of ChromeDriver only supports Chrome version xx
- Debugging iframes with Chrome developer tools
- Chrome Print to PDF via Windows Command Prompt
- Using --js-flags in Google Chrome to get --trace output
- Using Google Charts in Chrome extension
- open multiple tabs on a single window by a single click using JavaScript