IIS Redirect Local Website

Question

2.00/5 (2 votes)

See more:

I've made a site with two pages: Login.aspx and Main.aspx. On the Login page I'm making a cookie containing information about the user, then with Response I'm sending the cookie to the Main page where I receive it and if it's not received I redirect the user back to Login. When I open the the website from Visual Studio everything works, but after I tried using it with Microsoft IIS as a localhost website, the page just can't change from the Login. Is it some option I need to set from IIS, or what I'm missing?

C#

HttpCookie cookie = new HttpCookie("autorization");
Response.Cookies["autorization"]["name"] = name;
Response.Cookies["autorization"]["password"] = pass.ToString();
Response.Redirect("Main.aspx");

Also tried using ~/Main.aspx, ./Main.aspx, /Main.aspx, full path with http://ip:port/Main.aspx. I can access Main by turning off the cookie receive in Main and typing it manually in the url bar, but not by the code from Login (even without cookie).

Why it works on Visual Studio but not on IIS? What should I change to make it works in IIS too? Thanks.

/*
I think it could be related to the retrieving of information from the SQL server through the Web server. I'm using the following string:

C#

Data Source=.\SQLEXPRESS;Initial Catalog=master;Integrated Security=SSPI;

Tried with server:localhost, with ip\SQLEXPRESS, with Integrated Security to false. May be I need to set something in the SQL to allow the information to pass through IIS, since it's works only with the Visual Studio. With tracing the sql I saw that the site started with IIS connects and retrieve the information from the database, but may be it's not passing it through the IIS.
*/

/*
The problem was in the SQL and ISS ApplicationPool communication. I've changed ApplicationPool Identity as Local System and in SQL under Logins I've changed the NT AUTHORITY\SYSTEM permission to access the specific database through Server Role (or if needed only specific database access - through User Mapping). Now I returned the Identity to ApplicationPoolIdentity and I'm using connection string with username and password.
*/

Posted 26-Nov-15 11:34am

Member 0123456789

Updated 27-Nov-15 0:38am

v9

Add a Solution

Comments

jgakenhe 26-Nov-15 19:17pm

If you have main.aspx as your default page in the web.config, it may cause the problem. When you run in VS, you may have set login.aspx as the default page in VS, not the web.config.

If that isn't it, you need to debug the login.aspx.cs and the main.aspx.cs and see what happens when you go over the redirect code.

Member 0123456789 27-Nov-15 0:47am

Login.aspx is set as the default document and I've tried using Main.aspx, including it with Login.aspx, changing the order and excluding it, but it's still refresh the page, when I press the button which execute the redirect code.

jgakenhe 27-Nov-15 0:54am

Try changing the website to anonymous in iis and take out the default login page from the web.config because you are not using forms authentication ticket, you are using a http cookie.

Member 0123456789 27-Nov-15 1:03am

The authentication was already set to anonymous and I've tried the combination without default document - using the ip/Login.aspx and it connects to the Login page, but not further redirects to Main.aspx. The whole situation works in Visual Studion and the cookie as you can see is session - you can see it at the browser too. I'm allowing it in both - VS and IIS. If I turn off the cookie check and visit directly the Main.aspx in IIS by typing ip/Main.aspx I can reach it, but I can't redirect it through the Login.aspx.

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Richard Deeming · Answer 1 · 2015-11-27T02:27:00

Storing the username and password in a cookie is an EXTREMELY bad idea.

The cookie is sent with every request to the site. Anyone on the network will be able to intercept the request and read the user's credentials.

Since you haven't marked the cookie as "HTTP-only", an attacker who managed to exploit an XSS vulnerability in your site would be able to read the user's credentials from javascript, and send them to their own server.

Don't try to re-invent the wheel. Use the built-in security features to secure your site.

Introduction to Membership | MSDN[^]
ASP.NET Membership and Role Provider[^]
ASP.NET Identity | The ASP.NET Site[^]
How to build (and how not to build) a secure "remember me" feature | Troy Hunt[^]