FormsAuthentication and FireFox

February 9, 2016      .net Programming, Website Design

I have encountered an issue where my users were unable to log into my ASP.net application when using the FireFox browser. Other browsers worked fine: IE, Edge, Chrome. So I knew it wasn't a global issue.

First some background. The application in question uses standard Forms Authentication, meaning it uses the web.config settings for its configuration and the standard .net System.Web.Security.FormsAuthentication class. I have used this for years in numerous applications without incident.

So what was the problem this time?

Apparently, FireFox is less forgiving about its cookie names than other browsers - and this was the root of my issue. In my web.config, I had set it as follows:

<authentication  mode="Forms">
  <forms  loginUrl="~/Member/Login.aspx"  timeout="2880"  defaultUrl="~/Member/Home.aspx"
     name="My Application"  path="/" />
</authentication>

Note the "My Application" in bold. This name attribute is used as the name of the authentication cookie (which you can prove by inspecting the cookies sent by the browser for authenticated users).

As I found out, FireFox does not accept spaces in its cookie names and therefore was refusing the authentication cookie. So when a user clicked the "Login" button they got sent to their home page (which requires authentication) but since FireFox refused to create the cookie they were directed back to the sign in page. Not good.

Luckily the fix was simple:

<authentication mode="Forms">
  <forms loginUrl="~/Member/Login.aspx" timeout="2880" defaultUrl="~/Member/Home.aspx"
     name="MyApplication"  path="/" />
</authentication>

Once I remove the space from the value of the name attribute (from "My Application to "MyApplication"), FireFox accepted the cookie and everything worked as it should.

Phew!

I thought this was worth sharing as extensive online searches turned up nothing....