// thinkbeforecoding

ASP.NET authentication cookie oddities...

2008-12-29T17:24:12 / jeremie chassaing

Back to low level considerations.

In order to use a specific and shareable encryption scheme between sites, we had to bypass the FormsAuthentication.Encrypt method and write a new one.

Something strange happened then. When using our implementation, the cookie disappeared!

The cookie was added to the Response.Cookies, but was not present in the Request.Cookies of the following request.

After a deep search, it appeared that the cookie was actually sent to the browser. Why wouldn’t it be sent back?

The really weird thing was that the cookie data was in the Response.Headers, but not in Response.Cookies!!!

It seems that when parsing the Cookie header, ASP.NET strips off the .ASPXAUTH cookie if it cannot be decrypted by FormsAuthentication.Decrypt!

The solution was to use another cookie name, and everything was working again!

If it can save 2 hours of your precious time…
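
As an added example (not code from the original post), here is one way to issue and read a custom-encrypted ticket under a cookie name other than the forms authentication one. The class name `SharedTicketCookie`, the cookie name `.SHAREDAUTH`, the key parameters and the choice of AES-CBC with HMAC-SHA256 are assumptions; the post does not say which scheme was used.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;
// Added example: SharedTicketCookie, CookieName and the key parameters are hypothetical.
public static class SharedTicketCookie
{
    public const string CookieName = ".SHAREDAUTH"; // anything but FormsAuthentication.FormsCookieName
    public static void Issue(HttpResponse response, string user, DateTime expiresUtc, byte[] encKey, byte[] macKey)
    {
        // Guard against the collision described in the post: a ticket that
        // FormsAuthentication.Decrypt cannot read must not use its cookie name.
        if (string.Equals(CookieName, FormsAuthentication.FormsCookieName, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Custom ticket must not reuse the forms cookie name.");
        using (var aes = Aes.Create())
        using (var hmac = new HMACSHA256(macKey))
        {
            aes.Key = encKey; // 16, 24 or 32 bytes; aes.IV is random per instance
            byte[] plain = Encoding.UTF8.GetBytes(expiresUtc.Ticks + "|" + user);
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
            byte[] body = aes.IV.Concat(cipher).ToArray();
            byte[] token = body.Concat(hmac.ComputeHash(body)).ToArray(); // encrypt-then-MAC
            response.Cookies.Add(new HttpCookie(CookieName, HttpServerUtility.UrlTokenEncode(token)) { HttpOnly = true, Secure = true });
        }
    }
    public static string Read(HttpRequest request, byte[] encKey, byte[] macKey)
    {
        HttpCookie cookie = request.Cookies[CookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        byte[] raw;
        try { raw = HttpServerUtility.UrlTokenDecode(cookie.Value); } catch (FormatException) { return null; }
        if (raw == null || raw.Length < 16 + 16 + 32) return null; // IV + one block + tag
        byte[] body = raw.Take(raw.Length - 32).ToArray();
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey)) expected = hmac.ComputeHash(body);
        int diff = 0;
        for (int i = 0; i < 32; i++) diff |= expected[i] ^ raw[body.Length + i]; // constant-time compare
        if (diff != 0) return null; // tampered, or written with another key
        using (var aes = Aes.Create())
        using (var dec = aes.CreateDecryptor(encKey, body.Take(16).ToArray()))
        {
            string plain = Encoding.UTF8.GetString(dec.TransformFinalBlock(body, 16, body.Length - 16));
            string[] parts = plain.Split(new[] { '|' }, 2);
            return long.Parse(parts[0]) > DateTime.UtcNow.Ticks ? parts[1] : null; // reject expired tickets
        }
    }
}
```

`Read` returns the user name only when the MAC verifies and the ticket has not expired; every site sharing the cookie needs the same two keys.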