This project is read-only.

Upgrade from 2.0 to 2.5 Broke Auto-Login for Blog in Sub-Application

Dec 16, 2011 at 8:03 PM
Edited Dec 16, 2011 at 8:04 PM

Awhile back I installed BE 2.0 as a sub-application to my parent application and by configuring the forms authentication of the BE 2.0's web.config I was able to recognize users who logged into my parent application and authenticate them automatically.  Rather than providing 2 places for users to login, I force my users to login to the parent application, then when they do a cookie is created which was recognized by BE 2.0.  The pertinent web.config section look like:

        <authentication mode="Forms">
            <forms timeout="129600" name="CSWRFORMAUTH" protection="All" slidingExpiration="true" loginUrl="~/Account/login.aspx" cookieless="UseCookies"/>

The name "CSWRFORMAUTH" in this <forms> tag matches what is in my parent application and the machinekeys match as well.  In BE 2.0 this worked great but now that I've upgraded, BE 2.5 no longer recognizes users who login to my parent application.  I can login directly through BE and am able to authenticate against the database, so I know that login works, but I don't want the users to be able to log into 2 places so I need BE 2.5 to recognize my parent application's authenticated users.

I had to do a similar thing with my 3rd party forum application, and it recognizes my parent application's users just fine and logs them in, so I'm pretty sure something happened in the move from BE 2.0 to 2.5.

Any ideas?

Dec 16, 2011 at 8:35 PM

May be, check role manager and set it use same cookie, something like:

<roleManager cookieName=".BLOGENGINEROLES" ... cookiePath="/yourAppPath">

Jan 19, 2012 at 2:51 PM

I tried that but still doesn't recognize my users authenticated through my parent application.  I looked in my old installation and was previously able to recognize my authenticated users without editing the <roleManager> section.  Here are some code snippets from my web.configs for anyone who may be able to help out.

Parent App web.config

      <!-- Keys for encrypting and decrypting passwords, generated at the website -->
      <machineKey validationKey="B8C7F65D22B69591411086F3E0E68331064D46D3B43F7DB71F6AA6EE854475E10B92C030D7D41D75B3AB50F1B7B0F85126E68FFFE1F0114B825E6DD34D284D" decryptionKey="3B168CB07DFD5F5FB7EAFDA4CCB564788BD41ABFB37D45" validation="SHA1"/>

      <!-- Autentication -->
      <authentication mode="Forms">
        <forms name="CSWRFORMAUTH" protection="All" path="/" loginUrl="~/error/AccessDenied.aspx" timeout="2592000" cookieless="UseCookies"/>

      <!-- Roles -->
      <roleManager enabled="true"/>

      <membership defaultProvider="CSWR_MembershipProvider" userIsOnlineTimeWindow="15">
          <add name="CSWR_MembershipProvider" connectionStringName="LocalSqlServer" applicationName="/" enablePasswordRetrieval="true" enablePasswordReset="true" requiresQuestionAndAnswer="true" requiresUniqueEmail="true" passwordFormat="Encrypted" maxInvalidPasswordAttempts="5" passwordAttemptWindow="10" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=, Culture=neutral,&#xA;             PublicKeyToken=b03f5f7f11d50a3a"/>

      <!--Anonymous Users-->
      <anonymousIdentification cookieless="UseCookies" enabled="true"/>

BlogEngine web.config

        <machineKey validationKey="B8C7F65D22B69591411086F3E0E68331064D46D3B43F7DB71F6AA6EE854475E10B92C030D7D41D75B3AB50F1B7B0F85126E68FFFE1F0114B825E6DD34D284D" decryptionKey="3B168CB07DFD5F5FB7EAFDA4CCB564788BD41ABFB37D45" validation="SHA1"/>
        <authentication mode="Forms">
            <forms timeout="129600" name="CSWRFORMAUTH" protection="All" slidingExpiration="true" loginUrl="~/Account/login.aspx" cookieless="UseCookies"/>
        <pages enableSessionState="false" enableViewStateMac="true" enableEventValidation="true" controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID">
				<add namespace="App_Code.Controls" tagPrefix="blog"/>
		<customErrors mode="Off" defaultRedirect="~/error.aspx" redirectMode="ResponseRewrite">
			<error statusCode="404" redirect="~/error404.aspx"/>
		<membership defaultProvider="SqlMembershipProvider">
				<add name="XmlMembershipProvider" type="BlogEngine.Core.Providers.XmlMembershipProvider, BlogEngine.Core" description="XML membership provider" passwordFormat="Hashed"/>
				<!--<add name="SqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="BlogEngine" applicationName="BlogEngine"/>-->

        <add name="SqlMembershipProvider"

        <add name="DbMembershipProvider" type="BlogEngine.Core.Providers.DbMembershipProvider, BlogEngine.Core" passwordFormat="Hashed" connectionStringName="BlogEngine"/>
		<roleManager defaultProvider="SqlRoleProvider" enabled="true" cacheRolesInCookie="true"  cookieName="CSWRFORMAUTH">
                <add name="XmlRoleProvider" type="BlogEngine.Core.Providers.XmlRoleProvider, BlogEngine.Core" description="XML role provider"/>
                <!--<add name="SqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="BlogEngine" applicationName="BlogEngine"/>-->
                <add name="SqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="BlogEngine" applicationName="/"/>
                <add name="DbRoleProvider" type="BlogEngine.Core.Providers.DbRoleProvider, BlogEngine.Core" connectionStringName="BlogEngine"/>

Feb 16, 2012 at 4:26 PM
Edited Feb 16, 2012 at 4:49 PM

In performing more debugging, I have found that 2.5 seems to delete the parent application's authentication cookie when you navigate from the parent application to the subapplication.  My <authentication>, <machineKey>, and <membership> sections of my web.configs match EXACTLY as detailed here:

However, the authentication cookie named 'CSWRFORMAUTH' which is created when I login to my parent application is deleted when I navigate to the BE 2.5 home page.  I look in my cookies after navigating to the blog home page and sure enough the cookie is gone.  If I navigate back to my parent application it believes I am logged-out so it is very destructive.

After navigating to the blog, the 'CSWRFORMAUTH' cookie from my parent application is deleted and a new cookie named '.ASPXANONYMOUS' is created, so obviously the blog isn't recognizing the parent application cookie.  But I don't understand why it would delete the parent cookie.

There must have been a fundamental change with the way 2.5 handles cookies because this was working just fine before the upgrade to 2.5 and my sub-forum has no problem recognizing my parent application's authentication cookie.

Any ideas guys?

Feb 17, 2012 at 1:21 AM

Are you sure BE.NET is configured to use the same application pool as the parent app? Something to check...


Feb 17, 2012 at 2:08 AM

It's in a shared hosting environment so I'm not really sure, but like I said it was working before I upgraded BE to 2.5, and my forum (which is configured as a sub-application) works just fine and recognizes the authentication ticket.  Thanks for the suggestion though.

Feb 17, 2012 at 3:12 AM

BE 2.5 requires .NET 4.0 while BE 2.0 runs on .NET 3.5, so it is most likely you changed app pool, as 3.5 and 4.0 can not run on the same. What about your forum application? Is it .NET 4.0 also?

I don't believe BE changed anything in the way it handles cookies. What you can do is, create empty ASP.NET 4.0 website with single web.config and default.aspx and put it on your site either side-by-side or instead of new BE. Move from forum to that page and see if it will keep cookies. If it is there - then something in BE clears it up.

Feb 18, 2012 at 2:25 PM

Hi rtur,

My main application, my forum, and the blog are all definitely running .NET 4.0 as my hosts won't let you differentiate within a single account.  The reason I upgraded the blog is because I was forced to start using .NET 4.0 on the main application, so the others had to fall in line.  I may have been wrong in saying that I upgraded from 2.0 to 2.5, it may have actually been 1.6 to 2.5, but I don't think that's relevant.

All of my relevant config sections match as suggested by Microsoft to share cookies.  Here are the typical steps I'm performing.

1.  Login to parent application (login successful)

2.  Navigate to forum (authentication recognized)

3.  Navigate back to parent application (authentication recognized)

4.  Navigate to blog (authentication not recognized)

5.  Navigate back to parent application or forum (user has been logged-out).  Look in cookies, original authentication cookie gone.


Basically any time I navigate to the blog my current cookie gets destroyed and a .ASPXANONYMOUS cookie is created.  I can login to the blog directly, but the resulting cookie is not recognized by the parent application or the forum.

The only anomaly I've seen is that, if I login to my parent application only a single authentication cookie, CSWRFORMAUTH, is created.  However, if I log into the blog directly, 2 cookies are created, 'CSWRFORMAUTH' & 'CSWRFORMAUTH-27604f05-86ad-47ef-9e05-950bb762570c', not sure if that holds any clues.


Feb 18, 2012 at 11:40 PM

You seems to be rehashing the behavior you already described.  

This issue seems to be that even if you're using .NET 4.0 across the apps you could still be using different application pools.  One of the troubles with $19.95/month hosting is not having access to IIS Configuration information.  In this case you may want to ask the host provider via a Trouble Ticket to verify that BlogEngine.NET is indeed using the same application pool as the root application.  

Good luck,

Feb 19, 2012 at 2:20 AM

Verified that all applications are in the same pool.