ASP.Net Forms Authentication, Safari/Chrome on iPhone and Persistent Cookies



I couldn’t resist writing about the solution to the following problem, as I have spent several hours on this.

If you are on .Net and you don’t want the user to type his username/password every time he comes to your website (even if he closes the browser and opens it again), you would typically use .Net’s Forms Authentication’s persistent cookie feature.

In your project you would use the following code:

//c# code
FormsAuthentication.SetAuthCookie(userName, true /*createPersistentCookie*/);

<!--web.config-->
<authentication mode="Forms">
	<!--2880 minutes is 48 hours-->
	<forms loginUrl="~/Account/SignIn" timeout="2880"/>
</authentication>

The above solution works well on all major desktop browsers but does not work on iPhone/iPad/iPod browsers like Safari & Chrome. I am not mentioning Opera because it does not behave the way modern browsers do.

I have spent several days looking for the solution.

The second suggestion from Scott Hanselman along with this suggestion from Brian Y worked only partially.

STEP 1:

Scott suggests adding the cookieless="UseCookies" attribute as follows.

<authentication mode="Forms" >
  <forms loginUrl="~/Account/SignIn" timeout="2880" cookieless="UseCookies" />
</authentication>

STEP 2:

Brian suggests adding the following XML block to a .browser file (browser definition file) under the App_Browsers folder in the project. Read Scott’s article mentioned above to learn about browser definition files.

<!--This is part of browser definition file remember. Not web.config. -->
<browser refID="Mozilla" >
    <capabilities>
        <capability name="cookies"  value="true" />
    </capabilities>
</browser>

This worked only partially: if the user closed the browser and opened it again, the cookie was remembered and the user was signed in without being asked for credentials. But timeout="2880" was ignored, so it worked only for 30 minutes.

And finally, a few more days of hunting brought me to this article, which suggests adding a machineKey element to your web.config.

STEP 3:
The above-mentioned article suggests generating a machineKey with this online tool and adding it to your web.config.
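
The machineKey values are what encrypt and sign the Forms Authentication ticket, so they are secrets and can be generated on your own machine rather than by a third-party site. The PowerShell below is an added example, not code from this post or the linked article; the function names New-HexKey and New-MachineKeyElement are hypothetical, and the HMACSHA256/AES settings assume .NET Framework 4.0 or later.

```powershell
# Added example: build a <machineKey> element from locally generated random keys.
# Assumes .NET Framework 4.0+ on the web server (validation="HMACSHA256").

function New-HexKey {
    param([Parameter(Mandatory)][int]$ByteCount)

    # Fill a buffer from the operating system's cryptographic random generator
    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $rng.GetBytes($bytes)
    }
    finally {
        $rng.Dispose()
    }

    # machineKey expects plain hex digits with no separators
    return -join ($bytes | ForEach-Object { $_.ToString('X2') })
}

function New-MachineKeyElement {
    # 64-byte key for the HMACSHA256 signature, 32-byte (256-bit) key for AES
    $validationKey = New-HexKey -ByteCount 64
    $decryptionKey = New-HexKey -ByteCount 32

    $template = '<machineKey validation="HMACSHA256" validationKey="{0}" ' +
                'decryption="AES" decryptionKey="{1}" />'
    return $template -f $validationKey, $decryptionKey
}

# Paste the printed element inside <system.web> in web.config
New-MachineKeyElement
```

Use the same element on every server that has to accept the same cookie, and keep the real values out of public source control.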

That’s it!! The combination of STEP 1, STEP 2 & STEP 3 above will bring you to a working solution.

I was extremely thrilled to see Safari & Chrome working past several hours. This was not an easy thing to crack. Thanks to all the people involved in providing different solutions to this problem.

Thanks to the readers :)

6 thoughts on “ASP.Net Forms Authentication, Safari/Chrome on iPhone and Persistent Cookies”

  1. Hattensh

    Hi, I tried this solution but it's not working for me. Is your solution working for subfolders, i.e. I have a members sub folder that is protected?

  2. Hattensh

    Yes, I have reproduced the error. When I protect the whole website Forms Authentication works, but when I am protecting a single folder, e.g. members, it doesn't work. Any ideas?

  3. Gautam Jain

    I have tried only for the whole website. Sorry, not sure how folder-based authentication works.

  4. gany__

    I cannot get forms authentication to work with iOS 6 Safari or Chrome on iOS 6.

    I have no idea where to go.

    Does anyone else have any more feedback on this?

  5. Excellent blog! I have been struggling with this issue on an ASP.NET MVC 4 website when accessed through the iOS 6 Chrome browser (both on iPhone and iPad) for a few days now. I did get bits and pieces of it, but the combination of the 3 items is what did the trick for me. The interesting part is I was only experiencing this problem with Google Chrome, not Safari. I am glad the issue was resolved.

    Thanks Again!
    Pete

  6. Hey, this is very helpful, as authorization and authentication is the major part of a website. Thank you for your wonderful guidance. :)
