I'm trying to implement ASP.NET Identity authentication in an EPiServer 7.5 CMS instance (Web Forms), but have encountered a few issues along the way.
The issues occur when a user logs out (login, role allocation and CMS access are all great). Initially I encountered the known issue "Object reference not set to an instance of an object" in Microsoft.Owin.Security.Cookies.CookieAuthenticationProvider.Exception(CookieExceptionContext context).
I've implemented the workaround (manually setting the CookieAuthenticationProvider.OnException object) which got rid of the first exception, but led me to the "Server cannot set status after HTTP headers have been sent." error, also a known issue. The suggested workaround, as I understand it, is to check for and ignore this exception, which I've done.
However, after the log out process completes and the user is redirected to the home page I get a rather confusing "Access Denied" response from the server:
GET http://localhost:54953/ HTTP/1.1
Host: localhost:54953
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __atuvc=105%7C2%2C153%7C3; ASP.NET_SessionId=ztbljztqggs5spjrl0t1gzgs; KeepLoggedOnUser=True
Connection: keep-alive

HTTP/1.1 401 Unauthorized
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-SourceFiles: =?UTF-8?B?YzpcdXNlcnNcbmF0aGFuaWVsY294YWxsXGRvY3VtZW50c1x2aXN1YWwgc3R1ZGlvIDIwMTNcUHJvamVjdHNcRVBpU2VydmVyV2ViRm9ybXNBc3BuZXRJZGVudGl0eVxFUGlTZXJ2ZXJXZWJGb3Jtc0FzcG5ldElkZW50aXR5?=
X-Powered-By: ASP.NET
Date: Tue, 20 Jan 2015 16:34:48 GMT
This is the issue I'm asking for help with. I've managed to reproduce the problem in a fresh Web Forms Alloy site after implementing ASP.NET Identity authorisation (I'm happy to send this to anyone if needs be).
The steps I've taken to reproduce the issue are:
The only way to get round the "access denied" message at this point is to clear your cookies, after which you are treated like a brand new user.
Can anyone help diagnose and resolve this issue? It's a bit of a show stopper for me as I can't stick with the standard Forms authentication and legacy membership provider.
I've just discovered that the cookie "KeepLoggedOnUser" may be the cause of the problem. Deleting this cookie from the browser and refreshing the request shows the page as expected. Any ideas on what or why this may be? Is it an EPiServer cookie?
I think I found the cause of the problem.
In the EPiServer.PageBase.KeepUserLoggedOn() method there is some logic relating to the KeepLoggedOnUser cookie, which in my situation ends up calling the DefaultAccessDeniedHandler.CreateAccessDeniedDelegate() method, which I suspect is why I get the Access Denied error.
    private static void KeepUserLoggedOn()
    {
        if (FormsSettings.IsFormsAuthentication || !Settings.Instance.UIKeepUserLoggedOn)
        {
            // ... (branch body not included in the post)
        }
        if (HttpContext.Current.Request.Cookies["KeepLoggedOnUser"] != null)
        {
            // ... (branch body not included in the post)
        }
        HttpContext.Current.Response.Cookies.Add(new HttpCookie("KeepLoggedOnUser", "True")
        {
            Path = HttpContext.Current.Request.ApplicationPath
        });
    }
By disabling the config option UIKeepsUserLoggedOn, I no longer have the KeepUserLoggedOn cookie and the "after logout" issue is no longer occurring.
This method probably needs review to facilitate a site setup to only use ASP.NET Identity authentication.
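A sign-out helper that clears the marker cookie instead of disabling the setting, given here as an added example that is not from the original posts or from EPiServer. It assumes, as observed above, that the leftover KeepLoggedOnUser cookie is what triggers the 401, and that the site signs in with the default ApplicationCookie authentication type; LogoutHelper and SignOutAndClearKeepLoggedOn are hypothetical names.

```csharp
using System;
using System.Web;
using Microsoft.AspNet.Identity;

// Added illustration: LogoutHelper and its method are hypothetical names,
// not part of EPiServer or of the posts in this thread.
public static class LogoutHelper
{
    // Cookie name as it appears in the decompiled KeepUserLoggedOn() above.
    private const string KeepLoggedOnCookie = "KeepLoggedOnUser";

    public static void SignOutAndClearKeepLoggedOn(HttpContextBase context)
    {
        if (context == null) throw new ArgumentNullException("context");

        // End the ASP.NET Identity session (assumes the default
        // ApplicationCookie authentication type is the one in use).
        context.GetOwinContext().Authentication
               .SignOut(DefaultAuthenticationTypes.ApplicationCookie);

        // A browser only replaces a cookie when name and Path both match,
        // so expire it with the same Path the decompiled code sets.
        var expired = new HttpCookie(KeepLoggedOnCookie, string.Empty)
        {
            Path = context.Request.ApplicationPath,
            Expires = DateTime.UtcNow.AddYears(-1)
        };
        context.Response.Cookies.Set(expired);

        // Done last, because writes to Response.Cookies can repopulate
        // Request.Cookies: code running later in this same request should
        // not see the marker either.
        context.Request.Cookies.Remove(KeepLoggedOnCookie);
    }
}
```

Call it from the logout handler before any redirect is issued, so the expired cookie is written while response headers can still be set.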
Good that you found a solution to this. I did some more investigation and it seems that we are not officially supporting or testing with ASP.NET Identity yet (even though we have done most of the underlying changes to support it). So some issues, like this, might still exist. I think that the plan is to add support for this in the not too distant future.
Thanks for the reply, it's good to know the official status. I'm happy that it's working well enough for my needs and will continue to use it despite not being fully supported.
Do you have a rough ETA of when it might be fully supported?
I just got the information that we actually did release the ASP.NET Identity support a few months back. There is documentation on how to implement a solution using ASP.NET Identity here:
That's even better to know :), however that is the guide I followed in my implementation which came up with the issues described. Unless I've done something wrong it does seem that the KeepUserLoggedOn() method in the PageBase class does have a minor bug in it. The workaround avoids it, but it had me scratching my head for some time...
Do I need to raise it as a bug on here?
Hi, trying to implement this myself at the moment, it would be really useful if we knew what was in your package.config within the implementation example, as there are lots of different versions of these classes floating around.
I've created the applicationuser, applicationmanager and signingmanager as per the EPiServer identity OWIN implementation example, I've also created the roles-related controllers and views. Additionally, I've taken the account controller, models and views from the MVC5 single page app project. Disabled forms auth in my config (couldn't find the UIKeepsUserLoggedOn setting mentioned in Nat's post?)
On startup of my project I'm getting:
Here is the list of versions of packages I'm currently using:
Any insights greatly appreciated, need to get this working ASAP. Seems like there is a conflict between Microsoft.Owin and EnterpriseLibrary.Common v6 (which I'm using for another element of the project).
Got it working in the end, used version 5.5 of both el common and validation and all was well. Still don't know why this would only get flagged up when the startup class scan occurred and not when it was run.
Tip for anyone doing this: it's much easier to set up identity if you're using VS 2013, because a lot of the objects you require (the EPiServer example mentioned is shockingly incomplete, numerous bugs, action methods missing) are native with the right updates.
I am trying to implement the above. Would appreciate if you can guide me. I am using MVC version.
I am fairly new to Episerver (this is my first project on Episerver).
You can find a full example with use of MVC here.