Try our conversational search powered by Generative AI!

Issues implementing ASPNET Identity authentication


I'm trying to implement ASP.NET Identity authentication in an EPiServer 7.5 CMS instance (Web Forms), but have encountered a few issues along the way.

The issues occur when a user logs out (login, role allocation and CMS access is all great). Initially I encountered the known issue "Object reference not set to an instance of an object" in Microsoft.Owin.Security.Cookies.CookieAuthenticationProvider.Exception(CookieExceptionContext context).

I've implemented the workaround (manually setting the CookieAuthenticationProvider.OnException object) which got rid of the first exception, but lead me to the "Server cannot set status after HTTP headers have been sent.", also a known issue. The suggested work around as I understand is to check for and ignore this exception, which I've done.

However, after the log out process completes and the user is redirected to the home page I get a rather confusing "Access Denied" response from the server:

Raw Request:

GET http://localhost:54953/ HTTP/1.1
Host: localhost:54953
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __atuvc=105%7C2%2C153%7C3; ASP.NET_SessionId=ztbljztqggs5spjrl0t1gzgs; KeepLoggedOnUser=True
Connection: keep-alive

Raw Response:

HTTP/1.1 401 Unauthorized
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-SourceFiles: =?UTF-8?B?YzpcdXNlcnNcbmF0aGFuaWVsY294YWxsXGRvY3VtZW50c1x2aXN1YWwgc3R1ZGlvIDIwMTNcUHJvamVjdHNcRVBpU2VydmVyV2ViRm9ybXNBc3BuZXRJZGVudGl0eVxFUGlTZXJ2ZXJXZWJGb3Jtc0FzcG5ldElkZW50aXR5?=
X-Powered-By: ASP.NET
Date: Tue, 20 Jan 2015 16:34:48 GMT

Access denied.

This is the issue I'm asking for help with. I've managed to reproduce the problem in a fresh Web Forms Alloy site after implementing ASP.NET Identity authorisation (I'm happy to send this to anyone if needs be).

The steps I've taken to reproduce the issue are:

  • Create new EPiServer Web Forms Alloy site using VS templates
  • Follow the implementation guide on
    NOTE: there are some small differences in my implementation to this, but I'm certain nothing relevant to the issue.
  • Implement a register and login form to create new users and allow user logins
  • Implement logout form (firing IAuthenticationManager.SignOut())
  • Encounter the "Access Denied" response

The only way to get round the "access denied" message at this point is to clear your cookies, after which you are treated like a brand new user.

Can anyone help diagnose and resolve this issue? It's a bit of a show stopper for me as I can't stick with the standard Forms authentication and legacy membership provider.


Jan 20, 2015 18:00

I've just discovered that the cookie "KeepLoggedOnUser" may be the cause of the problem. Deleting this cookie from the browser and refreshing the request shows the page as expected. Any ideas on what or why this may be. Is it an EPiServer cookie?

Jan 20, 2015 18:32

I think I found the cause of the problem.

In the EPiServer.PageBase.KeepUserLoggedOn() method there is some logic relating to the KeepLoggedOnUser cookie, which in my situation ends up calling the DefaultAccessDeniedHandler.CreateAccessDeniedDelegate() method, which I suspect is why I get the Access Denied error.

private static void KeepUserLoggedOn()
      if (FormsSettings.IsFormsAuthentication || !Settings.Instance.UIKeepUserLoggedOn)
      if (HttpContext.Current.Request.Cookies["KeepLoggedOnUser"] != null)
        if (PrincipalInfo.CurrentPrincipal.Identity.IsAuthenticated)
        DefaultAccessDeniedHandler.CreateAccessDeniedDelegate()((object) null);
        if (!PrincipalInfo.CurrentPrincipal.Identity.IsAuthenticated)
        HttpContext.Current.Response.Cookies.Add(new HttpCookie("KeepLoggedOnUser", "True")
          Path = HttpContext.Current.Request.ApplicationPath

By disabling the config option UIKeepsUserLoggedOn, I no longer have the KeepUserLoggedOn cookie and the "after logout" issue is not longer occuring.

This method probably needs review to facilitate a site setup to only use ASP.NET Identity authentication.



Jan 20, 2015 18:57

Hi Nat!

Good that you found a solution to this. I did some more investigation and it seems that we are not officially supporting or testing with asp.NET Identity yet (even though we have done the most underlying changes to support it). So some issues, like this, might still exist. I think that the plan is to add support to this in a not to far future.

Jan 21, 2015 9:07

Hi Linus,

Thanks for the reply, it's good to know the offical status. I'm happy that it's working well enough for my needs and will continue to use it despite not being fully supported.

Do you have a rough ETA of when it might be fully supported?



Jan 21, 2015 10:50


I just got the information that we actually did release the asp.NET Identity support a few months back. There is documentation on how to implement a solution using asp.NET Identity here:

Jan 21, 2015 14:45

Hi Linus,

That's even better to know :), however that is the guide I followed in my implementation which came up with the issues described. Unless I've done something wrong it does seem that the KeepUserLoggedOn() method in the PageBase class does have a minor bug in it. The work around avoids it, but it had me scratching my head for some time...

Do I need to raise it as a bug on here?

Thanks again,


Jan 21, 2015 16:29

Hi, trying to implement this myself at the moment, it would be really useful if we knew what was in your package.config within the implementation example as theres lots of different versions of these classes floating around.

I've created the applicationuser, applicationmanager and signingmanager as per the episerver idenity owin implmentation example, I've also created the roles releated controllers and views.  Additionally, I've taken the account controller, models and views from the MVC5 single page app project.  Disabled forms auth in my config (couldnt find UIKeepsUserLoggedOn setting mentioned in Nats post?)

On startup of my project im getting:

Here is the list of versions of packages im currently using:

Any insights greatly appreciated, need to get this working asap.  Seems like there is a conflict between Microsoft.Owin and EnterpriseLibrary.Common v6 (which im using for another element of the project).

Edited, Feb 13, 2015 12:13

Got it working in the end, used version 5.5 of both el common and validation and all was well.  Still dont know why this would only get flagged up when the startup class scan occurred and not when it was run.

Tip for anyone doing this, its much easier to setup identity if your using vs 2013, because alot of the objects you require (the episerver example mentioned is shockingly incomplete, numerous bugs, action methods missing) are native with the right updates.

Feb 17, 2015 12:42

Hi Adam,

I am trying to implement the above. Would appreciate if you can guide me. I am using MVC version.

I am fairly new to Episerver (this is my first project on Episerver).




Mar 11, 2015 15:24

Hi Pankaj,

You can find a full example with use of MVC here.



Aug 26, 2015 14:39
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.