Components won't load on the login page in forms authentication mode

This post has 11 replies

Top 75 Contributor
Posts: 70
cansub Posted: Fri Dec 11, 2009 @ 10:35 AM

This is a strange and interesting problem!

First let me explain the scenario. I have a FormsAuthentication website, which redirects everything to login.aspx unless the user logs in. I also have a logout.aspx. The reason for this is that when the last user didn't log out and the server session is left in an invalid state, the user is redirected to logout.aspx, which cleans the session and starts a new one.

Login.aspx.cs (Simplified) >>

    protected void Page_Load(object sender, EventArgs e)
    {
        if (HttpContext.Current.User.Identity.IsAuthenticated && Session["FullName"] != null)
            Response.Redirect("~/UsersView.aspx");
        else if (HttpContext.Current.User.Identity.IsAuthenticated)           
            Response.Redirect("~/Logout.aspx");

    }


 
Logout.aspx.cs >>

    protected void Page_Load(object sender, EventArgs e)
    {
        try
        {
            if (Session["Username"]==null) Session["Username"]="Unknown";
            EmployeeSystem.Log("Logout.aspx", "User", null, "Logout", null);
            Request.Cookies.Clear();
            Roles.DeleteCookie();
            Session.Clear();
            Session.Abandon();
            FormsAuthentication.SignOut();
        }
        catch (Exception ex)
        {
        }
        Response.Redirect("~/Login.aspx");
    }


I also have a ComponentArt script handler that integrates all client-side resources into one file:
Web.Config >>

    <httpHandlers>
      <add type="ComponentArt.Web.UI.CallbackHandler,ComponentArt.Web.UI" path="*.aspx" verb="*" />
      <add type="ComponentArt.Web.UI.ScriptHandler,ComponentArt.Web.UI" path="ComponentArtScript.axd" verb="*"/>
    </httpHandlers>



When I load the application, the side effect is that before the user is authenticated none of the visual UI controls would load!

Further investigation revealed that when the browser requests ComponentArtScript.axd, it is redirected to the login page and eventually the server dumps the content of the login page instead of the resource!

To solve the problem I tried changing the path="ComponentArtScript.axd" to path="Images/ComponentArtScript.axd" (where the Image location of my site has anonymous access). But that didn't work; the browser is still requesting from the website root.

So I added the following line in web.config under Configuration tag >>

    <configuration>
      .....
      <location path="ComponentArtScript.axd">
        <system.web>
          <authorization>
            <allow users="*"/>
            <allow users="?"/>
          </authorization>
        </system.web>
      </location>
      .....
    </configuration>


And voilà! Problem fixed...

If you are aware of any simpler solution please do post. I believe that these sorts of things should be highlighted in one consistent documentation. I get this feeling that ComponentArt documentation is seriously lacking. Information is available but spread across thousands of threads in different dev forums.


Top 10 Contributor
Posts: 6,149
stephen Posted: Fri Dec 11, 2009 @ 11:11 AM

This is a very strange problem, and not one I can say I've ever seen before... in fact, we use authentication and the script handler on this site, and I've not seen or heard a report of this sort of error. I tried to replicate but failed. I've attached my code. Can you take a look and let me know what I might be doing differently than you are, or if this exhibits the same problem?

Stephen Hatcher, Developer Support Manager
Top 75 Contributor
Posts: 70
cansub Posted: Fri Dec 11, 2009 @ 11:31 AM
Yes, I think I know what's different...

Unlike yours, I am taking care of an "Invalid Server State". This is caused when sometimes the cookie is not cleared, but the server cleared all session variables due to a timeout. In such a case, I am redirecting to Logout.aspx, which clears everything (and forces a logout). After this happens, a browser's request to "ComponentArtScript.axd" is redirected to "Login.aspx". See the action of Logout.aspx: could one of those statements cause this problem?

Also, I see another post made by someone else which is also due to this.

-cheers
Russel Apu.
Top 75 Contributor
Posts: 70
cansub Posted: Fri Dec 11, 2009 @ 3:15 PM
I have more news regarding this issue... I now have a replication project to cause this.

Download Sample Project

To create the issue, open this website in Visual Studio and set Login.aspx as your start page. Now run the project. When the login page shows up in IE, hit the refresh button (green icon to the right of the address dropdown). Now click the "show" button... this will create a JavaScript error as the dialog resource is not loaded.

I also have further insight into this issue. It appears that the problem is caused by enabling roles.

I have the following as access permission:
    <authorization>
      <allow roles="testuser"/>
      <deny users="*"/>
      <deny users="?"/>
    </authorization>

Please note that this issue can only be observed when the user is not authenticated (i.e. in the login page, or any page that is not bound to authenticated user roles).

Normally (without roles enabled), the behavior is that when the browser requests ComponentArtScript.axd, the browser responds with a valid file. And when the user hits the browser refresh/reload button, the server responds with an "HTTP 304 Not Modified" code. But when roles are enabled, after the user hits refresh and the new page requests ComponentArtScript.axd, the server responds with an "HTTP 302 Moved" code and redirects to the login page. The browser then loads login.aspx instead.

I hope this information is enough for you guys to get started on this issue.

Thanks :)
Russel Apu
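
As an added example (not code from the thread or from ComponentArt): a small audit that reads a web.config and reports, per scope, what ASP.NET URL authorization decides for an anonymous request, so the `<location>` exemption posted earlier can be confirmed as the only anonymous opening. It assumes first-match rule evaluation with the location's rules checked before the root's, ignores the `verbs` attribute, and uses a constructed web.config assembled from the fragments posted above; the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed web.config built from the fragments posted in this thread (assumption: nothing else applies).
WEB_CONFIG = """<configuration>
  <system.web>
    <authorization>
      <allow roles="testuser"/>
      <deny users="*"/>
      <deny users="?"/>
    </authorization>
  </system.web>
  <location path="ComponentArtScript.axd">
    <system.web>
      <authorization>
        <allow users="*"/>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""

def anonymous_outcome(rules):
    """First matching rule wins; an anonymous user has no roles and matches users '?' or '*'."""
    for rule in rules:
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if "?" in users or "*" in users:
            return rule.tag  # 'allow' or 'deny'
    return None  # no local match: the decision falls through to the parent scope

def audit(config_xml):
    """Map each scope ('/' for the site root, else the <location> path) to the anonymous outcome."""
    root = ET.fromstring(config_xml)
    scopes = [("/", root.find("system.web/authorization"))]
    scopes += [(loc.get("path"), loc.find("system.web/authorization")) for loc in root.findall("location")]
    report = {}
    for path, authz in scopes:
        local = anonymous_outcome(list(authz)) if authz is not None else None
        # Fall back to the root result; with no root match either, the machine-level default allows.
        report[path] = local if local is not None else report.get("/", "allow")
    return report

def anonymous_exemptions(config_xml):
    """Location paths that anonymous users can reach although the site root denies them."""
    report = audit(config_xml)
    return sorted(p for p, r in report.items() if p != "/" and r == "allow" and report["/"] == "deny")

if __name__ == "__main__":
    print(audit(WEB_CONFIG))
    print(anonymous_exemptions(WEB_CONFIG))
```

Run against a real web.config, any path in the second list other than the script handler is an anonymous exemption worth reviewing.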



 
Top 10 Contributor
Posts: 865
sberkovitz Posted: Sat Dec 12, 2009 @ 10:07 PM
What does your default deny-all rule look like in your web.config?

This type of problem will also manifest itself in http->https redirection.
Steven Berkovitz MBC Development Ltd. & OrderDynamics Corporation http://www.mbccs.com http://www.orderdynamics.com
Top 75 Contributor
Posts: 70
cansub Posted: Sun Dec 13, 2009 @ 3:59 PM
Sorry, didn't get your question. My access rules are posted above.

I noticed that this problem emerges only when roles are enabled, that is, deny users="*" and then allow roles="some_role" (allow only authenticated users who are in some_role)...

Normally, if I have deny users="?" and allow users="*" (allow only authenticated users) it works.
Top 10 Contributor
Posts: 6,149
stephen Posted: Tue Dec 15, 2009 @ 6:14 AM

Thanks for the information, cansub- I can see what you're seeing now, and something does appear to be awry. I'm going to speak to the team now to see if they can shed any light on why the return code from roles based authentication may cause this- I'll post back again asap.

Stephen Hatcher, Developer Support Manager
Top 10 Contributor
Posts: 6,149
stephen Posted: Thu Dec 17, 2009 @ 8:08 AM

I spoke with the team, and while we've yet to source *why* the security behaviour is different when using roles, it does appear that the rule that you've created will be required, at least for the time being. They'll look into the issue more closely, and thanks for bringing this to our attention.

Stephen Hatcher, Developer Support Manager
Top 75 Contributor
Posts: 70
cansub Posted: Thu Dec 17, 2009 @ 8:24 AM
Thanks stephen,

You are a very responsive and elite team :)... Please keep the spirit up!

kudos,
Russel Apu
Not Ranked
Posts: 7
sdixon Posted: Thu May 12, 2011 @ 1:37 PM
Anything further on this issue?  I've run into the same thing using forms authentication/a login page.
Top 10 Contributor
Posts: 6,149
stephen Posted: Mon May 16, 2011 @ 8:50 AM

I'm afraid the situation remains the same, and the posted rule above would still be required. I'll remind the team that this item remains unaddressed, and I apologize for the trouble. 

Stephen Hatcher, Developer Support Manager
Not Ranked
Posts: 1
malli.munagala Posted: Mon Sep 12, 2011 @ 3:39 AM
Hi,
I am also facing the same problem. Does anybody have a solution for this?