Why won't IE let users login to a website unless in In Private mode?
- by Richard Fawcett
I'm not entirely sure this belongs on SuperUser.com. I also considered ServerFault.com and StackOverflow.com, but on balance, I think it should belong here?
We host a website which has the same code responding to multiple domain names. On 28th December (without any changes deployed to the website) a percentage of users suddenly could not login, and the blank login page was just rendered again even when the correct credentials were entered. The issue is still ongoing.
After remote controlling an affected user's PC, we've found the following:
The issue affects Internet Explorer 9.
The user can login from the same machine on Chrome.
The user can login from an In Private browser session using IE9.
The user can login if the website is added to the Trusted Sites security zone.
The user can NOT login from an IE session in safe mode (started with iexplore -extoff).
Only one hostname that the website responds to prevents login, the same user account on the other hostname works fine (note that this is identical code and database running server side), even though that site is not in trusted sites zone.
Series of HTTP requests in the failure case:
GET request to protected page, returns a 302 FOUND response to login page.
GET request to login page.
POST to login page, containing credentials, returns redirect to protected page.
GET request to protected page... for some reason auth fails and browser is redirected to login page, as in step 1.
Other information:
Operating system is Windows 7 Ultimate Edition.
AV system is AVG Internet Security 2012.
I can think of lots of things that could be going wrong, but in every case, one of the findings above is incompatible with the theory.
Any ideas what is causing login to fail?
Update 06-Jan-2012
Enhanced logging has shown that the .ASPXAUTH cookie is being set in step 3. Its expiry date is 28 days in the future, its path is /, the domain is mysite.com, and its value is an encrypted forms ticket, as expected.
However, the cookie is not being received by the web server during step 4. Other cookies are being presented to the server during step 4, it's just this one that is missing.
I've seen that cookies are usually set with a domain starting with a period, but mine isn't. Should it be .mysite.com instead of mysite.com? However, if this was wrong, it would presumably affect all users?
