Saturday, September 7, 2013

IE11 and ASP.NET Session cookies


I have just upgraded to IE11 and although it’s really awesome I had some weird issues with some MVC applications I am using. The problem occurred with the authentication cookie and the session id being stored in the URL. Although I explicitly enabled cookies for my custom applications’ URLs, the session id and the asp.net authentication token would still persist in the URL. This broke the POST requests as the server could not authenticate the request (the token was not posted in neither the URL nor a cookie) and would return a 401 response.

According to a discussion in msdn there seems to be an issue with the new user agent string (most sites don’t recognize the new IE) and thus the MVC doesn’t enable cookies. In order to explicitly force the use of cookies in the authentication token add the cookieless attribute in your forms authentication element as follows:

<authentication mode="Forms">
  <forms loginUrl="~/YourLoginUrl" timeout="2880" cookieless="UseCookies" />
</authentication>