
I have an ASP.NET MVC application with ActionFilters for Authentication and no Forms Authentication. "SegurancaAction" is the attribute responsible for validating authentication and exists in every controller endpoint except in the login ones (as expected).

I'm facing a problem in which sometimes I try to access one of my controllers and the GET request goes to my login endpoint. In the Application_BeginRequest method in Global.asax, I can see that the very first attempt is at 'security/login' (the route to my login endpoint) instead of the one I want. I can also see this endpoint being called in debugging tools such as Fiddler, ASP.NET Trace, or Glimpse MVC5.

Besides calling the wrong action, once I log in again this issue keeps happening for the same endpoint I was trying to access, redirecting my site to the login page over and over.

SegurancaAction:

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // Looks up the custom authentication record keyed by the ASP.NET session id
        Autenticacoes autenticacao = _authApp.IsAutenticado(filterContext.HttpContext.Session.SessionID);

        if (autenticacao == null)
        {
            if (filterContext.HttpContext.Request.IsAjaxRequest())
                // Ajax callers get a 401 instead of a redirect
                filterContext.Result = new HttpStatusCodeResult(System.Net.HttpStatusCode.Unauthorized);
            else
            {
                // Sends a 301 (Moved Permanently) straight to the response and ends it;
                // note that filterContext.Result is not set on this path
                filterContext.HttpContext.Response.RedirectPermanent("/security/login");
                return;
            }
        }
        else
        {
            // other stuff
        }
    }

SecurityController:

    [HttpPost]
    [ConfigAction]
    public ActionResult Login(vm_Login login)
    {
        if (ModelState.IsValid)
        {
            if (!String.IsNullOrEmpty(login.Login) && !String.IsNullOrEmpty(login.Senha))
            {
                // Looks the user up by login and password
                Entidades entidade = _entidadeApp.GetByUsuarioSenha(login.Login, login.Senha);

                if (entidade == null)
                {
                    ViewBag.FalhaAutenticacao = "As credenciais informadas não conferem!";
                    return View("Login");
                }
                else
                {
                    // Creates the authentication entry for this session (return value unused)
                    string encryptionKey = System.Configuration.ConfigurationManager.AppSettings["EncryptionKey"];
                    var a = _autenticacaoApp.Autenticar(entidade.Id, encryptionKey, login.Senha, HttpContext.Session.SessionID);
                }

                // 301 to the main page after a successful login; ends the response
                Response.RedirectPermanent("~/principal/index");
            }
        }
        else
        {
            ViewBag.FalhaAutenticacao = "É necessário informar o usuario e a senha!";
        }

        return View();
    }

All the _autenticacaoApp.Autenticar(...) method does is create an authentication entry in the database; it's completely custom code.

Does anyone know why this issue happens? Sometimes I can reproduce it by deleting the cookies that contain ASP.NET_Session ID and RequestVerificationToken. As far as I know, those cookies are generated automatically, and I notice that sometimes when I log in again they are not regenerated.

Mari Faleiros

1 Answer

I figured out the issue. It was this "RedirectPermanent" method being used here:

    filterContext.HttpContext.Response.RedirectPermanent("/security/login");

It tells the browser that the resource I'm trying to access is no longer available and is now located at this new URL. The browser records this information and always redirects to the new resource.

I just changed it to use "Redirect" instead.

Mari Faleiros
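As an added example (not the asker's or the answerer's code), here is the same filter with the fix applied the way MVC expects: the redirect is a 302 issued through `filterContext.Result`, which also short-circuits the pipeline, and the originally requested URL is carried along as a `returnUrl`. `IAutenticacaoApp` is an assumed name for the type of `_authApp`, and the `returnUrl` parameter is an addition that the question's login page does not yet read.

```csharp
using System.Net;
using System.Web;
using System.Web.Mvc;

public class SegurancaAction : ActionFilterAttribute
{
    // IAutenticacaoApp is an assumed interface name for the asker's _authApp service,
    // resolved through MVC's DependencyResolver so the attribute needs no constructor args.
    private readonly IAutenticacaoApp _authApp =
        DependencyResolver.Current.GetService<IAutenticacaoApp>();

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var http = filterContext.HttpContext;
        Autenticacoes autenticacao = _authApp.IsAutenticado(http.Session.SessionID);
        if (autenticacao != null)
        {
            base.OnActionExecuting(filterContext);
            return;
        }

        if (http.Request.IsAjaxRequest())
        {
            // XMLHttpRequest follows redirects silently and would receive the login
            // HTML as its "data"; a 401 lets the client-side code react instead.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Unauthorized);
            return;
        }

        // RedirectResult sends a 302. Unlike the 301 from RedirectPermanent, a 302 is
        // not cached against the requested URL, so after logging in the browser asks
        // for the original page again instead of replaying the redirect to the login page.
        // Setting filterContext.Result also stops the pipeline cleanly, without the
        // ThreadAbortException that Response.Redirect*(url) raises to end the response.
        var returnUrl = http.Request.RawUrl;
        filterContext.Result = new RedirectResult(
            "/security/login?returnUrl=" + HttpUtility.UrlEncode(returnUrl));
    }
}
```

Whatever consumes `returnUrl` after a successful login should check it with `Url.IsLocalUrl(returnUrl)` before redirecting, so the login page cannot be turned into an open redirect.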