New Asp.Net MVC5 project produces an infinite loop to login page

Question

I am creating a brand new projet with Visual Studio 2013, I choose Asp.Net MVC and the framework 4.5.1 The project is created, then, I do nothing else than F5 to start the d

Answer 1

These answers are more or less pieces of the same puzzle; I'll try to put everything in one place. Problem that OP described hit my application the moment I implemented the OWIN pipeline and AspNET Identity.

So let's see how to fix it...

1. OWIN Startup

I guess you need it, because if you don't, then you don't need authentication, and I guess you do. Except it you're using some old-style authentication, and I guess you don't. So, don't remove either the OWIN startup attribute...

[assembly: OwinStartupAttribute(typeof(YourApp.Probably_App_Start.SomethingLikeAuthConfig))]

...or the configuration line...

<add key="owin:AppStartup" value="YourApp.Probably_App_Start.SomethingLikeAuthConfig" />

2. Access restriction on controllers

Now we cleared this up, you need the authentication. This means either each of your controller needs the [Authorize] attribute, or you can do the same to all controllers in one place by registering the thing globally (e.g. in RegisterGlobalFilters(), add line filter.Add(new AuthorizeAttribute())). In the former case (when securing each controller separately) skip this part, just go to the next one. In the latter case all of your controllers will be secured against unauthorized acces, so you need an entry point for that authorization - unprotected Login() action. Just add...

[AllowAnonymous]

...and you should be good.

3. OWIN cookie configuration

When your user logs in, his browser stores encrypted (hopefully!) cookie in order to simplify things for the system. So, you need cookie - don't delete the line that says UseCookieAuthentication.

4. What you really have to do is turn off the IIS integrated authentication mechanism for your web application. This means switching off Windows Authentication (Disabled) and enable letting any user in, at least as long as IIS Express is now concerned, by setting Anonymous Authentication (Enabled).

When you start your web site, this will in turn copy these settings into IIS Express configuration (applicationhost.config), and there you should see these two lines:

<windowsAuthentication enabled="false" />
<anonymousAuthentication enabled="true" />

5. You might have the authorization config in your web.config that says deny users="?". It means the authorization subsystem is instructed to prevent anonymous users from entering. With OWIN, this still works as designed. You either have to remove this, or make your anonymous user able to access the Login page by using something like...

   <location path="Account/Login"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location>

HTH

Answer 2

I know I may be late, and this is not directly for the OP's question. But if anyone in the future come here, one more check about AllowAnonymous and Authorize attribute is that, you have to check all child actions too.

For example, I had my Layout (which the Login page also use) that call 2 child actions for breadcrumbs and sidebar, and they did not have AllowAnonymous attribute (the Controller had Authorize attribute).

Hope this help.

Answer 3

Make sure you have no actions in pipeline that have authorize attribute. In my case, my layout had navigation menu controller which was missing allowAnonymous attribute.

Answer 4

You are missing [AllowAnonymous] attribute on login action.

[AllowAnonymous]
public ActionResult Login(string returnUrl)
{
    // code....
}

2nd possibility, specific to IIS Express only: is that, if you created same default WebApplication1 project multiple times, playing with different authentication settings, IIS Express stored additional authentication settings in it's configuration file. Something like:

    <location path="WebApplication1">
        <system.webServer>
            <security>
                <authentication>
                    <windowsAuthentication enabled="true" />
                    <anonymousAuthentication enabled="false" />
                </authentication>
            </security>
        </system.webServer>
    </location>
</configuration>

Configurations are in user's Documents folder Documents\IISExpress\config\, and you should look for:

applicationhost.config

Then just delete xml node <location path="WebApplication1"> mentioned above.

---

Update for VS 2015+

If you're using Visual Studio 2015 or higher, check this path for the config file: $(solutionDir)\.vs\config\applicationhost.config

Each solution will have its own config file.

Answer 5

in my case: in my _layout.cshtml, i use Html.Action to call Action from Authorize Controller: ex: Html.Action("Count", "Product") -> loop error

fix: decorate by [AllowAnonymous] attribute in that Action (or remove these Html helper from _layout)

Answer 6

Highlight the project in Visual Studio

Open the 'Properties' panel on the right (or press F4)

Set 'Windows Authentication' to 'Disabled'

Set 'Anonymous Authentication' to 'Enabled'