ASP.Net MVC identity infinite redirect loop

Question

I have an ASP.Net MVC5 application, using the Identity "out of the box" template, as per ASP.Net Identity 2.0.0. I need to upgrade it to use the newer code that is in the latest ASP.Net MVC template, namely the use of the SignInManager class.

I have done some A|B comparisons between the code in my original app and the template generated in the latest, and ported over all that I could see what different.

However, I'm getting an odd error, I suspect OWIN related. When I try and Login or Register, it triggers a Redirect loop that eventually crashes the app with a security warning as the URL Query string has concatenated itself to death.

---

The URL is : https://localhost:44302/Account/Login?ReturnUrl=%2FAccount%2FLogin%3FReturnUrl%3D%252FAccount%252FLogin%253FReturnUrl%253D%25252FAccount%25252FLogin%25253FReturnUrl%25253D%2525252FAccount%2525252FLogin%2525253FReturnUrl%2525253D%252525252FAccount%252525252FLogin%252525253FReturnUrl%252525253D%25252525252FAccount%25252525252FLogin%25252525253FReturnUrl%25252525253D%2525252525252FAccount%2525252525252FLogin%2525252525253FReturnUrl%2525252525253D%252525252525252FAccount%252525252525252FLogin%252525252525253FReturnUrl%252525252525253D%25252525252525252FAccount%25252525252525252FLogin%25252525252525253FReturnUrl%25252525252525253D%2525252525252525252FAccount%2525252525252525252FLogin%2525252525252525253FReturnUrl%2525252525252525253D%252525252525252525252FAccount%252525252525252525252FLogin%252525252525252525253FReturnUrl%252525252525252525253D%25252525252525252525252FAccount%25252525252525252525252FLogin%25252525252525252525253FReturnUrl%25252525252525252525253D%2525252525252525252525252FAccount%2525252525252525252525252FLogin%2525252525252525252525253FReturnUrl%2525252525252525252525253D%252525252525252525252525252FAccount%252525252525252525252525252FLogin%252525252525252525252525253FReturnUrl%252525252525252525252525253D%25252525252525252525252525252FAccount%25252525252525252525252525252FLogin%25252525252525252525252525253FReturnUrl%25252525252525252525252525253D%2525252525252525252525252525252FAccount%2525252525252525252525252525252FLogin%2525252525252525252525252525253FReturnUrl%2525252525252525252525252525253D%252525252525252525252525252525252FAccount%252525252525252525252525252525252FLogin%252525252525252525252525252525253FReturnUrl%252525252525252525252525252525253D%25252525252525252525252525252525252FAccount%25252525252525252525252525252525252FLogin%25252525252525252525252525252525253FReturnUrl%25252525252525252525252525252525253D%2525252525252525252525252525252525252FAccount%2525252525252525252525252525252525252FLogin%2525252525252525252525252525252525253FReturnUrl%2525252525252525252525252525252525253D%252525252525252525252525252525252525252FAccount%252525252525252525252525252525252525252FLogin

Detailed Error Information:

Module    RequestFilteringModule

Notification    BeginRequest

Handler    ExtensionlessUrlHandler-Integrated-4.0

Error Code    0x00000000

---

I've used the exact same settings when referring to ReturnUrl in all methods.

For the most part, my applications' original AccountController and related security code was untouched from the original template. My newer sample application runs fine on my local machine, so I’m not sure where the differences are.

I've seen posts suggesting that IIS Express configuration is to blame, but I've followed the cleanup advice, and also published to an Azure site with the same result.

I've been spending a lot of time trying to resolve this and haven't had any success so I thought I'd put it out there for some advice… thanks in advance for any & all help. Please let me know if you need to see more code.

Answer 1

I think your login action is missing [AllowAnonymous] attribute.

Answer 2

Do you have SSL setup locally? Are authenticating on HTTPS then being redirected to HTTP which is killing the cookie & redirecting back to the HTTPS login page

Have you got something in the web.config for forms authentication redirect like

  protection="All" requireSSL="true" loginUrl="~/Account/Login.aspx"

Do your cookies look ok?

Answer 3

Resolved... turns out the culprit was my Unity DI configuration.

I drilled deep to find the errors getting recursively thrown on each redirect, and it suggested the AccountController dependencies weren't being instantiated. I had a similiar issue last year Unity Container trying to resolve non registered type, throwing error , and so I looked further into the changed dependencies.

Following the suggested answer at Register IAuthenticationManager with Unity resolved the issue.

Thanks for the suggestions re: SSL / HTTPS / Filters, investigating these led me to the exceptions.

Answer 4

I also face this same issue before and solve by adding this line in web config

<add key="owin:AutomaticAppStartup" value="false"/>

It will disable OWIN startup discovery.

I hope it will work.

Also check in the IIS virtual directory. Check that anonymous user is enable or not, if disabled then enable it and problem will be solved.