Authentication loss with IE8 and MVC FileContentResult

• ASP.NET MVC2
• .NET 3.5
• FormsAuthentication
• URL: domain.com/myapp
• Problem area: Dynamically created PDFs returned as FileContentResult

Everything was working fine until IE8. With IE8, when the user opens a PDF and then returns to the app, he has lost his authentication. I added an expiry on the forms auth cookie and the problem appeared to be resolved. However, I later discovered that the same problem occurs in the parent app. With the persistent cookie, when the user continues in my app (domain.com/myapp), everything is fine, but when he returns to the parent app (domain.com) window he has lost his authentication. The parent app uses a proprietary authentication and authorization architecture that relies on session state.

So my understanding of the problem is that the FileSystemResult does not carry any session information and thus the session is lost. I understand that by adding an expiration to the cookie, the cookie is persisted and that enables the authorization to persist in my app, even when docs were opened.

I don't quite understand why adding an expiry to my cookie transferred the problem to the parent app. So, I was wrong, this has been happening all along in the parent. Interestingly, when I hooked up Fiddler to watch what was going on, the problem went away.

Do you have suggestions to resolve this? I can't think of anything other than something really ugly like writing the file to the server and returning a page with a link to open the file directly.

Based on this question开发者_Go百科 I think I am hosed.

There's some changes to the way IE8 handles persistance cookies which could be the route of your problems. There's an interesting post here that describes a possible solution.

The solution took us quite a while to find online believe it or not, and when we found it we wanted to kick ourselves for not finding it sooner. It all stems from the domain attribute of the forms authentication settings within the web.config file of your application. We typically left that attribute blank in our apps to make it easier to develop. Further, none of the other browsers above cared about that setting and functioned just fine. However, that changed in IE8 and now that attribute is required.