Forms Authentication - loginUrl page executed for each request (Chrome only)

With the help of Fiddler, I was able to figure this out.

It seems both Chrome and Firefox make an additional request for your favicon.ico, whether or not you've specified that you're using one in your HTLM page. Internet Explorer, on the other hand, doesn't bother.

This was a problem for me for a few reasons:

1. I didn't have one. I'd only just started my site and creating a favicon.ico was step 274.
2. I'm using runAllManagedModulesForAllRequests, so requests for icons, like all content, runs through Forms Authentication.
3. If you don't <link> to one and specify its location, Chrome and Firefox try to grab one from your web root. Forms Authentication (and my web.config) have my root locked down. The only file being served from my root is my loginUrl page.

Each time a request for favicon.ico was being made, Forms Authentication was disallowing it and redirecting the request to my loginUrl page, consequently causing my loginUrl page to be executed twice and screwing up my session values. The following Fiddler screenshots show the proof.

Chrome seems to request the icon on every page request:

Whereas Firefox seems to request it twice initially, for some reason, but then gives up for subsequent requests:

So, the solution:

1. Create a favicon.ico file and place it in your web root.

2. Allow anonymous access to it via a <location> element in your root web.config.

   <location path="favicon.ico">    <system.web>        <authorization>            <allow users="?" />        </authorization>     </system.web></location>

Alternatively (probably the preferred method, since you can designate the name and location):

1. Create a favicon.ico file and place it in a public subfolder, like /img.

2. <link> to it properly within your loginUrl page.

   <link rel="icon" href="/img/favicon.ico">

Try <forms loginUrl="test.asp" timeout="2880" cookieless="UseCookies" />