I am using windows authentication impersonation in my MVC application.when i open the application the browser display a prompt for the credentials and validate the domain users.
But now i also want to create user in my application and also want to authenticate that users which is stored in my database.
Is it possible to authenticate Application DB users as well with windows authentication for domain users. i did much R & D on this but didn't found any solution yet. I will appreciate your suggestions. Thanks!
If I understand you correctly, you want to allow both Windows Authentication and Forms Authentication. This is not a common thing to do, but I have done it. Here is how I did it:
You have to use forms authentication as your primary authentication. So build the Forms Authentication as you normally would: you have a login page that, after submitting, validates the credentials from your database. The tricky part is adding Windows Authentication.
To do this, create one action in your authentication controller that uses Windows authentication. For this example, I'll assume your controller is AuthController and we'll call the action WinLogin. That action will look something like this:
[Authorize]
public ActionResult WinLogin() {
var principal = HttpContext.User;
if (principal == null || !principal.Identity.IsAuthenticated) {
//Windows authentication failed
return new HttpUnauthorizedResult();
}
// User is validated, so create the form authentication cookie
FormsAuthentication.SetAuthCookie(principal.Identity.Name, false);
return new EmptyResult();
}
It just checks if the user is validated and, if so, sets the Forms Authentication cookie with their AD username.
For that to use Windows Authentication, you have to update your web.config to tell it to use Windows Authentication for only that one action. You do that with a <location> tag:
<location path="Auth/WinLogin">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
<anonymousAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
By default, IIS won't let you change the authentication method at this place in the config. You need to update the "Feature Delegation" in IIS Manager to allow it.
In IIS Manager, click the server name on the left.
On the right, double-click "Feature Delegation" under the "Management" section.
Change both "Authentication - Anonymous" and "Authentication - Windows" to "Read/Write".
If you use IIS Express for debugging, you have to do something similar for that:
In the project folder, open the file .vs\config\applicationhost.config.
Modify these two lines so they say "Allow":
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
<section name="windowsAuthentication" overrideModeDefault="Allow" />
Next update your login page to hide the username and password fields by default (let's say they are inside a box with an id of loginBox). The idea is that you perform an AJAX request to the WinLogin action, and if that succeeds, then you forward the user on to the main page or whichever page they were trying to go to. If you use jQuery, that will look something like this:
$.get("#Url.Action("WinLogin", "Auth")")
.done(function() {
//success! forward to the page they want
window.location.replace(returnUrl);
}).fail(function() {
//failed - show manual login prompt
$("#loginBox").show();
});
});
As long as your website is already a trusted website (which I assume so if you already have Windows Authentication working now), then the Windows Authentication will happen during that AJAX GET request.
Notice the use of window.location.replace(), which will not add the login page to the browser history, so if the user then hits the back button, they do not come back to the login page. It makes things a little more seamless.
You could also add a loading circle or something to indicate that the user should wait while that GET happens, but you can decide that.
With all this in place, the user experience should be:
They access a page.
They are not authenticated, so they get redirected to the login page.
The login page attempts the Windows Authentication in the background.
If the Windows Authentication succeeds, they are automatically redirected back to the page they wanted.
If Windows Authentication failed, the username and password boxes appear and they can login manually.
Related
We have an application developed in Asp.Net MVC which uses session and Cookies. Which is declared in Web.config as -
<sessionState cookieless="true" regenerateExpiredSessionId="true" timeout="20"/>
Observation is, if we login in Chrome it generates a token in URL as
http://localhost:34343/(S(ypr1jdz2lk5ysiqearcracfj))/Home/Index
If the same url is copied in new Chrome window or in Internet explored, user still logged in and can see the home page.
In this case, we want user to logout and redirect to login page again if he copies the link from one browser to another browser window.
Can you please help with some references on this?
Thank You!
which uses session and Cookies.
You do not use cookies in your apllication because of this setting
cookieless="true"
URL contains sessionID and you can see it (S(ypr1jdz2lk5ysiqearcracfj)). If you send this url via another browser, your server application uses this parameter to find session and identificate user. If you change the settigns to
<sessionState cookieless="false" regenerateExpiredSessionId="true" timeout="20"/>
SessionID will be store in cookies and cannot be shared between different browsers. Of course if you start new window of the same browser, user will be still logged in.
Every HttpRequest to any page in the Asp.net App is somehow authenticated. I check it by printing the debug information in the view:
<p>Request.IsAuthenticated: <%= Request.IsAuthenticated %></p>
Authentification mode for the project is set to "Windows" in Web.config:
<authentication mode="Windows" />
Even simple HTTP request without cookies turns out to be authenticated.
What is the cause of this behavior? Did I miss some setting in Web.config?
The browser uses Windows Integrated Authentication - which means it automatically logs the user in using their windows credentials - without asking.
If you set <authentication mode="Windows" /> it is going to log the user in with their Windows credentials automatically.
For more information, see here.
I'm using wkhtmltopdf creating PDF from my html site. This works fine in development but when I upload it to the webserver with IIS7 I have the problem with the user.
In the site I use the windows authentification to log on the current user and also display the username on the site.
But the problem is that wenn the pdf is generating the current user isn't used so that I get an error. I don't want to use a temp-user for login (wkhtmltopdf.exe --username...) because this would be displayed on the website and also on the pdf.
Already tried the impersonate
<system.web>
<authentication mode="Windows"/>
<identity impersonate="true"/>
</system.web>
but then I get
You are not authorized to view this page due to invalid authentication headers
I looked around and tried for a while but get no working solution for me to create a cookie or something like that and give it to wkhtmltopdf to create the pdf with the current user logged on.
Thanks for your help
If you are using Forms Authentication, you can use the --cookie option to pass the ASP.NET_SessionId cookie to wkhtmltopdf.
i m relatively new to C# and ASP.NET and I am having trouble designing an authentication system.
I have created a website where the user has to login, after which he can access various pages in this site. When the user clicks a logout link, he returns to the login page and is given the message "you have successfully logout." Now how do I prevent the user from typing the URL of one of the internal pages, bypassing my authentication? While working with PHP, I used session_start() and ob_end_flush() at the beginning and the end of each page to control authentication. What is a similar model in ASP.NET?
Also how do I include a .cs file from app_code folder to a aspx.cs?
If you are using FormsAuthentication, this is simple to do using configuration in web.config.
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="default.aspx" protection="All" path="/" slidingExpiration="true" timeout="60" />
</authentication>
This configuration forces aspx to ensure that all pages in the site can only be accessed by authorized users.
However, there is a logic problem with this configuration: no one would ever be able to login since they must be authorized to access any page in the site.
You can fix this, however, by opening "holes" in this protected by adding specific pages and indicating they can be authorized by anyone:
<location path="default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Now how do i prevent re entry into the site by typing the url of the internal pages in the address bar.
How are you actually tracking the authentication? Forms authentication? Windows authentication? Something custom? Essentially, what you need to do is have those pages check for a valid authentication token. If no such token exists, redirect to the login page or an error or something to that effect.
You can do this by checking for authentication manually in the Page_Init method (which can access Session data, Cookies data, etc. where you'd store such a token), you can use various methods built-in, etc.
The concept is the same as it was in PHP, the tooling is just a little different.
While working with PHP i used session_start() and ob_end_flush() at the beginning and the end of each page.....What is it im supposed to use in c#?
You don't need to explicitly start/end session state in ASP.NET. Any code in the scope of the web application can access session state/values via System.Web.HttpContext.Current.Session. Any request coming from the same session will have this data associated with it.
Also how do i include .cs file from app_code folder to a aspx.cs
While in PHP you had to include files, in ASP.NET it's compiled code so the file isn't so important. What you need to reference is the namespace/class to use the code. For example...
If you have the following in a file in App_Code:
namespace MyApplicationCode
{
public class SomeCode
{
// stuff in the class
}
}
Then from any code within the application you should be able to use it by it's fully-qualified name (MyApplicationCode.SomeCode):
var someVariable = new MyApplicationCode.SomeCode();
Additionally, you can add a using statement in the header of the code file:
using MyApplicationCode;
And then access it directly:
var someVariable = new SomeCode();
When a user is successfully authenticated with his credentials, a cookie is set with a session id that corresponds to a file that stores value on the server. This cookie confirms to the server that the user is authenticated.
Check how your system handles sessions, it can be done without a session cookie, too:
(pseudo-code)
if (User.Login(formUsername, formPassword)) {
SetCookie ("LoggedIn", 1, Time() + 3600);
}
Now, whicever page needs a logged in user to be viewed, you just check if the user has the cookie set:
(pseudo-code)
if (CookieIsSet("LoggedIn")) {
// this page can be viewed
}
else {
Redirect ("/notAuthorized");
}
When you log the user out, you can delete the cookie by setting the expiration date in the past:
(pseudo-code)
SetCookie ("LoggedIn", 1, Time() - 3600);
Now, the user cannot view the internal page as the check (CookieIsSet(...)) will fail. Now, functions, methods and all the details depend on the system, but it always works like this:
if credentials are ok, set a cookie
whenever an internal page is visited, check if cookie is set
when logging out, delete the cookie
Hope this helps.
To check if the user typed in the address bar I would simply check the UrlReferer in page load of protected pages, other aspects should be controlled by web security and state management
if (Request.UrlReferrer == null)
Response.Redirect("errorpage.aspx");
I am implementing C# authorization using jquery cookies for my page. I set/encrypt username and password in the cookie and in my admin page, if I recognize cookie, then the user is authorized. If not, he gets redirected to the login page. The problem is, that cookie is read after page is loaded, so I can manually hit admin page and only in couple seconds it will get redirected. How do I prevent loading admin page for visitors, who have no cookie yet? What is a correct architecture for cookie based authorization?
Note: I am not using ASP.NET roles or User tables. I implemented my own tables for users.
I suspect that you're re-inventing the wheel. You don't have to use the Membership Provider and ASP.Net membership schema in order to take advantage of forms authentication. When the user logs in, simply drop the Auth Ticket (cookie) on them and you're done. You can then simply do the admin check on the admin page.
Some suggestions below...
Edit: I originally posted a means of storing roles in the Auth Ticket via UserData, but I think it's overkill for this situation.
Web.config:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="30" slidingExpiration="true" />
</authentication>
. . .
<membership>
<providers>
<clear />
</providers>
</membership>
Post login:
When the user submits their username and password, validate them and check to see if they are an admin:
if (UserIsValid(username, pwd)) // some validation call
{
FormsAuthentication.SetAuthCookie(username, true);
}
Admin.aspx:
Finally, a quick hack to restrict access to an admin page. When the page loads, check that the user is / is not an admin:
if (!IsAdmin(User.Identity.Name)) // some admin call
Response.Redirect("Default.aspx");
The problem is, that you use client side code for your security check. If someone would disable JavaScript completely, he would never be redirected. Move the check to your server side code.