I am writing a Windows Service(using C#, WCF) that is intended to record Windows user's session event and post it to some other WCF Service.
Below code sometimes works as expected but not always. It returns empty mostly in SessionUnlock, SessionLogoff events.
var usernmae = Machine.getInstance().getUsername();
The above code-line is used inside a utility function which is being called from OnSessionChange event of Windows Service as below: -
protected override void OnSessionChange(SessionChangeDescription changeDescription)
{
var sessionDetails = sessionLogger.BuildSessionDetails(changeDescription);
....
}
and that BuildSessionDetails function is like: -
public class SessionLogger : ISessionLogger
{
private static readonly ILog log = LogManager.GetLogger(System.Reflection.MethodBase.GetCurrentMethod().DeclaringType);
public SessionDetails BuildSessionDetails(SessionChangeDescription changeDescription)
{
SessionDetails sd = new SessionDetails();
sd.ChangeTime = DateTime.Now.ToUniversalTime();
sd.SessionId = changeDescription.SessionId.ToString();
sd.ChangeType = changeDescription.Reason.ToString();
//This is where I am EXTRACTING USERNAME
sd.Username = Machine.getInstance().getUsername();
...
...
}
}
The expected result is username all time whenever the session event happens.
Any idea what is happening or causing here to not return the username always?
Your code gets the UserName property from the Win32_ComputerSystem class. The documentation on that variable says:
Name of a user that is logged on currently. This property must have a value. In a terminal services session, UserName returns the name of the user that is logged on to the console not the user logged on during the terminal service session.
Is that your intention?
You seem to consider this code to be a suitable alternative:
userName = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
But that will always return the name of the user specified on your service's "Log On" tab — probably not what you want.
Exactly which "user" are you trying to get?
Edit based on comments:
To get the user name associated with the session that was changed:
In OnSessionChange(), get the sessionID value from the SessionChangeDescription parameter.
Use the sessionID in a call to the WTSQuerySessionInformation function with the WTSUserName value to get the user name associated with the session.
That should work in all occasions except when a user has logged off (because the session will no longer be available to query). If that is an issue, you can work around that problem by:
Introducing a sessionID-to-username map in your application
Populating the map by enumerating all active sessions when your service starts
Adding to the map whenever you receive a logon event
Removing from the map (by sessionID) whenever there is a logoff event
Related
Upon logging in, I am saving a Session variable for that user who just logged in. This Session variable is very very important for every single thing the user then see's (see this question MVC Individual User Accounts login value persisting)
I see there being a potential problem where the Session variable is not tied in with the user being logged in, it has its own expiry (unless someone can give a 100% fool proof way of that NOT happening, for example, when I restart debugging, I am still logged in but the session variable has gone, regardless of expiry).
What I do then, is to check the Session variable exists, and sign them out and redirect if its null. However the redirect needs to be done within the Action, and would need to happen for EVERY get request, so there will be a lot of duplicate code.
var customerIdSession = Session["CustomerId"];
if (customerIdSession == null)
{
// Then sign out which needs the AuthenticationManager property to be defined in the controller too!
AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
return RedirectToAction("Login", "Account");
}
var customerId = Convert.ToInt32(customerIdSession);
Is there a way I could tidy this up? And not have to do this on EVERY get method. Make it a global check somehow, like Authorize does for login
I found the answer on my own in the end. I took the idea I had of it being similar to the Authorize so found a way to make my own Authrorize attribute. This way, I can put the attribute above every Controller then assume the Session variable exists in every action. If not, the user is logged out and redirected automatically.
public class AuthorizeSessionAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
var customerId = httpContext.Session["CustomerId"];
if (customerId == null)
{
var lo = httpContext.GetOwinContext().Authentication;
lo.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
return false;
}
return true;
}
}
I have an asp.net site, where in i am checking session variable in Global.asax in Application_BeginRequest but it always says object reference not set to an instance of an object, i don't understand this, because i am checking the condition for null before using the value, but still it throws the above error, however when i check it inside the default.aspx Page_Load event it works properly without any issues.
Can anyone tell whats the problem behind this, am i not supposed to use the session variable inside Application_BeginRequest
If yes, then how i will be checking the session value, what i want to achieve is, if user is logged in (If Session["Login"] is not empty means user logged in) and has the rights to access the page, then allow him/her else throw him to the homepage.
Here is what i am doing.
Below function checks for if user is logged in:
public static String LoggedInUser
{
get
{
if (HttpContext.Current.Session["Login"] == null)
return String.Empty;
else
return HttpContext.Current.Session["Login"].ToString();
}
set
{
HttpContext.Current.Session["Login"] = value;
}
}
Below function checks if user has right to access the page:
public static bool IsPageAllowed(String Pagename)
{
bool _isPageAllowed = false;
XmlDocument doc = new XmlDocument();
doc.Load(HttpContext.Current.Server.MapPath("Pagenames.xml"));
if (LoggedInUser != String.Empty)
{
XmlNodeList list = doc.DocumentElement.SelectNodes("/AllPages/Pages[#user='" + GetLoggedInUserRole(Globals.LoggedInUser).ToLower() + "']/Page[contains(text(), '" + Pagename + "')]");
if (list.Count > 0)
_isPageAllowed = true;
}
return _isPageAllowed;
}
And below function is used on Application_BeginRequest to redirect user based on their rights:
if (!Globals.IsPageAllowed(rawUrl.Substring(1, rawUrl.Length - 1)))
{
Response.Redirect("default.aspx");
}
Session state is available during and after appropriately named HttpApplication.PostAcquireRequestState.
Occurs when the request state (for example, session state) that is associated with the current request has been obtained.
Full sequence of events with descriptions is available somewhere on [MSDN](http://msdn.microsoft.com/en-us/library/bb470252.aspx and other sites like ASP.NET Application Life Cycle
Shortened list of events below (many events are omitted, see MSDN link for details):
BeginRequest
AuthenticateRequest
AcquireRequestState
PostAcquireRequestState
ProcessRequest method (or the asynchronous version IHttpAsyncHandler.BeginProcessRequest) of the appropriate IHttpHandler class for the request. For example, if the request is for a page, the current page instance handles the request.
Note that session state is not available till at least AcquireRequestState (where it may be available if SessionStateModule managed to receive that event before your code). There is no way Session will be available during BeginRequest.
Note that there are explicit authentication events that should be used if you need authentication/authorization (also it is not usable for your case as you keep auth information in session state).
Sorry for the basic question, first time with Web MVC4 in C#...
I'm creating a web interface for an application I've written in C#/SQL. I've been able to attach the MVC4 framework to the SQL DB. Now I want to secure what people can do based on group membership in AD. I have the authentication in my web.config set to "Windows" and it properly displays the User.Identity.Name that i'm logged in with. So I know it's pulling up the current logged in user. More over, I need to be able to authenticate a user outside of the active directory domain in the case of an android or ipad device. I haven't gotten that far yet though... for the most part, I'd like to auto authenticate the logged in user if possible then prompt for a username/password if none exists.
Ok, also I already know how to pull group membership for a user in AD. But I need to run that AD query and store that information somewhere that can be accessed on each page. Then on each page how do I access that variable?
For example, I don't want to display a menu option if they don't have access to it so that variable needs to be used to either display or not display the menu option that's being secured. Also, I assume I need to add that security on the webpage as well so that if someone tries to go there manually they cannot.
I assume I don't want to use session variables for security reasons..
In the past with Adobe Flex I used a singleton to manage the session state. I did a search out there and people are saying that it's probably not a good idea in C#. Not many examples of this anyway...
What are you doing to do this?
Here is what I would recommend. Start looking for examples of the ActiveDirectoryMembershipProvider Class. This MembershipProvider combined with Forms Authentication will provide you with a secure system to authenticate users.
Once authenticated, you need to authorize your users to access resources by combining the Active Directory Role Provider(ADRP) (to determine User Groups) with the standard way of Securing your MVC Application.
To get you started I created these simple extension methods when you can extend to use the ADRP (as I haven't used the ADRP).
public static class IPrincipalExtensions
{
private static _adminName = "Administrator";
public static bool IsAnonymous(this IPrincipal instance)
{
return (instance == null);
}
public static bool IsAdminOrInRole(this IPrincipal instance, string role)
{
if (instance == null
|| instance.Identity == null
|| !instance.Identity.IsAuthenticated)
{
return false;
}
bool result = instance.IsInRole(role)
|| instance.IsInRole(IPrincipalExtensions._adminName));
return result;
}
}
Then I also extended the default AuthorizeAttibute to give me an attribute I can use solely for Administrators:
public class AuthorizeAdministratorAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext == null)
{
throw new ArgumentNullException("httpContext");
}
bool result = false;
IPrincipal user = httpContext.User;
if (user.Identity.IsAuthenticated)
{
result = user.IsAdmin();
}
return result;
}
}
This uses the same extension methods provided in my IPrincipalExtensions so I don't repeat myself. Some might find this overkill as the following two lines are equal:
[Authorize("Administrator")]
[AuthorizeAdministrator]
However, since the first example is using a string, a simple mistype denies access, and if I decided to change the role/group name to "Admins" it becomes more difficult. So using the second one (which I could argue is strongly typed) if the group changes, I only have to change the name in one location.
I am building an ASP.NET UI on an existing system, which consists of separate SQL server databases for each project. An "enterprise" database lists all current projects which allows anonymous users to select the project to work in. The project name is stored in a session variable. When log in is required the username/password/roles etc are obtained from the database indicated by the project name. I have implemented my own basic membership and role providers to do this, with changes in web.config to specify the roles required for specific pages. (I do not use the standard ASP.NET Configuration tool to manage users, I have existing apps that work with my user tables).
This all seemed to work initially but I discovered that the session variables are not yet loaded at the time when the authorization system checks the roles the current user belongs to in order to determine if the page is accessible. So if we have a < allow roles="xxx" > in web.config then the authorization system fires before session data is loaded and thus before I know which project database should be used.
[Specifically: HttpContext.Current.Session is null when the call to RoleProvider.GetRolesForUser is made]
Anybody who has tackled this problem should know exactly what I'm talking about. My questions therefore are:
A) What is the "Best Practise" solution to this scenario?
B) Could I be storing the project name somewhere else (not in session variable) that is available during the authorization phase?
[Update: Yes - we can use cookies, assuming we do not require cookieless operation]
C) Is there a way to manually get the session variable at this earlier time?
I tried an option to cache roles in cookies, but after a few minutes of testing with that option on I found GetRolesForUsers was still being called.
Thanks
Update:
Here is another description of the root problem which suggests "The application could cache this information in the Cache or Application objects.":
http://connect.microsoft.com/VisualStudio/feedback/details/104452/session-is-null-in-call-to-getrolesforuser
Update:
This looks like the same problem found here:
Extending the RoleProvider GetRolesForUser()
Update:
There was a suggestion about using UserData in FormsAuthenticationTicket, but I require this data even when not logged on.
UPDATE: I solve this these days in a much simpler way by using a wildcard SSL certificate that allows me to configure subdomains for each project, thus the project selection is specified directly in the URL (and each project gets its own subdomain). I still use a cookie hack purely for testing purposes when running on localhost where we have no subdomains.
Original solution:
I have not found any "best practise" write up on this scenario, but here is what I have settled on:
1) In order to support anonymous users switching between projects (i.e. SQL databases) I simply use a session variable to track the project selection. I have a global property that uses this project selection to serve the corresponding SQL connection string as and when it is required.
2) In order to support the call to GetRolesForUser() on pages that have role restrictions applied to them we cannot use the session variable, because as stated the session variable has not been initialized yet when GetRolesForUser() is actually called (and I have found no way to force it into being at this early point in the request cycle).
3) The only option is to use a cookie, or use the Forms Authentication ticket's UserData field. I trawled through many theories about using session/cookie/IDs linked to an object stored in the application cache (which is available when the session is not) but ultimately the correct choice is to place this data in the authentication ticket.
4) If a user is logged on to a project it is via a ProjectName/UserName pair, hence anywhere we are tracking the user's authentication we require both these data. In trivial testing we can get away with the username in the ticket and the projectname in a separate cookie, however it is possible for these to get out of synch. For example if we use a session cookie for the projectname and tick "remember me" when we logon (creating a permanent cookie for the authentication ticket) then we can end up with a username but no projectname when the session cookie expires (browser is closed). Hence I manually add the project name to the UserData field of the authentication ticket.
5) I have not figured out how to manipulate the UserData field without explicitly setting a cookie, which means that my solution cannot work in "cookieless" session mode.
The final code turned out to be relatively simple.
I override the Authenticate event of the LoginView in the login page:
//
// Add project name as UserData to the authentication ticket.
// This is especially important regarding the "Remembe Me" cookie - when the authentication
// is remembered we need to know the project and user name, otherwise we end up trying to
// use the default project instead of the one the user actually logged on to.
//
// http://msdn.microsoft.com/en-us/library/kybcs83h.aspx
// http://msdn.microsoft.com/en-us/library/system.web.ui.webcontrols.login.remembermeset(v=vs.100).aspx
// http://www.hanselman.com/blog/AccessingTheASPNETFormsAuthenticationTimeoutValue.aspx
// http://www.csharpaspnetarticles.com/2009/02/formsauthentication-ticket-roles-aspnet.html
// http://www.hanselman.com/blog/HowToGetCookielessFormsAuthenticationToWorkWithSelfissuedFormsAuthenticationTicketsAndCustomUserData.aspx
// http://stackoverflow.com/questions/262636/cant-set-formsauthenicationticket-userdata-in-cookieless-mode
//
protected void LoginUser_Authenticate(object sender, AuthenticateEventArgs e)
{
string userName = LoginUser.UserName;
string password = LoginUser.Password;
bool rememberMe = LoginUser.RememberMeSet;
if ( [ValidateUser(userName, password)] )
{
// Create the Forms Authentication Ticket
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
1,
userName,
DateTime.Now,
DateTime.Now.AddMinutes(FormsAuthentication.Timeout.TotalMinutes),
rememberMe,
[ ProjectName ],
FormsAuthentication.FormsCookiePath);
// Create the encrypted cookie
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
if (rememberMe)
cookie.Expires = DateTime.Now.AddMinutes(FormsAuthentication.Timeout.TotalMinutes);
// Add the cookie to user browser
Response.Cookies.Set(cookie);
// Redirect back to original URL
// Note: the parameters to GetRedirectUrl are ignored/irrelevant
Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, rememberMe));
}
}
I have this global method to return the project name:
/// <summary>
/// SQL Server database name of the currently selected project.
/// This name is merged into the connection string in EventConnectionString.
/// </summary>
public static string ProjectName
{
get
{
String _ProjectName = null;
// See if we have it already
if (HttpContext.Current.Items["ProjectName"] != null)
{
_ProjectName = (String)HttpContext.Current.Items["ProjectName"];
}
// Only have to do this once in each request
if (String.IsNullOrEmpty(_ProjectName))
{
// Do we have it in the authentication ticket?
if (HttpContext.Current.User != null)
{
if (HttpContext.Current.User.Identity.IsAuthenticated)
{
if (HttpContext.Current.User.Identity is FormsIdentity)
{
FormsIdentity identity = (FormsIdentity)HttpContext.Current.User.Identity;
FormsAuthenticationTicket ticket = identity.Ticket;
_ProjectName = ticket.UserData;
}
}
}
// Do we have it in the session (user not logged in yet)
if (String.IsNullOrEmpty(_ProjectName))
{
if (HttpContext.Current.Session != null)
{
_ProjectName = (string)HttpContext.Current.Session["ProjectName"];
}
}
// Default to the test project
if (String.IsNullOrEmpty(_ProjectName))
{
_ProjectName = "Test_Project";
}
// Place it in current items so we do not have to figure it out again
HttpContext.Current.Items["ProjectName"] = _ProjectName;
}
return _ProjectName;
}
set
{
HttpContext.Current.Items["ProjectName"] = value;
if (HttpContext.Current.Session != null)
{
HttpContext.Current.Session["ProjectName"] = value;
}
}
}
Can't you postback the project selection to some page, add that selection to the session, then redirect to appropriate protected page, where auth will kick in and force login?
ASP.NET session doesn't get created in the form of a cookie until you place at least one item in it.
So I'm using SignalR, it's setup and working correctly on my Website.
Let's suppose user A logs in (I am using the Membership API). When A logs in I am calling the connection from .js located in my masterpage. That will assign this use a specific userId.
Let's say now user B logs in goes does some event and that event needs to notify user A from codebehind.
So what I am trying to do here is notify user B of use A's action from CodeBehind. How will user B know user A's ID and how does the whole thing work? I couldn't find help in the documentation as it does not go into that kind of stuff.
How can this be achieved? Thanks.
I realize this has already been answered, but there another option that folks might find helpful. I had trouble finding info on how to do this, so hopefully this helps someone else.
You can override the SignalR ClientID generation and make it use the membership UserID. This means you do not have to maintain a CleintID -> UserID mapping.
To do this, you create a class that implements the IClientIdFactory interface. You can do something like:
public class UserIdClientIdFactory : IClientIdFactory
{
public string CreateClientId(HttpContextBase context)
{
// get and return the UserId here, in my app it is stored
// in a custom IIdentity object, but you get the idea
MembershipUser user = Membership.GetUser();
return user != null ?
user.ProviderUserKey.ToString() :
Guid.NewGuid().ToString();
}
}
And then in your global.asax:
SignalR.Infrastructure.DependencyResolver.Register(typeof(IClientIdFactory), () => new UserIdClientIdFactory());
EDIT -- as nillls mentioned below, things have changed in the signalR version 0.4. Use ConnectionId rather than ClientId:
public class UserIdClientIdFactory : IConnectionIdFactory
{
public string CreateConnectionId(SignalR.Hosting.IRequest request)
{
// get and return the UserId here, in my app it is stored
// in a custom IIdentity object, but you get the idea
MembershipUser user = Membership.GetUser();
return user != null ?
user.ProviderUserKey.ToString() :
Guid.NewGuid().ToString();
}
}
And DependencyResolver has moved:
SignalR.Hosting.AspNet.AspNetHost.DependencyResolver.Register(typeof(IConnectionIdFactory), () => new UserIDClientIdFactory());
Hope this helps someone!
Your app needs to store a mapping of SignalR client (connection) IDs to user ids/names. That way, you can look up the current SignalR client ID for user B and then use it to send a message directly to them. Look at the chat sample app at https://github.com/davidfowl/JabbR for an example of this.