I have two different web applications hosted in same server .
and in one application i have link to the second one .
If a user login in first application and click the link to second one ,
the user automatically login as i pass the login information through query string .
The Problem :
If the user click on logout button in any of these application , automatically loose session in the other one too
Why this happen ? How can i overcome this ?
I got the Issue , I have same domain name for both of these applications .
As it has same domain name the cookie and session ids are same . Hosted these applications with different domain names and the issue gone ..!
If you are using Forms Authentication you should change cookie name in web.config
<system.web>
<authentication mode="Forms">
<forms name=".SOMENAME" requireSSL="false" protection="All" loginUrl="~/Security/Login" timeout="2880" />
</authentication>
</system.web>
Related
In windows authentication without subdomain http://localhost/myweb/ its asking username/password after successful its displaying application page.
But when I ran with subdomain http://abc.localhost/myweb/
its not taking the login credentials, Its giving Unauthorized access error.
what changes I need to do to overcome this problem.
what I tried is:
in Web.config I changed allow users to * and deny users to ? but its not working
Its because the cookie is change and depended on the subdomain and domain - to make it keep the same cookie you have to define the domain parameter on the authentication lines and on cookie on web.config
The lines that you have to define it are...
<authentication mode="Forms">
<forms domain="domain.com" .... />
</authentication>
<roleManager domain="domain.com" >
.... other lines .....
</roleManager>
<httpCookies domain="domain.com" .... />
Setting up the correct domain with out subdomain you can have the same authenticated cookie on your subdomains
Other similar questions : Multiple applications using same login database logging each other out
TL/DR: I am experiencing an HTTP-302 redirect loop when trying to share an authentication cookie between an ASP.NET WebForms site and an ASP.NET MVC web site that are served on separate sub-domains.
Details
a.website.com - The existing WebForms site. Works fine.
b.website.com - The new MVC site I'm trying to integrate using the shared cookie.
User reaches b.website.com and is not yet authenticated. They are redirected to a.website.com/Login.aspx.
User enters their username/password.
The user is redirected to the original desired page on b.website.com.
b.website.com receives the authentication cookie in the request, but for some reason fails to see the user as authenticated. It sends them back to a.website.com/Login.aspx.
a.website.com sees the cookie and realizes the user is authenticated, and redirects the user back to b.website.com.
Steps 4 and 5 repeat until the browser breaks the loop.
Setup
The setup follows the MSDN documentation for Configuring Forms Authentication Across Applications precisely: the two sites share machine key settings and Forms authentication settings. Both sites reside on the same server and IIS instance. Both sites force SSL. In the web.config file, the Membership and RoleManager settings are identical.
For a.website.com, which hosts the login page:
<httpCookies httpOnlyCookies="true" requireSSL="true" />
<authentication mode="Forms">
<forms name="COOKIE_NAME"
domain=".website.com"
loginUrl="login.aspx"
defaultUrl="login.aspx"
requireSSL="true"
cookieless="UseCookies"
protection="All"
enableCrossAppRedirects="true"
path="/"/>
</authentication>
<machineKey
validationKey="((validation key))"
decryptionKey="((decryption key))"
validation="SHA1"
decryption="AES" />
b.website.com is of course pretty similar, except the login URL for unauthorized users directs them to the login on site "a".
<httpCookies httpOnlyCookies="true" requireSSL="true" />
<authentication mode="Forms">
<forms name="COOKIE_NAME"
domain=".website.com"
loginUrl="https://a.website.com/login.aspx"
defaultUrl="login.aspx"
requireSSL="true"
cookieless="UseCookies"
protection="All"
enableCrossAppRedirects="true"
path="/"/>
</authentication>
<machineKey validationKey="((validation key))"
decryptionKey="((decryption key))"
validation="SHA1"
decryption="AES" />
Troubleshooting
This setup works as expected on my development machine and our test server (albeit with no domain setting and loginUrl set accordingly) where both web sites are running from the same domain, just different port numbers. For example, in local development, site "a" might run from https://development:44301/ and site "b" might run from https://development:44302/. However, on the production machine--where they are actually on different subdomains--I experience the redirect loop.
Using the browser web developer tools, I can see that the authorization cookie is being sent to b.website.com after the login redirect. Also on b.website.com, if I remove the [Authorize] attribute decorating the controller, the pages load as expected. I'm reasonably sure the issue is limited to how the MVC site is handling the authentication cookie in the limited subdomain scenario.
It sounds like the same issue was reported on SO here and here, but those users had not set enableCrossAppRedirects="true". That setting (which is enabled in my code) seems to be required for subdomain redirects, as I've already tried. This SO article details the setting a bit more and indicates the redirect should be done via SSL, which I am also doing.
What am I missing? How can I better debug the authentication failure that apparently occurs when site "b" receives but does not acknowledge the cookie?
I finally found an answer, unmentioned in the MSDN documentation I referenced above. Many thanks to Steve Smith's 2-year old blog entry.
The older WebForms site targeted a previous release of .NET, so there is an additional compatibility mode string setting on the machineKey config to handle this. If both applications were the same version, this would be unnecessary.
To be absolutely clear for future searchers-- In the web.config of the older a.website.com WebForms site, targeting an earlier .NET release, I had used an ordinary machinekey setting:
<machineKey
validationKey="((validation key))"
decryptionKey="((decryption key))"
validation="SHA1"
decryption="AES" />
In the web.config of the newer MVC site, I had to also specify the compatibility mode to work with the older site's framework:
<machineKey
compatibilityMode="Framework20SP2"
validationKey="((validation key))"
decryptionKey="((decryption key))"
validation="SHA1"
decryption="AES" />
Note that the compatibility mode string is NOT necessarily the targeted framework of the other app. Any targeted version between 2.0SP2 and 4.5 will need a setting of "Framework20SP2". Check the link above to make sure you're picking the right one!
With this in place (along with the matching forms settings in the original MSDN article), everything worked perfectly.
I foresee myself spending another day figuring out why my authentication is broken when we get around to upgrading the older site's targeted framework!
My Azure cloud service app has users logged in with session data. If they click on a link internally that doesn't have a preceding www, then the session data is not applied. If they go back and click on a link that does have a preceding www, the session data works as expected. Does anyone know how to resolve this?
TIA
Sounds like your session cookies are not tuned to the wildcard of the domain. Can this be a problem? Check the forms section of your web.config if it contains domain attribute and if it doesn't, set it.
<authentication mode="Forms">
<forms loginUrl="/Account/LogOn" timeout="43200" domain="yourdomain.com"/>
</authentication>
I use ASP.NET and ASP.NET Authentication.
I have a website with structure like:
ROOT
- CMS
- AdminCms
- web.conf*
- FORUM
- AdminForum
- web.conf*
- web.conf ***
Now in web.conf *** I use for CMS LOGIN PAGE
<authentication mode="Forms">
<forms loginUrl="~/Cms/AdminCms/Login.aspx" timeout="2880" />
</authentication>
My Questions:
How can I have another DEFAULT LOGIN PAGE for another folder? (if the user use for example FORUM).
Would be possible insert in web.conf* another
<authentication mode="Forms">
<forms loginUrl="~/Forum/AdminForum/Login.aspx" timeout="2880" />
</authentication>
Any ideas?
Based on my comment earlier - Forms authentication allows redirecting a user to different pages after a successful login. To enable this, the forms authentication keeps track of the original page a user came from in the ReturnUL request parameter to the login page.
In your case you could do something like this in the codebehind of your login page after a successful login:
string originalTarget = Request.Params["ReturnUrl"];
if(originalTarget != null)
{
if(originalTarget.Contains(#"/FORUM/")
Response.Redirect(someForumURL);
else
Response.Redirect(someCMSURL);
}
Edit: Here also a link to an article - Forms Authentication - Redirecting users to a Page other than Default.aspx
If you mark both the folders, CMD and Forum as an application in IIS, you can easily do this since both of them will be a separate application domain.
In an ASP.NET 3.5 application running on IIS, how do I force a "deauthentication" of all currently logged-in and authenticated users?
iisreset didn't seem to do the trick!
Changing the authentication form name will then require new authentication from all users.
From:
<authentication mode="Forms">
<forms name="originalName" loginUrl="~/Account/Login" />
</authentication>
To:
<authentication mode="Forms">
<forms name="differentName" loginUrl="~/Account/Login" />
</authentication>
ASP.NET authentication is designed to be resilient to an IISReset due to its use of cookies - performing an IISReset will clear any in-memory information, but the next time a user asks for a page on your site, they will send their authentication token, which (if it hasn't timed out) will still be valid, and the server will re-authenticate them.
You could write something that would effectively log out the user after a restart, by (for example) storing the application start time in a global variable in Application_Start, and then comparing the users LastActivityDate with that value - if it's before the start time, then you can call the appropriate sign-out method during Application_SessionStart or Application_BeginRequest.