I have a problem which I can't replicate on my dev server (IIS 8.5), but which is happening on my live server.
The ASP.NET website uses forms authentication, which works perfectly unless the URL is rewritten. On rewritten URLs, the user is not considered logged in. If you click "log in", then the user is logged in without redirecting to the login form! This means the cookie is somehow being used to authenticate the user after clicking "log in". Refreshing the rewritten page reverts to not being logged in.
Here are some concrete examples:
Go to http://www.paraglidingmap.com and log in with the following details (top right of the screen):
Username: test
Password: hibiscus
Now go to this page which uses URL redirection, and you will not be logged in! But if you click "log in", you will be magically logged in until you refresh the page.
http://www.paraglidingmap.com/page/AppAndroid
Someone out there must be smarter than me. Why is this only happening on the live server and not dev? I have checked that integrated pipeline is used on both servers.
I have found a solution. Instead of using HttpContext.Current.RewritePath, using Context.Server.TransferRequest seems to also transfer the request cookie.
I would be grateful if anyone could explain why this is the case.
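One check that narrows a problem like this down, as an added example (not code from the original post): a Global.asax handler that logs, for every request, whether the forms-authentication cookie arrived, whether it decrypts to an unexpired ticket, and whether ASP.NET ended up treating the user as authenticated. Comparing the log for the original URL and the rewritten URL, on dev and on live, separates "the browser never sent the cookie" (cookie path or domain) from "the cookie arrived but the runtime did not honour it" (module ordering, a machineKey mismatch, or a child request that did not carry the cookie). The handler runs at PostAuthenticateRequest so the FormsAuthenticationModule has already set `Context.User`; `System.Diagnostics.Trace` is a stand-in for whatever logging the site uses.

```csharp
// Added diagnostic example, not from the original question. Wire it in Global.asax.cs.
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        HttpCookie authCookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];

        bool cookiePresent = authCookie != null;
        bool ticketValid = false;
        string ticketUser = "(none)";

        if (cookiePresent)
        {
            try
            {
                // Decrypt throws when the value was tampered with or was encrypted
                // by a server with a different machineKey.
                FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(authCookie.Value);
                if (ticket != null)
                {
                    ticketValid = !ticket.Expired;
                    ticketUser = ticket.Name;
                }
            }
            catch (ArgumentException) { ticketValid = false; }
            catch (HttpException) { ticketValid = false; }
        }

        bool isAuthenticated = ctx.User != null && ctx.User.Identity.IsAuthenticated;

        // RawUrl is what the browser asked for; Path is what the request was rewritten to.
        // A Server.TransferRequest child request produces a second log line of its own.
        Trace.TraceInformation(
            "RawUrl={0} Path={1} cookiePresent={2} ticketValid={3} ticketUser={4} IsAuthenticated={5} User={6}",
            ctx.Request.RawUrl,
            ctx.Request.Path,
            cookiePresent,
            ticketValid,
            ticketUser,
            isAuthenticated,
            isAuthenticated ? ctx.User.Identity.Name : "(anonymous)");
    }
}
```

A line with `cookiePresent=True ticketValid=True IsAuthenticated=False` on the rewritten URL points at how the rewritten request is processed rather than at the cookie itself; `cookiePresent=False` points at the cookie's path or domain attributes, which should be checked against the rewritten URL.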
I understand that when a user logs in to an MVC webapp (when the runtime executes FormsAuthentication.SignIn(..)), that user receives a cookie and continues to work with the site with that cookie.
However, the user can log in again, from an incognito window or another PC, and get access to the site from both places simultaneously. I would like to prevent him from doing that.
I believe that the solution to this issue lies somewhere close; however, neither googling nor digging into the MVC Forms Authentication classes provided me with anything I could work with.
So how do I forcibly sign off the last user login info (I believe it is a cookie stored inside a web server, I might be wrong) when that user successfully attempts to log in from somewhere new?
You need to implement Application_AuthenticateRequest in your global.asax file and validate that the user identity is still correct, e.g. you need to keep track of all sessions related to the user and which clients he used. You can then respond with a cookie reset in the mentioned method if you want to sign out the user.
The only way you can do that is by storing the user login information in a table. So when the user tries to log in again, you can verify whether he is logged in somewhere else by querying the table. Once the user logs out, delete the rows from the table.
Remember you would not be able to do anything with the help of cookies alone. Cookies will just contain the forms authentication ticket, which will be used by the authentication module to verify whether the incoming request is authenticated or not. And since the calls are stateless, you cannot decide anything just by looking at the cookie.
I have a login screen, and upon successful login I will display a welcome screen. But the problem is, if I refresh the web page I am taken back to the login screen. If I am successfully logged in, then if I refresh I should go to the Welcome page.
I did some research and found out that I should be using cookies to handle this. Are cookies the best approach, or is there any other way I could solve this?
Could someone please point me to a good tutorial that explains how to do this? or some sample code to start with?
Here is the MSDN on the FormsAuthenticationTicket class that is used for authorizing users to your application. This is the term that you want to ask about/Google for more information on user authentication.
The basic premise is that once you have authenticated a user, you issue an encrypted cookie that contains some basic information about that user. This cookie is what is used to prove the user is who they say they are, defines the login expiration times and allows you to authorize them to different resources in your application.
Words of Caution
With that said, if you are rolling your own authorization/login system, I highly encourage you to use the built-in .NET membership providers. There are many caveats to web authorization and authentication, and the likelihood that you leave a security hole open using your own code is extremely high.
Here are some other approaches that don't require cookies:
If you can use authentication provided natively by the browser (i.e. Windows, if your case is an intranet with a Windows domain) then you can base your decision on headers other than the cookie header (i.e. in the case of Windows auth you can use the "impersonate request as user" functionality) to see if the user is "logged in" to your system.
You can also set information on the local system in Local Storage to say "this user is logged in" and then check on the login page if some other page needs to be rendered. This is not a secure approach, but it may be OK (as you still need to have some way to secure all other pages).
We are building an intranet for a client, and the client doesn't want the users to log on, as they have already logged on to the domain (Active Directory).
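The two threads above ask related things: how to stay logged in across a refresh, and how to make a new login supersede an earlier one. Both come down to what the forms-authentication ticket carries and what the server checks on each request, so one added example serves both (this is illustrative code written here, not the answers' own code or the .NET membership provider). `SignIn` issues an encrypted, HttpOnly ticket whose `UserData` holds a per-login session id; a page only needs `Request.IsAuthenticated` to know a refreshed user is still logged in. `Validate`, wired from Global.asax at PostAuthenticateRequest, rejects any ticket whose session id is no longer the user's current one, which is the "table of logged-in users" the second answer describes. The `ConcurrentDictionary` stands in for that database table and is the one assumption here; replace it with a real store in a multi-server deployment. `FormsAuthentication.Timeout` requires ASP.NET 4.5 or later.

```csharp
// Added example, not code from the original answers. Single-active-login enforcement on top of
// forms authentication: the server remembers the session id of each user's most recent login.
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class SingleLoginAuth
{
    // username -> session id of the most recent login. Placeholder for the DB table the answer
    // recommends; an in-process dictionary does not survive restarts or span a web farm.
    private static readonly ConcurrentDictionary<string, string> CurrentLogins =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Call after the credential check has succeeded. Each new login replaces the stored session id,
    // so a ticket issued to an earlier browser session stops validating on its next request.
    public static HttpCookie SignIn(string userName, bool isPersistent)
    {
        string sessionId = Guid.NewGuid().ToString("N");
        CurrentLogins[userName] = sessionId;

        var ticket = new FormsAuthenticationTicket(
            version: 1,
            name: userName,
            issueDate: DateTime.Now,
            expiration: DateTime.Now.Add(FormsAuthentication.Timeout),
            isPersistent: isPersistent,
            userData: sessionId,                  // bound into the encrypted, MAC-protected ticket
            cookiePath: FormsAuthentication.FormsCookiePath);

        return new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from page script
            Secure = FormsAuthentication.RequireSSL,  // honours requireSSL in web.config
            Path = FormsAuthentication.FormsCookiePath,
            // Session cookie unless the user asked to be remembered.
            Expires = isPersistent ? ticket.Expiration : DateTime.MinValue
        };
    }

    public static void SignOut(string userName)
    {
        string ignored;
        CurrentLogins.TryRemove(userName, out ignored);
        FormsAuthentication.SignOut();
    }

    // Pure check, kept separate so it can be unit-tested without an HttpContext.
    public static bool IsCurrentSession(FormsAuthenticationTicket ticket)
    {
        if (ticket == null || ticket.Expired) return false;
        string current;
        return CurrentLogins.TryGetValue(ticket.Name, out current)
            && string.Equals(current, ticket.UserData, StringComparison.Ordinal);
    }

    // Global.asax: protected void Application_PostAuthenticateRequest(object s, EventArgs e)
    //              { SingleLoginAuth.Validate(Context); }
    public static void Validate(HttpContext ctx)
    {
        var identity = ctx.User != null ? ctx.User.Identity as FormsIdentity : null;
        if (identity == null) return; // anonymous request: nothing to enforce

        if (!IsCurrentSession(identity.Ticket))
        {
            // Superseded or stale login: expire the cookie and treat this request as anonymous.
            FormsAuthentication.SignOut();
            ctx.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        }
    }
}
```

Because the session id lives inside the encrypted ticket, a client cannot forge a "current" id, and because the comparison happens on every request, the earlier browser is signed out on its next click rather than only at its next login attempt.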
But they do want to know the AD username of each user so that if they post on the blog, their identity can be recorded.
Our thinking so far has been, that our web.config file should say:
<identity impersonate="false" />
so that each user browses the intranet site as themselves and not the App Pool user configured in IIS.
Would this be the right way to go about it?
If so, what IIS authentication should we be using? NOTE: we are not authenticating the user, so we don't want the logon prompt, all users will already have logged onto the domain, we just want to see their username.
Is this even possible? And are we on the right track?
In C#, we can retrieve the username like this:
System.Web.HttpContext.Current.Request.LogonUserIdentity.Name.ToString()
but we just can't find an IIS authentication setting that will not prompt a domain/network login.
You need to turn on Windows authentication. After you have done that, the identity token will be passed to the server as I remember, and you can manage the authentication with that.
Also note that only Chrome and IE support this fully; Firefox will ask at least for pressing an OK button before authenticating the user.
Another thing to note is to set the trust levels correctly in the browser, or it won't do the automatic authentication.
You already know how to get the LogonUserIdentity and set up IIS correctly. What is lacking is to get the browser to automatically authenticate with the AD account of the user. To enable that you have to configure the browser to do so, which I think is only enabled for Intranet zone sites by default.
This is my scenario: I'm developing a web application where the user logs in; when he clicks a link I want him to be redirected to a SharePoint site, and I want to automatically pass his username and password to SharePoint, so he doesn't need to log in.
How should I do this? Please indicate the best strategy. I have already tried this, but it didn't work out.
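As an added example for the intranet question above (written here, not the posters' code): a small helper that reads the Windows account IIS has already negotiated, guards against the anonymous case, and derives the account name to record against a blog post server-side. It assumes the web.config settings discussed in the thread, `<authentication mode="Windows" />` and `<identity impersonate="false" />`, plus Windows Authentication enabled and Anonymous Authentication disabled on the site in IIS; with anonymous left enabled, IIS never challenges the browser and `IsAuthenticated` stays false. Taking the author from the negotiated identity rather than from a form field is the point: the browser proves the account to IIS, so no user-supplied name is trusted.

```csharp
// Added example, not code from the original question or answers.
using System.Security.Principal;
using System.Web;

public static class IntranetUser
{
    // Returns "DOMAIN\user" for a Windows-authenticated request, or null when the request is anonymous.
    public static string GetLogonName(HttpContext ctx)
    {
        if (ctx == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated) return null;

        // With impersonate="false" the worker process keeps running as the app pool identity,
        // but User.Identity (and Request.LogonUserIdentity) still describe the browser's user.
        var windowsIdentity = ctx.User.Identity as WindowsIdentity;
        return windowsIdentity != null ? windowsIdentity.Name : ctx.User.Identity.Name;
    }

    // "CONTOSO\jdoe" -> "jdoe"; "jdoe@contoso.com" -> "jdoe"; "jdoe" -> "jdoe".
    public static string ToAccountName(string logonName)
    {
        if (string.IsNullOrEmpty(logonName)) return null;

        int backslash = logonName.IndexOf('\\');
        if (backslash >= 0) return logonName.Substring(backslash + 1);

        int at = logonName.IndexOf('@');
        return at >= 0 ? logonName.Substring(0, at) : logonName;
    }

    // Author to store with a blog post: taken from the negotiated identity, never from the form.
    // Fails closed with 401 if Windows authentication did not identify the caller.
    public static string AuthorForPost(HttpContext ctx)
    {
        string logonName = GetLogonName(ctx);
        if (logonName == null)
        {
            throw new HttpException(401, "Windows authentication did not identify the user");
        }
        return ToAccountName(logonName);
    }
}
```

Whether the browser sends the credential silently is decided client-side, as the answers say: the site must be in the Intranet zone (or an equivalent trusted-site list) for the browser to complete Negotiate/NTLM without a prompt.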
http://forums.asp.net/t/883397.aspx
The login via NetworkCredential seems to work fine, but when I redirect my page to Sharepoint it prompts me again for user and password.
Thanks in advance.
We did something like this on an application I was working on (although it wasn't a SP site). You want to set up the web.config so that both sites can decode the authentication token (cookie) that is set in your web application. Take a look at this article on MSDN that describes how to configure forms authentication across applications.
I wonder if the following is possible.
A user logs in on my website, using a username and password using his default browser.
Later on, my C# program is run on the same PC. I want to check if the user is logged in within the default browser, so I can access a webpage that is in the registered-only area. Is this somehow possible?
A number of possibilities come to mind:
You could check their cookie folder for a valid cookie for your site
Check the browser history (perhaps using a toolbar)
Use the web browser control so that users log-in through your app
I have never seen any of the above in practice.
I think the best method would be to set up the site to ask for credentials if they're not logged in, so the user can enter them and continue. You'll find this method in most (if not all) of the major websites out there that have client-installed software (such as the Gmail Notifier).
You could possibly do it with a cookie saved on the machine; you would need to find where it's stored and the naming of the cookie, or some kind of API to read the cookie.
Here are a few links:
http://msdn.microsoft.com/en-us/library/system.net.httpwebrequest.cookiecontainer.aspx
http://msdn.microsoft.com/en-us/library/system.windows.application.getcookie.aspx
http://bytes.com/topic/c-sharp/answers/677862-reading-creating-cookies-local-machine-using-windows-application
http://www.codeproject.com/Messages/2981086/How-to-read-cookies-in-winforms-Net.aspx