I understand that when a user logs in to an MVC web app (when the runtime executes FormsAuthentication.SignIn(..)), that user receives a cookie and continues to work with the site with that cookie.
However, the user can log in again from an incognito window or another PC and get access to the site from both places simultaneously. I would like to prevent him from doing that.
I believe that the solution to this issue lies somewhere close, however neither googling nor digging into the MVC Forms Authentication classes gave me anything I could work with.
So how do I forcibly sign off the last user login info (I believe it is a cookie stored inside the web server, I might be wrong) when that user successfully attempts to log in from somewhere new?
You need to implement Application_AuthenticateRequest in your global.asax file and validate that the user identity is still correct, e.g. you need to keep track of all sessions related to the user and which clients he used. You can then respond with a cookie reset in the mentioned method if you want to sign out the user.
The only way you can do that is by storing the user login information in a table. So when the user tries to log in again, you can verify whether he is logged in somewhere else by querying the table. Once the user logs out, delete the rows from the table.
Remember that you would not be able to do anything with the help of cookies. Cookies will just contain the forms authentication ticket, which is used by the authentication module to verify whether the incoming request is authenticated or not. And since the calls are stateless you cannot decide anything just by looking at the cookie.
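The two answers above (keep the active login in a table, check it in Application_AuthenticateRequest, reset the cookie if it no longer matches) combined into one working piece, as an added example that is not code from either answer. It assumes a per-user record keyed by user name that holds the session id of the most recent login (an in-memory dictionary stands in for that table here), and an app using Forms Authentication with its default cookie; the class and method names are my own.

```csharp
// Added example: single-active-session enforcement for ASP.NET MVC Forms Authentication.
// Not code from the original answers. ActiveSessionStore stands in for the table the
// answers describe; replace the dictionary with your own DB access.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

public static class ActiveSessionStore
{
    // user name -> session id issued by the most recent login (assumed table, in memory here)
    private static readonly ConcurrentDictionary<string, string> Current =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    public static string NewSessionId()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }

    // A new login overwrites the stored id, which is what invalidates the older browser or PC.
    public static void Register(string userName, string sessionId)
    {
        Current[userName] = sessionId;
    }

    public static bool IsCurrent(string userName, string sessionId)
    {
        string stored;
        return Current.TryGetValue(userName, out stored) && stored == sessionId;
    }

    public static void Remove(string userName)
    {
        string ignored;
        Current.TryRemove(userName, out ignored);
    }
}

public static class SingleSessionAuth
{
    // Use this in the login action in place of FormsAuthentication.SetAuthCookie.
    // The session id rides in the ticket's UserData, so it is encrypted and MACed with the ticket.
    public static void SignIn(HttpResponseBase response, string userName, bool persistent)
    {
        string sessionId = ActiveSessionStore.NewSessionId();
        ActiveSessionStore.Register(userName, sessionId);

        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.Add(FormsAuthentication.Timeout),
            persistent, sessionId, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent)
        {
            cookie.Expires = ticket.Expiration;
        }
        response.Cookies.Add(cookie);
    }

    // Global.asax:
    //   protected void Application_AuthenticateRequest(object sender, EventArgs e)
    //   {
    //       SingleSessionAuth.Validate(new HttpContextWrapper(HttpContext.Current));
    //   }
    public static void Validate(HttpContextBase context)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
        {
            return; // anonymous request, nothing to check
        }

        FormsAuthenticationTicket ticket = null;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            // Tampered cookie, or one issued under a different machine key: treat as invalid.
        }

        if (ticket == null || ticket.Expired || !ActiveSessionStore.IsCurrent(ticket.Name, ticket.UserData))
        {
            // Superseded by a newer login elsewhere (or invalid): clear the cookie and send to login.
            FormsAuthentication.SignOut();
            context.Response.Redirect(FormsAuthentication.LoginUrl, false);
            context.ApplicationInstance.CompleteRequest();
        }
    }

    // Logout action: forget the server-side record as well as the cookie.
    public static void SignOut(HttpContextBase context)
    {
        if (context.User != null && context.User.Identity.IsAuthenticated)
        {
            ActiveSessionStore.Remove(context.User.Identity.Name);
        }
        FormsAuthentication.SignOut();
    }
}
```

Validate reads the cookie directly rather than context.User, so it does not depend on whether FormsAuthenticationModule has already run for the request. The policy shown is "newest login wins"; the opposite policy (refuse the second login and show "already logged in") only needs the login action to consult IsCurrent before calling SignIn. In a real deployment the dictionary must be a shared store (database or cache), since an in-process dictionary is lost on recycle and not shared across a web farm.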
Related
I need to implement a secure system in MVC which will recognize that the logged-in user has followed the proper authentication steps.
Can I know which of the following authentication schemes will be better?
1. Forms authentication will use a cookie, which in turn gets the user details based on the cookie. In forms authentication we have the advantage that, with the cookie available in the browser, the system will auto-login from that.
2. Storing the logged-in user information in session and checking that the user is logged in. But if the session expires we need to log out of the system. Suppose the user needs to work the entire day; sometimes the user can leave without interaction for 20 mins, and the system automatically signs out the user.
3. Storing the logged-in user details in SQL Server session state, which will have performance issues.
So I need to implement a secure and performance-oriented scheme which will maintain user information securely and also have advantages like auto-login with a cookie.
The primary goal is to maintain which user is logged in; he should be authenticated through the system which he is accessing and safely log out of the system.
Option 1 is not safe because you can pick up the cookie data and insert it into another browser to impersonate the user.
I use option 2, for example with my website, because it has a secure structure. If the browser is closed and opened again the session is destroyed, but you can always use it as long as the same browser is open to access your profile without having to log in.
Option 3 has too much editing and processing effort, so I wouldn't recommend it.
Maintaining the user would simply fall when you maintain the user data in the database via an admin panel which you create. So you have the possibility to install an ACL system later.
I have a JavaScript client and an ASP.NET server. I am using SimpleMembership provider style authentication; the login/register and roles are working fine. The problem is, once the user logs in, I have to be able to check the future server controller hits and determine whether to permit or deny the user to use those controller functions. My first thought was using sessions: once the user logs in I would have the created session store his username (or id or whatever), and use that later to check whether his role has sufficient rights. The problem occurs when the log in function is hit: the session is created and the credentials are stored, but as soon as the function ends the session ends (which means I can't check his future controller hits). My question is, is there a way to make this work this way (let's say somehow forcing the session to stay open until logout or timeout), or am I going about it completely wrong?
Thank you in advance, and I hope this isn't one of those "stupid" questions!
I am looking to upgrade a project I have from ASP.NET Web Forms to MVC 4.
In the process of the upgrade I am trying to re-evaluate the way we handle authentication and login.
Currently, when a user attempts to log in, I (the front-end), make a call to the database to validate and then that comes back as yay or nay with an associated 'token'. I then have to pass that token to the next page on our site where it gets placed into a javascript object. That token is then passed with every ajax call and is updated after each with a new token. I personally manage that token within the client browser.
Now, in MVC 4 the default Internet Application comes with the needed logic to employ some form of local registration and login. But I don't understand how it works.
After a user 'registers' where does that get stored?
When a user is logged in and then changes pages, how does that user stay logged in? How do his credentials get passed?
It seems to me that the current way we handle our login is grossly outdated and flawed. But at this time I do not understand how I could set up MVC to look at our current (external, it's not within this project) database to authenticate users.
I have a book on MVC 4 but it doesn't seem to go into detail on how this works.
Any help would be appreciated.
Thanks!
After a user 'registers' where does that get stored?
If you used VS2012 and ASP.NET MVC 4, it will store the user in LocalDB. That's the default out-of-the-box implementation, which uses the new SimpleMembership provider.
When a user is logged in and then changes pages, how does that user stay logged in? How do his credentials get passed?
The currently authenticated user is stored in an encrypted Forms Authentication cookie. Look at the LogOn POST action, which emits this cookie.
I had a similar question, you can see my post here, but the solution I found and went with was from this article. It's very detailed with how the new SimpleMembership system works.
The biggest change is that you no longer need any of the aspnet_regsql stuff. Once you register, the database schema gets created along with a row for the user. No SPs or views required!
I've got an ASP.NET site. I want to forbid a user from logging in with the same login from two computers. If someone is logged in and somebody else wants to log in with the same login, it should show him a message that this user is already logged in. I don't have Forms Authentication or anything like that. On the "LOG IN" button I just connect to the database and check if the user and password are valid.
I thought that when a user is logged in, I would update his status in the database, and when somebody else tries to log in, I would check in the database if this user is already logged in. But it isn't a good idea, because when the user doesn't click the "LOG OUT" button, it will not update his status in the database to inactive.
Is there any other way to do this without Forms Authentication or something like that?
There is no perfect solution
You can't reliably solve this problem, but you can come close. There will be edge cases where a legitimate user will be frustrated by this restriction.
What you can do
The ASP.NET membership provider keeps track of the last time a given user was seen, meaning the last time they were logged in and accessed a page. You can follow a similar strategy, also noting the IP address of the user and perhaps the user agent of the browser.
If you see two different IP addresses and/or user agents for the same login credentials within a short window (say, 20 minutes) you can assume they are most likely from different devices.
Be aware
As I said, there are edge cases where you will be wrong. For example, someone on a mobile device will frequently get a new IP address.
Honestly, it would be easier to let Microsoft take care of the details with forms authentication, but here is how I would do it if I were "challenged" not to use forms authentication. (There are other ways; this is just one that I like.)
On log in I would create a session cookie for the user (say 10 mins); this cookie would contain an id into a table where I would store their user id, the login time, and the IP they came from. I would include this information in the cookie too (with simple encryption); on every page load I would update the cookie to last an additional 10 mins and check the credentials against the database. This means the session would time out if the user did not access the web site every ten mins. This would also allow you to know when the user was logging in from another location.
Side note: almost all of the above is taken care of for you if you use custom authentication with windows forms authentication. Using windows forms authentication means you don't have to worry about the timeout and cookie management.
You could have a last_activity_time field in your database which is updated whenever a logged-in user accesses any of your pages. You can then have a window, e.g. 30 mins (a period of time during which it is valid that the user is logged in), comparing the last_activity_time with the current time; if the time difference is greater than the required window (30 mins), you consider the user inactive.
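The last-activity window that the answers above describe, implemented without Forms Authentication, as an added example that is not code from any of them. It assumes a UserLogin table with UserName, LastActivity (UTC, nullable) and ClientIp columns, that the password has already been verified by the existing "LOG IN" code, and that the site records the client IP as the earlier answers suggest; the class name, column names and the window length are my own choices.

```csharp
// Added example, not from the original answers. Assumed schema (SQL Server):
//   CREATE TABLE UserLogin (
//       UserName     nvarchar(256) NOT NULL PRIMARY KEY,
//       LastActivity datetime2     NULL,   -- UTC; NULL after an explicit LOG OUT
//       ClientIp     nvarchar(45)  NULL
//   );
using System;
using System.Data;
using System.Data.SqlClient;

public sealed class ActivityWindowLogin
{
    public enum Outcome { Ok, AlreadyLoggedIn, UnknownUser }

    private readonly string _connectionString;
    private readonly TimeSpan _window; // e.g. TimeSpan.FromMinutes(30)

    public ActivityWindowLogin(string connectionString, TimeSpan window)
    {
        _connectionString = connectionString;
        _window = window;
    }

    // Call after the password check. Rejects the login if another client has been active
    // within the window; a stale stamp (user never clicked LOG OUT) ages out on its own.
    public Outcome TryLogin(string userName, string clientIp)
    {
        using (var conn = new SqlConnection(_connectionString))
        {
            conn.Open();
            // Serializable + UPDLOCK: two simultaneous logins for the same user cannot both pass.
            using (SqlTransaction tx = conn.BeginTransaction(IsolationLevel.Serializable))
            {
                DateTime? last = null;
                string lastIp = null;
                bool found = false;
                using (var select = new SqlCommand(
                    "SELECT LastActivity, ClientIp FROM UserLogin WITH (UPDLOCK, HOLDLOCK) WHERE UserName = @u",
                    conn, tx))
                {
                    select.Parameters.Add("@u", SqlDbType.NVarChar, 256).Value = userName;
                    using (SqlDataReader r = select.ExecuteReader())
                    {
                        if (r.Read())
                        {
                            found = true;
                            if (!r.IsDBNull(0)) last = r.GetDateTime(0);
                            if (!r.IsDBNull(1)) lastIp = r.GetString(1);
                        }
                    }
                }
                if (!found)
                {
                    tx.Rollback();
                    return Outcome.UnknownUser;
                }

                DateTime now = DateTime.UtcNow;
                bool activeElsewhere = last.HasValue
                    && now - last.Value < _window
                    && !string.Equals(lastIp, clientIp, StringComparison.Ordinal);
                if (activeElsewhere)
                {
                    tx.Rollback();
                    return Outcome.AlreadyLoggedIn; // show the "already logged in" message
                }

                Stamp(conn, tx, userName, now, clientIp);
                tx.Commit();
                return Outcome.Ok;
            }
        }
    }

    // Call on every authenticated page hit so the window keeps sliding.
    public void Touch(string userName, string clientIp)
    {
        using (var conn = new SqlConnection(_connectionString))
        {
            conn.Open();
            Stamp(conn, null, userName, DateTime.UtcNow, clientIp);
        }
    }

    // Explicit LOG OUT: clear the stamp so a login from anywhere is accepted at once.
    public void Logout(string userName)
    {
        using (var conn = new SqlConnection(_connectionString))
        {
            conn.Open();
            Stamp(conn, null, userName, null, null);
        }
    }

    private static void Stamp(SqlConnection conn, SqlTransaction tx, string userName, DateTime? when, string ip)
    {
        using (var update = new SqlCommand(
            "UPDATE UserLogin SET LastActivity = @t, ClientIp = @ip WHERE UserName = @u", conn, tx))
        {
            update.Parameters.Add("@t", SqlDbType.DateTime2).Value = (object)when ?? DBNull.Value;
            update.Parameters.Add("@ip", SqlDbType.NVarChar, 45).Value = (object)ip ?? DBNull.Value;
            update.Parameters.Add("@u", SqlDbType.NVarChar, 256).Value = userName;
            update.ExecuteNonQuery();
        }
    }
}
```

A login from the same IP within the window is allowed through, since that is most likely the same person re-opening the site; the "Be aware" answer above still applies, because a mobile user whose address changes mid-session will be told they are logged in elsewhere until the window expires. Touch costs one UPDATE per request, which is the price of the sliding window; all statements are parameterized so the user name never reaches the SQL text.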
I wonder if the following is possible.
A user logs in on my website, using a username and password using his default browser.
Later on, my C# program is run on the same PC. I want to check if the user is logged in in the default browser, so I can access a web page that is in the registered-only area. Is this somehow possible?
A number of possibilities come to mind:
You could check their cookie folder for a valid cookie for your site
Check the browser history (perhaps using a toolbar)
Use the web browser control so that users log-in through your app
I have never seen any of the above in practice.
I think the best method would be to set up the site to ask for credentials if they're not logged in, so the user can enter them and continue. You'll find this method in most (if not all) of the major websites out there that have client-installed software (such as the Gmail Notifier).
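What the recommended approach above looks like in code, as an added example that is not from the answer: the desktop program keeps its own cookie jar and obtains its own Forms Authentication cookie by posting credentials the user typed into the app, instead of trying to read the browser's cookie store. The URLs, form field names, the MVC anti-forgery token and the default .ASPXAUTH cookie name are assumptions about the site, not facts from the post.

```csharp
// Added example, not from the original answers. Assumed site layout: login form at
// /Account/Login with fields UserName and Password plus an MVC anti-forgery token;
// success is a 302 to the return URL that sets the default .ASPXAUTH cookie.
using System;
using System.IO;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;

public sealed class SiteSession
{
    private readonly Uri _baseUri;
    private readonly CookieContainer _jar = new CookieContainer(); // the app's own jar, not the browser's

    public SiteSession(Uri baseUri)
    {
        _baseUri = baseUri; // e.g. new Uri("https://example.test/") (assumed)
    }

    public bool IsLoggedIn
    {
        get { return _jar.GetCookies(_baseUri)[".ASPXAUTH"] != null; }
    }

    // Logs in with credentials the user entered in the app.
    public bool Login(string userName, string password)
    {
        // 1. GET the form to obtain the anti-forgery token (its cookie lands in the jar too).
        string form = Get("/Account/Login");
        Match m = Regex.Match(form, "name=\"__RequestVerificationToken\"[^>]*value=\"([^\"]+)\"");
        if (!m.Success)
        {
            return false;
        }

        // 2. POST credentials; a 302 plus the auth cookie means success.
        string body = "__RequestVerificationToken=" + Uri.EscapeDataString(m.Groups[1].Value)
                    + "&UserName=" + Uri.EscapeDataString(userName)
                    + "&Password=" + Uri.EscapeDataString(password);
        HttpWebRequest req = NewRequest("/Account/Login");
        req.Method = "POST";
        req.ContentType = "application/x-www-form-urlencoded";
        byte[] bytes = Encoding.UTF8.GetBytes(body);
        using (Stream s = req.GetRequestStream())
        {
            s.Write(bytes, 0, bytes.Length);
        }
        using (var resp = (HttpWebResponse)req.GetResponse())
        {
            return resp.StatusCode == HttpStatusCode.Found && IsLoggedIn;
        }
    }

    // Fetches a members-only page with the session cookie. Returns null if the site
    // bounced us to the login page (cookie expired or never obtained).
    public string GetProtected(string path)
    {
        using (var resp = (HttpWebResponse)NewRequest(path).GetResponse())
        {
            if (resp.StatusCode == HttpStatusCode.Found)
            {
                return null;
            }
            using (var reader = new StreamReader(resp.GetResponseStream()))
            {
                return reader.ReadToEnd();
            }
        }
    }

    private string Get(string path)
    {
        using (var resp = (HttpWebResponse)NewRequest(path).GetResponse())
        using (var reader = new StreamReader(resp.GetResponseStream()))
        {
            return reader.ReadToEnd();
        }
    }

    private HttpWebRequest NewRequest(string path)
    {
        var req = (HttpWebRequest)WebRequest.Create(new Uri(_baseUri, path));
        req.CookieContainer = _jar;
        req.AllowAutoRedirect = false; // keep redirects visible instead of silently following to the login page
        return req;
    }
}
```

Because redirects are not followed, a 302 on a protected path is the signal to prompt the user for credentials again, which is exactly the behaviour the answer recommends. The cookie never leaves the process, and the program never touches the browser's profile directory, so it works regardless of which browser the user prefers and does not depend on the site's cookie being non-HttpOnly.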
You could possibly do it with a cookie saved on the machine; you would need to find where it's stored and the naming of the cookie, or some kind of API to read the cookie.
Here are a few links:
http://msdn.microsoft.com/en-us/library/system.net.httpwebrequest.cookiecontainer.aspx
http://msdn.microsoft.com/en-us/library/system.windows.application.getcookie.aspx
http://bytes.com/topic/c-sharp/answers/677862-reading-creating-cookies-local-machine-using-windows-application
http://www.codeproject.com/Messages/2981086/How-to-read-cookies-in-winforms-Net.aspx