.ASPXAUTH Cookie Not Found in Request.Cookies - c#

I am creating a web application that is hosted under a web site with forms authentication enabled. I have a role in my authentication database "Admins". Here is my controller code:
[RequireHttps]
[Authorize(Roles = "Admins")]
public ActionResult Index()
{
    return this.View();
}
When I go to the Index page, if I'm not authenticated, it redirects me to the login page where I enter my credentials. The login page then redirects back to Index page of the new app, but the controller doesn't recognize that the user is authenticated.
I have taken the Authorize attribute off and looked at the request as it went out in the Chrome developer console and confirmed that the cookie is indeed being sent. But if I leave the Authorize attribute as is, and go to the Index page, the cookie collection on the request in my controller is empty. The headers collection contains a header entitled "Cookie", and the value of the header contains the .ASPXAUTH cookie.
The login page logs in with this code:
FormsAuthentication.SetAuthCookie(userName, remember, "/");
This behavior is reproducible in all major browsers.
What can I do to cause the Cookies collection of the request to be populated?
What do I need to do to make the application realize that the user really is authenticated?
Edit:
I still don't have it working, but I'm pretty sure it's something to do with the ASPXAUTH cookie being filtered.

I'm sure there are multiple causes of this problem. In my case, the problem was that the version of MVC I was using to write the cookie was different from the version that was decrypting it. I changed my sites to all be running MVC 4, and the cookie that was created by one site was consumable by the other site.

Is the .ASPXAUTH cookie generated as a secure cookie, i.e. SSL only? If so and your Index.aspx is only over HTTP, not HTTPS, you will not see the cookie in the collection.
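A diagnostic that tells the two causes given in the answers apart (a secure-only cookie arriving over plain HTTP, and a ticket the receiving site cannot decrypt because it was written with a different key or framework version), added here and not part of the original thread; the controller name AuthDiagController is assumed:

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added diagnostic controller, not code from the question. Keep it free of [Authorize]
// and [RequireHttps], then request /AuthDiag over both http:// and https://.
public class AuthDiagController : Controller
{
    // Read the value straight from the raw Cookie header: FormsAuthenticationModule
    // removes a cookie it rejects from Request.Cookies, which is exactly the
    // "header has it, collection does not" symptom described in the question.
    static string ValueFromHeader(string header, string name)
    {
        foreach (var part in (header ?? "").Split(';'))
        {
            var kv = part.Trim().Split(new[] { '=' }, 2);
            if (kv.Length == 2 && kv[0] == name) return kv[1];
        }
        return null;
    }

    public static string Inspect(HttpRequestBase req)
    {
        var name = FormsAuthentication.FormsCookieName;   // ".ASPXAUTH" unless renamed
        var raw = ValueFromHeader(req.Headers["Cookie"], name);
        if (raw == null)
            return "browser sent no " + name + " cookie";
        if (req.Cookies[name] != null)
            return name + " survived into Request.Cookies; the module accepted it, so check role membership";
        // Cause 1: <forms requireSSL="true"> but this request arrived over plain HTTP.
        if (FormsAuthentication.RequireSSL && !req.IsSecureConnection)
            return "requireSSL=true and request is HTTP: the module dropped the cookie";
        // Cause 2: Decrypt uses THIS site's machineKey and ticket format; a ticket
        // issued by a site with a different key or framework version fails here.
        try
        {
            var ticket = FormsAuthentication.Decrypt(raw);
            if (ticket == null) return "ticket unreadable: machineKey or version mismatch";
            if (ticket.Expired) return "ticket for '" + ticket.Name + "' has expired";
            return "ticket for '" + ticket.Name + "' decrypts here; compare cookie path and domain";
        }
        catch (Exception ex)
        {
            return "ticket does not decrypt (" + ex.GetType().Name + "): machineKey or version mismatch";
        }
    }
    public ActionResult Index() { return Content(Inspect(Request), "text/plain"); }
}
```

Sites that are meant to share a forms ticket need identical machineKey validation and decryption keys and the same forms cookie name and path; the "does not decrypt" result is the signature of that mismatch.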

Related

How to force Federated signout redirect to login page?

I'm using the WSFederationAuthentication module for authentication. I want this: after the user presses the logout button, he is signed out (all cookies deleted) and redirected to the login page.
I have this code for logout button:
var ls = new LoginStatus();
ls.LogoutAction = LogoutAction.Redirect;
ls.LogoutPageUrl = {some URL, where I have sign out code}
Signout part:
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule authModule = FederatedAuthentication.WSFederationAuthenticationModule;
String signoutURL = WSFederationAuthenticationModule.GetFederationPassiveSignOutUrl(
    authModule.Issuer,
    {login Url},
    null);
WSFederationAuthenticationModule.FederatedSignOut(
    new Uri(signoutURL),
    new Uri(authModule.Realm));
This code really does sign out and delete cookies, but does not redirect to the login page. Still, the URL that the user sees contains this part:
&wreply={loginUrl}
As I understand it, the wreply parameter is not always used.
Instead of using FederatedSignOut() method I tried this one:
System.Net.WebRequest req = System.Net.WebRequest.Create(signoutURL);
System.Net.WebResponse resp = req.GetResponse();
Redirect(LoginUrl);
But this doesn't really sign out. When the user tries to log in next time, he doesn't need to enter any credentials and is signed in automatically. My guess is that not all cookies are deleted.
So, here is my question: how can I sign out and force a redirect to the login page?
P.S. I also delete FedAuth cookies by myself.
I think you may have misunderstood how federated sign on and sign out work (I say this as you have neglected to mention what I would consider is the most important thing.)
When you attempt to login to an application that uses WS-Federation you are actually redirected to an identity provider (Idp) and you login to this Idp. Once logged into the Idp you will be redirected back to your site with a security token and you will then be logged in to your site also.
At this stage you are logged in to two applications in effect:
The Idp
Your web site
What are you trying to achieve?
1. Logging out of your site only
2. Federated sign out (i.e. signing out of the Idp, your site and any other relying parties)
If we are in case 1 then that is simple: delete your cookies and you will be fine. However, you will still be logged into the Idp, so when a user navigates back to your site and gets redirected to the Idp they will likely be redirected back to your site with a security token without being prompted for credentials, and will then be logged into your site again, which seems a bit pointless.
Given this, I think you are after scenario 2. Well in that case, the functionality you want actually depends on what software you are using for your Idp, something you have neglected to mention in the question.
Unfortunately I don't believe there is a generic way to do what you want with all Idps, and moreover some Idps won't directly support it.
I think it may be best to raise a question about how your Idp works and how to get this to work. Some very good things to include in the question would be the URLs of your site and Idp (not for the purposes of "checking them out" but because other indirect solutions may be possible if they come under the same domain name). Anything about the infrastructure of your Idp and site would also be helpful, as again specific setups could give indirect solutions.
It seems that the redirect URL can only be the URL that is written in the Idp config:
<passiveEndpoints>
    <endpoint endpointType="WsFed" location="{this url}" binding="Post" />
</passiveEndpoints>
If the wreply parameter value is any other URL, it won't work.
"If a wreply parameter was specified in the ACSSignOut cookie, the JavaScript redirects to the address indicated by the wreply value to complete the sign-out. Otherwise, the JavaScript redirects to the Return URL of the relying party, as specified in the ACS Management Portal."
Source

Redirect to Login.aspx Page from Web-Api

I have a Login.aspx page where I use Forms Authentication to login to the site. I use a cookie to store the additional user data and in the next page I use Asynchronous web-api calls to get some data. In the process I read the cookie and the user data. If the user data is found I proceed and if not I want to logout the user and redirect them to login page. I have the following code but the execution of the web-api call continues.
FormsAuthentication.SignOut();
FormsAuthentication.RedirectToLoginPage();
HttpContext.Current.Response.End();
How do I make the user log out and redirect to login page when I know that the cookie is not found?
You should check for the cookie before you make the Web API calls.
If the cookie exists and is valid, call the service.
If it doesn't, redirect to the login page.
In your API, check for the cookie in the call. If the cookie does not exist, return a 401 unauthorized response code in your web api response.
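One way to do the check inside the API as the answer suggests, so an XHR caller receives a 401 it can act on instead of a redirect it cannot; added here, not code from the question or answer. The cookie name UserData and the attribute name are assumptions.

```csharp
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using System.Web.Security;

// Added example, not the questioner's code. "UserData" is an assumed name for the
// extra cookie the question reads; apply the attribute to the Web API controller.
public class RequireUserDataCookieAttribute : AuthorizationFilterAttribute
{
    public const string CookieName = "UserData";

    public static bool HasUserData(HttpRequestMessage request)
    {
        var header = request.Headers.GetCookies(CookieName).FirstOrDefault();
        var state = header == null ? null : header[CookieName];
        return state != null && !string.IsNullOrEmpty(state.Value);
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        if (HasUserData(actionContext.Request)) return;   // cookie present: run the action

        var ctx = HttpContext.Current;                    // null when self-hosted
        if (ctx != null)
        {
            // Drop the forms ticket so the user really is logged out...
            FormsAuthentication.SignOut();
            // ...and stop FormsAuthenticationModule turning our 401 into a 302 to
            // Login.aspx; an asynchronous caller cannot act on that redirect, but it can act on a 401.
            ctx.Response.SuppressFormsAuthenticationRedirect = true;   // .NET 4.5+
        }
        actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
    }
}
```

The browser-side code that issues the Web API calls then sends the user to Login.aspx whenever it receives a 401.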

Setting TempData within a ActionFilterAttribute

I have a custom action filter that, inside OnActionExecuting, depending on certain criteria, logs out a user and redirects them to the home page of the site. The (stripped back) code for the redirect part is below:
filterContext.Controller.TempData.Add("key", "Message");
filterContext.Result = new RedirectResult("/");
As shown above, I am also setting a TempData message. Because the user has been logged out, when they hit the home page, the [Authorize] attribute will redirect them to the login GET page. On the login view, I am displaying any messages from within TempData. However, in this situation the TempData is empty.
This is very similar behavior to how my login POST works (if invalid, it redirects to home, which redirects to login and displays the TempData message that was set in the Login POST). This code can be seen below:
TempData.Add("key", errorMessage);
return Redirect("/");
The reason I am doing it this way, rather than redirecting specifically to the login page, is because this code is distributed across many sites, so we don't know what the login GET URL is.
Does anyone have any information as why this is working for the Login POST but not for the ActionFilter Redirect?
Edit:
If I remove the logout call within the custom action filter, the TempData is still set within the Home action. However, this doesn't explain why it works for the Login POST but not the action filter.
So it turns out that when I was logging out the user from the system, I was also abandoning the session (calling HttpContextBase.Session.Abandon()) and also resetting the session id cookie. These were affecting the TempData behavior. By removing these calls, the TempData is now correctly set and displayed.
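A filter that follows the self-answer above (sign out and set the message without abandoning the session that carries TempData), added here and not the questioner's code; the RequiredRole criterion is a hypothetical stand-in for the question's "certain criteria":

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Added example, not the questioner's filter. ShouldForceLogout stands in for the
// question's "certain criteria"; the assumed trigger is a role the site no longer grants.
public class ForceLogoutAttribute : ActionFilterAttribute
{
    public const string MessageKey = "key";          // TempData key read by the login view
    public string RequiredRole { get; set; }         // hypothetical criterion

    protected virtual bool ShouldForceLogout(ActionExecutingContext ctx)
    {
        var user = ctx.HttpContext.User;
        return user != null && user.Identity.IsAuthenticated
               && RequiredRole != null && !user.IsInRole(RequiredRole);
    }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        if (!ShouldForceLogout(filterContext)) return;

        // Clears the .ASPXAUTH cookie only. Do NOT call Session.Abandon() or reset the
        // ASP.NET_SessionId here: SessionStateTempDataProvider (the default) writes
        // TempData into Session at the end of this request, so an abandoned session
        // takes the message with it and the login view finds TempData empty.
        FormsAuthentication.SignOut();

        // Per-user data kept in Session can still be wiped without destroying the session.
        var session = filterContext.HttpContext.Session;
        if (session != null) session.Clear();

        filterContext.Controller.TempData[MessageKey] = "You have been signed out.";
        filterContext.Result = new RedirectResult("/");
    }
}
```

If logout must also abandon the session (which defeats session fixation), the message has to travel through a TempData provider that does not depend on Session, supplied by overriding Controller.CreateTempDataProvider; otherwise it is lost the same way the question's was.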
Setting the result to new RedirectResult("/") will cause the current server-side processing to stop and send the client a response that tells the client to request a new URL, the one you specified in the RedirectResult. The second request is then different, and does not contain the values from the previous processing.
Try using Redirect("/"); or Server.Transfer("/"); to service the new route in the same client request.

Using a "cross-domain" to front a login for another domain

I want to use the domain: aaaa.com to have a login form for the site at domain: cccc.com.
Note, I have full control of the server at cccc.com and have setup CORS on the server at cccc.com. I essentially have full control of the server at aaaa.com as well.
I am using jquery's $.ajax to send a POST to the cccc.com asp.net mvc 3 server. It looks like I get the right response back and I see the ASP.NET_SessionId and .ASPXAUTH cookies in the response. When I get the correct response in javascript with no login errors, I want to redirect to cccc.com/Home/Index using window.location. Everything seems to be working up to this point. Authentication, getting a correct response, etc. However when javascript redirects, cccc.com still wants me to login again. Why is this happening?
Is it because the authentication cookies belong to aaaa.com? How can I work around this?
Thanks
Yes, the authentication cookies will belong to the other site, and are not shared.
If you had a subdomain of cccc.com instead of a completely separate domain, it would work if you set a domain-wide cookie.
As it is though, you will have to copy the cookie upon login, logout, and any other authentication methods that modify how the cookie is stored. If you're on a different server, you would also lose your ability to do sessions unless you have a session state server.
You could try copying the auth cookies with javascript after your POST to log in completes.

Maintain return URL in live id integration

I am creating an application in which I am using Live Id authentication. When the user tries to access an authenticated page, I am redirecting the user to the Live Id sign-in page. Is it possible to return the user to the previously requested page (from which he was redirected)? Something like a return URL.
Actually I want to pass some data in the query string to the webauth-handler.aspx page when the user successfully logs in. Can anybody tell me how to pass a query string to webauth-handler.aspx?
Thanks
Ashwani
When the user tries to access a page that needs authentication (prior to redirection), save the returnUrl to a Session variable:
Session["MyReturnUrl"] = Request.QueryString["ReturnURL"];
You would have set up your Live Authentication settings to always redirect to a certain page on your site if authentication is successful; on that page you will simply do the following:
// Set the authentication cookie here, then redirect to the previously requested URL
Response.Redirect((string)Session["MyReturnUrl"]);
I fixed this by saving the return url in cookie and then checking if the cookie is present to do the redirection.
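Both answers above carry the return URL (in Session or in a cookie) straight from the ReturnURL query parameter to Response.Redirect, which makes the post-login redirect an open redirect to any host placed in the link. Added example, not the answers' code, using the same "MyReturnUrl" key; the ReturnUrlHelper name and the fallback page are assumed.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

// Added example, not the answer's code. Same "MyReturnUrl" key and ReturnURL query
// parameter as the answer; the local-URL check is what the answer's snippet omits.
public static class ReturnUrlHelper
{
    public const string SessionKey = "MyReturnUrl";
    public const string QueryKey = "ReturnURL";

    // Accept only same-site, path-relative targets.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrWhiteSpace(url) || url.Length > 2048) return false;
        if (url[0] != '/') return false;                        // rejects http://, https://, javascript:
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false; // rejects //host and /\host
        return url.IndexOfAny(new[] { '\r', '\n' }) < 0;        // no header injection via the Location header
    }

    // Call before redirecting to the Live Id sign-in page.
    public static void Remember(HttpSessionState session, HttpRequest request)
    {
        var candidate = request.QueryString[QueryKey];
        if (IsLocalUrl(candidate)) session[SessionKey] = candidate;
    }

    // Call on webauth-handler.aspx after the authentication cookie has been set.
    public static string Consume(HttpSessionState session, string fallback)
    {
        var stored = session[SessionKey] as string;
        session.Remove(SessionKey);                               // one-shot value
        return IsLocalUrl(stored) ? stored : fallback;
    }
}
```

On webauth-handler.aspx the redirect becomes Response.Redirect(ReturnUrlHelper.Consume(Session, "~/Default.aspx"), false); where ~/Default.aspx is a placeholder for the site's landing page.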
