Session Persistence in Windows Authentication - c#

We use Windows Authentication with a session timeout of 20 seconds.
After 20 seconds, the session expires and the user is redirected to the
sessionExpired page. The problem is this: When the user uses IE,
closes the browser and logs in again using Windows Authentication,
a new session is not created for the same user. The old session remains present,
and the user is redirected to the sessionExpired page again.
What am I missing? What could be the problem?
Update:
My Configuration file is as follows
<system.web>
  <roleManager enabled="false"/>
  <authentication mode="Windows" />
  <identity impersonate="true" />
  <authorization>
    <deny users="?" />
    <allow users="*" />
  </authorization>
  <sessionState timeout="20"/>
  <membership defaultProvider="MyADMembershipProvider">
    <providers>
      <add name="MyADMembershipProvider"
           type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="ADConnectionString"
           connectionUsername="userName"
           connectionPassword="password"/>
    </providers>
  </membership>
</system.web>

Related

Session timeout not working?

I'm using the default web.config that we get once we make a new project. I didn't see any "timeout" parameter, so I added it like this:
<sessionState mode="InProc" customProvider="DefaultSessionProvider" timeout="7">
  <providers>
    <add name="DefaultSessionProvider"
         type="System.Web.Providers.DefaultSessionStateProvider, System.Web.Providers, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         connectionStringName="DefaultConnection"/>
  </providers>
</sessionState>
I'm logged into my account, and I keep refreshing the page for like 14-15 minutes now, but I'm not getting logged off (where it's supposed to get me logged off after 7 minutes).
If you want an authentication timeout, specify it in the <authentication> tag.
<authentication mode="Forms">
  <forms timeout="7"/>
</authentication>
If you want session
<system.web>
  <sessionState mode="InProc" cookieless="false" timeout="7" />
</system.web>
There are a few ways this can be accomplished, and it depends on how your website is set up.
In the web.config property sessionState
Configure the IIS app pool
If you're using Identity, you will want to set the ExpireTimeSpan in the ConfigureAuth()
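Added example (not part of the original posts): a small model of the two timers the answers above distinguish, showing why a 7-minute sessionState timeout alone does not log anyone out. It assumes the documented defaults (session 20 minutes, forms ticket 30 minutes, sliding expiration on) and that a sliding ticket is renewed only once more than half its lifetime has elapsed; the function names and the sample config are constructed for illustration.

```python
# Added example: models the two independent ASP.NET timers offline.
import xml.etree.ElementTree as ET

SESSION_DEFAULT_MIN = 20  # <sessionState timeout> default (minutes)
FORMS_DEFAULT_MIN = 30    # <forms timeout> default (minutes)

# Constructed sample: the question's setting, with no <forms> element present.
QUESTION_CONFIG = """<system.web>
  <sessionState mode="InProc" timeout="7" />
  <authentication mode="Forms" />
</system.web>"""

def read_timeouts(web_config_xml):
    """Return (session_minutes, forms_minutes, sliding) for a config string."""
    root = ET.fromstring(web_config_xml)
    session = root.find(".//sessionState")
    forms = root.find(".//authentication/forms")
    s = SESSION_DEFAULT_MIN if session is None else int(session.get("timeout", SESSION_DEFAULT_MIN))
    f = FORMS_DEFAULT_MIN if forms is None else int(forms.get("timeout", FORMS_DEFAULT_MIN))
    sliding = forms is None or forms.get("slidingExpiration", "true").lower() == "true"
    return s, f, sliding

def simulate(request_minutes, session_min, forms_min, sliding=True):
    """For each request time (minutes after login at t=0) return
    (t, session_data_survived, still_authenticated)."""
    last_request = 0.0
    issued, expires = 0.0, float(forms_min)
    out = []
    for t in request_minutes:
        # Session state is an idle timer: every request resets it.
        session_alive = (t - last_request) < session_min
        # The auth ticket has its own expiry, independent of Session.
        authenticated = t < expires
        # A sliding ticket is reissued only after half its lifetime has passed.
        if authenticated and sliding and (t - issued) > (expires - t):
            issued, expires = t, t + forms_min
        last_request = t
        out.append((t, session_alive, authenticated))
    return out

if __name__ == "__main__":
    s, f, sliding = read_timeouts(QUESTION_CONFIG)
    for row in simulate([8], s, f, sliding):
        print(row)  # session data lost, user still signed in
```

With both timeouts set to 7, requests at minutes 3 and 9 still end in a logout at minute 9, because the request at minute 3 arrives before the ticket's halfway point and does not renew it.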

Forms Authentication not Applying to static files

I have successfully set up a test area on my website which is authenticated using forms auth on IIS 8. I am using this in integrated mode with ASP.NET, which as I understand should mean that with the correct web.config file I am able to make the server use the ASP.NET auth on everything, not just URLs. If I try and navigate to a page that I haven't entered the credentials for, it returns an error 403, which is what I expect. However, if I put in the path of a file stored on the site exactly, it downloads the file without the need for credentials to be provided. Here is my current top level web.config:
<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false">
    </compilation>
    <authentication mode="Forms">
      <forms name=".ASPXFORMSAUTH" loginUrl="default.aspx" />
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="staff/test/test">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
  <system.webServer>
    <modules>
      <remove name="FormsAuthenticationModule" />
      <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
      <remove name="RoleManager" />
      <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
    </modules>
  </system.webServer>
</configuration>
The area /staff/test/test has a Word document in it. If I type www.website.com/staff/test/test/test.doc into my browser, it downloads the file.
What should I change to secure that file?
Thanks for your replies. In the end it turned out to be the security permissions on the root of the website. The code I originally pasted on here worked fine; I had the server\users group having read permissions, whereas I only needed iis_iusers having read permissions.
Thanks again

Windows Authentication not working with Web App IIS C#

I have placed a C# web app on our IIS server, creating an application for it. I then changed the "Authentication" type to Windows authentication for the site and also for the XML tags in my web.config file. Now, when I navigate to the site, it asks me for the login username and password, but then does not authenticate, asking over and over for my credentials. In the browser login popup, I am typing
Domain\Username
Password.
How can I see why it will not authenticate, or find out what is wrong? I have done everything in articles I have found, but cannot find the issue. It is as if the server does not authenticate, but yet I can remote desktop to it with the same credentials, so it is on the domain.
Here is my web.config file snippet with the settings:
<system.web>
  <authentication mode="Windows" />
  <identity impersonate="false"/>
  <authorization>
    <allow users="*"/>
    <deny users="?"/>
  </authorization>
  enable="true" />
I also added the same configuration to the application host file on the IIS server. The entry is below:
<location path="TaxFormerWebApp">
  <system.webServer>
    <security>
      <authentication>
        <windowsAuthentication enabled="true" useKernelMode="true">
          <extendedProtection tokenChecking="None" />
          <providers>
            <clear />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
        <anonymousAuthentication enabled="false" />
      </authentication>
      <requestFiltering>
        <fileExtensions applyToWebDAV="false" />
        <verbs applyToWebDAV="false" />
        <hiddenSegments applyToWebDAV="false" />
      </requestFiltering>

ASP.NET Website keeps signing out randomly

On my local version of my site, you are free to roam with no problem. However when running off of the built version on the web, you are randomly logged out.
It happens whenever I click out of the Internet Window, but it also does it between page loads.
My web config is seen below,
<!--CONNECTION STRING-->
<connectionStrings>
  <add name="RaiseFantasyLeagueConnectionString" connectionString="Data Source=MATT-PC\SQLEXPRESS;Initial Catalog=Raise;Integrated Security=True;MultipleActiveResultSets=True" providerName="System.Data.SqlClient"/>
</connectionStrings>
<system.web>
  <customErrors mode="Off"></customErrors>
  <sessionState timeout="30"></sessionState>
  <!--MEMBERSHIP-->
  <roleManager enabled="true" defaultProvider="SqlRoleManager">
    <providers>
      <add name="SqlRoleManager" type="System.Web.Security.SqlRoleProvider" connectionStringName="RaiseFantasyLeagueConnectionString" applicationName="MyApplication" />
    </providers>
  </roleManager>
  <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="30">
    <providers>
      <clear/>
      <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="RaiseFantasyLeagueConnectionString" applicationName="Raise Fantasy League" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" passwordFormat="Hashed" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0"/>
    </providers>
  </membership>
  <!--AUTHENTICATION-->
  <authentication mode="Forms">
    <forms name="RaiseFLAuthentication" loginUrl="home.aspx" cookieless="UseCookies" defaultUrl="/myPredictions.aspx" timeout="240"/>
  </authentication>
  <!--AUTHORIZATION-->
  <authorization>
    <deny users="?"/>
    <allow users="*"/>
  </authorization>
I was told to put into my web config, but this has not solved the problem.
Can anyone tell me what I am missing?
Another issue I am having is that from the home page, if I log in I am not taken to the default URL, just a 404 page. The URL does not even change from the default address.
Can anyone see why that may be happening?

Authentication from session into members folder

I have set up member folders in C# ASP.NET WebForms before to only allow certain users and to redirect if the user is not authenticated. I am wondering: is this possible, and how would I implement the authentication based on whether a Session variable is present (filled with a value), or not authenticate if the Session is null?
I was hoping that something like this would be possible, similar to how you can set permissions in web.config for an entire folder.
It can be done with the help of standard ASP.NET features. I will try to suggest one possible solution for it. First you need to set up forms authentication (ASP.NET Authentication); you should modify your web.config.
<system.web>
  <authentication mode="Forms">
    <forms name="Custom" loginUrl="/login.aspx" />
  </authentication>
</system.web>
Then you also need to specify the member locations in the web.config (ASP.NET Authorization).
<location path="folders/memberN">
  <system.web>
    <authorization>
      <allow roles="memberN"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
This will allow all users in group "memberN" to work under "folders/memberN" path.
Next we need to add membership and role providers to your web.config. The membership and role providers are configured based on the SQL Server provider.
<configuration>
  <connectionStrings>
    <add name="SqlServices"
         connectionString="Data Source=MySqlServer;Integrated Security=SSPI;Initial Catalog=aspnetdb;" />
  </connectionStrings>
  <system.web>
    <roleManager defaultProvider="SqlProvider"
                 enabled="true"
                 cacheRolesInCookie="true"
                 cookieName=".ASPROLES"
                 cookieTimeout="30"
                 cookiePath="/">
      <providers>
        <add name="SqlProvider"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="SqlServices"
             applicationName="SampleApplication" />
      </providers>
    </roleManager>
    <membership defaultProvider="SqlProvider"
                userIsOnlineTimeWindow="20">
      <providers>
        <remove name="AspNetSqlProvider" />
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="SqlServices"
             applicationName="/" />
      </providers>
    </membership>
  </system.web>
</configuration>
Finally we need to create special tables in the database.
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe -S <server> -E -d <database> -A all
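Added example (not part of the original answer): the <authorization> rules in the location block above are evaluated top to bottom and the first matching rule decides, so the order of allow and deny is what makes the folder members-only. The sketch below goes slightly beyond the answer by also running the two rule orders that appear in the earlier questions on this page; the function name is_allowed and the user names are made up, and verbs are not modeled.

```python
# Added example: first-match evaluation of ASP.NET <authorization> rules.
import xml.etree.ElementTree as ET

# Rule sets copied from the configs on this page.
MEMBER_FOLDER = '<authorization><allow roles="memberN"/><deny users="*"/></authorization>'
DENY_FIRST = '<authorization><deny users="?"/><allow users="*"/></authorization>'
ALLOW_FIRST = '<authorization><allow users="*"/><deny users="?"/></authorization>'

def _split(value):
    """Split a comma-separated users/roles attribute into clean tokens."""
    return [v.strip() for v in value.split(",") if v.strip()]

def is_allowed(authorization_xml, user=None, roles=()):
    """Return True if the request passes URL authorization.

    user=None models an anonymous request ("?"); "*" matches everyone.
    Rules are checked in document order and the first match wins.
    """
    for rule in ET.fromstring(authorization_xml):
        users = _split(rule.get("users", ""))
        rule_roles = _split(rule.get("roles", ""))
        matched = (
            "*" in users
            or ("?" in users and user is None)
            or (user is not None and user.lower() in (u.lower() for u in users))
            or any(r in rule_roles for r in roles)
        )
        if matched:
            return rule.tag == "allow"
    # Nothing matched: the inherited machine-level default allows everyone.
    return True

if __name__ == "__main__":
    # Constructed users: alice holds the role, bob does not.
    print(is_allowed(MEMBER_FOLDER, "alice", ["memberN"]))  # member gets in
    print(is_allowed(MEMBER_FOLDER, "bob", ["memberM"]))    # other roles do not
    print(is_allowed(DENY_FIRST))    # anonymous denied
    print(is_allowed(ALLOW_FIRST))   # anonymous passes: allow * matched first
```

When auditing a web.config, a deny users="?" placed after allow users="*" never takes effect at this layer; anonymous requests are then stopped only if IIS itself has anonymous authentication disabled.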
