I need support... I set up in web.config the tag:
<anonymousIdentification enabled="true" cookieless="UseCookies" />
with profile, membership and forms authentication with all the necessary information. If I log in a user with the proper credentials I see the logged-in user in the aspnet_Users table.
On the other hand, when I access the website - and the cookie is set up for anonymous in the browser with info .ASPXANONYMOUS - everything worked ok in the browser but not in the database.
The aspnet_Users table only registers logged-in users but not anonymous users. Any help will be appreciated.
brgds, sebastian.
additional info: pro.asp.net4 in csharp edition 2010 says:
"aspnet_Users table Lists user names and maps them to one of the applications in
aspnet_Applications. Also records the last request date and time
(LastActivityDate) and whether the record was generated automatically for
an anonymous user (IsAnonymous). Anonymous user support is discussed
later in this chapter (in the section “Anonymous Profiles”)."
"ASP.NET provides an anonymous identification feature that fills this gap. The basic idea is that the
anonymous identification feature automatically generates a random identifier for any anonymous user.
This random identifier stores the profile information in the database, even though no user ID is
available. The user ID is tracked on the client side using a cookie (or in the URL, if you’ve enabled
cookieless mode). Once this cookie disappears (for example, if the anonymous user closes and reopens
the browser), the anonymous session is lost and a new anonymous session is created.
Anonymous identification has the potential to leave a lot of abandoned profiles, which wastes space
in the database. For that reason, anonymous identification is disabled by default. However, you can
enable it using the element in the web.config file"
This is what I'm looking for...
The ASP.NET SQL membership API only logs to that table if the user actually logs in. If it is an anonymous user that is just passing by the site, it will not log to that table. They must log in by calling Membership.ValidateUser(...)
User won't appear in aspnet users AFAIK, but the stuff you track should be in the profiles table. My understanding is the user data gets created when the user registers and then the profile data gets migrated.
I am adding a custom Disabled column to my AspNetUsers table so that an administrator can temporarily disable an account. (It looks like LockoutEndDateUtc doesn't work exactly as I need.)
But what if an administrator disables an account while the user is logged in? Rather than having to check if the current user account is disabled on every request, I am looking for a way to expire that user's session so that the next request will require them to log in.
I believe this is controlled by a cookie. Is this possible?
Actually this can be automatically done. In ASP.NET Identity, in the user store, there is a property called SecurityStamp. When you change this the user is forced to re-authenticate with the next request. This is because this field is used to generate the authentication token (cookie in your case). The framework has methods that are built into it for changing this either directly (UpdateSecurityStampAsync) or indirectly. A good example of when it is changed indirectly is when the identity's password is updated through the framework (i.e. calling UpdatePassword or RemovePasswordAsync), or when enabling 2 factor authentication for the identity.
The method to change the security stamp can be found in the UserManager and is called UpdateSecurityStampAsync. From the documentation:
Generates a new security stamp for a user, used for SignOutEverywhere functionality.
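An added example (not code from the original answer) of the approach described above, for ASP.NET Identity 2 with OWIN cookie authentication. `ApplicationUser`, `ApplicationUserManager` and `GenerateUserIdentityAsync` are the default project-template names and `Disabled` is the asker's custom column, all assumed here; the cookie's stamp is only re-checked once `validateInterval` has elapsed, so it is set to zero to take effect on the next request.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public class AccountDisabler
{
    private readonly ApplicationUserManager _users; // template type (assumed)
    public AccountDisabler(ApplicationUserManager users) { _users = users; }

    // Marks the account disabled, then rotates the stamp so that cookies
    // issued before this point fail validation.
    public async Task<IdentityResult> DisableAsync(string userId)
    {
        ApplicationUser user = await _users.FindByIdAsync(userId);
        if (user == null)
            return IdentityResult.Failed("User not found.");
        user.Disabled = true; // custom column from the question (assumed)
        IdentityResult saved = await _users.UpdateAsync(user);
        if (!saved.Succeeded) return saved;
        return await _users.UpdateSecurityStampAsync(userId);
    }
}

public partial class Startup
{
    // Assumes the template's CreatePerOwinContext registrations ran earlier.
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Compare the cookie's stamp with the stored one on every request.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.Zero,
                        regenerateIdentity: (manager, user) =>
                            user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}
```

A zero interval costs one user-store lookup per authenticated request. The sign-in path also has to refuse users whose `Disabled` flag is set, otherwise the user can log straight back in.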
I'm looking for the best practice way of saving user identification data in my MVC application. Users authenticate onto the site using Azure AD. When a user saves data I want the "user id" to be saved on that record to uniquely identify it and also allow users to return their own set of data.
What is the best method to get the user's AD unique identifier?
Azure AD provides claim based authentication. You can retrieve authenticated user identifier from current ClaimsPrincipal object.
We use the objectidentifier or oid as mentioned on the page I've linked below.
The sub claim might also be the right choice, depending on the need of your application(s), but it doesn't seem to be included anymore by default.
Optionally, tid in combination with oid might also be useful if you need to share data across services.
https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens
And more specifically:
https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens#using-claims-to-reliably-identify-a-user-subject-and-object-id
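An added example (not from the original answer) of reading `oid` and `tid` from the current `ClaimsPrincipal` and combining them into a storage key. The class name `AadUserKey` and the sample GUIDs are constructed for illustration; the long claim names are the ones the .NET Framework token handler maps the short names to by default.

```csharp
using System;
using System.Security.Claims;

public static class AadUserKey
{
    // Short names as they appear in the token, followed by the mapped names.
    private static readonly string[] OidTypes = {
        "oid", "http://schemas.microsoft.com/identity/claims/objectidentifier" };
    private static readonly string[] TidTypes = {
        "tid", "http://schemas.microsoft.com/identity/claims/tenantid" };

    private static string First(ClaimsPrincipal user, string[] types)
    {
        foreach (string type in types)
        {
            Claim claim = user.FindFirst(type);
            if (claim != null && !string.IsNullOrWhiteSpace(claim.Value))
                return claim.Value;
        }
        return null;
    }

    // Returns "tid/oid" for an authenticated principal. It throws rather than
    // falling back to a name or e-mail claim, which can change over time.
    public static string For(ClaimsPrincipal user)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            throw new InvalidOperationException("User is not authenticated.");
        string oid = First(user, OidTypes);
        string tid = First(user, TidTypes);
        if (oid == null || tid == null)
            throw new InvalidOperationException("Token carries no oid/tid claim.");
        return (tid + "/" + oid).ToLowerInvariant();
    }

    public static void Main()
    {
        // Constructed sample identity; the GUIDs are made up.
        var identity = new ClaimsIdentity(new[] {
            new Claim("tid", "11111111-1111-1111-1111-111111111111"),
            new Claim("oid", "22222222-2222-2222-2222-222222222222"),
            new Claim("name", "Sample User") }, "AzureAD");
        Console.WriteLine(For(new ClaimsPrincipal(identity)));
    }
}
```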
I am new to MVC and actually new to web development altogether. I have about 7 years of development experience but in services, database, object models, etc., basically middle-tier and back-end development. I am trying to learn ASP.NET and decided to build a site using MVC3 for a personal site for myself. I will be hosting this from an account at dotnet-hosts.com. Here is my question... I don't have a domain and I will be using the built-in membership provider. I noticed in the auto-generated code that was created when I added the project template that in the AccountController in the method ChangePassword (ChangePasswordModel model) there is this line of code...
MembershipUser currentUser = Membership.GetUser(User.Identity.Name, true /* userIsOnline */);
My question is specifically around User.Identity.Name, this looks like it would be returning the Windows user name just like Environment.UserName would. The Visual Studio template I used is the (Mobile Ready HTML5 MVC.NET) as I want to be able to support clients from any device...Windows PC, Apple, Windows Phone, iPhone, etc... If the call to User.Identity.Name is correct then I would like to ask how does this work on devices that are not Windows like an iPhone? If my assumption is correct that this will only work for Windows computers with a domain then how can I achieve this? Would I need to perhaps use some caching? If so could I maybe grab the user name and their IP address to be used as the cache key from the Authentication page?
My high level question is... How do I get the current logged-in user's userName regardless of the device/platform? I know this question is probably not written well and may be hard to understand... I apologize for that. I am new to web development and trying to get my feet wet and would like to start with the latest technology.
The call is correct. The User.Identity.Name is filled out by whatever authentication provider is in use - Windows authentication, Forms authentication, some custom authentication provider, or whatever. It isn't bound to a specific user "type". The authentication provider has the responsibility of making sure the Identity object corresponds to the current user on every request. Usually that part is taken care of using a combination of cookies and database.
The MVC template (although I haven't had a look at the template since MVC 2) uses ASP.NET's Membership class, which in turn uses a membership provider - for example SqlMembershipProvider or ActiveDirectoryMembershipProvider - the former stores your users' credentials (username and password etc.) in an SQL Server database, the latter uses Active Directory (i.e. primarily Windows logons). SqlMembershipProvider is the default, and MVC is set up to use a local SQLExpress database file as its user store.
The authentication provider that's implemented in the template project uses FormsAuthentication, which does the login procedure through a simple HTML form (the one in the LogOn view) and keeps the user signed in by way of an encrypted cookie. Works on any platform.
The setup for both FormsAuthentication and SqlMembershipProvider can be found in web.config (the one in the root of the site). There you can find the connection strings for the SQLExpress database (and e.g. change them to use a "real" SQL Server if needed), the timeout for logins etc.
(Note that you can do a lot of that configuration easily in a GUI through the "ASP.NET Configuration" button in the toolbar of Solution Explorer in Visual Studio - it also provides an easy way to set up the first users).
In short, it's all ready to go - and doesn't lock out non-Windows users.
Like you said, User.Identity.Name is indeed correct for returning the logged-in user's name. But the membership section, like you said, provides only Windows accounts. You can use similar without the use of Windows accounts, to work in every scenario, and can still verify against Windows if present. If you call it without membership, and follow the default MVC3 template, it should work fine.
String Username = User.Identity.Name;
When you log on, using the template MVC3, it creates an authcookie. See account controller code. Here, two parameters are passed into it. The username, and to persist (when browser is closed - login is still cached).
The username is a string field, which is what is called by User.Identity.Name, and in fact anything can be put into it, and it is not in any way linked to Windows login.
You could test the login via the method you desire, and if yes, set a cookie using the authcookie method (it's encrypted). And set the username to whatever you want. And if your verification of the user fails, don't create one, and redirect back to the page.
See the example code. This is all from memory, as I don't have code in front of me for reference. But it's all in the account controller, Login Action.
When the cookie is set, the user's login state is cached for the session. You will need to ensure the user is logged in when visiting a webpage. Otherwise logging in will be pointless. This is a simple attribute on the controller/action.
Note: don't do this to the Account/logon controller, as you won't be able to visit the logon page, as you are not logged in.
[Authorize]
public ActionResult DoSomething()
{
// ...
}
Hope I have helped.
Is there any relationship between an anonymous session (where a random identifier is generated for the anonymous user, which enables the use of temporary profiles for unknown users) and Session state?
If an anonymous user is authenticated we need to clear the anonymous identifier so that the MigrateAnonymous event won't fire again. But why isn’t Asp.Net able to detect that the user is now authenticated (since it now has an authentication cookie) and thus doesn’t send the anonymous cookie back to the browser?
Thanks
No. Anonymous identification uses its own cookie. It's unrelated to session state.
For example an anonymous user might have done some customizations to the application. You might want to store the customization info for him/her as soon as he registers on the Web site. If it destroys the cookie at the time of authentication, you'd lose access to the actions he/she had done.
UPDATE (in response to the comment):
While from a purely technical perspective, it's perfectly possible to remove the cookie automatically, I think they had done this to make this step explicit. For example, if for any reason, you want to defer the migration to the next request, you can do that. The other point I can think of is that AnonymousIdentificationModule is a completely different entity from ProfileModule. Neither of them requires the other one to do the job. You could have several different custom per user customization modules that would work with anonymous identification. ProfileModule is just one of them (and note that MigrateAnonymous is controlled by ProfileModule and not AnonymousIdentificationModule). So, design-wise, ProfileModule shouldn't touch the anonymous identification cookie. AnonymousIdentificationModule could possibly intercept the request at some time and delete the cookie itself if it wanted to but that would reduce flexibility and you would have lost data if you haven't migrated it.
I am using .NET 3.5.
Also, Forms Authentication is used.
Is there any way to get the list of ALL logged-in users or a count in ASP.NET?
Note: I am not using Memberships and Roles
No, there isn't, unless:
- You have defined one in your own code
- You are using the default ASPNET Membership Provider which has a GetNumberOfUsersOnline() method defined.
- You are using a custom Membership Provider and have provided an implementation for the GetNumberOfUsersOnline() method yourself
The default ASPNET Membership provider calculates number of users online by querying the SQL Server database and checking the LastActivityDate stored against each user against the defined UserIsOnlineTimeWindow property that you can set in web.config. If the LastActivityDate is greater than the current time minus the UserIsOnlineTimeWindow value (which represents minutes), then a user is considered to be online.
If you wanted to do something similar then you might consider implementing a similar method. You can see the code for the default providers by downloading the source code. To complete your picture, you might also want to run aspnet_regsql.exe so that you can see the stored procedures that the default providers use.
The membership provider does have its benefits, but just to track the users online you can also:
Add a column LastActivityDate to your user table and update it from your code during login and on all page loads for that user.
And to get the users online for the past X minutes just use the following SQL
Select * from Users where LastActivityDate >
DATEADD(minute, -(X), GETDATE())
Forms Authentication stores all its state in a cookie that is passed to the user's browser.
(This enables Forms Authentication to work on a web farm)
Therefore there is no way to get a list of logged users etc from standard Forms Authentication.
However Forms Authentication has events that it fires when it Authenticates a user etc. You could update your own list of users in these events – (be careful with locking if you do so)
However, as a user will be “logged off” when the cookie is expired by the browser, you will find it very hard to correctly remove all logged-off users at the correct time from your list.
You may be better off storing the time you last saw each user and then having a list of users you have seen in, say, the last 5 minutes. E.g. keep a list of active users.
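An added example (not from the original answer) of the "last seen" list described above, with the locking concern handled by `ConcurrentDictionary`. The class name `ActiveUserTracker` and the sample users are constructed; it assumes a single worker process, so on a web farm the timestamps would have to live in a shared store such as the LastActivityDate column.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;

public sealed class ActiveUserTracker
{
    private readonly ConcurrentDictionary<string, DateTime> _lastSeen =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);
    private readonly TimeSpan _window;

    public ActiveUserTracker(TimeSpan window) { _window = window; }

    // Call once per authenticated request, e.g. with User.Identity.Name.
    public void Touch(string userName, DateTime nowUtc)
    {
        _lastSeen[userName] = nowUtc;
    }

    // Names seen inside the window. Stale entries are pruned here, which
    // covers users whose cookie expired or who closed the browser.
    public string[] Online(DateTime nowUtc)
    {
        DateTime cutoff = nowUtc - _window;
        var entries = (ICollection<KeyValuePair<string, DateTime>>)_lastSeen;
        foreach (KeyValuePair<string, DateTime> entry in _lastSeen.ToArray())
        {
            // Removes only if the stored timestamp still matches, so a
            // concurrent Touch() for the same user is not discarded.
            if (entry.Value < cutoff) entries.Remove(entry);
        }
        return _lastSeen.Where(e => e.Value >= cutoff)
                        .Select(e => e.Key).OrderBy(k => k).ToArray();
    }

    public static void Main()
    {
        // Constructed sample: alice was last seen 6 minutes ago, bob 2 minutes ago.
        var tracker = new ActiveUserTracker(TimeSpan.FromMinutes(5));
        DateTime now = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);
        tracker.Touch("alice", now.AddMinutes(-6));
        tracker.Touch("bob", now.AddMinutes(-2));
        Console.WriteLine(string.Join(",", tracker.Online(now)));
    }
}
```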
I used Session_Start and Session_End under Global.aspx. It works most of the time except when the user closes his/her browser. The server side needs to wait for the session to expire to remove the user.