I am implementing C# authorization using jquery cookies for my page. I set/encrypt username and password in the cookie and in my admin page, if I recognize cookie, then the user is authorized. If not, he gets redirected to the login page. The problem is, that cookie is read after page is loaded, so I can manually hit admin page and only in couple seconds it will get redirected. How do I prevent loading admin page for visitors, who have no cookie yet? What is a correct architecture for cookie based authorization?
Note: I am not using ASP.NET roles or User tables. I implemented my own tables for users.
I suspect that you're re-inventing the wheel. You don't have to use the Membership Provider and ASP.Net membership schema in order to take advantage of forms authentication. When the user logs in, simply drop the Auth Ticket (cookie) on them and you're done. You can then simply do the admin check on the admin page.
Some suggestions below...
Edit: I originally posted a means of storing roles in the Auth Ticket via UserData, but I think it's overkill for this situation.
Web.config:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="30" slidingExpiration="true" />
</authentication>
. . .
<membership>
<providers>
<clear />
</providers>
</membership>
Post login:
When the user submits their username and password, validate them and check to see if they are an admin:
if (UserIsValid(username, pwd)) // some validation call
{
FormsAuthentication.SetAuthCookie(username, true);
}
Admin.aspx:
Finally, a quick hack to restrict access to an admin page. When the page loads, check that the user is / is not an admin:
if (!IsAdmin(User.Identity.Name)) // some admin call
Response.Redirect("Default.aspx");
The problem is, that you use client side code for your security check. If someone would disable JavaScript completely, he would never be redirected. Move the check to your server side code.
Related
In windows authentication without subdomain http://localhost/myweb/ its asking username/password after successful its displaying application page.
But when I ran with subdomain http://abc.localhost/myweb/
its not taking the login credentials, Its giving Unauthorized access error.
what changes I need to do to overcome this problem.
what I tried is:
in Web.config I changed allow users to * and deny users to ? but its not working
Its because the cookie is change and depended on the subdomain and domain - to make it keep the same cookie you have to define the domain parameter on the authentication lines and on cookie on web.config
The lines that you have to define it are...
<authentication mode="Forms">
<forms domain="domain.com" .... />
</authentication>
<roleManager domain="domain.com" >
.... other lines .....
</roleManager>
<httpCookies domain="domain.com" .... />
Setting up the correct domain with out subdomain you can have the same authenticated cookie on your subdomains
Other similar questions : Multiple applications using same login database logging each other out
I am using windows authentication impersonation in my MVC application.when i open the application the browser display a prompt for the credentials and validate the domain users.
But now i also want to create user in my application and also want to authenticate that users which is stored in my database.
Is it possible to authenticate Application DB users as well with windows authentication for domain users. i did much R & D on this but didn't found any solution yet. I will appreciate your suggestions. Thanks!
If I understand you correctly, you want to allow both Windows Authentication and Forms Authentication. This is not a common thing to do, but I have done it. Here is how I did it:
You have to use forms authentication as your primary authentication. So build the Forms Authentication as you normally would: you have a login page that, after submitting, validates the credentials from your database. The tricky part is adding Windows Authentication.
To do this, create one action in your authentication controller that uses Windows authentication. For this example, I'll assume your controller is AuthController and we'll call the action WinLogin. That action will look something like this:
[Authorize]
public ActionResult WinLogin() {
var principal = HttpContext.User;
if (principal == null || !principal.Identity.IsAuthenticated) {
//Windows authentication failed
return new HttpUnauthorizedResult();
}
// User is validated, so create the form authentication cookie
FormsAuthentication.SetAuthCookie(principal.Identity.Name, false);
return new EmptyResult();
}
It just checks if the user is validated and, if so, sets the Forms Authentication cookie with their AD username.
For that to use Windows Authentication, you have to update your web.config to tell it to use Windows Authentication for only that one action. You do that with a <location> tag:
<location path="Auth/WinLogin">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
<anonymousAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
By default, IIS won't let you change the authentication method at this place in the config. You need to update the "Feature Delegation" in IIS Manager to allow it.
In IIS Manager, click the server name on the left.
On the right, double-click "Feature Delegation" under the "Management" section.
Change both "Authentication - Anonymous" and "Authentication - Windows" to "Read/Write".
If you use IIS Express for debugging, you have to do something similar for that:
In the project folder, open the file .vs\config\applicationhost.config.
Modify these two lines so they say "Allow":
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
<section name="windowsAuthentication" overrideModeDefault="Allow" />
Next update your login page to hide the username and password fields by default (let's say they are inside a box with an id of loginBox). The idea is that you perform an AJAX request to the WinLogin action, and if that succeeds, then you forward the user on to the main page or whichever page they were trying to go to. If you use jQuery, that will look something like this:
$.get("#Url.Action("WinLogin", "Auth")")
.done(function() {
//success! forward to the page they want
window.location.replace(returnUrl);
}).fail(function() {
//failed - show manual login prompt
$("#loginBox").show();
});
});
As long as your website is already a trusted website (which I assume so if you already have Windows Authentication working now), then the Windows Authentication will happen during that AJAX GET request.
Notice the use of window.location.replace(), which will not add the login page to the browser history, so if the user then hits the back button, they do not come back to the login page. It makes things a little more seamless.
You could also add a loading circle or something to indicate that the user should wait while that GET happens, but you can decide that.
With all this in place, the user experience should be:
They access a page.
They are not authenticated, so they get redirected to the login page.
The login page attempts the Windows Authentication in the background.
If the Windows Authentication succeeds, they are automatically redirected back to the page they wanted.
If Windows Authentication failed, the username and password boxes appear and they can login manually.
I have a question regarding Sessions and Logins.
I currently developing a website in ASP.NET. I want the website to refresh every x seconds.
The thing is that the site uses Authentication.
So the first the user login and then the autorefresh occurs after x seconds. I am thinking of just writing a Cookie indicating that the user is logged in and setting the cookie expiration to maybe 10 minutes.
My question is when does the cookie expire? When the browser closes? Because if the it expires after then minutes while the user is logged on then this solution is not good - because the user has to login again after 10 minutes.
Might be a silly question...
Thanks guys.
To expand on #Spikolynn answer, all you need to do is to put in your web.config:
<authentication mode="Forms">
<forms loginUrl="/Login.aspx" timeout="2880"/>
</authentication>
that's it, now you need a function to log in:
private bool IsValid(string username, string password)
{
bool isValid = false;
//put some logic here
//if user authenticate set to true
return isValid;
}
Sign in:
if (IsValid("someUser", "SomePassword"))
{
FormsAuthentication.SetAuthCookie(user.Username, false);
}
Sign Out:
FormsAuthentication.SignOut();
No need to reinvent the wheel, use the tools ASP.net provide
If you are using Forms authentication, then cookie expiration is controlled with <authentication> tag in web.config. Forms authentication timeout vs sessionState timeout has a few more details.
Or do you really want to create your own cookie/authentication schemes?
I'm a student writing project for my degree and I'm trying to understand asp.net Membership and user management.
I read a lot of articles, some were handy but some just confused me.
after reading this: Examining ASP.NET's Membership, Roles, and Profile
I defined a SqlMembershipProvider which created user database for me in my sql server.
Then I defined some users from .net's administration tool and added a login control to my aspx page.
my questions are:
where does the control save the information about the user logged in?
and how can I access it?
how can I define a login function myself which validates the user and
redirect him to another page?
how do I use the loginstatus control in the new page to show
information about different users logged in or anonymous?
I want to restrict certain pages to certain users, and to builid
dynamic pages based on different users. do I need to define roles and
check for a user role?
what more membership functions can I use to help me manage users and roles?
this the config file after defining the provider and the connection string:
<configuration>
<connectionStrings>
<add name="igroup20_test2ConnectionString" connectionString="Data Source=Media.ruppin.ac.il;Initial Catalog=igroup20_test2;User ID=igroup20;Password=********" providerName="System.Data.SqlClient"/>
</connectionStrings>
<system.web>
<authentication mode="Forms"/>
<compilation debug="true" targetFramework="4.0"/>
<membership defaultProvider="CustomizedProvider">
<providers>
<add name="CustomizedProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="igroup20_test2ConnectionString" applicationName="ScottsProject" minRequiredPasswordLength="4" minRequiredNonalphanumericCharacters="0"/>
</providers>
</membership>
</system.web>
</configuration>
Those are the tables the provider created in the ms sql server:
aspnet_Applications
aspnet_Membership
aspnet_Paths
aspnet_PersonalizationAllUsers
aspnet_PersonalizationPerUser
aspnet_Profile
aspnet_Roles
aspnet_SchemaVersions
aspnet_Users
aspnet_UsersInRoles
aspnet_WebEvent_Events
I would really appriciate your answers : )
where does the control save the information about the user logged in?
and how can I access it?
You probably means here, where the login control saves the credential informations and let that user login and see the secure pages. All the informations are stored encrypted on the login cookie. Its only save on the database the last login, and on a counter for the total fails.
You can read it by:
var authCookie = Context.Request.Cookies[FormsAuthentication.FormsCookieName];
I want to restrict certain pages to certain users, and to builid
dynamic pages based on different users. do I need to define roles and
check for a user role?
Yes this is what you must do.
how can I define a login function myself which validates the user and
redirect him to another page?
Here you can ether use the login control to interfere with the login process using the OnLoggingIn="OnLogginIn" and return e.Cancel = true; to cancel the login or true to let it continue.
Or you can create a new credential cookie, eg: How can I manually create a authentication cookie instead of the default method?
what more membership functions can I use to help me manage users and
roles?
From the moment you know the database tables of the login module and the way they work, you can direct change them using SQL.
how can I define a login function myself which validates the user and
redirect him to another page?
You can use the User Profile to store extra parameters and then use them on your code. Storing user preferences in Web Application
On the login control the OnLoggedIn="OnLoggedIn" is the final call that you can read that parametre and send the user to the correct page.
i m relatively new to C# and ASP.NET and I am having trouble designing an authentication system.
I have created a website where the user has to login, after which he can access various pages in this site. When the user clicks a logout link, he returns to the login page and is given the message "you have successfully logout." Now how do I prevent the user from typing the URL of one of the internal pages, bypassing my authentication? While working with PHP, I used session_start() and ob_end_flush() at the beginning and the end of each page to control authentication. What is a similar model in ASP.NET?
Also how do I include a .cs file from app_code folder to a aspx.cs?
If you are using FormsAuthentication, this is simple to do using configuration in web.config.
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="default.aspx" protection="All" path="/" slidingExpiration="true" timeout="60" />
</authentication>
This configuration forces aspx to ensure that all pages in the site can only be accessed by authorized users.
However, there is a logic problem with this configuration: no one would ever be able to login since they must be authorized to access any page in the site.
You can fix this, however, by opening "holes" in this protected by adding specific pages and indicating they can be authorized by anyone:
<location path="default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Now how do i prevent re entry into the site by typing the url of the internal pages in the address bar.
How are you actually tracking the authentication? Forms authentication? Windows authentication? Something custom? Essentially, what you need to do is have those pages check for a valid authentication token. If no such token exists, redirect to the login page or an error or something to that effect.
You can do this by checking for authentication manually in the Page_Init method (which can access Session data, Cookies data, etc. where you'd store such a token), you can use various methods built-in, etc.
The concept is the same as it was in PHP, the tooling is just a little different.
While working with PHP i used session_start() and ob_end_flush() at the beginning and the end of each page.....What is it im supposed to use in c#?
You don't need to explicitly start/end session state in ASP.NET. Any code in the scope of the web application can access session state/values via System.Web.HttpContext.Current.Session. Any request coming from the same session will have this data associated with it.
Also how do i include .cs file from app_code folder to a aspx.cs
While in PHP you had to include files, in ASP.NET it's compiled code so the file isn't so important. What you need to reference is the namespace/class to use the code. For example...
If you have the following in a file in App_Code:
namespace MyApplicationCode
{
public class SomeCode
{
// stuff in the class
}
}
Then from any code within the application you should be able to use it by it's fully-qualified name (MyApplicationCode.SomeCode):
var someVariable = new MyApplicationCode.SomeCode();
Additionally, you can add a using statement in the header of the code file:
using MyApplicationCode;
And then access it directly:
var someVariable = new SomeCode();
When a user is successfully authenticated with his credentials, a cookie is set with a session id that corresponds to a file that stores value on the server. This cookie confirms to the server that the user is authenticated.
Check how your system handles sessions, it can be done without a session cookie, too:
(pseudo-code)
if (User.Login(formUsername, formPassword)) {
SetCookie ("LoggedIn", 1, Time() + 3600);
}
Now, whicever page needs a logged in user to be viewed, you just check if the user has the cookie set:
(pseudo-code)
if (CookieIsSet("LoggedIn")) {
// this page can be viewed
}
else {
Redirect ("/notAuthorized");
}
When you log the user out, you can delete the cookie by setting the expiration date in the past:
(pseudo-code)
SetCookie ("LoggedIn", 1, Time() - 3600);
Now, the user cannot view the internal page as the check (CookieIsSet(...)) will fail. Now, functions, methods and all the details depend on the system, but it always works like this:
if credentials are ok, set a cookie
whenever an internal page is visited, check if cookie is set
when logging out, delete the cookie
Hope this helps.
To check if the user typed in the address bar I would simply check the UrlReferer in page load of protected pages, other aspects should be controlled by web security and state management
if (Request.UrlReferrer == null)
Response.Redirect("errorpage.aspx");