I am trying to use a C# webrequest to GET data from a page, then POST data back to the site. The problem I am having, however, is that it is logging out between the functions. I have a function that grabs part of the page, and then ends its request. Then, another function, using that data, logs into the site. After this, another function is made that navigates to another page, and posts data. However, the user is no longer logged in when I attempt to run this final function. What needs to be done so that the user stays logged in?
Thanks
Have you set
webRequest.PreAuthenticate = true;
The trouble you're having is that after the login a cookie is being set by the website to keep you logged in (whether by session or cookie authentication). To maintain these cookies between the requests / responses you need to use a cookie container. Some details of that implementation can be found on the answer to this question.
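The cookie-container approach described above, as an added example that is not code from the original posts: a constructed local HttpListener stands in for the real site, and the port, paths and token value are assumptions. HttpWebRequest matches the question; on current .NET it is marked obsolete and HttpClientHandler.CookieContainer plays the same role.

```csharp
using System;
using System.IO;
using System.Net;
using System.Text;
using System.Threading.Tasks;

class CookieJarDemo
{
    const string Site = "http://localhost:5080/";    // constructed local stand-in for the site
    const string Token = "constructed-session-id";   // sample value, not a real session id
    // Stand-in site: /login sets the session cookie, other paths report whether it came back.
    static void Serve(HttpListener listener, int requests)
    {
        for (int i = 0; i < requests; i++)
        {
            HttpListenerContext ctx = listener.GetContext();
            string reply = "login ok";
            if (ctx.Request.Url.AbsolutePath == "/login")
                ctx.Response.AppendHeader("Set-Cookie", "sid=" + Token + "; Path=/; HttpOnly");
            else
                reply = ctx.Request.Cookies["sid"]?.Value == Token ? "logged in" : "logged out";
            ctx.Response.Close(Encoding.UTF8.GetBytes(reply), true);
        }
    }
    // One request; a non-null jar stores Set-Cookie values and replays them on later requests.
    static string Send(string path, string method, CookieContainer jar)
    {
        var req = (HttpWebRequest)WebRequest.Create(Site + path);
        req.Method = method;
        req.CookieContainer = jar;
        if (method == "POST") req.ContentLength = 0;
        using (var resp = (HttpWebResponse)req.GetResponse())
        using (var reader = new StreamReader(resp.GetResponseStream()))
            return reader.ReadToEnd();
    }

    static void Main()
    {
        var listener = new HttpListener();
        listener.Prefixes.Add(Site);
        listener.Start();
        Task.Run(() => Serve(listener, 4));
        Send("login", "POST", null);                       // no jar: Set-Cookie is dropped
        Console.WriteLine("no container:     " + Send("post", "POST", null));
        var jar = new CookieContainer();                   // one jar for the whole session
        Send("login", "POST", jar);
        Console.WriteLine("shared container: " + Send("post", "POST", jar));
        listener.Stop();
    }
}
```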
I wasn't really sure on how to form the search terms for this question but I didn't really find what I was looking for either way, so here goes:
How would I force a client to only enter certain parts of my website from certain entry points? For example I have an overview of what activities the company I work in currently got going but I only want users to be able to enter the page responsible for adding a new activity by pressing the "Add New Activity" button.
So that you can't enter that page just by typing in the URL for example. How would one achieve this in ASP?
The same way we do it in the real world: authentication and authorization. Whenever a visitor views a page on your website, they are sending an HTTP request. Along with that request you'll receive any cookies that have been set by your web application on their computer on any previous visits; this happens on each and every request.
Authenticated users can be identified using cookies. Usually what happens is that, upon sign-on, the server sets a cookie containing their identity. So when the authorized user requests to view "foo.com/topsecret" and the server receives that request, the server decrypts the data stored in the cookie and checks whether it's been tampered with. If all is good, access is granted; if not, it's simply denied.
In your case you can use session variables, and at login you can check all permissions.
In your page you can add a check in Page_Load like this:
    // Inside Page_Load: allow the page only if it is in the signed-in user's list.
    User myUser = Session["User"] as User;
    string page = Path.GetFileName(Request.Url.AbsolutePath);
    // A missing session user (not logged in, or timed out) is treated as "not allowed".
    if (myUser == null || !myUser.pageSee.Contains(page))
    {
        Response.Redirect("home.aspx");
    }
You create a User class with a property that is a list of strings for the pages that the user can view;
you may also add permissions for a single div.
I want to use the domain: aaaa.com to have a login form for the site at domain: cccc.com.
Note, I have full control of the server at cccc.com and have setup CORS on the server at cccc.com. I essentially have full control of the server at aaaa.com as well.
I am using jquery's $.ajax to send a POST to the cccc.com asp.net mvc 3 server. It looks like I get the right response back and I see the ASP.NET_SessionId and .ASPXAUTH cookies in the response. When I get the correct response in javascript with no login errors, I want to redirect to cccc.com/Home/Index using window.location. Everything seems to be working up to this point. Authentication, getting a correct response, etc. However when javascript redirects, cccc.com still wants me to login again. Why is this happening?
Is it because the authentication cookies belong to aaa.com? How can I work around this?
Thanks
Yes, the authentication cookies will belong to the other site, and are not shared.
If you had a subdomain of cccc.com instead of a completely separate domain, it would work if you set a domain-wide cookie.
As it is though, you will have to copy the cookie upon login, logout, and any other authentication methods that modify how the cookie is stored. If you're on a different server, you would also lose your ability to do sessions unless you have a session state server.
You could try copying the auth cookies with javascript after your POST to log in completes.
Here's the scenario
I have a page, let's say login.aspx, with a button called login. In the click event of that button, when I check the SessionID it shows a specific value, for example "A".
Now I am making a call to some external page, and that page then calls this page again.
For instance, once I click the login button I call a Twitter app, and when the user authorizes it I am redirected back to the same page, but now when I access the SessionID it's a new ID.
I have no idea why this is happening, I just want to have the same SessionID
Are you adding any data to the session? You need to do so for the session ID to "stick".
You don't have multiple web servers, do you?
If so, and if you're not using a shared session state provider, you'd tend to see this kind of behaviour.
Edit.
OK, next question...
Is the URL that the Twitter authorisation is returning to using exactly the same domain name?
For example, if your application is running on http://127.0.0.1:1234/ and the return URL is http://localhost:1234/ ?
Edit2: Yes?
When you are redirected back from the Twitter app on 127.0.0.1, the ASP.NET session cookie isn't being passed back to the web server because the domain is different.
You need the domain that the app is running under to match the Twitter callback URL.
Reconfigure the Twitter callback URL to localhost:1234 and I think you should be OK.
Scenario:
I have a tricky situation where I need to keep many modules happy [Google Analytics, etc, etc...]. I've got an ASP.NET page in the project which initiates the request on the third-party website (after clicking the Process button) and redirects the user to the third-party website. The transaction is processed on their website and then control is returned to the current page on our site. You can relate this scenario to something like PayPal processing too, but it's not PayPal.
Issue:
If the session has timed out, I want the user to be authenticated again when control reaches our website after the processing is done on the third-party website. So I am thinking of passing the authCookie information to the third-party website, and then when control reaches our website again, I will have the authCookie information (imagine that is the scenario) and then want to log the user back in. Can I do that by just creating an authCookie again based on the username?
It really depends on the transaction processing system you are using. If you check the result of the transaction by calling their API, then the response usually has a user id or something that you can tie to the user id. You can store the user name in the cookie; cookies are per domain or subdomain, and it won't get sent to the transaction processing web site if it is in a different domain than yours, which is most likely the case. Get or derive the user name from the transaction result response, and compare it to the one you obtain from your cookie. If they match up, sign in the user. Signing the user in just based on the cookie contents is risky in many respects. First of all, anyone can set the cookie with any name in it in the browser. Second, if you are signing in a user just based on a cookie, you'll basically get a never-expiring session. This is not what you want. For added security you can check the transaction time from the transaction result response and refuse to sign in if it was too long ago.
Oh, and in your question you mention that you "need to keep many modules happy" but you do not expand on what you mean by this. So I'm just simply ignoring this bit. Not sure what a happy module looks like =)
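The checks from the answer above, as an added example that is not code from the original posts. It goes one step beyond the answer by adding an HMAC to the user-name cookie so a hand-set name is rejected; the key, the 15-minute limit, the cookie layout and all names are assumptions, and txnUser/txnTimeUtc stand for whatever the processor's API reports.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class ReturnSignIn
{
    // Constructed demo key; a real site keeps this secret in protected server configuration.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key");
    static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(15);   // assumed policy value

    static string Mac(string user)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(user)));
    }
    // Cookie value "user|mac": readable by the browser, but not forgeable without the key.
    public static string IssueCookie(string user) { return user + "|" + Mac(user); }
    // Comparison that does not stop at the first differing character.
    static bool SameText(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    // Returns the user to sign in, or null when any check fails.
    public static string UserToSignIn(string cookie, string txnUser, DateTime txnTimeUtc, DateTime nowUtc)
    {
        int cut = cookie == null ? -1 : cookie.LastIndexOf('|');
        if (cut < 0) return null;                                         // missing or malformed
        string user = cookie.Substring(0, cut);
        if (!SameText(Mac(user), cookie.Substring(cut + 1))) return null; // name was set by hand
        if (!string.Equals(user, txnUser, StringComparison.Ordinal)) return null; // other account
        TimeSpan age = nowUtc - txnTimeUtc;
        if (age < TimeSpan.Zero || age > MaxAge) return null;             // stale or future-dated
        return user;
    }

    static void Main()
    {
        DateTime now = DateTime.UtcNow;
        string cookie = IssueCookie("alice");                             // constructed sample user
        string forged = "admin|" + cookie.Substring(cookie.LastIndexOf('|') + 1);
        Console.WriteLine(UserToSignIn(cookie, "alice", now.AddMinutes(-2), now) ?? "denied");
        Console.WriteLine(UserToSignIn(forged, "admin", now.AddMinutes(-2), now) ?? "denied");
        Console.WriteLine(UserToSignIn(cookie, "bob", now.AddMinutes(-2), now) ?? "denied");
        Console.WriteLine(UserToSignIn(cookie, "alice", now.AddHours(-3), now) ?? "denied");
    }
}
```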
I have a site that uses lots of ajax (jquery). Now if the user times out for whatever reason (walked away for 30 mins or something), on their next action I want them to be returned to the login page.
I set up everything in the webconfig (returnUrl and timeout), and if they try to go to a page they have no permission to go to, they get sent to the login page.
However, I have the authorize tags on the methods in my controllers that are used for ajax requests. So if a user times out they are no longer authenticated, but they might be on a page that needed authentication, since they logged in and walked away.
Now they could go and try to save something at this point, which would do an ajax request. The authorize tag will stop them from doing this, since they will fail authorization and the return url will kick in.
However, even though the return url seems to be sent back to them, they are not redirected to the sign-in page. So I am guessing that since all this stuff is ajax, that's why it is not working properly. So is there a way I can fix this?
You need to check the Ajax error for a 403 response
Run a client-side function every 30 seconds using setTimeout, which should ask the server via AJAX if the session has timed out. If it has, the client-side code could toss out any login cookie and redirect to the login page.
You can either hard-code the login url into the client-side code, or have the server handler return the value from the web.config if it needs to timeout.
This still leaves the possibility that the user could try something in the 0-30 seconds between when the user actually times out and the client side code does its request to check. To prevent this as well, have the server send back the amount of time left in the session, that way your client-side code can make the decision to either check back again sooner, or do the client-side redirect before the server-side drop-dead time.