I've set up the same site on two servers sitting behind a load balancer. I have the following in my web.config file
<sessionState mode="SQLServer" cookieless="false" allowCustomSqlDatabase="true"
    sqlConnectionString="Data Source=server;Initial Catalog=ASPState;Persist Security Info=True;User ID=user;Password=password"
    timeout="2880" sqlCommandTimeout="10" />
It appears to be working: I can see the ASPState tables populating when I log in. However, if I refresh several times after logging in, it goes back and forth between being logged in and not logged in depending on which server I hit. Am I missing something?
I'm using the default webmatrix authentication built into MVC 4.
This can be because you have different machineKeys on your servers, or they have the default value. Because of this, your authentication cookies are encrypted in two different ways.
Try setting the machineKey in your web.config. Here is a tool that helps generate the machineKey: http://aspnetresources.com/tools/machineKey
As this post explains you will need to have the same Application ID on both servers.
"When you create applications that you expect to share session state using SQL Server, they need the same ID configured in IIS. This is because the session ID that is generated is based on the application ID. (Internally the application ID is something like LM/W3SVC/1.)
The two servers had different IDs for each application in IIS. The resolution is to change the ID under "Manage Website -> Advanced Settings" on each server."
Cheers
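The machineKey answer above says the two servers sign and encrypt the authentication cookie differently when their keys differ. The following Python script, added here as an illustration and not part of the original post or of ASP.NET itself, generates a <machineKey> element with keys sized for validation="HMACSHA256" (64 bytes) and decryption="AES" (32 bytes), and then models only the MAC step of cookie protection to show why a cookie produced on server A is rejected on server B unless both share one validationKey. The ticket bytes and the simplified ticket format are assumptions for the demonstration; the real ASP.NET cookie layout is more involved.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

MAC_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def generate_machine_key() -> Dict[str, str]:
    """Random keys, upper-case hex, sized for validation="HMACSHA256"
    (64 bytes -> 128 hex chars) and decryption="AES" (32 bytes -> 64 hex chars)."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
    }


def machine_key_element(keys: Dict[str, str]) -> str:
    """Render the element to paste, identically, into <system.web> on every server."""
    return (
        '<machineKey validationKey="{validationKey}" decryptionKey="{decryptionKey}" '
        'validation="HMACSHA256" decryption="AES" />'
    ).format(**keys)


def protect(ticket: bytes, validation_key_hex: str) -> bytes:
    """Simplified model: ticket || HMAC-SHA256(validationKey, ticket)."""
    key = bytes.fromhex(validation_key_hex)
    return ticket + hmac.new(key, ticket, hashlib.sha256).digest()


def unprotect(blob: bytes, validation_key_hex: str) -> Optional[bytes]:
    """Return the ticket if the tag verifies under this server's key, else None."""
    if len(blob) <= MAC_LEN:
        return None
    ticket, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    key = bytes.fromhex(validation_key_hex)
    expected = hmac.new(key, ticket, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return ticket


def farm_demo() -> Dict[str, bool]:
    """Two servers with independent (auto-generated) keys vs. one shared key."""
    ticket = b"user=alice;issued=1"  # constructed sample ticket, not the real format
    server_a, server_b = generate_machine_key(), generate_machine_key()
    cookie_from_a = protect(ticket, server_a["validationKey"])
    shared = generate_machine_key()
    cookie_shared = protect(ticket, shared["validationKey"])
    return {
        "same_server_accepts": unprotect(cookie_from_a, server_a["validationKey"]) is not None,
        "other_server_accepts": unprotect(cookie_from_a, server_b["validationKey"]) is not None,
        "shared_key_accepts": unprotect(cookie_shared, shared["validationKey"]) is not None,
    }


if __name__ == "__main__":
    print(machine_key_element(generate_machine_key()))
    print(farm_demo())
```

The element printed by machine_key_element must be copied verbatim to every server in the farm; a key generated per server (or left to auto-generate) reproduces exactly the alternating logged-in/logged-out behaviour in the question, because each server treats the other's cookie as a forgery.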
I'm working on a multi-tenant ASP.NET MVC application.
So far we have been using HttpContext to store a few objects for the request (technically partitioned by tenant).
However, we will need to use TempData (uses Session) and set authentication cookies.
Our spec:
A tenant can have multiple urls (tenant1.myapp.com or mycustomdomain.com)
Authentication cookies should NOT be shared by tenants
Ideally, a tenant's authentication cookie should be shared by any one of their urls
Is Session domain aware? It seems to be.
Can I set multiple domains on an authentication cookie?
Advice on anything else that may catch me out would be appreciated. Really I just need to understand what needs to be partitioned for each tenant (up to now I've partitioned the file system, database and cache per tenant).
Thanks
Ben
Is Session domain aware?
By default, Session is tracked by cookies, and because cookies are restricted to the same domain, the session is not only domain-aware but also application-aware, meaning that if you have two applications on the same domain they won't share session.
Can I set multiple domains on an authentication cookie?
No. Cookies cannot be shared between domains. But contrary to sessions, you can share them among multiple applications on the same domain (by setting the domain attribute to the top-level domain in the <forms> tag in web.config). This is what allows you to achieve single sign-on between applications on the same domain. If you wanted to achieve single sign-on between applications on different domains, you would need a different approach.
You may want to look into Session Partitioning.
<configuration>
  <system.web>
    <sessionState
      mode="StateServer"
      partitionResolverType="IndustryStrengthSessionState.PartitionResolver" />
  </system.web>
</configuration>
But I don't believe you can share sessions across domains out of the box. You will likely need to add custom session synchronization, where each domain's session is linked by a custom algorithm to the same user/tenant, etc.
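The answer above about cookie scope is the part that decides whether tenants can leak into each other. The Python below is an added example, not code from the question or the answers, that applies the RFC 6265 domain-matching rule to the tenant layout described in the question (tenant1.myapp.com, mycustomdomain.com) plus an assumed second tenant, tenant2.myapp.com, to show which hosts a browser would attach an authentication cookie to for each choice of the Domain attribute (the value the <forms domain="..."> setting ends up emitting). The tenant map is constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AuthCookie:
    """An authentication cookie as the browser stores it."""
    set_by_host: str            # host that sent the Set-Cookie
    domain_attr: Optional[str]  # Domain attribute, or None for a host-only cookie


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the domain or is a subdomain of it.
    A leading dot on the Domain attribute is ignored, as modern browsers do."""
    host = request_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def is_sent_to(cookie: AuthCookie, request_host: str) -> bool:
    """Would the browser attach this cookie to a request for request_host?"""
    if cookie.domain_attr is None:
        # Host-only cookie: exact host match, no subdomains.
        return request_host.lower() == cookie.set_by_host.lower()
    if not domain_matches(cookie.set_by_host, cookie.domain_attr):
        # Browsers reject a Domain the setting host is not itself under.
        return False
    return domain_matches(request_host, cookie.domain_attr)


# Constructed tenant -> hosts map (tenant2 is an assumption for the demo).
TENANT_HOSTS: Dict[str, List[str]] = {
    "tenant1": ["tenant1.myapp.com", "mycustomdomain.com"],
    "tenant2": ["tenant2.myapp.com"],
}


def tenants_receiving(cookie: AuthCookie) -> List[str]:
    """Tenants at least one of whose hosts would receive the cookie.
    More than one tenant here means the cookie is shared across tenants."""
    return sorted(
        tenant
        for tenant, hosts in TENANT_HOSTS.items()
        if any(is_sent_to(cookie, host) for host in hosts)
    )


if __name__ == "__main__":
    cases = {
        "host-only on tenant1.myapp.com": AuthCookie("tenant1.myapp.com", None),
        'domain=".myapp.com" (forms domain setting)': AuthCookie("tenant1.myapp.com", ".myapp.com"),
        "host-only on mycustomdomain.com": AuthCookie("mycustomdomain.com", None),
        'domain="myapp.com" set from mycustomdomain.com': AuthCookie("mycustomdomain.com", "myapp.com"),
    }
    for label, cookie in cases.items():
        print(f"{label}: {tenants_receiving(cookie)}")
```

The run shows the two sides of the question: a host-only cookie (no domain attribute) is confined to one tenant host, which satisfies "not shared by tenants" but cannot cover a tenant's second URL; setting domain=".myapp.com" to cover all subdomains is what shares the cookie across tenants, so for a multi-tenant application that setting is the one to avoid rather than the one to reach for.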
Per a question I posted yesterday, our website's DNS structure has changed to round-robin DNS, which literally swaps back and forth between two production servers. Our web.config for both prod servers has:
<sessionState mode="SQLServer" ... > pointing to the same shared DB
A machineKey on each server that is consistent between the two (this was the main point of my post yesterday).
[update] The same domain in the <forms domain=".mydomain.com" ... > tag
When we use the login feature on the site, the login actually makes a web service request to a 3rd website that authenticates a user. If the resulting response says it was a successful login, then we use FormsAuthentication to log the user in:
FormsAuthentication.SetAuthCookie(strUserID, true);
Our issue is that on some pages we see we are logged in, others we're not. Is this something indicative of either us not completing a final step to share session between two prod servers or could our SQL server session DB be broken?
Thanks in advance
UPDATE:
Our code to determine if the user is logged in is quite basic:
HttpContext.Current.User.Identity.IsAuthenticated
UPDATE 2:
When I hit prod1.mysite.com (or prod2.mysite.com) I get a cookie called "ASP.NET_SessionId" but when I hit the live public URL, www.mysite.com, I don't get this cookie. Is this part of the problem?
RESOLUTION:
It turns out that everything we did here was all correct and that our live site which uses Akamai was being cached in various states due to Akamai's cache configuration. Sharing your logged in state between servers has been confirmed to work.
One thing you could do is use the Firebug add-on for Firefox to ensure that the authentication cookie is being sent to the browser as expected after logging in, although as you are seeing that you are logged in on some pages, I would expect this to be the case.
Another thing to check would be that the domain is set correctly for the authentication cookie and that it is valid for all pages on your website.
This is typically set in your web.config in the <forms> tag; the example below should be the same on each server in the web farm.
<authentication mode="Forms">
  <forms name="yourAuthCookie" loginUrl="/login.aspx" protection="All" path="/" domain="mydomain.com" timeout="30"/>
</authentication>
If this is all correct then it is possible that session is not being shared correctly between your servers, although the settings that you have described in your question appear to cover what is needed.
I have to build a small webapp for a company to maintain their business data... Only those within the company will be using it, but we are planning to host it in public domain, so that the employees can connect to app from various locations. (Till now I have built web apps that are hosted internally only)
I'm wondering whether I need to use a secured connection (https) or just the forms authentication is enough.
If you say https, I have some questions :
What should I do to prepare my website for https. (Do I need to alter the code / Config)
Is SSL and https one and the same...
Do I need to apply with someone to get some license or something.
Do I need to make all my pages secured or only the login page...
I was searching Internet for answer, but I was not able to get all these points... Any whitepaper or other references would also be helpful...
Feel free to ask incase you need more information.
Thanks
Raja
What should I do to prepare my website for https. (Do I need to alter the code / Config)
You should keep best practices for secure coding in mind (here is a good intro: http://www.owasp.org/index.php/Secure_Coding_Principles ), otherwise all you need is a correctly set up SSL certificate.
Is SSL and https one and the same..
Pretty much, yes.
Do I need to apply with someone to get some license or something.
You can buy an SSL certificate from a certificate authority or use a self-signed certificate. The ones you can purchase vary wildly in price - from $10 to hundreds of dollars a year. You would need one of those if you set up an online shop, for example. Self-signed certificates are a viable option for an internal application. You can also use one of those for development. Here's a good tutorial on how to set up a self-signed certificate for IIS: Enabling SSL on IIS 7.0 Using Self-Signed Certificates
Do I need to make all my pages secured or only the login page..
Use HTTPS for everything, not just the initial user login. It's not going to be too much of an overhead and it will mean the data that the users send/receive from your remotely hosted application cannot be read by outside parties if it is intercepted. Even Gmail now turns on HTTPS by default.
What kind of business data? Trade secrets, or just stuff that they don't want people to see but if it got out it wouldn't be a big deal? If we are talking trade secrets, financial information, customer information and stuff that's generally confidential, then don't even go down that route.
I'm wondering whether I need to use a secured connection (https) or just the forms authentication is enough.
Use a secure connection all the way.
Do I need to alter the code / Config
Yes. Well, maybe not. You may want to have an expert do this for you.
Is SSL and https one and the same...
Mostly yes. People usually refer to those things as the same thing.
Do I need to apply with someone to get some license or something.
You probably want to have your certificate signed by a certificate authority. It will cost you or your client a bit of money.
Do I need to make all my pages secured or only the login page...
Use https throughout. Performance is usually not an issue if the site is meant for internal users.
I was searching Internet for answer, but I was not able to get all these points... Any whitepaper or other references would also be helpful...
Start here for some pointers: http://www.owasp.org/index.php/Category:OWASP_Guide_Project
Note that SSL is a minuscule piece of making your web site secure once it is accessible from the internet. It does not prevent most sorts of hacking.
I think you are getting confused with your site Authentication and SSL.
If you need to get your site into SSL, then you would need to install an SSL certificate into your web server. You can buy a certificate for yourself from one of the places like Symantec, etc. The certificate would contain your public/private key pair, along with other things.
You won't need to do anything in your source code, and you can still continue to use your Forms Authentication (or any other) in your site. It's just that any data communication that takes place between the web server and the client will be encrypted and signed using your certificate. People would use secure HTTP (https://) to access your site.
View this for more info --> http://en.wikipedia.org/wiki/Transport_Layer_Security
For business data, if the data is private I would use a secured connection, otherwise a forms authentication is sufficient.
If you do decide to use a secured connection, please note that I do not have experience with securing websites; I am just recounting what I encountered during my own personal experience. If I am wrong in any way, please feel free to correct me.
What should I do to prepare my website for https. (Do I need to alter the code / Config)
In order to enable SSL (Secure Sockets Layer) for your website, you would need to set up a certificate; code or config is not altered.
I have enabled SSL for an internal web-server, by using OpenSSL and ActivePerl from this online tutorial. If this is used for a larger audience (my audience was less than 10 people) and is in the public domain, I suggest seeking professional alternatives.
Is SSL and https one and the same...
Not exactly, but they go hand in hand! SSL ensures that data is encrypted and decrypted back and forth while you are viewing the website; https is the URI scheme that is needed to access the secure website. You will notice when you try to access http://secure.mydomain.com it displays an error message.
Do I need to apply with someone to get some license or something.
You would not need to obtain a license, but rather a certificate. You can look into companies that offer professional services with securing websites, such as VeriSign as an example.
Do I need to make all my pages secured or only the login page...
Once your certificate is enabled for mydomain.com every page that falls under *.mydomain.com will be secured.
4. Do I need to make all my pages secured or only the login page...
Just keep the login page under https.
This will ensure there is no overhead when browsing other pages. The condition is that you need to provide correct authentication settings in the web.config. This is to ensure users who are not logged in will not be able to browse pages that would need authentication.
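The two positions above (HTTPS everywhere versus HTTPS for the login page only) turn on one detail: a cookie issued without the Secure attribute is attached by the browser to plain http:// requests too, so once the user leaves the HTTPS login page the session and forms-authentication cookies travel in the clear on every other page. The Python below is an added example, not code from the question or the answers: it parses Set-Cookie headers from a constructed login response, reports sensitive cookies that lack Secure or HttpOnly, and lists which of them would be exposed on the first http:// page after login. The cookie names are ASP.NET's defaults (ASP.NET_SessionId and .ASPXAUTH); the header values are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Default ASP.NET session and forms-authentication cookie names.
SENSITIVE_COOKIES: Set[str] = {"ASP.NET_SessionId", ".ASPXAUTH"}


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str] = field(default_factory=dict)  # lower-cased attribute names


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def sent_over_plain_http(cookie: Cookie) -> bool:
    """Without Secure, the browser attaches the cookie to http:// requests as well."""
    return "secure" not in cookie.attrs


def audit_set_cookie_headers(headers: Iterable[str],
                             sensitive: Set[str] = SENSITIVE_COOKIES) -> List[str]:
    """Findings for sensitive cookies missing the Secure or HttpOnly flag."""
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name not in sensitive:
            continue
        if sent_over_plain_http(cookie):
            findings.append(f"{cookie.name}: no Secure flag; sent on http:// requests")
        if "httponly" not in cookie.attrs:
            findings.append(f"{cookie.name}: no HttpOnly flag; readable by script")
    return findings


def exposed_after_login(headers: Iterable[str], next_page_scheme: str = "http") -> List[str]:
    """Cookies the browser would send in the clear on the first page after login.
    With login-only HTTPS that page is http://, so every non-Secure cookie leaks."""
    if next_page_scheme == "https":
        return []
    return [c.name for c in map(parse_set_cookie, headers) if sent_over_plain_http(c)]


# Constructed Set-Cookie headers from a login response (not captured from a real site).
LOGIN_ONLY_HTTPS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    ".ASPXAUTH=ticketbytes; path=/; HttpOnly",
]
HARDENED = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly; Secure",
    ".ASPXAUTH=ticketbytes; path=/; HttpOnly; Secure",
]

if __name__ == "__main__":
    for label, headers in (("login-only https", LOGIN_ONLY_HTTPS), ("hardened", HARDENED)):
        print(label, audit_set_cookie_headers(headers), exposed_after_login(headers))
```

In web.config the hardened response comes from <forms requireSSL="true" ...> for the forms-authentication cookie and <httpCookies httpOnlyCookies="true" requireSSL="true"/> for cookies in general, including the session cookie; with requireSSL set, ASP.NET refuses to issue the cookie over plain HTTP at all, which only works if the whole site is served over HTTPS, which is the case for the "HTTPS throughout" answers above.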
#balalakshmi mentioned the correct authentication settings. Authentication is only half of the problem; the other half is authorization.
If you're using Forms Authentication and standard controls like <asp:Login> there are a couple of things you'll need to do to ensure that only your authenticated users can access secured pages.
In web.config, under the <system.web> section you'll need to disable anonymous access by default:
<authorization>
  <deny users="?" />
</authorization>
Any pages that will be accessed anonymously (such as the Login.aspx page itself) will need to have an override that re-allows anonymous access. This requires a <location> element and must be located at the <configuration> level (outside the <system.web> section), like this:
<!-- Anonymous files -->
<location path="Login.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
Note that you'll also need to allow anonymous access to any style sheets or scripts that are used by the anonymous pages:
<!-- Anonymous folders -->
<location path="styles">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
Be aware that the location's path attribute is relative to the web.config folder and cannot have a ~/ prefix, unlike most other path-type configuration attributes.
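The answer above sets a site-wide deny for anonymous users and then re-opens specific paths with <location> overrides. The Python below is an added example, not code from the answer or from ASP.NET, that models how those rules combine so the effect can be checked before deploying: rules from the most specific matching <location> are evaluated first, then the site's <system.web> rules, then the machine-level default that allows everyone, and the first rule that matches the user decides. Both web.config fragments are constructed; the second one shows the common mistake of placing <allow users="*"/> ahead of <deny users="?"/>, which makes the deny unreachable. Role-based rules and the ~/ prefix are left out of this model.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

Rule = Tuple[str, str]  # ("allow" | "deny", value of the users attribute)


def _rules(authorization: Optional[ET.Element]) -> List[Rule]:
    if authorization is None:
        return []
    return [(child.tag, child.get("users", ""))
            for child in authorization if child.tag in ("allow", "deny")]


def effective_rules(root: ET.Element, request_path: str) -> List[Rule]:
    """Ordered rule list for one request path: most specific <location> first,
    then the site-wide <system.web> rules, then the machine-level allow-all."""
    path = request_path.strip("/").lower()
    matched: List[Tuple[int, List[Rule]]] = []
    for location in root.findall("location"):
        loc_path = (location.get("path") or "").strip("/").lower()
        if loc_path and (path == loc_path or path.startswith(loc_path + "/")):
            matched.append((len(loc_path), _rules(location.find("system.web/authorization"))))
    matched.sort(key=lambda item: item[0], reverse=True)
    rules = [rule for _, loc_rules in matched for rule in loc_rules]
    rules += _rules(root.find("system.web/authorization"))
    rules.append(("allow", "*"))  # default inherited from machine-level config
    return rules


def _matches(users_attr: str, user: Optional[str]) -> bool:
    """'*' is everyone, '?' is anonymous only, anything else is a user name."""
    for token in (t.strip() for t in users_attr.split(",")):
        if token == "*":
            return True
        if token == "?" and user is None:
            return True
        if user is not None and token.lower() == user.lower():
            return True
    return False


def is_allowed(config_xml: str, request_path: str, user: Optional[str]) -> bool:
    """user=None means an anonymous request; first matching rule wins."""
    root = ET.fromstring(config_xml)
    for verb, users in effective_rules(root, request_path):
        if _matches(users, user):
            return verb == "allow"
    return True


# Constructed web.config fragments for the demonstration.
DENY_FIRST = """<configuration>
  <system.web>
    <authorization><deny users="?" /></authorization>
  </system.web>
  <location path="Login.aspx">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
  <location path="styles">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
</configuration>"""

ALLOW_FIRST_MISTAKE = """<configuration>
  <system.web>
    <authorization><allow users="*" /><deny users="?" /></authorization>
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for path, user in (("Default.aspx", None), ("Default.aspx", "alice"),
                       ("Login.aspx", None), ("styles/site.css", None)):
        print(path, user, is_allowed(DENY_FIRST, path, user))
    print("mistake:", is_allowed(ALLOW_FIRST_MISTAKE, "Default.aspx", None))
```

Running it against the first fragment reproduces the answer's intent (anonymous users reach only Login.aspx and the styles folder), while the second fragment lets anonymous users through everywhere because the allow-all rule is consulted before the deny.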
Try making a boot directory in PHP, as in
<?php
// Compare the requesting address with the configured one; echo the output otherwise.
$ip = $_SERVER['REMOTE_ADDR'];
$privacy = 'BOOTSTRAP_CONFIG';
$shell = 'BOOTSTRAP_OUTPUT';

if ($ip == $privacy) {
    $privacy = 'https://';
} else {
    echo $shell;
}
?>
That's mainly it!
What settings do I need to accomplish the following?
IIS6 Server sits on Domain1
Users access from Domain2, eg Domain2\User
I want
WindowsIdentity ident = WindowsIdentity.GetCurrent();
to return Domain2\User not Domain1\IUSR_SERVER
Current Settings
I have the authentication in IIS configured as "Integrated Windows Authentication" checked, the rest clear, this works fine when on the same server as the IIS server.
In web.config:
<authentication mode="Windows"/>
<identity impersonate="true"/>
Cross-domain, these settings prompt for a login.
The two domains need to have a trust relationship created (if they are part of the same forest that should already exist); then there may be a need to configure some delegation (talking AD stuff here, not .NET).
The authentication between client and server must use Negotiate and Kerberos, which in turn means clocks need to be within 5 minutes of each other; again, this shouldn't be a problem when both domains belong to the same forest.