I have a website which users upload large files on it. In order to keep site responsive, I have separated upload part from the main part. Now there are two websites with two different app pools but both app pools are using the same user identity to run. The problem is now users must first login into the main site and in order to upload they have to login again!
How can I auto login a user which has already logged in the main site?
I'm using ASP.NET MVC but with Old ASP.NET membership on Windows Server 2016 (IIS 10) and here is my web.config:
<membership>
<providers>
<clear />
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="NewsDb" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="3" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
</providers>
</membership>
to share form authenticate in different websites, you need to make sure your websites are under same main domain, otherwise you will need to implement a lot of codes
check your <authentication> node in your web.config
for your main website with login page
<authentication mode="Forms">
<forms loginUrl="login.aspx" name="{your_auth_cookie_name}" timeout="120" slidingExpiration="true" domain=".yourdomain.com" enableCrossAppRedirects="true"/>
</authentication>
for your upload site
<authentication mode="Forms">
<forms loginUrl="https://mainsite/login.aspx" name="{your_auth_cookie_name}" timeout="120" slidingExpiration="true" domain=".yourdomain.com" enableCrossAppRedirects="true"/>
</authentication>
if your deployed your websites on different server, you may need unify the machine key to make sure the decryption of auth cookie is correct
Related
I am working on a website that has multiple applications, one of them uses asp.net membership.
In another application I want to get the name of the current user, so I added the following to the web.config so I can get 'User.Identity.Name', note that both apps using same applicationName.
<membership defaultProvider="CustomProvider">
<providers>
<add name="CustomProvider" type="myNamespace.CustomProvider" applicationName="/appname" />
</providers>
</membership>
<machineKey validationKey="vv" decryptionKey="dd" validation="SHA1" decryption="Auto" />
What should I do to be able to get the current user identity in the second app?
Update:
the structure in the website as following:
the estore app is adding the forms cookie
I added same machine element in both config (estor config and bol config)
same authentication element:
<authentication mode="Forms">
<forms loginUrl="~/account/" slidingExpiration="true" timeout="10080" requireSSL="true" />
</authentication>
Update 2:
I tried to set the domain although it is not needed because all apps in the same domain but still not working, this is a snapshot for cookies with domain has been set:
I just took my local, functioning umbraco installation and copied it over to the testing environment.
Suddenly ALL requests to my umbraco site, meaning css, javascript etc redirect to the login.aspx page. So the website is non-functional, unless you login. If you manage to login using the no-css form, then everything is back to normal.
Web.config says
<authentication mode="Forms">
<forms name="yourAuthCookie" loginUrl="login.aspx" protection="All" path="/" timeout="120" />
</authentication>
<authorization>
<allow users="*" />
</authorization>
Changing * to ? makes no difference. What could be the matter here? My setup is 2 configuration mirroring IIS7 web servers, looking at a common UNC path.
I think you should check permissions setting of your environment, because if you get redirect for all resources, even for static files - usually it is common permissions problem.
/install/default.aspx?installStep=validatePermissions
or for 4.7+
/install/?installStep=filepermissions
http://our.umbraco.org/wiki/reference/files-and-folders/permissions/perform-permissions-check
It can be a issue with file permissions. As a temporary solution try and set all files to "Everyone" - Modify.
All paths are only accessible with authentication, so you have to exclude js and css from authentication in your web.config, e.g.:
<configuration>
<location path="css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
You need to specify allow users="?" to allow anonymous users.
Check also the section membership...
My web.config contains:
<membership defaultProvider="UmbracoMembershipProvider" userIsOnlineTimeWindow="15">
<providers>
<clear />
<add name="UmbracoMembershipProvider" type="umbraco.providers.members.UmbracoMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="false" defaultMemberTypeAlias="Another Type" passwordFormat="Hashed" />
<add name="UsersMembershipProvider" type="umbraco.providers.UsersMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="false" passwordFormat="Hashed" />
</providers>
</membership>
You need to:
Create a login page (like any other ASP.NET site).
Create records in
"Members" section (at least one member type, member group and
member).
Define the restricted access on content nodes (menu "Public
access").
I recently experienced this also on a test Umbraco site. Discovered it was owing to the files attempting to access being stored on the disk encrypted (using Windows 7 in my test environment).
Fixed by selecting all site files and folders in Explorer, Properties, Advanced (on General tab), uncheck "Encrypt contents to secure data". Resources could then be accessed on the Umbraco without any authentication redirects.
I have an admin site set up as a virtual applcation inside of another website.
I would like visitors to the sub directory (the virtual application) to be promtped for credentials using the same Forms authentication set up on the main parent site
Have tried all sorts of things but can't get it to work, including
Removing all <authentication mode="Forms">, <authorization>, <membership> and <roles> sections from the virtual-app web.config
Copying the same <authentication mode="Forms">, <authorization>, <membership> and <roles> sections from the parent to the virtual-app web.config
Using a virtual directory instead of virtual application
But I never get promted for credentials
Anyone know how to get this setup?
thanks
UPDATE:
Have now got it to inherit permissions from the parent, by deleting the application name in IIS (to make it a virtual directory rather than a virtual application)
However, this screws all the paths in the admin site
e.g. I get the following error
The file '/Site.master' does not exist.
So should I be using a virtual directory (which seems to inherit authentication from the parent)?
Or a virtual application (which currently doesn't inherit auth from the parent but has the correct relative paths)?
Here's the parent config
<membership defaultProvider="SqlServerMembershipProvider">
<providers>
<add connectionStringName="xxxxxxxx" requiresQuestionAndAnswer="false" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordStrengthRegularExpression="" name="SqlServerMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
</providers>
</membership>
<roleManager enabled="true" defaultProvider="SqlServerRoleProvider">
<providers>
<add connectionStringName="xxxxxxx" applicationName="/" name="SqlServerRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
</providers>
</roleManager>
<authentication mode="Forms">
<forms name=".EPiServerLogin" loginUrl="login.aspx" timeout="120"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
I needed to use a single sign on solution, as described here
http://www.codeproject.com/KB/aspnet/SingleSignon.aspx
The main point being, each site needs to use the same encryption key for the cookie values. So this machineKey element needs to be added to each site involved in the Single Sign On
How have you configured authorization?
Also, I assume you're not already authenticated in the parent site?
In the admin subdirectory you should have something like the following in your web.config (obviously you may have more information in there as well):
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
This will deny all anonymous users, but allow all authenticated users access. You can easily extend this if you are using a Role Provider to only allow certain roles:
<allow roles="Admin" />
<deny users="*" />
Note that you need the "Deny all users" in there, as the default behaviour is to allow all users. Authorization works "top down" in that it starts at the top of the list, and as soon as it finds a match, it stops processing, so if the user is in the "Admin" role, it will not get to the "Deny all users" rule.
You can also configure this in the root web.config using a <location> element.
Responding to comments
And your authentication/authorization all works in the parent site?
Could you edit your question to include (sanitised) web.config sections you've tried so we can see if there's anything obvious missing - for example, if you're using Roles to lock down the admin area, you have enabled it (<roleManager enabled="true">, defaults to false).
We do what you're trying to do quite often here.
We do it this way : The root level is a virtual application, it contains the master web.config and global.ascx. We have a normal folder, 'Admin' inside of that. Inside of that, we have a small web.config, it only contains <authorization> XML information. You'll need a login page somewhere, either the root or Admin folder.
I was a little confused in your post about whether there are three applications/directories involved (app, parent app, app's admin), or only two (app & it's admin). I'm making a critical assumption here that it's two. If you do have the three, it's going to be some more work to get this thing going.
I have two asp.net applications on one IIS server and I would like to use the same back end asp_security database and membership provider. I've read that all I have to do is reference the same application name in both web configs as I'm doing now, but I must be doing something wrong
In each applications web.config I have this section.
<membership>
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="membership"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
applicationName="/"
requiresUniqueEmail="false"
minRequiredPasswordLength="5"
minRequiredNonalphanumericCharacters="0"
passwordFormat="Hashed"
maxInvalidPasswordAttempts="5"
passwordAttemptWindow="10"
passwordStrengthRegularExpression=""
/>
</providers>
</membership>
When I log in from application A and browse to application B application B doesn't seem to know anything about me or my credentials from application A. Anyone have any ideas what I'm doing incorrectly?
Just for closure sake I will answer how I did achieved the goal of what my original question meant to ask for.
I had two asp.net applications on one IIS server. It was my goal to make it so when user logged onto app1 their user credentials would be available in app2. Configuring the asp.net membership provider is only one step of what I was looking for. Even if both apps were using the same back end database and provider I still wouldn't be authenticated when I hit app2. What I was looking for was a Single Sign On solution.
Once you have both apps pointing at your asp_membership database by placing the following in the system.web section of your web config
<authentication mode="Forms" />
<membership>
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="membership"
applicationName="/"
/>
</providers>
</membership>
<roleManager enabled="true" />
make sure both have the same applicationname property set.
I was using IIS 6 so I configured it to autogenerate a machine key for both applications. Because both of these applications live on the same machine the key would be identical, this is the critical part to making the SSO work. After setting up IIS the following was added to my web.config
<machineKey decryptionKey="AutoGenerate" validation="SHA1" validationKey="AutoGenerate" />
That was all there was to it. Once that was done I could log into app1 and then browse to app2 and keep my security credentials.
Thanks for the push in the right direction.
If my understanding serves me correctly, the users authentication credentails are stored within the HTTP context of each application. So switching between the two applications will not automatically authenticate the user, since a new context will be created when you switch to app B.
What I believe may the correct approach would be to use the DefaultCredentials (or UseDefaultCredentials property to True) of the current user prior to switching to app B.
When you say switch what do you mean eg. open a different browser window and access app B or request a page from appB from appA?
I'm new to User Roles Management. I was reading my Wrox Programming book on asp.net 3.5 user role management...but it was hard to follow along, as I do not have a local server set up to test on (I do...but...thats a separate question), but rather currently test on a remote server (where the website is hosted, theres not enough hits where I can get away with testing on a live server).
Any ways...Where do I begin in user role management. I'm not necessarily asking to be given a 30 pg hard description, but more of a summary. My GoDaddy hosting account seems to offer asp.net schemea SQL database set up for user role management, but I have yet to learn how to integrate it into my development.
Any input would be appreciated.
I would open up Visual Studio, create a new ASP.NET Web Application project, and click the "Configure ASP.NET" button on the top-right hand corner of the Solution Explorer. If you navigate to the Security section, you can start creating Users and Roles. The tool basically describes exactly how they work to you.
Here's the first place I'd go:
http://www.asp.net/Learn/Security/
Check out tutorials 9 through 11.
You can use SqlRoleProviders and SqlMembershipProviders with the .NET default management, or you can write your own providers.
http://www.odetocode.com/Articles/427.aspx
http://msdn.microsoft.com/en-us/library/aa478949.aspx
Then these are used in conjunction with asp .net forms authentication.
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH" loginUrl="~/Common/Login.aspx" timeout="450" />
</authentication>
<authorization>
<deny users="?" />
<allow roles="Admin" />
</authorization>
The configuration of all of this is via the web.config your membership and roles may be similar to this if you use the out of the box aspnetdb.
<membership defaultProvider="IDTSqlMembershipProvider" userIsOnlineTimeWindow="15">
<providers>
<clear />
<add
name="IDTSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="SqlMembershipConnectionString"
applicationName="ConsumerSynergy"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="true"
passwordFormat="Hashed"
maxInvalidPasswordAttempts="20"
minRequiredPasswordLength="6"
minRequiredNonalphanumericCharacters="0" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="IDTSqlRoleProvider" cacheRolesInCookie="true" cookieProtection="All">
<providers>
<clear/>
<add
name="IDTSqlRoleProvider"
type="System.Web.Security.SqlRoleProvider"
connectionStringName="SqlMembershipConnectionString"
applicationName="ConsumerSynergy"/>
</providers>
</roleManager>
My personal favorite about roles.
Examining ASP.NET's Membership, Roles, and Profile - Part 2
https://web.archive.org/web/20210417083524/https://www.4guysfromrolla.com/articles/121405-1.aspx