Using Forms Authentication with localhost with WebForms - asp.net

I am working on an old application that uses Forms Authentication and I'm trying to get it working locally as a web site in Visual Studio 2012. It seems to run OK using the internal debugger on http://localhost:54006/. Images, html, etc are served out. Unfortunately with login, I think there is some cookie issue that is preventing it from thinking I'm logged in. I noted that in the web.config there was the wrong domain set. I've changed that to read localhost, but I still haven't had any luck.
<authentication mode="Forms">
<forms loginUrl="/" path="/" slidingExpiration="true" timeout="480" name=".ASPXAUTH_ADD" domain=".localhost" enableCrossAppRedirects="true">
</forms>
</authentication>
Does that setting look okay for running this from Visual Studio at http://localhost:54006/? It does not complain about a bad username or password. It works in production with a different domain attribute set. Is the correct domain attribute for localhost ".localhost"?
Thanks in advance for any help or guidance.
EDIT: I was able to get it working by simply removing the domain attribute rather than trying to set it. Why does that work?

"Gets the value of the domain of the forms-authentication cookie." "The default value is the current domain."
the msdn example gives the value "contoso.com."
looks like a good top answer here (more detail).
another (similar) answer here.

Related

Request.IsAuthenticated returns false when using Intelligencia rewriter for ASP.NET

I'am using Intelligencia rewriter for ASP.NET. Now I added forms authentication to the project and for some reason on the seo friendly pages (.html) the Request.IsAuthenticated property is always false. I can see that the cookie is created fine with fiddler. When i visit any other .aspx page I can see that the same property is true. Obviously this is related to the rewriter, however I could not find any solution for it at all.
I spent quite some time on this reading all the solutions out there on the Internet, but in my case it finally boiled down to being a missing web.config setting :
<authentication mode="Forms">
<forms loginUrl="~/User/LogIn" timeout="2880" />
</authentication>
If there's no authentication specified, no authentication will be used although you might have a auth cookie present.
Check out Troubleshooting Forms Authentication and the FormsAuthLogger.
For reference, Microsoft has a detailed article on what are the moving parts and processes.

Get currently logged in user asp.net

I´m having a bit of trouble and I would like to see if you all could help me out!
For my WebApp in ASP.net, I need to be able to get the user name.
I had been able to do it through:
user = Principal.WindowsIdentity.GetCurrent.Name.ToString on my developement machine, but when i go to production, it shows ASP.net as user...
I also tried with
user = Context.User.Identity.Name.ToString
and in dev station i get a blank string, and in production, I get "AppPool/ASP.net4.0
Any Ideas as to how i could get this working?
This WebApp is supposed to work in the Intranet.
make sure that you've enabled Windows Authentication in your web.config (check your .config.xxx transforms too). You should see this tag in your web.config:
<system.web>
...
<authentication mode="Windows" />
...
</system.web>

Asp.Net appears to drop the FormsAuthenticationCookie in same domain

I have a pair of websites I am building in Asp.Net. In development, they are both on my machine. One is hosted in IIS and one is in IISExpress. I have configured both websites to use FormsAuthentication, and set the same authentication and httpCookies elements in each web.config:
<authentication mode="Forms">
<forms loginUrl="~/LogOn" timeout="2880" domain=".mydomain" />
</authentication>
<httpCookies domain=".mydomain" requireSSL="false"/>
However, after a standard FormsAuthentication.SetAuthCookie , the second site cannot read the .ASPXAUTH cookie from the first. It CAN read the same Asp.Net_SessionID cookie from the other website. So, one cookie is being passed across applications, but the second is not.
Additionally, when the debugger is attached to the second application and it receives the redirect from the from the first site, the Chrome debugger shows both cookies, Fiddler reports that both cookies were transmitted, and the Response.Headers["cookie'] contains the .ASPXAUTH cookie.
How can I effect this cross-application sign-on? In production, these two sites will answer on separate sub-domains.
I've found the answer to my problem.
IISExpress and IIS use separate MachineKey values, even though they are originating on the same physical machine. To solve my problem, I generated a MachineKey entry at http://aspnetresources.com/tools/machineKey and dropped the same MachineKey element into all participating application's web.config files.
Thanks to Robert Smith #smithrobs on Twitter for suggesting I check this line of the problem.

ASP.NET 4.0 Single sign on betwen parent website and child web-application fails

I've got the following structure
www.website.com --> ASP.NET 4.0 Web-site
www.website.com/blog --> NET 4.0, Web-Application
Both do form-authentication against the same SQL database and use the framework ASP.NET memberships and roles. I can log into each portion just fine (same user/password) but the authentication doesn't carry over i.e. if I log into / and then click a link to /blog/, /blog/ thinks I'm Anonymous and prompts for login again. I've done the basics
i.e.
Identical <authentication mode="Forms"> in both the site as well as app web.configs
Identical <machineKey> section (yes, identical validationKey and decryptionKey)
So I then inspected the cookies generated and noticed that website and the web application seem to be working on different cookies.
Cookies created by website.com/blog
.ASPXFORMSAUTH-27604f05-86ad-47ef-9e05-950bb762570c
.ASPXROLES
Cookies created by website.com
.ASPXFORMSAUTH
I think this is the problem, although I see it despite having identical <authentication> sections which looks like
<authentication mode="Forms">
<forms timeout="30" slidingExpiration="true" name=".ASPXFORMSAUTH" enableCrossAppRedirects="true" protection="All" cookieless="UseCookies"/>
</authentication>
I did read several other posts like
Single Sign On with Forms Authentication
as well as
http://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx
There were also a few other posts I can't recall now. I've gone through them (all?) but am still stuck. I can gladly supply more debug data if needed.
Would really appreciate any tips someone might have! I think I'm hitting a wall on this one!
Ok, so I was able to answer my own question after beating around it for longer.
Basically, BlogEngine.NET 2.5 (my web-app) seems to be overriding the .NET 4.0 framework way of doing things. There are a couple of things you need to fix, all within BlogEngine.Core\Security\Security.cs (download the BlogEngine.NET source code)
Part 1: Fix cookie name
In there is a method FormsAuthCookieName which I changed as follows:
File: BlogEngine.Core\Security\Security.cs
Method: FormsAuthCookieName()
// return FormsAuthentication.FormsCookieName + "-" + Blog.CurrentInstance.Id.ToString();
return FormsAuthentication.FormsCookieName;
This ensures that the cookie names are the same. One hurdle down ...
Part 2: Avoid web-app/BlogEngine.NET's login page/controls/code
Instead of directing users log into the BlogEngine.Net's login.aspx (www.website.com\blog\account\login.aspx), I pointed all login links to my main website's login.aspx page (www.website.com\login.aspx). In case you're wondering how to implement you own site-wide authentication, this is a super-quick guide
msdn.microsoft.com/en-us/library/ff184050.aspx.
I also had to add something like this to both the website web.config as well as the web-app web.config, so anytime a protected resource is accessed (from website or web app) my own global /login/aspx is used.
<authentication mode="Forms">
<forms timeout="30" loginUrl="/login.aspx" blah blah />
</authentication>
Now, my own generic, site-wide user login controls will be creating the (.NET framework standard) authentication cookies and the (user) role cookies. By avoiding the BlogEngine.NET's login.aspx we're cleaner plus we avoid calling this code which is problematic.
File: BlogEngine.Core\Security\Security.cs
Method: AuthenticateUser(string username, string password, bool rememberMe)
Details:That code adds a "blog instance" into the cookie, so so if you have multiple blogs on the same domain, this prevents user1 authenticated on blog instance 1 from NOT being automatically authenticated on blog instance 2. I'm guessing most will only have one blog per domain (www.domain.com\blog!), so this is unnecessary. More importantly, that check breaks our single sign-on.
Two hurdles down ...
Part 3: Fix Per-access authorization check
Now, our site wide, standardized login.aspx doesn't add the specific BlogEngine.NET instance ID (see above). This would have been ok, except that there is still some BlogEngine.NET code that specifically looks for that. We don't need that check either, so lets remove that offending check...
File: BlogEngine.Core\Security\Security.cs
Method: void Init(HttpApplication context)
// Comment line below to revert to only-framework/default processing
//context.AuthenticateRequest += ContextAuthenticateRequest;
So at this point you should have
All logins handled by a single, site wide login.aspx
All authentication cookies and user role cookies created by the above site wide login.aspx
All such cookies encrypted and protected per of both the website & web-app web.configs (which should match!)
Which in turn allows single sign on :) !! Hooray !
In addition: in both web.configs you must insert machinekey with the same validationKey and the same decryptionKey.

ASP.NET authentication cookies not stored when using jQueryMobile on iPad

I have an ASP.NET MVC2 app using jQueryMobile. It is a secure app, and i'm using the ASP.NET authentication within the MVC2 framework.
I am using standard authentication via the web.config:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
I am securing certain controllers using the Authorize attribute:
[Authorize]
public class ClientController : Controller
All my web pages as based upon the same master page, which has a top-level container div as follows:
<div class="page" data-role="page">
It all works perfectly on Chrome. However, on the iPad the authentication does not work. It seems that the authentication cookie never gets stored on the client. The iPad keeps displaying the logon page, even if I type correct credentials. I have tried setting Safari Accept Cookies settings to 'Always' too.
Has anyone had any success deploying a jQueryMobile app using ASP.NET MVC2 authentication on an iPad? Thanks.
Edit: Ok, I have ascertained that the cookie is indeed being stored on the client, but it appears that jQueryMobile+Safari are somehow consipring to continually display the login page rather than redirecting me to the page that should be shown according to the logon redirect.
I believe I have the answer. With regard to the iPad, you need to specifically set web.config to force the use of cookies. My authentication setting in web.config now looks like this:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880"
cookieless="UseCookies"
/>
</authentication>
It is the cookieless="UseCookies" entry that solved the problem. The default value for this is UseDeviceProfile. It must have been the case that an iPad does not have a consistent UseDeviceProfile regime. On the iPad, sometimes it worked, sometimes it didn't. Don't ask me why. It now seems to be consistently working.
I agree with Journeyman, thats what I used. However if they add the website to the Homescreen, then these settings still do not work.
some have asserted they don't store the cookie in that case.
see related Q: iPhone/iPad WebApps don't allow cookies?

Resources