Configure ASP.NET shared session between IPs (rather than hostnames) - asp.net

I have a working shared session setup. However, some of my users want to navigate to the servers using their internal IPs rather than their hostnames. This breaks my shared session due to my <httpCookies domain=".abc.def.com" /> web.config element.
The element means a users' session is shared when they navigate from old.abc.def.com/index to new.abc.def.com/index. However, if my users want to navigate from 192.168.1.2/index to 192.168.1.3/index, the session is lost.
Is there a way to share the session across IPs? I haven't read anything that gives me hope for this.

I'm afraid that's impossible due to browsers security restrictions. According to RFC specification setting cookie from one domain to another is validated against these domain matching rules - https://www.rfc-editor.org/rfc/rfc6265#section-5.1.3

Related

Asp.net website loses session on changing client url

I have an asp.net website running on IIS7 and have been having an issue with some users from a university suddenly losing their session. The one thing all these instances have in common is that the user's client url/host address, that they are accessing our website from, changes half way through their session. To be clear, this is what I am recording on their page access:
Request.UserHostAddress.ToString()
Session state is tracked using the standard asp.net cookie. The relevant line in web.config:
<sessionState mode="InProc" timeout="40"/>
The website doesn't use frames, and is run from a single server (i.e. not a web farm) using a single worker process (i.e. no web gardening). It only occurs periodically to a single user while other user's sessions remain open at the same time.
I've added cookies to the list of things to be logged for the site as per this article on troubleshooting Session loss. A couple of questions:
Is it possible that it is the university that is dropping the session cookies and our server isn't even receiving them? And if so, would enabling the logging of cookies pick this up?
Is it possible that IIS drops the cookies if they don't match the previous url associated with it?
The cookie keeps the connection with the session and its associate with the domain. In some cases the domain maybe called with www. in front and in some other case not - and the cookie will be lost, so an the session.
To avoid that place on web.config the domain name as
<httpCookies domain="domainname.com" .... />
with out the www. to keep the cookies with or with out it.
Now because you use InProc that is run as a service and keep the session on memory and not on a database, this service is known that is drop the session for some reasons. To avoid that you must use a database to keep your session.
Other case can be a move from https to http and if you have place the cookie only to be secure, will be lost again.
related Share session between ashx and aspx

Sharing Session state between web applications on seperate servers

Is it possible to share Session state between web applications on separate servers? One of the web sites is using session state to maintain user credentials/info session state, the other is using forms authentication to maintain this information. Without modifications to the website using session storage, is it possible for the website using forms auth to read/access the session state on the other server? If not, which I assume is the answer, would it be possible if they ran on the same server? (i.e. the same app pool)?
Note: Both applications are under the same domain name (one of them will be a sub-domain)
As a note, the reason this is being asked is because a client is requesting a "single sign-on" approach between two websites. We're using forms authentication and the other site (which we cannot modify at this moment) is maintaining credentials/logon information in session
ASP.NET 4
IIS 7.5
Assuming the latter, you could try something like this:
first, make sure all the appliations are running in the same domain. If not, all bets are off. I don't know if there's a simple way to configure the domain property of the session cookie yet, so you may have to do it yourself, by setting the cookie domain property to the domain:
Response.Cookies["ASP.NET_SessionId"].Domain = ".mydomain.com";
you'll need to make sure that each application is configured to use either a common state server, or a db-backed session.
please follow the link : How to share session state across subdomains

Set domain of session cookie dynamically in ASP.NET

I use session objects in my web application which are traced by ASP.NET session cookie internally as we all know. So access to that cookie is essential to have access to session objects. I want my asp.net application work under http:// and http://www or any subdomain (domain is unknown to me at development time).
Can't be done. The session cookie only works for 1 domain and 1 domain only.
You could, however, write your own session management system and maybe accomplish shared session that way. I still don't think you'd be able re-use the cookie because the browser won't even send it in the first place.
After some more thought I've decided that I'm not sure. :) Perhaps if both subdomains map to the same ASP.NET application you could get share session to work. All you'd have to do is set your cookies as such:
<httpCookies domain=".maindomain.com">
If the different subdomians don't map to the same app, I think you'd definitely have to write your own session management.
Clearly, at this point you should take everything I've written with a grain of salt. I'm only leaving my answer up for you to get some ideas and so that people may comment on the correctness of it.
Why don't you leave domain field empty? That way you won't bind your cookies to some specific domain and will be able to play well whatever the domain of your site will be.

ASP.NET Session and Cookies in Multi-tenant application

I'm working on a multi-tenant ASP.NET MVC application.
So far we have been using HttpContext to store a few objects for the request (technically partitioned by tenant).
However, we will need to use TempData (uses Session) and set authentication cookies.
Our spec:
A tenant can have multiple urls (tenant1.myapp.com or mycustomdomain.com)
Authentication cookies should NOT be shared by tenants
Ideally, a tenant's authentication cookie should be shared by any one of their urls
Is Session domain aware? It seems to be.
Can I set multiple domains on an authentication cookie?
Advice on anything else that may catch me out would be appreciated. Really I just need to understand what needs to be partitioned for each tenant (up to now I've partitioned the file system, database and cache per tenant).
Thanks
Ben
Is Session domain aware?
By default Session is tracked by cookies and because cookies are restricted to the same domain the session is not only domain aware but also application-aware meaning that if you have two applications on the same domain they won't share session.
Can I set multiple domains on an authentication cookie?
No. Cookies cannot be shared between domains. But contrary to sessions you can share them among multiple applications on the same domain (by setting the domain attribute to the top level domain in the <forms> tag in web.config). This is what allows to achieve single sign on between applications on the same domain. If you wanted to achieve single sign on between applications on different domains you will need different approach.
you may want to look into Session Partitioning.
<configuration>
<system.web>
<sessionState
mode="StateServer"
partitionResolverType=
"IndustryStrengthSessionState.PartitionResolver" />
</system.web>
</configuration>
But I don't believe you can share sessions across domains out of the box. You will likely need to add custom session synchronization, where each domains session is linked by a custom algorithm to the same user/tenant etc.

One application, different domains: how to preserve sessions on ASP.NET?

I have an application with different sections. Each section is accessed through a domain. Example: www.section1.com, www.section2.com, www.section3.com. I need to preserve the session when the user navigates from one to another URL. The application is the same in IIS. How to accomplish that?
You will need to pass on the session-cookie, and re-set that cookie on the new domain. That will make the session live over several domains (assuming you use the same app).
Example:
Link from section1.com:
<a href="http://www.section2.com/?s=askdjh3k4jh234kjh">
then, OnSessionStart (or OnRequestStart) check for query-parameter s and attach session to it. Meaning, just manually set cookie ASP.NET_SESSIONID to the value you pass on.
This has severe security-implications, so don't allow this unless you know what you're doing. another solution might be to store something into a common backend (database?) and pass around the user with a token that represents the actual session (and set the cookie based on that token), that you generate on a middle-page when navigating away from section1.com -> transferusertonewdomain.aspx -> section2.com/?token=randomTokenThatMatchSessionInDatabase
That would prevent that anyone could hijack a session by jsut knowing the value of the cookie. However, that is possible never the less if you're somewhat familiar with a computer anyway.
If you have multiple domains (and not just subdomains, which are easier), you're going to have more complications doing this than you'd like, because you can't share cookies across different domains.
The usual workaround is to embed a link an image on the other domains that are served by an asp.net page (or HttpHandler if you like). That page should contain a querystring with a unique token and a hashed version of that data appended with some shared secret. Then, that page will set a cookie on the response appropriate to for that domain to associate itself with appropriate data. It will serve typically a 1x1 transparent image as the response. Usually you only want to do this upon login to one of the sites.
Unless you do some customizations, session is specific to an application regardless of session mode you are using. Here's an article that talks about how to customize SQL session so that you can use session across multiple applications.
You should start by change the sessionState from being "InProc" to either StateServer or SqlServer, ensure that the MachineKeys are identical across all sites (domains and servers), and then set up the relevant backend systems to capture the state information.
More information can be found on:
Session-State Modes
ASP.NET State Management Overview
You could use a cookie to pass it, still researching to find out how. I will repost.
** EDIT
There is another Stack Overflow question, see if it helps, 315132
It basically asks
I need to share SSO information
between two different domains with a
cookie, can this be done in PHP and
how?
the answer given was
On both domains, place an image or
other web element that is pulled from
the other domain. Use the URL to
notify the other domain that user X is
on domain A, and let domain B
associate that user ID with that user
on their system.
It's a little complex to carry out
correctly, but if you think it through
it'll work out very well.
Vinko points out in a comment
(thanks!) that I shouldn't take it for
granted that you understand the
security risks involved. If this
information is of any value to anyone,
then you should make sure you use
proper encryption, authentication, etc
to avoid releasing sensitive
information and to avoid various
attacks (replay, man in the middle,
etc). This shouldn't be too onerous
since you control both websites and
you can select a secure secret key for
both, since the communication is only
going between the two servers via this
special URL. Keep it in mind though.
The user is Adam Davis.

Resources