ASP.Net MVC identity infinite redirect loop - asp.net

I have an ASP.Net MVC5 application, using the Identity "out of the box" template, as per ASP.Net Identity 2.0.0. I need to upgrade it to use the newer code that is in the latest ASP.Net MVC template, namely the use of the SignInManager class.
I have done some A|B comparisons between the code in my original app and the template generated in the latest, and ported over all that I could see was different.
However, I'm getting an odd error, I suspect OWIN related. When I try and Login or Register, it triggers a Redirect loop that eventually crashes the app with a security warning as the URL Query string has concatenated itself to death.
The URL is :
https://localhost:44302/Account/Login?ReturnUrl=%2FAccount%2FLogin%3FReturnUrl%3D%252FAccount%252FLogin%253FReturnUrl%253D%25252FAccount%25252FLogin%25253FReturnUrl%25253D%2525252FAccount%2525252FLogin%2525253FReturnUrl%2525253D%252525252FAccount%252525252FLogin%252525253FReturnUrl%252525253D%25252525252FAccount%25252525252FLogin%25252525253FReturnUrl%25252525253D%2525252525252FAccount%2525252525252FLogin%2525252525253FReturnUrl%2525252525253D%252525252525252FAccount%252525252525252FLogin%252525252525253FReturnUrl%252525252525253D%25252525252525252FAccount%25252525252525252FLogin%25252525252525253FReturnUrl%25252525252525253D%2525252525252525252FAccount%2525252525252525252FLogin%2525252525252525253FReturnUrl%2525252525252525253D%252525252525252525252FAccount%252525252525252525252FLogin%252525252525252525253FReturnUrl%252525252525252525253D%25252525252525252525252FAccount%25252525252525252525252FLogin%25252525252525252525253FReturnUrl%25252525252525252525253D%2525252525252525252525252FAccount%2525252525252525252525252FLogin%2525252525252525252525253FReturnUrl%2525252525252525252525253D%252525252525252525252525252FAccount%252525252525252525252525252FLogin%252525252525252525252525253FReturnUrl%252525252525252525252525253D%25252525252525252525252525252FAccount%25252525252525252525252525252FLogin%25252525252525252525252525253FReturnUrl%25252525252525252525252525253D%2525252525252525252525252525252FAccount%2525252525252525252525252525252FLogin%2525252525252525252525252525253FReturnUrl%2525252525252525252525252525253D%252525252525252525252525252525252FAccount%252525252525252525252525252525252FLogin%252525252525252525252525252525253FReturnUrl%252525252525252525252525252525253D%25252525252525252525252525252525252FAccount%25252525252525252525252525252525252FLogin%25252525252525252525252525252525253FReturnUrl%25252525252525252525252525252525253D%2525252525252525252525252525252525252FAccount%2525252525252525252525252525252525252FLogin%2525252525252525252525252525252525253FRetur
nUrl%2525252525252525252525252525252525253D%252525252525252525252525252525252525252FAccount%252525252525252525252525252525252525252FLogin
Detailed Error Information:
Module    RequestFilteringModule
Notification    BeginRequest
Handler    ExtensionlessUrlHandler-Integrated-4.0
Error Code    0x00000000
I've used the exact same settings when referring to ReturnUrl in all methods.
For the most part, my application's original AccountController and related security code was untouched from the original template.
My newer sample application runs fine on my local machine, so I’m not sure where the differences are.
I've seen posts suggesting that IIS Express configuration is to blame, but I've followed the cleanup advice, and also published to an Azure site with the same result.
I've been spending a lot of time trying to resolve this and haven't had any success so I thought I'd put it out there for some advice… thanks in advance for any & all help. Please let me know if you need to see more code.
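A small diagnostic for the symptom in the question, added here as an example and not part of the original thread: each redirect to the login page percent-encodes the previous URL into ReturnUrl, so unwinding one level at a time gives the redirect count and the request that was challenged first. The function names and the sample paths (`/Manage/Index`, built by `build_nested`) are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, quote


def unwrap_return_url(url, param="ReturnUrl", max_depth=100):
    """Return the path at each nesting level of ReturnUrl, outermost first."""
    chain, current = [], url
    while current and len(chain) < max_depth:
        parts = urlsplit(current)
        chain.append(parts.path)
        # parse_qsl percent-decodes exactly one level, undoing the encoding
        # added by one redirect. Query keys are matched case-insensitively.
        current = next((value for key, value in parse_qsl(parts.query)
                        if key.lower() == param.lower()), None)
    return chain


def diagnose(url, threshold=3):
    """Summarise the chain; 'loop' is True when the outermost path repeats."""
    chain = unwrap_return_url(url)
    if not chain:
        return {"depth": 0, "repeats": 0, "loop": False, "innermost": None}
    repeats = 0
    for path in chain:
        if path.lower() != chain[0].lower():
            break
        repeats += 1
    # The innermost path is the request that was challenged first.
    return {"depth": len(chain), "repeats": repeats,
            "loop": repeats >= threshold, "innermost": chain[-1]}


def build_nested(login="/Account/Login", target="/Manage/Index", levels=5):
    """Constructed sample: wrap the target in ReturnUrl once per redirect."""
    url = target
    for _ in range(levels):
        url = f"{login}?ReturnUrl={quote(url, safe='')}"
    return "https://localhost:44302" + url


if __name__ == "__main__":
    print(diagnose(build_nested()))                         # protected page
    print(diagnose(build_nested(target="/Account/Login")))  # login page itself
```

When `innermost` is the login path itself, as in the URL posted above, the login page was the first request to be challenged, which narrows the search to the login action and its dependencies.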

I think your login action is missing the [AllowAnonymous] attribute.

Do you have SSL setup locally?
Are you authenticating on HTTPS, then being redirected to HTTP, which is killing the cookie and redirecting back to the HTTPS login page?
Have you got something in the web.config for forms authentication redirect like
protection="All" requireSSL="true" loginUrl="~/Account/Login.aspx"
Do your cookies look ok?

Resolved... turns out the culprit was my Unity DI configuration.
I drilled deep to find the errors getting recursively thrown on each redirect, and it suggested the AccountController dependencies weren't being instantiated. I had a similar issue last year ("Unity Container trying to resolve non registered type, throwing error"), and so I looked further into the changed dependencies.
Following the suggested answer at "Register IAuthenticationManager with Unity" resolved the issue.
Thanks for the suggestions re: SSL / HTTPS / Filters, investigating these led me to the exceptions.

I also faced this same issue before and solved it by adding this line in web.config:
<add key="owin:AutomaticAppStartup" value="false"/>
It will disable OWIN startup discovery.
I hope it will work.
Also check in the IIS virtual directory. Check whether the anonymous user is enabled or not; if disabled, then enable it and the problem will be solved.

Related

Controller User object is null on IIS Server

I have a site that is a mix of both MVC and WebForms that is utilizing forms authentication. Recently there was a need to switch from using WebForms to handle the authentication to MVC so I created an Account controller with a Login method and created the corresponding view. If someone was already authenticated and tried to visit "account/login", I wanted them to be redirected to the Index page of the controller so I have the following if statement at the top of the action:
if(User.Identity.IsAuthenticated)
There are no issues with this statement on my development machine; however, when I deploy this to the server, the User object is always null. I've searched on stackoverflow and the rest of the internet and have not yet found anything that has resolved the issue.
I should mention that the server this is running on is Windows Server 2008 Standard running IIS7.
Anyone have any ideas on why the User object is always null? I did see a stackoverflow post that mentioned it is because of the way IIS handles extensionless routes; however, when I tried to install the KB mentioned in that post it said the KB didn't apply to my server.
Okay - I finally figured out the issue.
I found a post here (http://forums.asp.net/t/1689878.aspx?HttpContext+Current+User+always+null+on+IIS+) that said the issue was because they didn't have runAllManagedModulesForAllRequests set to true. I don't want that set to true so I did a little more searching and ran across this stackoverflow posting: <modules runAllManagedModulesForAllRequests="true" /> Meaning
I checked my entry in the applicationHost.config file and found that it had the precondition of "managedHandler". Once I took that precondition off, then everything started working as expected. The odd thing is that in my development environment the precondition was there, yet it worked without issue. Perhaps it is because my dev box uses IIS 7.5 while the server uses IIS 7.0.

Unable to login to PiranhaCMS after setup

I've installed PiranhaCMS on an existing ASP.NET MVC5 application. Apart from having to install AutoMapper, the installation went through smoothly. I followed the Get Started instruction in the "Adding Piranha CMS to an existing application". I've tried using an existing database, the included CE database, and even a new database. It all comes down to the same problem: I get routed to "/manager/install" where I set up the admin user (which gets added to the sysuser table). After this I get routed to the "/manager" page where I get to sign in with the user I just created. When logging in, I get back to the same page. I assume the user is not valid... but I get no exception or other information.
Any ideas?
try to remove this node in your web.config
system.webServer/modules
What worked for me was removing the system.webServer/modules like mentioned above and also changing
system.web/authentication mode="None"
to /authentication mode="Forms"
The authentication mechanism for the manager uses Forms authentication. Since you just get routed back to the login I'm guessing Forms auth isn't enabled so the cookie doesn't get set!
Removing system.webServer/modules will disable the way an MVC application (such as in the default template) manages logging in users. Having authentication mode set to "Forms" is part of the getting started tutorial.
It is quite possible (and is in my case) that replacing authentication is not the desired behaviour.
The question is how to let those two authentication mechanisms live side by side. I know that we'll have to keep users separated. That is fine. But how to run two authentications side by side?

Anti-forgery cookie issues after a deployment

I keep getting the below error after deploying my ASP.NET MVC project to Azure Web Sites
A required anti-forgery token was not supplied or was invalid.
This seems like it only happens with the following steps:
Open browser and navigate to site's login page (this page may need to stay open for some amount of time) - UPDATE: This does not appear to be needed
Deploy project
Try to login
Get error
I do have the machine key specified
<machineKey validationKey="[vKey]" decryptionKey="[dKey]" validation="SHA1" decryption="AES" />
so I thought that should protect me from this happening. Any thoughts?
UPDATE: I am publishing from Visual Studio and the destination URL was set to http://[appName].azurewebsites.net instead of the custom domain that I use for FB authentication. I am on the custom domain when I actually log in so maybe there is some sort of caching issue? Not sure. As it doesn't always seem to repro, it's hard to determine if that made any difference.
I added DonutOutputCache to the ExternalLoginsList thinking I was being clever. This is a lesson in YAGNI.

ASP.NET HttpHandler and WebResource.axd issues

I need a simple HttpHandler to handle specific non-existent paths in my ASP.NET project. I'm using Sitefinity 4. I wrote the handler but whenever I try to run the site, I get a frustrating error
The WebResource.axd handler must be registered in the configuration to process this request.
I was putting the handler in the system.web part of the config but it looks like VS2010 still uses IIS 6 for its built-in web server, so I went ahead and switched it to use IIS 7 (local) and moved the registration of the handler to system.webServer, and it works when I hit a non-existent URL, but if I try to go to the site normally (valid URL) I get that dang error again.
It worked once, giving me the correct site on a valid url but now it just continues to give me trouble.
How can I resolve this issue? I don't want to add that entry to the config as it wasn't there when I created the project and it only started when I added my handler.
EDIT: Only happens when I use Path="*" so how do I do a wildcard? I don't want to map a handler to catch a 404 page.
Forget it. No one seems to know even though I know I'm not the only one who has needed to do this. I got 404 to work but ONLY when I request a file, not a folder, so that's a bust.
I found that Global.asax will hit under integrated mode so I just moved my code to the Application_BeginRequest() and it's working just fine. If anyone else has a better answer I will give them credit.
For IIS7 and IIS7.5, handlers are registered in system.webServer. The httpHandlers and httpModules in system.web are ignored and are used for IIS 6 and classic mode.
I hope this was helpful!

Why do I keep getting challenged for authentication on the main site when doing a HTTP POST to a sub application?

I hope somebody can assist in pointing out my ignorance by solving this problem... :)
I have just installed a new DNN site on http://www.digitalrefraction.com, and all is working fine there.
I also have an unrelated ASP.Net MVC 2.0 (with extensionless URLs - for what that is worth) application running in a subfolder on that domain, in the following URL:
http://www.digitalrefraction.com/refractor
I can do HTTP GET requests just fine to my sub application. However, the moment I do a POST I get an "Authentication Required" dialog box that says: "Enter a username and password for http://www.digitalrefraction.com".
Now I am confused. Why do POSTs and GETs to the main domain work fine, but then when I do a POST to the sub application, I get challenged for the main domain's authentication? But GETs to the sub application work!
Yes, I have checked the main DNN site's web.config, and have found no authorization entries at all. I tried adding some to allow anonymous access to /refractor, but that made no difference.
Also checked my sub application's web.config.
I am somewhat at a loss.
Note, I am talking about a sub application (sub folder), not a sub domain.
Any tips or ideas, or straight answers, will be greatly appreciated. :)
Thanx.
Ok, thanx to Cybernate, I re looked at the whole thing.
Essentially the login of my sub-app did not work, and as a result, the controller that handled the HTTP POST, and that required security, resulted in the challenge for authentication.
The reason that the login was not working was because of the whole nested application setup and inheriting from the root DNN site's web.config.
The specific problem: the app was throwing errors because of some settings it was inheriting from the root web.config, so I inserted a <clear /> at the top of some sections such as httpmodules to get rid of the inherited DNN modules. Turns out, there are some modules loaded by default that aren't the ones specified in the DNN's web.config, some of them having to do with authentication. So clearing them basically broke my login.
In the end, instead of <clear /> I added a <remove ... /> for each of the DNN httpmodules that were configured in the DNN web.config. In this way I got rid of the stuff I didn't want / need, but still retained the modules that were needed for my app to work.
It was a serious pain, but glad it's over now! Advice: stay away from nested ASP.Net applications, unless you really need them.
Come to think of it, isn't there a setting (global to application scope) that means "DO NOT INHERIT ANY SETTING FROM ANY PARENT APPLICATION / web.config"? That would have been extremely helpful!
