Share .Net Authorisation Cookie - asp.net

I have developed an ASPNET WebAPI service that uses form authentication with cookies.
I also have a main website which authenticates against my ASPNET WebAPI and serves some content from it.
So my workflow basically is:
Client/Browser authenticates against the main website.
Main website (server) authenticates against ASPNET WebAPI and receives an authentication cookie.
After logging in the client will need to access some content of the ASPNET WebAPI via server and also via browser.
I would like to know if it is possible to re-use, in the browser, the same cookie that the server received. Ideally my website server receives the cookie and pushes it to the client browser. I am assuming that ASPNET Authorisation cookies are not IP-specific, since the client browser and the server IPs are different.
Thanks.

It should be possible by modifying your configuration, for example:
<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH"
protection="All"
path="/"
domain="yourdomain.com"
timeout="30" />
Remember that both sites must be on the same domain, and the cookie path must be set to a common root or /.
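One way to do what the answer describes, as an added example that is not part of the original question or answer: the main website logs the user in against the Web API server-to-server, captures the forms-authentication cookie the API issues, and re-issues it to the browser scoped to the parent domain both hosts share. The API login URL, the cookie name `.ASPXFORMSAUTH` and the domain `yourdomain.com` are assumptions. A forms ticket carries no client address, so the same value is valid when the browser presents it; the Web API validates it with its own `<machineKey>`, so the website does not need that key merely to forward the cookie.

```csharp
// Added example (not from the original question or answer). The main website
// logs the user in against the Web API server-to-server and hands the resulting
// forms-authentication cookie to the browser, scoped to the parent domain both
// hosts share. URL, cookie name and domain below are assumptions.
using System;
using System.IO;
using System.Net;
using System.Text;
using System.Web;

public static class ApiLoginForwarder
{
    const string ApiLoginUrl    = "https://api.yourdomain.com/api/account/login"; // assumed
    const string AuthCookieName = ".ASPXFORMSAUTH";                               // name= in the API's <forms>
    const string SharedDomain   = "yourdomain.com";                               // domain= in <forms>

    // Returns true and sets the cookie on `response` when the API accepted the credentials.
    public static bool ForwardApiLogin(string userName, string password, HttpResponse response)
    {
        // 1. Server-to-server login. Assigning a CookieContainer is what makes
        //    HttpWebResponse.Cookies get populated from the Set-Cookie headers.
        var request = (HttpWebRequest)WebRequest.Create(ApiLoginUrl);
        request.Method = "POST";
        request.ContentType = "application/x-www-form-urlencoded";
        request.CookieContainer = new CookieContainer();
        request.AllowAutoRedirect = false;  // keep the response that actually carries Set-Cookie

        byte[] body = Encoding.UTF8.GetBytes(
            "username=" + Uri.EscapeDataString(userName) +
            "&password=" + Uri.EscapeDataString(password));
        using (Stream s = request.GetRequestStream())
            s.Write(body, 0, body.Length);

        Cookie apiCookie;
        try
        {
            using (var apiResponse = (HttpWebResponse)request.GetResponse())
                apiCookie = apiResponse.Cookies[AuthCookieName];
        }
        catch (WebException)   // 401/403 from the API or a transport failure
        {
            return false;
        }
        if (apiCookie == null)
            return false;

        // 2. Re-issue the same ticket to the browser. The ticket is an encrypted,
        //    signed blob with no client address in it, so it is as valid from the
        //    browser as from this server.
        var browserCookie = new HttpCookie(AuthCookieName, apiCookie.Value)
        {
            Domain = SharedDomain,   // presented to www.yourdomain.com and api.yourdomain.com alike
            Path = "/",
            HttpOnly = true,         // not readable from script
            Secure = true,           // bearer token: HTTPS only (assumes both hosts use TLS)
        };
        if (apiCookie.Expires > DateTime.MinValue)   // persistent ticket: keep its lifetime
            browserCookie.Expires = apiCookie.Expires;

        response.Cookies.Add(browserCookie);
        return true;
    }
}
```

Call it from the login page's click handler, for example `if (!ApiLoginForwarder.ForwardApiLogin(UserName.Text, Password.Text, Response)) { /* show error */ }`. If either host is served over plain HTTP, the `Secure` flag stops the browser from sending the cookie at all; drop it only if you accept the ticket travelling in clear, since whoever captures it is logged in as that user.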

Related

Two ASP.NET applications hosted on the same server. window.open from one application to the other logs out the first application

I have two ASP.NET applications hosted in our server. In first application (say A), I have a hyperlink to open the second application (say B).
I am using window.open to open B.
window.open(myurl, "mywindow", "menubar=1,scrollbars=yes,resizable=1");
When B is opened, A gets logged out.
I hosted B in another server and opened it from A, now A does not get logged out.
I am pretty sure that it is an issue with session.
I actually need to host both applications in one server. Am I missing any configuration?
Session state and forms authentication are two different things, and each one has a separate cookie. Session state has nothing to do with whether or not the user is logged in.
You should be adjusting the Forms Authentication cookie settings if you want each application to have a separate cookie name:
<authentication mode="Forms">
<forms loginUrl="member_login.aspx"
cookieless="UseCookies"
name=".ASPXFORMSAUTH" /> <!-- Change the cookie name here -->
</authentication>

Cross Web Application Authentication Not Authenticating Unless Redirected From Second Site

I have 2 asp.net web applications using Forms Authentication set up to have cross-application authentication. I have placed the following code in the webApp1 and webApp2 web.config files within the system.web tag.
<authentication mode="Forms">
<forms timeout="11520"
loginUrl="https://App1/logon.aspx"
cookieless="AutoDetect"
name=".ASPXFORMSAUTH"
protection="All"
path="/"
domain="fsenet.companyname.net" />
</authentication>
<machineKey
decryption="AES"
validation="SHA1"
decryptionKey="306C1FA852AB3B0115150DD8BA30821CDFD125538A0C606DACA53DBB3C3E0AD2"
validationKey="61A8E04A146AFFAB81B6AD19654F99EA7370807F18F5002725DAB98B8EFD19C711337E26948E26D1D174B159973EA0BE8CC9CAA6AAF513BF84E44B2247792265" />
Scenario 1 works: If I try to access a page on webApp2 and I'm unauthenticated it redirects me back to the webApp1 logon page; I then log on and am redirected back to the page on webApp2. All works as expected when using this redirect method.
Scenario 2 problem: If I log on using webApp1 and follow a link on a page within webApp1 to a page within webApp2, I automatically get redirected back to the logon page. As I understand it I should already be authenticated to access the page on webApp2 and should not be asked to authenticate again.
I use this code to identify if I'm authenticated
User.Identity.IsAuthenticated.ToString()
Scenario 2 shows False (the reason for the redirection) and Scenario 1 shows True.
Am I missing some setting that allows me to access the content on webApp2 after Authenticating with webApp1?
It is very important that you set the FBA settings correctly for cross-application SSO. There are already blog posts covering such tricks, and I can see that you missed multiple steps, so one app cannot get the authenticated info from the other.
http://geekswithblogs.net/bjackett/archive/2009/09/03/single-sign-on-across-.net-web-apps-using-forms-based-authentication.aspx
Ok, what I was doing wrong was not accessing both sites with the same domain, e.g. while I was debugging I was logging in via
http://localhost/Site1
(localhost being the mistake) and then linking from there to http://domianname.net/Site2/Page1.aspx, when I should have been accessing them both via http://domianname.net/Site1 and http://domianname.net/Site2/Page1.aspx (both with the domain), which allows the authentication cookie to be picked up from the correct location, I believe.
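A way to see which cross-application requirement is failing, as an added diagnostic that is not part of the original question or answers. Called from `Application_AuthenticateRequest` in the Global.asax of the application that keeps redirecting (webApp2 here), it separates three cases: the cookie never arrived (host, domain or path mismatch, which is exactly what logging in at `localhost` and linking to the real host name produces), it arrived but cannot be decrypted or validated (the `<machineKey>`, `name` or `protection` values differ between the two applications), or it is simply expired. The log sink (`System.Diagnostics.Trace`) is an assumption. Separately: the `validationKey` and `decryptionKey` shown in the question are now public, and anyone holding them can mint a ticket that both applications accept, so regenerate both before relying on this setup.

```csharp
// Added diagnostic (not from the original question or answers). Reports why
// the forms-authentication ticket is, or is not, accepted on this request.
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Security;

public static class FormsAuthDiagnostics
{
    public static string Describe(HttpRequest request)
    {
        string name = FormsAuthentication.FormsCookieName;   // name= from <forms>, ".ASPXFORMSAUTH" here
        HttpCookie cookie = request.Cookies[name];

        // Case 1: the browser did not present the cookie. A cookie issued while
        // browsing http://localhost/Site1 is scoped to "localhost" and is never sent
        // to http://fsenet.companyname.net/Site2; a domain=/path= mismatch or an
        // https-only (requireSSL) cookie on an http page looks the same from here.
        if (cookie == null)
            return "no '" + name + "' cookie for host " + request.Url.Host +
                   ": reach both applications through the same host name and check domain=/path=";

        // Case 2: the cookie arrived but this application cannot open it, which
        // means <machineKey> (validationKey, decryptionKey, validation, decryption)
        // or the <forms> name/protection settings differ between the applications.
        // Depending on the framework version Decrypt either throws or returns null.
        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception ex)   // HttpException or CryptographicException
        {
            return "cookie present but not decryptable (" + ex.GetType().Name +
                   "): machineKey or protection mismatch between the applications";
        }
        if (ticket == null)
            return "cookie present but failed validation: machineKey mismatch";

        // Case 3: the ticket opens but is stale, so FormsAuthenticationModule
        // treats the request as anonymous and redirects to loginUrl.
        if (ticket.Expired)
            return "ticket for '" + ticket.Name + "' expired at " + ticket.Expiration.ToString("u");

        return "valid ticket for '" + ticket.Name + "' (expires " + ticket.Expiration.ToString("u") + ")";
    }
}

// Global.asax.cs of the application under test (assumed wiring):
//
//   protected void Application_AuthenticateRequest(object sender, EventArgs e)
//   {
//       Trace.WriteLine(FormsAuthDiagnostics.Describe(Request));
//   }
```

Remove the hook once the cause is found; it logs the user name of every authenticated request, which you do not want in a production trace.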

proper IIS 6 configuration for forms authentication

I'm using Forms Authentication in my current ASP.NET Web Application (not MVC) and my IIS 6 server is configured with the following options:
in the [directory security tab] -> [Authentication Methods] I have:
the anonymous access Enabled
Integrated windows authentication Enabled
Do the above options prevent Forms Authentication from working properly? In other words, what is the proper IIS 6 configuration for Forms Authentication?
EDIT
I just made a test with the two options above enabled and the Forms Authentication session expired and redirected me to the login page, but all the answers so far advise that [Integrated windows authentication] should be off!
Here is a check list for using ASP.NET Forms Authentication on IIS6
Configure IIS:
In IIS, Site Properties -> Directory Security -> Authentication and Access Control
Enable Anonymous Access
Disable all Authenticated access methods
Configure Forms Authentication:
Configure Forms Authentication in your site's web.config:
<authentication mode="Forms">
<forms name="MySite"
path="/"
loginUrl="~/logon.aspx"
protection="All"
timeout="30"
slidingExpiration="true" />
</authentication>
Your name and loginUrl may vary. The slidingExpiration attribute is used to keep extending the forms authentication cookie lifetime rather than just kicking the user off the site after the timeout has expired. The timeout value is in minutes.
Configure Session Timeout:
You need to configure your session state timeout to be longer than your Forms Authentication ticket expiry. If you don't do this then an idle session can time out the session but leave the user logged in. Code that expects Session values to be present will throw exceptions because they are gone even though they are still authenticated. The timeout value is also in minutes.
<sessionState mode="InProc" timeout="40" />
Because forms authentication does not rely on IIS authentication, you should configure anonymous access for your application in IIS if you intend to use forms authentication in your ASP.NET application.
See here http://msdn.microsoft.com/en-us/library/ff647070.aspx for more information.
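A guard for the mismatch the checklist warns about, as an added example that is not part of the answer: when the forms ticket is still valid but the session behind it has expired (or an InProc app pool recycled), requests reach pages that expect `Session` values. This `Session_Start` handler in Global.asax detects the case (the browser sent a session-id cookie, yet a fresh session had to be created) and forces a new login instead of letting the page throw. The session cookie name `ASP.NET_SessionId` is the default and assumed unchanged.

```csharp
// Added example (not from the original answer). Forces re-authentication when
// a valid forms ticket outlives its session, so pages never see a logged-in
// user with an empty Session.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Default session-id cookie name; change it if <sessionState cookieName=...> is set.
    const string SessionCookieName = "ASP.NET_SessionId";   // assumed default

    protected void Session_Start(object sender, EventArgs e)
    {
        // Session_Start fires only for a newly created session. The raw Cookie
        // header is inspected rather than Request.Cookies because ASP.NET mirrors
        // cookies added to the response (including the new session id) back into
        // Request.Cookies, which would make the check always succeed.
        string rawCookieHeader = Request.Headers["Cookie"] ?? string.Empty;
        bool hadSession = rawCookieHeader.Contains(SessionCookieName + "=");

        if (Request.IsAuthenticated && hadSession)
        {
            // Ticket still valid, session gone: drop the ticket and send the user
            // to loginUrl with ReturnUrl set, rather than letting a page dereference
            // Session["..."] and throw.
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();   // Redirect(..., endResponse: false)
            CompleteRequest();                           // skip the rest of the pipeline
            return;
        }

        // First visit, or login in progress: initialise whatever the pages expect
        // so an authenticated user always has a session that matches the ticket.
        Session["LoginTime"] = DateTime.UtcNow;   // placeholder key (assumed)
    }
}
```

With the checklist's numbers (forms timeout 30, session timeout 40) the branch is rarely taken for an idle user, but it still covers app-pool recycles and any farm node without shared session state.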
The anonymous access should be enabled, I don't think integrated windows authentication makes a difference but if you're not going to need it then it's best to turn it off. The important thing to remember is to make sure it's turned on in web.config:
<authentication mode="Forms" />
Here's a basic tutorial that might be useful:
Overview of Forms Authentication
Anonymous access -> checked
All other options on the security tab -> unchecked
Note, forms authentication is done by .NET - not by IIS. Also, Windows Authentication MUST be off as well.
Rather technical explanations by MS.

ASP.NET forms authentication doesn't work with reverse proxy

I have an ASP.NET application. As well as local users accessing the application directly, I want to expose it to external users through a reverse proxy (which is running on a different machine in the DMZ).
For example, say internal users use the URL http://intranet1/myApplication/default.aspx; external users might use the URL http://www.mycompany.com/externalApplication/default.aspx.
This is quite simple to set up with URL rewriting, but there is a problem when forms authentication is turned on. If an external user hits the site, forms auth tries to automatically send them to the login page, which redirects them to the relative URL /myApplication/LoginPage.aspx. As far as the web app is concerned, the application root is at /myApplication, not /externalApplication. Of course the external user coming in through the firewall does not understand this URL, so the request fails with a 404.
Is there a sensible solution for this?
You should not redirect to "/myApplication/LoginPage.aspx" but to "~/Login.aspx", so it is correctly mapped depending on which URL the user hits.
<authentication mode="Forms">
<forms loginUrl="~/Login.aspx" timeout="2880" />
</authentication>
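The `~/Login.aspx` form resolves against the application's own virtual directory, `/myApplication` in the question, so the 302 that FormsAuthentication issues still carries that path unless the proxy rewrites Location headers on the way out. When the proxy cannot do that, the application can translate its own redirects. The module below is an added example, not part of the question or answer; it assumes the proxy marks external requests with an `X-Forwarded-Prefix: /externalApplication` header (a common convention, not a standard) and that the internal root is `/myApplication`.

```csharp
// Added example (not from the original question or answer). Rewrites root-relative
// Location headers so redirects issued behind a reverse proxy use the prefix the
// proxy publishes instead of the application's internal virtual directory.
using System;
using System.Web;

public class ProxyRedirectModule : IHttpModule
{
    const string InternalRoot = "/myApplication";        // virtual directory in IIS (from the question)
    const string ExternalRoot = "/externalApplication";  // prefix the proxy exposes (from the question)
    const string ProxyHeader  = "X-Forwarded-Prefix";    // assumed: set by the proxy on external requests

    public void Init(HttpApplication app)
    {
        app.EndRequest += OnEndRequest;
    }

    static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // Only translate for requests that actually came through the proxy;
        // intranet users keep the internal path. Compare against the fixed value
        // rather than trusting the header's content, so a client cannot steer the
        // redirect to an arbitrary prefix.
        string prefix = ctx.Request.Headers[ProxyHeader];
        if (!string.Equals(prefix, ExternalRoot, StringComparison.OrdinalIgnoreCase))
            return;

        string location = ctx.Response.RedirectLocation;   // Location header of a 302, else null
        if (string.IsNullOrEmpty(location))
            return;

        // FormsAuthentication redirects to "/myApplication/Login.aspx?ReturnUrl=%2fmyApplication%2f..."
        // (loginUrl="~/Login.aspx" resolved against the internal root). Swap the leading
        // path segment; the ReturnUrl still names the internal path, but the redirect back
        // to it after login is itself a 302 through this module and is translated then.
        if (location.StartsWith(InternalRoot + "/", StringComparison.OrdinalIgnoreCase))
            ctx.Response.RedirectLocation = ExternalRoot + location.Substring(InternalRoot.Length);
    }

    public void Dispose() { }
}
```

Register it in web.config under `<system.web><httpModules>` (IIS 6 and classic mode) or `<system.webServer><modules>` (IIS 7 integrated mode). Only root-relative Location values are handled; an absolute `http://intranet1/...` redirect would need the host translated as well, and the proxy must be the only thing able to set the header (strip it from incoming external requests) for the check to mean anything.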

Login issues on shared SQLServer session state of web-farm

Per a question I posted yesterday, our website's DNS structure has changed to round-robin DNS which literally swaps back and forth between two production servers. Our web.config for both prod servers has:
<sessionState mode="SQLServer" ... > pointing to the same shared DB
A machineKey on each server that is consistent between the two (this was the main point of my post yesterday).
[update] The same domain in the <forms domain=".mydomain.com" ... > tag
When we use the login feature on the site, the login actually makes a web service request to a 3rd website that authenticates a user. If the resulting response says it was a successful login, then we use FormsAuthentication to log the user in:
FormsAuthentication.SetAuthCookie(strUserID, true);
Our issue is that on some pages we see we are logged in, others we're not. Is this something indicative of either us not completing a final step to share session between two prod servers or could our SQL server session DB be broken?
Thanks in advance
UPDATE:
Our code to determine if the user is logged in is quite basic:
HttpContext.Current.User.Identity.IsAuthenticated
UPDATE 2:
When I hit prod1.mysite.com (or prod2.mysite.com) I get a cookie called "ASP.NET_SessionId" but when I hit the live public URL, www.mysite.com, I don't get this cookie. Is this part of the problem?
RESOLUTION:
It turns out that everything we did here was all correct and that our live site which uses Akamai was being cached in various states due to Akamai's cache configuration. Sharing your logged in state between servers has been confirmed to work.
One thing you could do is use the Firebug add-on for Firefox to ensure that the authentication cookie is being sent to the browser as expected after logging in, although as you are seeing that you are logged in on some pages I would expect this to be the case.
Another thing to check would be that the domain is set correctly for the authentication cookie and that it is valid for all pages on your website.
This is typically set in your web.config in the forms tag, example below, and should be the same on each server in the web farm.
<authentication mode="Forms">
<forms name="yourAuthCookie" loginUrl="/login.aspx" protection="All" path="/" domain="mydomain.com" timeout="30"/>
</authentication>
If this is all correct then it is possible that session is not being shared correctly between your servers, although the settings that you have described in your question appear to cover what is needed.
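For the farm requirement in the question (an identical `<machineKey>` on every node, otherwise a ticket issued by one server fails validation on the other), the keys should be generated once from a cryptographic RNG and copied to each node rather than left to `AutoGenerate`. The following is an added example, not part of the question or answers: it emits a `<machineKey>` element with a 64-byte HMACSHA256 validation key and a 32-byte AES-256 decryption key, the same sizes as the keys posted in the earlier cross-application question. `HMACSHA256` needs .NET 4.0 or later; on older frameworks use `SHA1`.

```csharp
// Added example (not from the original question or answers). Generates a
// <machineKey> element with fresh random keys for a web farm.
using System;
using System.Security.Cryptography;
using System.Text;

public static class MachineKeyGenerator
{
    // validationKey: 64 bytes for HMACSHA256; decryptionKey: 32 bytes for AES-256.
    public static string NewMachineKeyElement()
    {
        return "<machineKey validation=\"HMACSHA256\" decryption=\"AES\"" +
               " validationKey=\"" + RandomHex(64) + "\"" +
               " decryptionKey=\"" + RandomHex(32) + "\" />";
    }

    static string RandomHex(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = new RNGCryptoServiceProvider())   // CSPRNG, not System.Random
            rng.GetBytes(bytes);

        var sb = new StringBuilder(byteCount * 2);
        foreach (byte b in bytes)
            sb.Append(b.ToString("X2"));   // upper-case hex, as machineKey expects
        return sb.ToString();
    }

    public static void Main()
    {
        // Paste the output into <system.web> on every node of the farm.
        Console.WriteLine(NewMachineKeyElement());
    }
}
```

Changing the key on a live farm invalidates every outstanding forms ticket (and ViewState MAC), so roll the new element out to all nodes in one deployment. Treat any key that has been pasted into a forum post, ticket or repository as compromised and regenerate it; with the key, anyone can mint a ticket for any user name that every node accepts.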
