I am a fresher in ASP.NET. I have one issue about the forms authentication, I have a web application(HPE) with forms authentication, which is already deployed into IIS,
There is a Eligibility web site in the web server,which is developed in classic ASP, it uses forms authentication. That main web site has link to web applications such as HPE,CHDP,BCCDP etc. When i click a HPE link, I would redirect to HPE application, i set the HPE ticket timeout to be 20 minutes(the same with main site).
When i stay in the HPE for over 20 minutes (doing something to keep HPE ticket valid), i click side bar CHDP link (which points to CHDP application), it would directly goes to timeout page instead of CHDP app. Are there any ways that i can go to other pages in main site while i stay in HPE application for 20 minites?
Below is the authentication part for HPE in web.config
<system.web>
<authentication mode="Forms">
<forms name=".HPEAUTH" loginUrl="Logout.aspx?go=login" timeout="20" defaultUrl="/Eligibility/Cookiemonster.asp" requireSSL="false" protection="All" path="/" slidingExpiration="true"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
Sorry that i didn't find any web.config file in the Eligibility(main site) directory. Any idea or though would be greatly appreciated.
To use the same authentication cookie across multiple applications, you will have to ensure that the machineKey section of your web.config file is set to the same thing on all apps.
From MSDN:
The following example shows the Authentication section of a Web.config
file. Unless otherwise noted, the name, protection, path,
validationKey, validation, decryptionKey, and decryption attributes
must be identical across all applications. Similarly, the encryption
and validation key values and the encryption scheme and validation
scheme used for authentication tickets (cookie data) must be the same.
If the settings do not match, authentication tickets cannot be shared.
For information about how to generate values for the validationKey and
decryptionKey attributes, see How To: Configure MachineKey in ASP.NET
2.0. (This topic applies to ASP.NET version 2.0 and to later versions.)
<configuration>
<system.web>
<authentication mode="Forms" >
<!-- The name, protection, and path attributes must match
exactly in each Web.config file. -->
<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH"
protection="All"
path="/"
domain="contoso.com"
timeout="30" />
</authentication>
<!-- Validation and decryption keys must exactly match and cannot
be set to "AutoGenerate". The validation and decryption
algorithms must also be the same. -->
<machineKey
validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"
validation="SHA1" />
</system.web>
</configuration>
Related
I have a asp.net webform application (ProA). It was built some time ago by someone else, although I can access source code. Now, I finished another application which is a MVC5 (ProB).
ProA uses asp.net membership for authenticate users. ProB is not using any membership. Now, we want to add user authenticate to ProB, and also some parts of ProB is using username as parameter for some data.
Now, we want to force user login from ProA, then maybe click a link/button, redirect the user to ProB. In ProB, we create an authorize filter to verify the user has the right, then show the pages.
I have tried to use forms authentiction across applications, described in: Forms Authentication Across Applications . But it does not work. The changes I made in web.config is:
<authentication mode="Forms">
<forms name="X.ASPXAUTH" loginUrl="~/Login.aspx" path="/"
protection="All"
enableCrossAppRedirects="true"
/>
</authentication>
Could it be because that one is webform and the other is MVC? Also, ProB actually does not have any membership installed yet, does it affect this form authentiction?
Any other suggestions?
Thanks.
--- Added more info:
1) I'm testing on my local machine. I run both sites in VS2012. What should I use for domain? "localhost"? ".localhost"? or, not use domain at all? seems not working.
2) I added a button on ProA, when clicked, use this redirect to ProB:
HttpContext.Current.Response.Redirect("http://localhost:12345/", false);
Is this the correct way? The HttpContext has the user identity.
3) Does ProB have to have membership? Now, ProB does NOT have membership feature, is it the reason?
You shouldn't have any issues with sharing the authentication across web forms and MVC apps. The underlying technology is the same, .Net uses an encrypted to cookie which has the forms auth ticket.
Read the following MSDN article: https://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx
The main things to note are the domain reference and the machineKey config.
The domain attribute of the forms auth config allows the browser to include that auth cookie with the requests sent to each site. Then the machineKey portion is the part that handles the encryption/decryption.
Both sites must have the config setup up identically for this to work, and also be running on the same domain i.e. xyz.contoso.com and abc.contoso.com
web.config
<configuration>
<system.web>
<authentication mode="Forms" >
<!-- The name, protection, and path attributes must match
exactly in each Web.config file. -->
<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH"
protection="All"
path="/"
domain="contoso.com"
timeout="30" />
</authentication>
<!-- Validation and decryption keys must exactly match and cannot
be set to "AutoGenerate". The validation and decryption
algorithms must also be the same. -->
<machineKey
validationKey="[your key here]"
decryptionKey="[your key here]"
validation="SHA1" />
</system.web>
</configuration>
EDIT
Use the following link to generate your machine keys: http://www.developerfusion.com/tools/generatemachinekey/
I would like know how SetAuthCookie works for different application on same server?
Currently I have two similar applications with different virtual directories.
How can I make it so that if I login to one of them then it doesn't ask me for login on the other application, and the same for logout?
It is possible if both applications are hosted on the same top level domain. You should specify this domain in your web.config of both applications:
<forms
name="name"
loginUrl="URL"
defaultUrl="URL"
domain="example.com">
</forms>
This way the forms authentication cookie will be emitted with the domain property setup and the client will effectively send it between the 2 applications. Another pre-requisite is that both applications share the same machine keys so that an authentication cookie that was encrypted by the first application can be successfully decrypted by the second application. If both applications are hosted on the same server you could set those machine keys in machine.config, if not then you could set them in web.config of each application:
<system.web>
<machineKey decryption="AES" decryptionKey="C03B1AB0BC1ACCD18EA915CBD87373010AD0DEC430A69871,IsolateApps" validation="AES" validationKey="C0ED7C430148AD4BC6505085DA4FD0DD3EE2453B566FC4EA4C7B3C2DCAB2025A79C774370CA884DF909CE9A3D379E544B7890D0A1CEE164141D3A966999DC625,IsolateApps" />
</system.web>
I've also covered this in the following answer.
Even the post is old but there is an easy solution add "name" in the form tag in web.config, coz if you dont give a name to the cookie it will have a default one
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" name="client" />
</authentication>
for the other application put another name, it works perfectly with me. good luck
ASP.NET: I have created a website with login authentication. Before the user can visit any of the pages in it he needs to login first. How do I prompt the user to login first before he can view any of the contents of the website?
The Examining ASP.NET's Membership, Roles, and Profile series is a good starting point. It covers all the security part of ASP.NET and your required stuff, Login before visiting the page via LoginUrl as your login page. starting doing this How To: Use Forms Authentication with SQL Server in ASP.NET 2.0
Some setting to be made in web.config and then handle of these things on code behind.
<forms name=".ASPXAUTH" loginUrl="login.aspx"
defaultUrl="default.aspx" protection="All" timeout="30" path="/"
requireSSL="false" slidingExpiration="true"
cookieless="UseDeviceProfile" domain=""
enableCrossAppRedirects="false">
<credentials passwordFormat="SHA1" />
</forms>
Add the following element under the element in the Web.config file. This allows all authenticated users to access your Web site.
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>`
code behind
if (Membership.ValidateUser(username, password))
{
// User has supplied valid credentials
// In the following method call, the second Boolean parameter
// determines whether a persistent authentication cookie
// is created.
FormsAuthentication.RedirectFromLoginPage(username, rememberMeIsChecked);
}
Reference:
Starting ASP.NET Forms Authentication
ASP.NET Authentication
Explained: Forms Authentication in ASP.NET 2.0
Try to do this in your web.config
If we want to deny access to anonymous users, configure the Authorization section in the following manner,
<configuration>
<system.web>
<authentication mode="Forms"/>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
For more info look here
This is huge subject to cover on posting code example here so I would recommend following steps.
Use asp.net mvc3, learn how membership provider work, customize it if to fit your needs, user role provider to assign users to specific groups which you will use to protect specific area of site.
Create roles and assign them to user and after that you can secure pages using decorated [Authorize] attributes or secure for selected users like this
[Authorize(Roles = "Admin, Super User")]
Use your web.config in configuration system.web section to indicate what membership and role provider is used in app.
This is short info, but I hope that you have concise mental picture now.
I'm working on a web application that is using Forms authentication.
<authentication mode="Forms">
<forms slidingExpiration="true"
loginUrl="~/User.aspx/LogOn"
timeout="15"
name="authToken" />
</authentication>
I'm seeing this cookie set in my browser when I log in:
The question is what happens when I put this website in a load balanced model? Where is the ASP.net session cookie being set? I didn't explicitly do it in code, so I assume it's happening behind the scenes somewhere in ASP.Net.
Also, If the session cookie is set by web server A, I assume web server B won't recognize it and treat it as an invalid session. If this is the case, I probably don't want to use it, right?
You'll have to set the machine key to be the same and the name to be the same on both machines...if this is done you should have no problems load balancing with forms auth.
<authentication mode="Forms">
<forms loginUrl="~/Login/Index" defaultUrl="~/"
name=".myportal"
protection="All" slidingExpiration="true" timeout="20" path="/"
requireSSL="false"></forms>
</authentication>
<machineKey validationKey="534766AC57A2A2F6A71E6F0757A6DFF55526F7D30A467A5CDE102D0B50E0B58D613C12E27E7E778D137058E" decryptionKey="7059303602C4B0B3459A20F9CB631" decryption="Auto" validation="SHA1"/>
Sessions can get slightly more complicated. You can store the ASP.Net session state in the database or use a shared session provider to make it available for load balancing as well.
Here is a good article on storing session state in the DB: http://idunno.org/articles/277.aspx
When I copy my URL and paste in other browser, the page opens which should not happen. This shows lack of security. I want the forms authentication. How to do that?
If you set cookieless="true" (or UseDeviceProfile and browser has cookies disabled) in your web.config file, authentication information is appended to the URL and this url will be valid across other browsers. If you use cookies to identify users, then only the current browser will have the user authenticated.
You need to set this up in your web.config file:
<system.web>
<authentication mode="Forms">
<forms loginUrl="login.aspx" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
As described in this MSDN article.
Forms Authentication is not a newly added concept in asp.net 3.5. It is tried and tested technique in existence from asp.net 1.0. There are lot of books and tutorials available to show you how to do this. The simplest way you can achieve this is using membership provider models such as SqlMembershipProvider. Models provide you ready-made infrastructure which you can use for authentication.