Local asp.net restart with Oauth--provider logged in but session lost - asp.net

I'm developing a Dropbox ASP.NET application, and it's working at least in localhost mode. But I'm facing a problem that I hope is only during localhost testing and won't (CAN NOT) occur in production. It's a bit difficult to explain, so I will describe it in steps.
1) The browser is not running and I start the "logged in membership target page" in the debugger. It asks Dropbox for login and permission. At this time, in my OAuth-derived class, I store my Dropbox object with access token and secret in a session variable.
2) In my actual "logged in" page, I extract the object from the session and start using Dropbox, and it works fine.
3) Now suppose I stop debugging from Visual Studio 2012, make some modifications to the code, and start again. This time the browser is already logged in to Dropbox and the target page is displayed logged in. I see no "Allow" prompt from Dropbox. But there is no session variable now to extract my Dropbox object from, because this is a new session. But for Dropbox it is the already logged-in session.
I want to confirm that this situation can only occur during localhost running and cannot occur in a real production app, because it will always go from a web site in the browser which will have its own session. Or can it occur? What is the solution in that case?
Another doubt is: why doesn't Dropbox ask for the Allow prompt the next time if the browser is open but the app is starting a new session? It must be getting the same access token and secret from somewhere. From where?

I think I found a workable solution. If I find that the session has been lost, I execute the following code and it logs off the user. Even if the situation might occur only in my local testing, this takes care of it.
// Session lost (e.g. after an app restart) while the Forms Authentication cookie survived: force a clean re-login
FormsAuthentication.SignOut();
Response.Redirect("/");
return;

Related

How do I fix windows giving out the wrong AD identity to my application?

My application uses a Angular frontend paired with a C# backend.
For determining who's currently sitting in front of the pc, I use C#/ASP.NET's Current.User.Identity .
Now, this is not a coding issue; my problem is that Windows keeps handing out the wrong identity. This has been happening since yesterday. My website keeps telling me I am IISAdmin, instead of the user account that I am using right now.
I am guessing this probably stands in some relation to me adding a couple of network shares (quick access to the servers) using the credentials of IISAdmin and ticking the checkbox "Save Credentials".
Normally when I deploy patches I just connect to the server manually via explorer, and enter the credentials by hand. I have done this multiple times, this has never been an issue.
This is where it gets a little odd. I have tried starting Chrome explicitly as my User, and it just merged the window into the existing Chrome window I had already. Opened my web-app, IISAdmin.
I closed Chrome entirely, started it explicitly as my user again, IISAdmin.
Starting Chrome as a dummy account that I have access to, Chrome correctly opens a new Chrome window, and User.Identity confirms that I am logged in as said Dummy.
Internet Explorer behaves exactly the same way, so this is not browser-specific.
Even after a complete reboot this remains an issue. The network shares were removed after the restart; I am assuming they were temporary.
Windows should hand out my standard issue user account auth, not a highly powered super admin that's just saved somewhere.
After talking to some colleagues, they pointed me towards the solution.
If this happens to you:
Go to System Control / Credential Manager / Windows Credentials
(Golden Safe)
Delete the conflicting credentials
I was not aware of this at first, but when you create a network share and save the credentials, it saves them here.
What I didn't expect was that Windows maps the file path to the server to the server's actual IP / DNS address.
So whenever you connect to said server, Windows uses the saved creds it has, and because of the way Kerberos works, your existing token just gets handed around.
Hence making things a little mushy, even if you explicitly start Chrome as your normal user.

Session variable dropped .net

I have a web application (.NET VB code) that utilizes session variables to store the username (here login name) and the profile (admin/client); authentication is handled by ASP.NET membership. The application then relies on these session variables in the load events. This application has been running fine for a couple of years. However, recently users complain about occasional error messages after logging in and attempting to load a new page that needs one of these variables. It happens most frequently in Chrome, but also in IE and Firefox.
Users that experience the error need to log out and clear the browsing history, after that it works again. The error is not easy to replicate - I was able to trigger it on my machine 'violently' using the 'back' button a couple of times that eventually tripped it - then I had to clear my browsing history to get the application to work again.
What might cause this to happen?
The session gets set on the load event of the 'login' page with 'Session("Type") = "Admin"', and subsequent pages check for the value of Session("Type").
I understand that I could use a cookie instead, but I chose not to for security reasons. Could this be prevented using a cookie instead? or do I need to use the membership.getuser method to get the username and then look up the values in the database? That does not seem efficient.
Ideas?
FYI, the ASP.NET Session ID is stored in a cookie that travels back and forth with each request/response. The actual session state values for a given session are not stored in cookies ... they are stored on the server only. They could be stored in memory, or in a SQL database, depending on how you've configured ASP.NET Session State.
But Session State can get destroyed for a variety of reasons. IIS might suddenly decide to restart your Application Pool, for example, in which case all your Session State would be gone.
Basically, you need to write your web app to always handle the possibility that Session State may be empty. If it is empty, then you probably need to redirect the user to the login screen to enter his credentials again.
Clearing the browsing history should have no effect, so I can't explain why that would help get past the problem.

ASP.NET Application Pool logs out user permanantely

I have the oddest situation...
On my ASP.NET website when the application pool recycles the user is logged out. This is fine. I know this is supposed to happen. But when the user logs back in and selects any link within the website, they are logged back out immediately. They consistently get logged out. I don't know what causes this and I don't know how to fix it.
The odd part is the work-around. If I log in from a different computer or from the IIS server itself, then the user that is getting logged out can log back in.
Does anyone have any ideas as to what is happening?
Standard Forms Authentication in ASP.NET is cookie-based and should not be affected by the session vanishing. But, you're probably relying on something in the session to determine whether or not the user is logged in. If you're using in-process session storage (and it sounds like you are), then your application code might act strangely if you get in a state where the Forms Authentication cookie still exists and is valid but the session information is missing. Instead of going to a different computer, try blowing away your cookies and logging in again, and I would presume that your issue is resolved.
One step is to move to out-of-process session storage (such as the ASP.NET State Server, which is simple to use with a few config changes) or to eliminate session usage entirely (by depending on values stored in cookies, though there are security implications there to consider if these values are not encrypted). Then, take a close look at how your application code handles the condition where a login cookie is set but the session data is invalid.
It's a shot in the dark based on the information provided, but hopefully it puts you or someone else on the right track.
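The check the answer above asks for, written out as an added example (it is not code from any post on this page). It also covers the Dropbox thread at the top of the page, where the same condition appears after a debugger restart: the Forms Authentication cookie is still valid, but the in-process Session created at login is gone. The module signs the user out and sends them to the login page instead of letting page code dereference a null session value. The session key "UserProfile" and the class name are assumptions; use whatever your login page actually stores.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Runs on every request once session state has been attached. If the auth ticket says
// "logged in" but the required session value is missing, the ticket has outlived the
// process that created the session (app-pool recycle, debugger restart, node switch).
public class SessionGuardModule : IHttpModule
{
    // Assumed key: the value the login page writes into Session after a successful login.
    public const string RequiredSessionKey = "UserProfile";

    public void Init(HttpApplication app)
    {
        // Session state is only available from this event onwards.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    public void Dispose() { }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        // Handlers that opted out of session state (static files, some .ashx) have no Session.
        if (ctx.Session == null) return;

        if (!IsOrphanedLogin(ctx.Request.IsAuthenticated, ctx.Session[RequiredSessionKey])) return;

        // Expire the .ASPXAUTH cookie so the next request arrives anonymous; this is the
        // server-side equivalent of the "blow away your cookies" advice in the answer.
        FormsAuthentication.SignOut();
        // Discard the fresh, empty session that was just issued.
        ctx.Session.Abandon();
        // Redirect to the loginUrl from web.config (ReturnUrl set to the current page)
        // and skip the rest of the pipeline for this request.
        FormsAuthentication.RedirectToLoginPage();
        app.CompleteRequest();
    }

    // The condition both threads describe: authenticated by cookie, but no session data.
    public static bool IsOrphanedLogin(bool isAuthenticated, object requiredSessionValue)
    {
        return isAuthenticated && requiredSessionValue == null;
    }
}
```

Register the module in web.config under `<system.webServer>/<modules>` (integrated pipeline) or `<system.web>/<httpModules>` (classic) with `<add name="SessionGuard" type="SessionGuardModule" />`. There is no redirect loop: after SignOut the redirected request carries no ticket, so IsOrphanedLogin is false on the login page. Moving session state out of process (StateServer or SQLServer mode) makes the session survive a recycle, but the guard is still needed for sessions that time out while the cookie is still valid.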
I discovered the problem. In the Security settings of the ASP.NET Configuration, each user that logs in needed to have one of the roles defined in the "Description" field. This is very odd to me, but it seemed to do the trick. Anyone know why this needs to be done?

How can I debug a session

I have been asked to work on a very large web application and deploy it. The problem that I'm facing here is that when I deploy the application and more than 1 user logs into the system, the sessions seem to cross over, i.e.:
Person A logs in and works on the site, all good. When person B logs in, person A will then be logged in as person B as well.
If anyone has experienced this behaviour before and can steer me in the right direction, that would be first prize, Second prize would be to show me how I can debug this situation so that I can find out where the problem is and fix it.
Some information about the application. From what I've been told and what I've seen within the app is that it started as a .NET 1.1 application and got upgraded to .NET 2, and that's why the login system was done the way it is. (The application is huge and now complete, and that's why I can't rewrite the whole user authentication process; it will just take too long and I don't know what effect it might have.)
All the Logged in User information is stored in properties that have been added in the Global.asax.vb file. (could this be the problem?)
Any help here would be greatly appreciated
Sessions on the server don't cross over, so the actual reason has to be that there aren't actually two separate users, or that the information isn't actually stored in separate sessions.
Browser sessions
When you open a new browser window from another window in Internet Explorer, they are in the same browser instance, and thus still the same user. There is no way for the server to distinguish between the windows based on the session id, as they share the cookies and send the same id. You have to start a new instance to log in as a separate user.
In Firefox there is ever only one instance. Even if you try to start another instance, it will just open a window in the existing instance. Thus, you can not log in as separate users in separate windows.
Session objects
To store information in the user's session, you actually have to store it in the Session object. If you create properties in the Global object in global.asax, they are shared by all users. Even if you are in a method like Session_Start, the user doesn't have a separate instance of the Global object.
We had a similar situation in our code done by a vendor. In our case the problem was due to the use of global static variables assigned from session.
I don't suppose by any chance that when the user's identity is read from the session it's being stored in a static field rather than an instance field in a base class is it? And then being written back to the session from there? I've come across this before.
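The mistake the three answers above describe, placed next to the per-request version, as an added example (not code from the question or the answers). A static field filled from one user's session is one slot per application domain, so whichever request ran last "wins" and every other user sees that name; the same applies to properties on the Global class and to Application["..."]. The session key "UserName" and the class names are assumed.

```csharp
using System;
using System.Threading;
using System.Web;
using System.Web.UI;

// BROKEN: requests from user A and user B run on different threads against the same
// static field. After B's request runs OnInit, A's next page render shows B's name and,
// if authorization hangs off this value, B's permissions.
public class BrokenBasePage : Page
{
    private static string s_userName;              // shared by ALL users of the site

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        s_userName = (string)Session["UserName"];   // last request to run wins
    }

    protected string CurrentUserName { get { return s_userName; } }
}

// FIXED: keep per-user data only in per-request or per-session storage.
public class SafeBasePage : Page
{
    private string _userName;                      // a new Page instance is built per request

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Prefer the authenticated principal: the Forms ticket is tied to one browser and is
        // rebuilt from that browser's cookie on every request, so it cannot be swapped between users.
        _userName = Request.IsAuthenticated
            ? User.Identity.Name
            : (string)Session["UserName"];
        // Anything other code in this request needs can go in Items, which is also per request.
        Context.Items["UserName"] = _userName;
    }

    protected string CurrentUserName { get { return _userName; } }
}

// Debugging aid for the "how can I debug a session" part of the question: call this from
// Application_PostAcquireRequestState in Global.asax and write the result to the trace or a log.
// Two browsers that show different SessionID values but the same user name prove the name is
// being held somewhere shared rather than in the session.
public static class SessionCrossoverProbe
{
    public static string Describe(HttpContext ctx)
    {
        string sessionId = ctx.Session != null ? ctx.Session.SessionID : "(no session)";
        string name = ctx.User != null && ctx.User.Identity.IsAuthenticated
            ? ctx.User.Identity.Name
            : "(anonymous)";
        return string.Format("thread={0} session={1} user={2}",
                             Thread.CurrentThread.ManagedThreadId, sessionId, name);
    }
}
```

When reproducing, use two genuinely separate browser profiles or two machines, as the first answer explains; two windows of the same browser instance share cookies and therefore the same session ID, which looks identical to this bug from the server's point of view.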

Getting requester's login in ASP.NET/VB.NET

Is there a way to get the logged-in user from a VB.NET web application? I.e., if someone logged in as "foo"/"bar" on their local machine accesses the site, I need code to get me "foo"/"bar". This is for a passthrough on our intranet, where everyone uses the same Active Directory.
Essentially, I need to harvest the username of the logged in user and check it against our ActiveDirectory instance. If that fails, I need to check for Request variables and check those (that part is fairly easy). Then if THAT fails, I need to show a login screen (I also have a handle on this).
I've already come across and discarded a couple solutions for the part I'm having trouble with:
request.serverVariables("LOGON_USER") - This only works if you have anonymous access turned off in IIS, and that must be on to use forms authentication (which I'm using).
http://www.thescarms.com/dotnet/IsInRole.aspx - This solution does not seem to work for some reason. I suspect the line AppDomain.CurrentDomain.SetPrincipalPolicy( Principal.PrincipalPolicy.WindowsPrincipal) is the issue, but the meaning of this line is buried so far I can't figure out what it's actually trying to do.
HttpRequest.LogonUserIdentity?
if you're using Forms Authentication, have you tried System.Web.HttpContext.Current.User.Identity.Name?
The web browser will not send the user's local credentials to the web server unless two things are true:
The web server asks for them (i.e. Anonymous Access is disabled, and Windows Integrated Authentication is enabled).
The web browser has been configured to send local credentials if asked (an Internet Explorer option, available in Firefox via plugin, not sure about other browsers). If the browser has not been configured to send the information and the web server asks, the user will be prompted with a pop-up login screen.
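The three-step fallback the question describes, written out as an added example (not code from the question or the answers). It shows where the caveat in the last answer bites: Request.LogonUserIdentity only carries a real user when IIS challenged for credentials (anonymous access off, Integrated Windows Authentication on) and the browser agreed to send them; otherwise it is the anonymous account, which the IsAnonymous flag exposes. The request parameter name "user" and the class name are assumptions, and the domain lookup needs a reference to System.DirectoryServices.AccountManagement.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web;

public static class RequesterIdentity
{
    public enum Source { WindowsIntegrated, RequestVariable, None }

    public static Source Resolve(HttpRequest request, out string userName)
    {
        userName = null;

        // Step 1: identity negotiated by the browser (NTLM/Kerberos). Same data as
        // Request.ServerVariables("LOGON_USER"), but typed, and with the anonymous case
        // (IUSR when Anonymous Access is on) made explicit instead of an empty string.
        WindowsIdentity win = request.LogonUserIdentity;
        if (win != null && !win.IsAnonymous && IsKnownDomainUser(win.Name))
        {
            userName = win.Name;                 // DOMAIN\user
            return Source.WindowsIntegrated;
        }

        // Step 2: the request-variable fallback from the question. Caveat: anyone can put
        // a name in a query string or form field, so this only identifies the caller if
        // something upstream (e.g. a reverse proxy on the intranet) is trusted to set it.
        // HttpRequest's indexer checks QueryString, Form, Cookies and ServerVariables.
        string requested = request["user"];
        if (!string.IsNullOrEmpty(requested) && IsKnownDomainUser(requested))
        {
            userName = requested;
            return Source.RequestVariable;
        }

        // Step 3: nothing usable; the caller shows the Forms login page.
        return Source.None;
    }

    // Confirms the account exists in the domain the web server is joined to. Strips a
    // DOMAIN\ prefix because the lookup is by bare sAMAccountName.
    public static bool IsKnownDomainUser(string name)
    {
        if (string.IsNullOrEmpty(name)) return false;
        int slash = name.IndexOf('\\');
        string sam = slash >= 0 ? name.Substring(slash + 1) : name;
        try
        {
            using (var domain = new PrincipalContext(ContextType.Domain))
            using (var user = UserPrincipal.FindByIdentity(domain, IdentityType.SamAccountName, sam))
            {
                return user != null;
            }
        }
        catch (PrincipalServerDownException)
        {
            return false;                        // no domain controller reachable: not verified
        }
    }
}
```

Because Forms Authentication requires Anonymous Access to be enabled on the application, step 1 will return the anonymous identity for every request on that application; the usual way out is a second, small virtual directory with Anonymous Access off and Windows Authentication on that performs the Windows login and then issues the Forms ticket with FormsAuthentication.SetAuthCookie.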
