(Request.IsAuthenticated) is false after using FormsAuthentication.SetAuthCookie(username,false) - forms-authentication

I am building a website with VS2013 RC and MVC 5 and am trying to use forms authentication without registering permanent users on my site.
I'm posting to my company's API to authenticate users' names and passwords. When this comes back successfully, I want to issue an authorization cookie with:
System.Web.Security.FormsAuthentication.SetAuthCookie(username, false);
I see the .ASPXAUTH=... cookie after this is called.
But I cannot get into the @if(User.Identity.IsAuthenticated) or alternatively @if(Request.IsAuthenticated) block on the template's _LoginPartial.cshtml page.
This technique did work for me in MVC 4 and I am trying to bend it to fit MVC 5's OWIN authentication.

I needed to enable forms authentication in the web.config
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
...
</system.web>

If you don't want to fight against MVC 5's new authentication mode (OWIN), you can find your answer at this link:
http://www.khalidabuhakmeh.com/asp-net-mvc-5-authentication-breakdown-part-deux#disqus_thread

I tried all the above solutions, but the thing that solved my problem was commenting this out in web.config:
<modules>
<remove name="FormsAuthentication"/>
</modules>

For those who still have this issue and have tried all the above approaches, I recommend adding cookieless="UseCookies" to the forms element of the authentication section in the Web.Config file. In my case it worked fine.
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" cookieless="UseCookies" timeout="2880" />
</authentication>
...
</system.web>

Related

Moving from MVC3 to MVC4 session timeout

We upgraded from MVC3 to MVC4 using the new membership framework.
The session is timing out after 5 minutes.
I tried to set the session to one week, set the sliding session to true, nothing helped.
GoDaddy says they don't support MVC4, but I am not sure if that matters, since this should be related to IIS. What is the difference between MVC3 and MVC4 that is creating this behavior?
Edited:
Here is my config file:
<trust level="Full" />
<authentication mode="Forms">
<forms loginUrl="~/Home/LogOn" timeout="2880" slidingExpiration="true"/>
</authentication>
<sessionState timeout="2880" />
Hey @MBen, read this article; it may help you.
http://www.dotnet-tricks.com/Tutorial/mvc/906b060113-Controlling-Session-Behavior-in-Asp.Net-MVC4.html

custom login with form authentication

I have an ASP project which contains a login page. My problem is that I need to configure the web.config to accept my new login page.
Can you help me figure out my problem?
try this
<system.web>
<authentication mode="Forms">
<forms loginUrl="myLogin.aspx" />
</authentication>
....
</system.web>
Take a look at the Microsoft knowledge base.

Request redirect to /Account/Login?ReturnUrl=%2f since MVC 3 install on server

We have an internal ASP.NET Webforms application running on a Windows 2008/IIS7 server which has been running fine until we installed MVC3.
Now any requests redirect to /Account/Login?ReturnUrl=%2f.
The website is Webforms not MVC. Because it is an internal only site we have Windows Authentication enabled for the root folder.
We have several other websites on the same server that have not been affected by this problem, but this is the only site where the root folder is set to Windows Authentication.
I solved the problem by adding the following lines to the AppSettings section of my web.config file:
<add key="autoFormsAuthentication" value="false" />
<add key="enableSimpleMembership" value="false"/>
I fixed it this way
Go to IIS
Select your Project
Click on "Authentication"
Click on "Anonymous Authentication" > Edit > select "Application pool identity" instead of "Specific User".
Done.
Updated answer for MVC 4, heavily borrowed from this page and ASP.NET MVC issue with configuration of forms authentication section (and answered on both pages)
<appSettings>
...
<add key="PreserveLoginUrl" value="true" />
</appSettings>
...
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="43200" /> <!--43,200 in minutes - 30 days-->
</authentication>
Just remove
<authorization>
<deny users="?"/>
</authorization>
from your web.config file
That did it for me.
I resolved the IIS request auto-redirect to the default page (default.aspx or login page) by adding the following lines to the AppSettings section of my web.config file:
<add key="autoFormsAuthentication" value="false" />
<add key="enableSimpleMembership" value="false"/>
My solution was to add the tag
[AllowAnonymous]
over my GET request for the Register page. It was originally missing from the code I was maintaining!
I solved this by adding the path of my application in the defaultUrl option:
<forms loginUrl="/Users/Login" protection="All" timeout="2880" name="001WVCookie" path="/" requireSSL="false" slidingExpiration="true" defaultUrl="/Home/Index" cookieless="UseCookies" enableCrossAppRedirects="false" />
We added some WCF SOAP related things to an existing IIS site and it caused this problem, with the site refusing to honour the web.config authentication redirect.
We tried the various fixes listed without success, and invented a work around of mapping the new weird URL back to the one we've been using for years:
<urlMappings enabled="true">
<add mappedUrl="~/loginout.aspx" url="~/Account/Login"/>
</urlMappings>
That worked but it's ugly. Eventually we traced it down to a web.config entry added by Visual Studio some time earlier:
<add key="webpages:Enabled" value="true" />
As we'd been unable to work out precisely what that does, we took it out, which solved the problem for us immediately.
Open web.config, then change
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
To
<authentication mode="Forms">
<forms loginUrl="~/Login.aspx" timeout="2880" />
</authentication>
change to ~/Default.aspx
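Beware of this:
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    // Registers AuthorizeAttribute globally, so every action requires an authenticated user.
    filters.Add(new System.Web.Mvc.AuthorizeAttribute());
}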
After 4 hours of trying everything... On Windows 2008 R2 the files were green in Windows Explorer. The files that came from the zip file were marked for encryption and archiving. Unchecking those options in the file properties fixed the issue for me.
If nothing works, then add authentication mode="Windows" in the system.web section of your Web.Config file. Hope it will work for you.
Drezus - you solved it for me. Thanks so much.
In your AccountController, login should look like this:
[AllowAnonymous]
public ActionResult Login(string returnUrl)
{
ViewBag.ReturnUrl = returnUrl;
return View();
}
Similar setup, identical problem. Some installations would work, but most would start redirecting (HTTP 302) to /Account/Login?ReturnUrl=%2f after a successful login, even though we're not using Forms Authentication. In my case, after trying everything else, the solution was to switch the Application Pool Managed Pipeline Mode from Integrated to Classic, which cleared up the problem immediately.

How do I use ASP.NET Login Controls when my Login.aspx is not at the root of my application?

I'm using the ASP.NET Login Controls and Forms Authentication for membership/credentials for an ASP.NET web application. It keeps redirecting to a Login.aspx page at the root of my application that does not exist. My login page is within a folder.
Use the LoginUrl property for the forms item?
<authentication mode="Forms">
<forms defaultUrl="~/Default.aspx" loginUrl="~/login.aspx" timeout="1440" ></forms>
</authentication>
I found the answer at CoderSource.net. I had to put the correct path into my web.config file.
<?xml version="1.0"?>
<configuration>
<system.web>
...
<!--
The <authentication> section enables configuration
of the security authentication mode used by
ASP.NET to identify an incoming user.
-->
<authentication mode="Forms">
<forms loginUrl="~/FolderName/Login.aspx" />
</authentication>
...
</system.web>
...
</configuration>

Forms Authentication across Applications

I'm working on an internal web-based tool for my company. Part of this tool is another application (The Cruise Control Dashboard) that runs in its own Virtual Directory under my root application.
I wanted to limit access to this internal application by setting up Forms Authentication on it, and having a login form in the root application.
I put the following into the root application's web.config:
<location path="ccnet">
<system.web>
<authentication mode="Forms">
<forms loginUrl="/default.aspx" timeout="5000"/>
</authentication>
<authorization>
<allow users="?"/>
<deny users="?"/>
</authorization>
</system.web>
</location>
However, the Forms Authentication does not appear to be working, it does not redirect back to the login page when I access that application directly.
I have a feeling I have the <allow> and <deny> tags set wrong. Can someone clarify?
You might also need to put path="/" in the
That was it!
So, in summary, in order to do this:
In root web.config add:
<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1" />
This must be done because by default it is "AutoGenerate,IsolateApps".
Second, you must name the form Auth cookie the same in both, I did this all in my root, using the location tag:
<authentication mode="Forms">
<forms name="ccAuth" loginUrl="/default.aspx" path="/" timeout="5000"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
Finally:
<location path="ccnet">
<system.web>
<authentication mode="Forms">
<forms name="ccAuth" loginUrl="/default.aspx" path="/" timeout="5000"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Thanks everyone for your help. This was a stumper.
FormsAuthentication encrypts the tokens that it gives to the user, and by default it encrypts with different keys for each application. To get Forms Auth to work across applications, there are a couple of things you need to do:
Firstly, set the Forms Auth "name" the same on all Applications. This is done with:
<authentication mode="Forms">
<forms name="{name}" path="/" ...>
</authentication>
Set the "name" to be the same in both applications' web.configs.
Secondly, you need to tell both applications to use the same key when encrypting. This is a bit confusing. When I was setting this up, all I had to do was add the following to both web.configs:
<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1" />
According to the docs, that's the default value, but it didn't work for me unless I specified it.
You might also need to put path="/" in the <forms tag(s) I think. Sorry, it's been a while since I've done this.
That does not work, it still allows all users, (Authenticated or not) to access.
I would think you could even omit the allow tag, as it's redundant. Just:
<deny users="?"/>
Where does that code sit Jonathan? In my experience I have a login control and in the OnAuthenticate event I would set Authenticated to false...
If CustomAuthenticate(Login1.UserName, Login1.Password) Then
FormsAuthentication.RedirectFromLoginPage(Login1.UserName, False)
Else
e.Authenticated = False
End If
But that's using the Microsoft Way
You are allowing all unauthenticated users. You might be looking for something like this:
<deny users="?"/>
What is the file extension for this cruise control application? If it is not a file type that ASP.NET is registered to handle (e.g. jsp, java, etc), then ASP.NET will not act as an authentication mechanism (on IIS 5 and 6). For example, for static html files, unless you have wildcard mapping implemented, IIS does all the authentication and authorization and serves up the file without involving the ASP.NET isapi extension. IIS7 can use the new integrated pipeline mode to intercept all requests. For IIS6, you'll want to look at Scott Gu's article on the matter.
None of the above suggestions worked for me. Turns out in the root web.config set:
<forms loginUrl="/pages/login.aspx" enableCrossAppRedirects="true"...
and make sure that both the root and child app have in system.web
<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1"/>
which turns off the IsolateApps default.
Then everything just worked!
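
An added example, not from any of the posts above: a Python check of the settings this thread identifies as deciding whether two applications can share a forms-authentication ticket (cookie name, path, machineKey without IsolateApps), plus the first-match evaluation of authorization rules that the question's allow/deny pair ran into. The sample configs are constructed, each one is treated as a single application's effective configuration (inheritance is not modelled), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs, each treated as one application's effective settings.
ROOT_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1" />
  <authentication mode="Forms">
    <forms name="ccAuth" loginUrl="/default.aspx" path="/" timeout="5000" />
  </authentication>
  <authorization><deny users="?" /></authorization>
</system.web></configuration>"""

CHILD_CONFIG = """<configuration><system.web>
  <authentication mode="Forms"><forms loginUrl="/default.aspx" timeout="5000" /></authentication>
  <authorization><allow users="?" /><deny users="?" /></authorization>
</system.web></configuration>"""

KEY_DEFAULT = "AutoGenerate,IsolateApps"  # the default named in the thread above

def ticket_settings(xml_text):
    """Settings that decide whether one app can read another app's forms ticket."""
    web = ET.fromstring(xml_text).find("system.web")
    forms = web.find("authentication/forms")
    key = web.find("machineKey")
    key_attrs = key.attrib if key is not None else {}
    return {
        "name": forms.get("name", ".ASPXAUTH"),  # ASP.NET default cookie name
        "path": forms.get("path", "/"),
        "validationKey": key_attrs.get("validationKey", KEY_DEFAULT),
        "decryptionKey": key_attrs.get("decryptionKey", KEY_DEFAULT),
    }

def cross_app_findings(a_xml, b_xml):
    """List reasons a ticket issued by app A would not be accepted by app B."""
    a, b = ticket_settings(a_xml), ticket_settings(b_xml)
    findings = [f"{k} differs: {a[k]!r} vs {b[k]!r}" for k in a if a[k] != b[k]]
    for label, cfg in (("A", a), ("B", b)):
        for k in ("validationKey", "decryptionKey"):
            if "IsolateApps" in cfg[k]:
                findings.append(f"app {label}: {k} is isolated per application")
    return findings

def anonymous_allowed(xml_text):
    """Authorization rules are first-match: report what the first rule covering '?' does."""
    rules = ET.fromstring(xml_text).find("system.web/authorization")
    for rule in (rules if rules is not None else []):
        users = {u.strip() for u in rule.get("users", "").split(",")}
        if users & {"?", "*"}:
            return rule.tag == "allow"
    return True  # nothing matched: the machine-level default allows all users

if __name__ == "__main__":
    print(cross_app_findings(ROOT_CONFIG, CHILD_CONFIG))
    print(anonymous_allowed(CHILD_CONFIG), anonymous_allowed(ROOT_CONFIG))
```

AutoGenerate keys are generated per machine, so applications on different servers need identical explicit key values rather than matching AutoGenerate settings.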
