I have an ASP.NET MVC 3 application that is using Windows authentication, configured in IIS 7.5. It prompts the user for their Windows credentials when they first load the page.
Now, I want to have the "session" time out in XX minutes, so that the page will again prompt them for their credentials if this timeout has elapsed.
I have tried setting "Session.Timeout = XX" in the Page_Load method of the page I want to secure.
I notice that the "Session_End" method in Global.asax does fire, but the authentication ticket appears to "stay valid" even after the session has ended.
Is there a way to force the page to prompt again for Windows credentials at specified timeouts, either by changing configurations in Web.config or through IIS?
Please let me know.
You don't have control over the allowed session duration when using Windows Authentication, as this is part of the authentication protocol (Kerberos). There are ways and workarounds, but none of them straightforward.
It seems that forcing a client-side document.execCommand("ClearAuthenticationCache"); might come closest to your needs.
As far as I know there is no easy way to achieve this. I've read on people trying to manually control when 401s are sent but from what I remember, I haven't found any reliable solution.
I've got an app in MVC5 which uses forms authentication. Since rolling it out to a server, after being logged in for 5-10 minutes you are logged out; I would like the login to remain for minimum 1 day.
I suspect this is because the app pool is recycled after 5 minutes of inactivity; unfortunately this is a feature of our hosting and I have no control over it.
I've tried a number of things to work around this:
Set persistent to true on the login call, i.e. forcing it to "Remember Me".
Set the session state to use a SQL Server database, with a timeout of 1440.
Set timeout under to 1440 in the web.config.
Forced all three computers that use the site to trust the site in the browser, to make sure the cookie isn't being destroyed.
Set Session.Timeout to 1440 in global.asax.cs (probably redundant when this is also set in web.config)
A few points of background:
The site uses autofac to instantiate the database connection, which interacts with OWIN.
Pretty much everything else regarding the login comes from a standard visual studio setup, meaning I created a new web project and set authentication to forms.
The cookie is still there after being sent to the login screen.
The session is still there (in the database) after being sent to the login screen.
Does anyone know how I might fix this issue?
Asp.net forms authentication cookie not honoring timeout with IIS7
For anyone wondering, the fix here appears to have done the trick. Specifically, setting the machineKey in the web.config.
In my ASP.NET project, I am using Forms authentication. My main.master using LoginStatus control and web.config is set up for "Forms" authentication mode.
Before I log in, the control shows the text as "Login." After I log in, the control shows the text as "Logout." This is expected. However, after clicking around on a few links within the site, the control suddenly starts showing "Login" although I am still logged in. The session is still alive as some of the pages I visit dumps some session information.
I would appreciate it if someone could point me in the right direction. Regards.
If you are trying to redirect after setting a Session variable using
Response.Redirect("YourPage.aspx");
this may be causing the session token to get lost; try using the overloaded version of Redirect: Response.Redirect("~/YourPage.aspx", false);
Another problem may also be misconfiguration of the application pool. If the application pool is configured as a web farm or a web garden (by setting the maximum number of worker processes to more than one) and you're not using the session service or SQL sessions, incoming requests will unpredictably go to one of the worker processes, and if it's not the one the session was created on, the session will be lost.
The solution to this is either not to use a web garden if you don't need the performance boost, or to use one of the out-of-process session providers.
For more information you can check the link of the original article below: http://weblogs.asp.net/bleroy/Don_2700_t-redirect-after-setting-a-Session-variable-_2800_or-do-it-right_2900_
Here's what I want to do (which I've done before but I'm clearly doing something that is not obvious to me...):
ASP .NET 3.5 Intranet Application
Want to have Windows Authentication against AD setup on the website
When the user requests the page, fetch the user's username with the following code:
System.Web.HttpContext.Current.User.Identity.Name
I have IIS 7.5 and have setup the web application, disabled anonymous access and enabled Windows Authentication.
When the page is requested, the prompt for username / password is entered.
I entered the details but the prompt keeps coming up and eventually comes back with 401.
What on earth have I missed?
It seems to be a problem with the Authorization (don't confuse it with Authentication, they are completely different), because the Authentication has been passed successfully after you've written the right user name and password. Please try to set the appropriate privileges for the user you try to log in with, then try again. You can do that by setting the right roles in the Authorization tab in the Security/Application tool of ASP.NET or by defining it manually by creating the right class... You'd better also check the IIS policy if you deal with production code on IIS. If this is not working please post the Authentication code you've written.
Figured out what was wrong. Was nothing to do with Authorization at all but I stupidly had written code a few days back throwing a 401 error when a certain condition was not met. Removing that proved that the setup done worked perfectly :)
I have a .NET 4 application that I am taking to IIS 7.5. In it, I have the following code:
HttpContext.Current.Request.ServerVariables["LOGON_USER"]
This code is in my global.asax file and is in my Application_BeginRequest method.
For my application, this is returning an empty string. That makes me think that I don't have my authentication setup. I go into the IIS admin manager, and I have Anonymous, Digest, and Forms Authentication disabled. I have ASP.NET Impersonation, Basic, and Windows Authentication enabled.
Any ideas regarding what I need to do to get the actual windows auth userid would be appreciated.
Wally
Take a look at this page http://msdn.microsoft.com/en-us/library/ms178473.aspx (somewhere in the middle)
It explains which events are executed when a request comes in. BeginRequest is one of the first events that are raised when a request comes in and this means that not every piece of information you might need is available yet. In your case try capturing the PostAuthenticateRequest and see if that works. Also, you might be interested in User.Identity.Name.
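To illustrate the answer above, here is an added example (not code from either poster) of a Global.asax.cs for an ASP.NET 4 application with IIS Windows Authentication enabled: it traces the identity at both pipeline stages and exposes a helper that returns the logon name only for an authenticated request. The class name and the use of System.Diagnostics.Trace for output are assumptions.

```csharp
// Added example: why LOGON_USER / User.Identity.Name is empty in
// BeginRequest but populated in PostAuthenticateRequest.
// Assumes IIS Windows Authentication enabled and anonymous access disabled.
using System;
using System.Diagnostics;
using System.Web;

public class Global : HttpApplication
{
    // BeginRequest fires before the authentication modules run, so the
    // principal is not attached to the context yet: Context.User may still
    // be null and LOGON_USER is empty at this point.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        Trace.WriteLine("BeginRequest LOGON_USER='" +
                        Request.ServerVariables["LOGON_USER"] + "'");
        Trace.WriteLine("BeginRequest User is null: " + (Context.User == null));
    }

    // PostAuthenticateRequest runs after WindowsAuthenticationModule has
    // attached the WindowsPrincipal, so both sources are populated here.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        string name = GetAuthenticatedUserName(Context);
        if (name == null)
        {
            // With anonymous access disabled this branch should not be hit;
            // reaching it means the request was not authenticated, so do not
            // fall back to a default account.
            Trace.WriteLine("PostAuthenticateRequest: request not authenticated");
            return;
        }
        Trace.WriteLine("PostAuthenticateRequest user=" + name);
    }

    // Returns DOMAIN\user for an authenticated request, or null otherwise.
    // Prefer User.Identity over the LOGON_USER server variable: it is set at
    // the same pipeline stage but is typed and carries IsAuthenticated.
    public static string GetAuthenticatedUserName(HttpContext context)
    {
        if (context == null || context.User == null) return null;
        var identity = context.User.Identity;
        if (identity == null || !identity.IsAuthenticated) return null;
        return string.IsNullOrEmpty(identity.Name) ? null : identity.Name;
    }
}
```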
We have a web application running on ASP.NET 3.5. It is viewed by the world as one URL but in reality there are multiple IIS boxes hosting the application controlled by a load balancer.
My problem is that it is a sensitive application with strict security controls around it, and that, post-authentication, if you open another browser to the same application and log in as someone else, the second login overwrites the first login's session ID value in the cookie, and then the first window crashes.
Any idea how I can get around this?
The session ID is placed in the cookie. If another browser window is opened and starts a second session the ID in the cookie will be replaced.
Also, logins should not be controlled via the session cookie. There is a Forms Authentication cookie for that purpose which is more secure as I recall.
Most web applications only allow one session per PC. Try logging into Yahoo Mail, Amazon or Ebay twice on the same machine and you will find the same problem. So ASP.NET is pretty much designed around the idea that there is one login per PC. Although, if you have multiple browsers installed on a machine, you can generally log into apps more than once because each browser keeps its own cookie collection.
edit: You might want to try cookieless sessions, in theory they might allow multiple sessions per PC, although I haven't tried it. But cookieless sessions come with plenty of problems and limitations of their own.
In short, there may be some hacky way to do what you want to do, but it will probably be fiddly and cause other problems elsewhere, because what you are asking for goes against the grain of ASP.NET's core design.