Strange behavior of log on after restart application pool - asp.net

I am building a simple asp.net mvc3 application using Forms authentication. After publishing it to IIS 7.5, I find that even after I restart the application pool for my web site (stop it and then start it), a logged-in user doesn't need to log in again. That's not what I expect, and I don't remember configuring the cookie to be persistent.
I use the simple asp.net mvc3 web application template and haven't done much to configure authentication. Below is some code related to authentication:
in web.config:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
in LogOn action:
FormsAuthentication.SetAuthCookie(userName, false);

I think I have got your answer: the cookie is set on the client side, and resetting the IIS server will not destroy the cookie, as it is not held on the server. You can set a cookie expiration time and it will be destroyed on the client side. I hope this clears up the situation.

Related

IIS 10 not setting Asp.Net cookie for session state

I have migrated a website from IIS 7 on MS Server 2008 to IIS 10 on MS Server 2019 and I am unable to set the session state cookie.
I've configured the Session State feature in IIS at the app pool level and at the site level to use InProc for session state, with a named cookie. I've also tried to add this configuration into the web.config file directly.
This is the section of the web.config I have set:
<authentication mode="Forms">
<forms cookieless="UseCookies" loginUrl="~/Account/Login" name=".MYSITEAUTH" protection="All" slidingExpiration="true" />
</authentication>
A cookie is being set on the client, but not with the .MYSITEAUTH property of the user.
This is the config of IIS for the site's Session State:
My hypothesis is that this is a configuration issue due to the same code and database not working on two different machines with the same web.config..?
Does anyone have any good steps to follow to enable asp.net session cookies on the client or any gotchas for setting this up in IIS 10 with Server 2019? No idea why this could be any different to the existing configuration but it is certainly something to do with IIS pushing out cookies.
Thanks!

Localhost cookies in ASP.NET debugging environment

I am working on several asp.net sites simultaneously. All of them use the cookie-based (out of the box) authentication mechanism. While a web site on localhost:4587 was being debugged in VS, I logged in as an "admin" user and did some testing.
The next day I opened a different project for debugging that runs on localhost. When I attempt to access an MVC controller action that is marked with the Authorization attribute, the system assumes the current user is "admin" and looks for its roles based on a custom provider. But on this site, there isn't even a user named "admin". How can I make sure cookies from other sites don't make it to the role check in an ASP.NET MVC application?
I would suggest it is always a good practice to delete all localhost cookies after testing. As explained here: asp.net cookies, authentication and session timeouts, you can also add details to the authentication cookie to ensure it is discarded after a session, i.e. when you close the browser, or to differentiate between two sites. Another approach to avoid cookies 'clashing' is to use two different browsers: Chrome for the one and Comodo Dragon or Chromium for the other.
Give your forms tag a unique name in each application
<authentication mode="Forms">
<forms name="myVeryUniqueNameForApp1" />
</authentication>
<authentication mode="Forms">
<forms name="myCompletelyUniqueNameForApp2" />
</authentication>

Forms authentication on different hostings

Hi, I have forms authentication for my site, and it works fine on localhost and GoDaddy, but after moving to another hosting provider it stopped working.
After logging in to the admin area, after 2-3 minutes I am redirected back to the login screen.
Does anybody know if I should change some settings on IIS, or what the source of the problem is?
My code looks like
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="10000" slidingExpiration="true"/>
</authentication>
FormsAuthentication.SetAuthCookie(userName, rememberMe);
If your application domain is being shut down and you have no machineKey section in Web.config (or validationKey/decryptionKey="AutoGenerate"), you will get a new validationKey/decryptionKey after every application start, and authentication cookies will become invalid. Visit http://aspnetresources.com/tools/keycreator.aspx and add the generated machineKey section to your Web.config.
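The keys for the machineKey section described in this answer can also be produced locally from the operating system's random number generator. The following is an added example, not code from the original post; the function names `New-HexKey` and `New-MachineKeyElement` are hypothetical, and it assumes ASP.NET 4.0 or later, where `validation="HMACSHA256"` is accepted.

```powershell
# Added example: emit a <machineKey> element with locally generated random keys.
# New-HexKey and New-MachineKeyElement are hypothetical helper names.
function New-HexKey {
    param([Parameter(Mandatory)][int]$Bytes)
    $buffer = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buffer) } finally { $rng.Dispose() }
    # Hex-encode: validationKey and decryptionKey are written as hex strings.
    -join ($buffer | ForEach-Object { $_.ToString('X2') })
}

function New-MachineKeyElement {
    $validationKey = New-HexKey -Bytes 64   # key for the HMACSHA256 ticket signature
    $decryptionKey = New-HexKey -Bytes 32   # 256-bit AES key for ticket encryption
    '<machineKey validationKey="{0}" decryptionKey="{1}" validation="HMACSHA256" decryption="AES" />' -f
        $validationKey, $decryptionKey
}

# Print one element to paste inside <system.web> of Web.config.
New-MachineKeyElement
```

The same element has to be present on every server or application that must accept the same authentication cookies, and it should be handled like any other secret.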

Auto logging in to another ASP.NET Application from main Web Application

I'm running the latest version of YetAnotherForum in a folder beneath my main WebApplication. The subfolder is configured as an application in IIS and navigating to the folder and logging in works wonderfully. YAF is set up with a membership provider and uses Forms Authentication.
What I'm trying to do now is to auto login a user into the forum from the main website. The main website uses custom authentication through sessions and cookies. It doesn't use any of the built in ASP.NET authentication or membership components.
So basically what I want to happen is that when a user clicks on a link to access the forums, they're sent to a processing page that authenticates them into the YAF Application before it sends them over to the subfolder.
Even though the main app doesn't use the built in authentication pieces, I've still set the authentication mode to forms and made sure the tag beneath that matches the one in the YAF web.config. Then, on the processing page I'm calling FormsAuthentication.SetAuthCookie(username, true), then redirecting. But YAF kicks me back to the login page anyway. Not sure where to go from here.
Main site is:
example.com/
web.config:
<authentication mode="Forms">
<forms name=".YAFNET_Authentication" protection="All" timeout="43200" cookieless="UseCookies" />
</authentication>
YAF is:
example.com/yaf (Separate WebApplication in IIS)
web.config
<authentication mode="Forms">
<forms name=".YAFNET_Authentication" protection="All" timeout="43200" cookieless="UseCookies" />
</authentication>
Processing page is: (in pseudo)
example.com/autoLogin.aspx.cs
public void AutLogin(){
    string userName = doStuffToGetUsername();
    YAFStuff.CreateUserIfNeeeded(userName);
    FormsAuthentication.SetAuthCookie(userName, true);
    Response.Redirect("/yaf/");
}
I'd been searching Google for 2 days trying to sort this out, but I finally stumbled onto the solution. I needed a MachineKey that matched on both web.config files for the encryption process.
http://forum.yetanotherforum.net/yaf_postst8780_Custom-membership-and-role-provider-with-YAF-Profile-provider.aspx
Sweet!
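A mismatch like the one described above can be checked before deployment by comparing the machineKey section of each application's web.config. The following is an added example, not code from the original post; `Get-MachineKeyInfo` and `Compare-MachineKey` are hypothetical names, the two config files and their keys are constructed placeholders, and the script assumes namespace-less web.config files.

```powershell
# Added example: check that web.config files pin the same <machineKey>.
# Get-MachineKeyInfo and Compare-MachineKey are hypothetical helper names.
$attrs = 'validationKey', 'decryptionKey', 'validation', 'decryption'

function Get-MachineKeyInfo {
    param([Parameter(Mandatory)][string]$Path)
    $xml  = [xml](Get-Content -LiteralPath $Path -Raw)
    # Assumes a namespace-less web.config, which is the usual case.
    $node = $xml.SelectSingleNode('/configuration/system.web/machineKey')
    $info = [ordered]@{ Path = $Path }
    foreach ($a in $attrs) { $info[$a] = if ($null -ne $node) { $node.GetAttribute($a) } else { '' } }
    # A missing element, a missing key or AutoGenerate means the key is not pinned here.
    $info['Pinned'] = ($info.validationKey -and $info.validationKey -notmatch 'AutoGenerate') -and
                      ($info.decryptionKey -and $info.decryptionKey -notmatch 'AutoGenerate')
    [pscustomobject]$info
}

function Compare-MachineKey {
    param([Parameter(Mandatory)][string[]]$Path)
    $infos = @($Path | ForEach-Object { Get-MachineKeyInfo -Path $_ })
    foreach ($i in $infos) {
        $differs = @($attrs | Where-Object { $i.$_ -ne $infos[0].$_ })
        # Report booleans and attribute names only, never the key material itself.
        [pscustomobject]@{
            Path         = $i.Path
            Pinned       = $i.Pinned
            MatchesFirst = $i.Pinned -and $infos[0].Pinned -and ($differs.Count -eq 0)
            Differs      = $differs -join ','
        }
    }
}

# Constructed sample input: a parent site and a child application (placeholder keys).
$dir = Join-Path ([IO.Path]::GetTempPath()) 'machinekey-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$template = '<configuration><system.web><machineKey validationKey="{0}" decryptionKey="{1}" validation="HMACSHA256" decryption="AES" /></system.web></configuration>'
($template -f ('AB' * 64), ('CD' * 32)) | Set-Content (Join-Path $dir 'site.config')
($template -f 'AutoGenerate,IsolateApps', 'AutoGenerate,IsolateApps') | Set-Content (Join-Path $dir 'yaf.config')
Compare-MachineKey -Path (Join-Path $dir 'site.config'), (Join-Path $dir 'yaf.config')
```

A row with `Pinned` false means that application falls back to generated keys, so cookies issued by the other application will not validate there.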

ASP.NET Membership - Can I allow anonymous access and still use automated login using Active Directory?

I hope this is not too paradoxical, but I don't know how this should be done...
I have a VS2008 ASP.NET MVC Project with the following Web.Config entry:
<authentication mode="Windows">
<forms name=".ADAuthCookie" timeout="10" />
</authentication>
This makes the visitor logon automatically with their DOMAIN\username login which they used to logon to Windows. (Right?)
This works with my development server (http://localhost:xxxx), but not with my IIS server (http://localhost). Probably because the development server is 'started' by my local user (which has ActiveDirectory read-rights on the domain) and because IIS is 'started' by the IUSR_WORKSTATION user which does not. (Right?)
If all of the above is true, how can I impersonate the IIS user (for instance to my own username) to solely authenticate the current user with the Windows login name? (like the example below)?
Or should the IUSR_WORKSTATION user be granted ActiveDirectory read-rights (not preferred as I will be switching servers / IUSR_ users a lot)?
<identity impersonate="true" userName="DOMAIN\myuser" password="mypass"/>
<authentication mode="Windows">
<forms name=".ADAuthCookie" timeout="10" />
</authentication>
<identity impersonate="false"/>
Windows authentication is poorly named (IMO). It's not using Windows as the authentication, but rather it delegates the authentication process to IIS. So you need to configure IIS's authentication, which then flows down to ASP.NET.
How you do this depends on your version of IIS; in IIS7, expand out the tree and click your web site, then click Authentication and enable Windows Authentication.
