FormsAuthentication with different time out for different users - forms-authentication

In ASP.NET MVC 4, Is it possible to have a different time out period for different user types?
I have an app where both users and customers will log in. Customers will tend to be fairly transient and be on the site for a short period of time, whereas users will need to remain logged in for several hours.
Is there a way to do this?
I should point out that I am not using MembershipServices. I'm handling user authentication manually.
Hope you can help,
Simon.

Short answer yes.
But you're not using the standard membership provider so you have to engineer this functionality in yourself depending on what you've done.
The standard provider allows you to set the expiry date of the authentication token (see http://msdn.microsoft.com/en-us/library/system.web.security.formsauthenticationticket.expiration.aspx). The token is then written to the users browser in a cookie with the same expiry date. The expiry date is included in the token itself as otherwise the token would work forever as only the browser knows the cookies expiry date.
When the token expires, the user has to relogin.

Related

is it good to use Session for storing a logged in user id? Or is there a simpler way?

We have a log-in form in ASP.Net Webforms. and when user logs in we save the user id to session state.
Session["CurrentUserId"] = user.Id;
So this is how we know a user is logged in.
if(Session["CurrentUserId"] == null) Redirect("Login.aspx");
This is all we use Session for. I am storing session in DynamoDB because we have many load balanced servers. But sometimes DynamoDB gets overloaded or gives errors. So I trying to get rid of session state to avoid these errors and to simplify a login process.
So what alternatives are there? How do modern websites log people in and remember they are logged in, and timeout after x minutes?
Is there a way to use a secure cookie to just do it? And how would you expire it if user doesnt do anything for 20 minutes? It has to work over a collection of web servers.
Storing user ID in session is not necessarily bad but has to be combined with other things in order to secure the site against things like session fixation attack and CSRF (also known as "session riding"). It is also problematic in a web farm if you are using in-proc session state.
In ASP.NET web forms, the standard way to authenticate is to use forms authentication, which places an encrypted cookie ("authentication ticket") on the browser. You may also want to put the user ID somewhere in session and compare it to the authentication ticket in order to ensure they match.
if you using the standard FBA login providers?
You can get user logon ID with this:
Membership.GetUser.ProviderUserKey
And you can get user email with this:
Membership.GetUser.Email
So, the user logon id can be fetched with above.
As for session() being a bottle neck?
Well, it not all that bad - you not "updating" the session() value by doing this, so it certainly does not have to be written back each time (for a post) and also it means that a lock on session() during post backs etc. should not occur.
I would however consider one of the above two approaches, since then session() re-sets or anything else would not matter to get the user ID, or email.
As noted, this much depends on what security and authentication provider you are using here.

asp.net MVC FormsAuthentication for claim based authentication

We are using Gigya to authenticate the user which will provide us with user Id and email. Then we pass the user detail to our CRM Web Service which will return the user data from CRM.
We then need to create a session for the user so that we can identify whether the user is logged in or not. If not logged in then redirect to Gigya for login/register etc.
Now, given that we are not using any ASP.NET Membership or similar, I'm thinking how we are going to secure the member pages. One way I can think of is store the user detail in session. Then check if user detail exists in session, if doesn't exist prompt for login.
I'm also thinking whether:
I can use FormsAuthentication.SetAuthCookie or similar to create a asp.net session
Or is there better way to achieve this.
Also, if I use FormsAuthentication.Logout will it clear all my session and cookies even though I'm not using asp.net membership provider?
Goal:
To be able to create a session for the user
Able to authorize user based on user role which we get from CRM.
Able to logout the user on Lout button click.
First, and this is very very very important from a security perspective.
Authentication != Session.
They are different concepts. Second,
NEVER USE SESSION for AUTHENTICATION
see first rule. FormsAuthentication has nothing. Zero. Zilch. Nada. To do with session management. Nor does it have anything to do with Membership or credential verification. All it does is store a cookie that ASP.NET can decode to verify that the user is authenticated or nor. This cookie is set by your application when it has validated the users credentials.
FormsAuthentication.Logout() does not clear sessions, because as I already said, they have nothing to do with each other. You have to clear the session by calling Session.Abandon().
Session is about storing data for a user, and is not secure. Session is volatile, and IIS can discard it whenever it feels like, for any reason, at any time. You cannot depend on Session to be there from request to the next.
Authentication is encrypted, and strictly about proving the user has been authenticated.
Authentication can transcend sessions. It can be good for hours, weeks, months... Your session is only good for the time you are currently there (if IIS doesn't kill it earlier).

How do I find out if the current AUTH cookie is "permanent"?

I have a ASP.NET website where after a specific user action, I have to issue a new AUTH cookie almost identical to the one the user already currently has. I'm having trouble finding out whether the current AUTH cookie is supposed to be persisted or not. Any ideas on how to do this?
If the cookie expiration isn't set, then it's session.
If you are trying to discover it's life via the browser, you can use firebug with the firecookie plugin. Or the web developer tool will also enumerate all the cookies on a page.
Any cookie that is not session will have Expires field. If you send it into feature date - you will get it "permanent" until the time expires. If you want to maintain "permanent" cookie status you would refresh it on next user login and shift it further into the future. One month is usually enough

Does a forms auth ticket survive a trip to WorldPay?

I've got a site that uses Forms Authentication (with a custom membership provider, but that's not important right now). In the secure part of the website, the customer can purchase goods and pay for them via WorldPay.
Once they come back from WorldPay, if there's a link back into the secure part of the website, can I reasonably expect the forms auth ticket (stored in a session cookie) to have survived (timeout notwithstanding)?
The ticket is set thus:
FormsAuthentication.SetAuthCookie(username, false);
FormsAuthentication.RedirectFromLoginPage(username, false);
The work is part of a redevelopment, and I would rather have a quick "yes/no/maybe" answer before writing lots of code that may not be required - we do not want to have the user log back into the secure part of the site so we recreate their login based on the information returned from WorldPay. Obviously, if the user is going to be remembered, I don't have to write that code - I'm quite lazy ;-)
Thank you for any suggestions,
Mike K.
Forms Authentication uses a cookie.
A session cookie (which is stored in memory) lives as long as the session does not timeout and you do not close the browser.
You may also be able to set the life time of the cookie, then it will be written to disk, and available to all browser instances. In this case you will also be logged out if the session timesout on the server.
If you're calling
FormsAuthentication.SetAuthCookie(username, false);
then the cookie will survive for as long as the value specified in your web.config or until the user logs-out.
If you redirect them to a 3rd-party site during the course of their visit to your site, this cookie will remain. The 3rd-party site won't have access to your auth cookie.
In short, they will still be logged-in on your site when WorldPay redirects them back.
Even shorter: yes.
Hope this helps.
The other answers here seem to point out to this being a non-issue, but I thought I'd just add that if you're posting data to their gateway, any variables which start with MC_ will be returned to you on the other side. I'm not sure if this helps or not!

ASP.Net session and cookies for keeping someone logged in

I've got an existing site I'm taking over, and right now it stores, in a session variable, the id of the currently logged in user (if logged in at all -- otherwise I'm sure it is empty string or null or something).
The client now wants, after someone is logged in, to "keep" them logged in on that computer for an indefinite amount of time.
ASP.net Sessions have a maximum idle time of 1 day, I believe. The website isn't written all that well in the Flash portion (whole front end is flash) and the flash will process a login, then, as long as the flash isn't reloaded, assume that the user is still "logged in".
I think my solution is to ALSO store a client side cookie with some GUID value and hold in the database the associated user id...sort of like a session that never expires. So, when the page is loaded, I can check my cookie, use that to select the userid out of the database, and if we find one, then set the session value that says user 23 is logged in.
Does anyone see any issues with this perspective? Would you recommend something different? I really don't want to refactor a bunch of the existing code, but just slip this in on top...
PS -- security is not really a concern. The only reason they have people log in is so we can track orders by a person, but no money changes hands through this website. There is also no personal information that a user can view or edit, either.
This is how I do it. I actually have a cookie that holds their login and password, this way I can automatically log them in should they not be logged in. I expire the cookie after a couple of days of inactivity. The downside is that everyone forgets their password because the only time they really have to enter their password is when they come back from extended time-off.
This is for an internal application, with the same customer demands that you have and this works ... and makes the customer happy.
One thing we may end up doing is just using Windows authenication, might actually work better in this circumstance.
That's the way I do it, but the problem with it (at least I think its a problem) is that when you store the username and password in a cookie there is not any encrypting when you add the cookie. If you look at the cookies in your browser the username and password are displayed there plain as day. Is it possible to get some kind of encrypting on the cookies you store? Or how would you handle this?
Check this blog posting out http://timmaxey.net/archive/2009/03/06/asp.net-cookie-auto-log-in.aspx basically you needs to save the cookie with a guid a series, and a token, the token, in my case, changes all the time, the series is something that is generated based on something, like the guid and id combo or whatever, then the guid is always stored with the user. There is a cookie table to stored this info etc... pretty secure, not 100%, but pretty good... Tim Maxey
I recommend using the Enterprise Library Crypto App Block to store an encrypted cookie which is nothing more than a GUID. Get the GUID, and use a session table in the database to track user info.
At the session start event, get the user info and cache it.
Using the session object is not recommend for user info because it won't work on a web farm, unless you use a database for session state.
You're basically rolling your own session state at that point, and I'm fine with that. However, I would not go the route of storing the username/password in a cookie (even if encrypted). There's no way to expire that from the server-side. You can always remove your row in the table to force a user to log in again, but if they hold the username/password they hold the keys to the kingdom.

Resources