Securing asp.net web app with Form Authentication - asp.net

In my ASP.NET web app, I have login.aspx.
I force every user to go through Login.aspx by setting this in web.config:
<authentication mode="Forms">
<forms name="coockie_aut" loginUrl="login.aspx" protection="All" path="/" timeout="60" slidingExpiration="true"/>
</authentication>
My question is:
Using forms authentication and loginUrl, would it prevent anyone from trying to hack any web page without first accessing Login.aspx? Does it mean that users will always, always be forced to access Login.aspx first?

That depends what you mean by "hack". Default Forms Authentication will redirect any request with no session authentication token to the login page. There are all kinds of session stealing, man-in-the-middle, brute-force, and other varieties of attacks that you may still be vulnerable to.
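As an added example (not code from the question or the answer above), a web.config in which the `<authorization>` element is what actually denies anonymous requests, and the ticket cookie is marked HTTPS-only and HttpOnly; the `Content` folder used for public static assets is an assumption:

```xml
<!-- Added example, not from the original post. loginUrl only says where unauthenticated
     users are sent; without <authorization> every page stays reachable anonymously. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="coockie_aut"
             loginUrl="login.aspx"
             protection="All"
             path="/"
             timeout="60"
             slidingExpiration="true"
             requireSSL="true"
             cookieless="UseCookies" />  <!-- never put the ticket in the URL -->
    </authentication>
    <!-- "?" is the anonymous user; first matching rule wins. The loginUrl page
         itself is always reachable, so no separate rule is needed for it. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
    <!-- Apply HttpOnly and the Secure flag to all cookies, including the ticket. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <!-- Assumed folder holding CSS/scripts the login page needs; opened to anonymous users. -->
  <location path="Content">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place a request for any page other than login.aspx (or Content) without a valid ticket gets a 401 that Forms Authentication turns into the redirect to loginUrl; the remaining risks the answer lists (ticket theft, brute-forcing the login form) are not addressed by this file.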

Related

Page requires HTTP; ASP.NET authorization requires HTTPS

On an ASP.NET website hosted on Azure, I need to secure a page so that only certain users can access it. Because of a javascript library used in the page, it will work correctly only when served over HTTP, but the ASP.NET authentication will not allow access unless the page is served over HTTPS.
To limit access to the secure page, I added a Web.config file to the folder containing the page:
<configuration>
<system.web>
<authorization>
<allow roles="Admin" />
<allow roles="Map Viewer" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
The main web.config file sets up forms authentication.
<authentication mode="Forms">
<forms loginUrl="~/account/login/"
requireSSL="true"
timeout="2880" />
</authentication>
This works like a charm if you access the secured page through https (e.g. https://example.com/Map). You are prompted to log in, you enter your credentials, and then you go to the page. As noted above, the page will not work correctly if served over http. However, ASP.NET authentication/authorization won't allow you to access it:
1. If you are not logged in and try to access the page over http, you are redirected to the site home page once you log in.
2. If you are logged in and try to access the page over http, you are shown the log in screen even though you are already logged in.
No other secure pages on the site require HTTP to work correctly, and this form-based authentication process has been working fine for those pages for years.
Set the requireSSL attribute to false, or remove it (requireSSL is false if no value is specified). If requireSSL is set to true, then the server will not accept authentication cookies unless they are sent to the server over an HTTPS connection. When this attribute is removed, the server will accept authentication cookies from both HTTP and HTTPS.

How to allow two different ASP.NET sessions in the same domain name/ ip address?

So I am building two different apps using the MVC 4 and MVC 5 frameworks. They are both hosted under the same IP address.
Both of them are fighting for the session cookie (called .ASPXAUTH by default). So if I log in on app1, app2 will sign out and vice versa.
I tried customizing the cookie name on the Web.config:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" defaultUrl="~/Service/Index" name=".ASPXAUTH_Mobile" timeout="5" protection="All" cookieless="UseCookies" />
</authentication>
This actually changed the cookie name on app1, but it still got overridden by the cookie on app2 as soon as I signed on to app2.
Any suggestions on getting both apps sessions to work at the same time?
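An added example (not from the question) of giving each application its own ticket cookie by setting both `name` and `path`; the virtual directories `/app1` and `/app2` are assumptions:

```xml
<!-- Added example, not from the original post. app1/Web.config -->
<system.web>
  <authentication mode="Forms">
    <!-- A unique name AND a path scoped to this app: the browser then stores two
         separate cookies instead of replacing one with the other. -->
    <forms name=".ASPXAUTH_App1"
           loginUrl="~/Account/LogOn"
           defaultUrl="~/Service/Index"
           path="/app1"
           timeout="5"
           protection="All"
           cookieless="UseCookies" />
  </authentication>
</system.web>

<!-- app2/Web.config -->
<system.web>
  <authentication mode="Forms">
    <forms name=".ASPXAUTH_App2"
           loginUrl="~/Account/LogOn"
           path="/app2"
           timeout="5"
           protection="All"
           cookieless="UseCookies" />
  </authentication>
</system.web>
```

Browsers compare the cookie path case-sensitively, so `/app1` must match the casing used in the URLs, and cookies are not isolated by port, so two sites on the same host name and different ports still share cookies unless the names differ.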

ASP.NET Authentication to persist when redirecting to Paypal

I have a website where, when the user registers, it creates the account, logs them in and then redirects them to PayPal to take a payment; PayPal then returns them back to my site. However, when the user returns to my site, they are no longer authenticated. Can anyone tell me how I can make the authentication persist when returning from PayPal, as I don't want the user to have to log in straight after they have registered?
I am quite new to asp.net, so any help is really appreciated.
What kind of authentication do you use? Forms authentication, Windows etc. Show us your web.config. Also make sure that the cookieless setting is set to the right value for your authentication. If you use a cookie, then your users will remain logged in after coming back from PayPal. A sample forms authentication setting is attached below:
<system.web>
<authentication mode="Forms">
<forms loginUrl="Login.aspx"
protection="All"
timeout="30"
name=".ASPXAUTH"
path="/"
requireSSL="false"
slidingExpiration="true"
defaultUrl="default.aspx"
cookieless="UseDeviceProfile" />
</authentication>
</system.web>

asp.net membership forms cookie not showing logged in across subdomains

We're using ASP.NET Membership for authentication at the root domain (www.domain.com) and then redirecting the user to a subdomain (sub.domain.com). When the user logs in from www they are being redirected to the login page on the subdomain, when they should be showing as logged in instead.
Both the machine key and the forms element in the web.config are identical.
In the event log we get
Forms authentication failed for the request. Reason: The ticket supplied was invalid.
Turns out it was an MS security update that did it.
UPDATE: security update available
What's worked for me is to set the domain attribute of the forms element to .domain.com. This should allow the user to log in at www.domain.com and then be logged in when accessing sub.domain.com. I've tested this having hacked my hosts file and it works okay.
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" domain=".domain.com" />
</authentication>

membership issue after online hosting

I have a shopping cart ASP.NET application. Presently I manage the login system by simply making a DB table with 2 fields, username and password, and in my web.config file I redirect all users to the login page with the authentication and authorization tags:
<authentication mode="Forms" >
<forms defaultUrl="default.aspx" loginUrl="login1.aspx" cookieless="AutoDetect" ></forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
On my login page I simply compare the username/password entered by the user with the database entry, and if the user is correct I call the function
FormsAuthentication.RedirectFromLoginPage(username, true);
which redirects the user to the home page. It works very fine on my local system and I have no issue. But recently I hosted my application online and there is some issue with my login system. When I log in to the site it's OK, but after some time the user is automatically thrown out of the site to the login page and has to log in again.
It sounds like your users are bumping up against a cookie expiry. Add the following attributes to your <forms> element:
<forms defaultUrl="default.aspx" loginUrl="login1.aspx" cookieless="AutoDetect" slidingExpiration="true" timeout="60" />
By default, sliding expiration SHOULD be set to true, but if it's not, 30 minutes after a user logs in, their authentication will expire no matter if they've visited other site pages since that time. By default, the timeout period is also supposed to be set to 30 minutes from last refresh, so if your user is idle for 30 minutes, they will have to renew the authentication cookie in order to access secured content. You can extend this to whatever value you like, such as "60" in the above example.
You can find out more about these attributes at the MSDN reference page.
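An added example (not from either answer) covering both this question and the subdomain one above: an explicit `<machineKey>`, so the ticket stays valid across application pool recycles and is accepted by every host that shares the key. The key values are placeholders to be replaced with locally generated hex keys:

```xml
<!-- Added example, not from the original posts. With no explicit machineKey the
     key is auto-generated per process, so a pool recycle or a second server
     cannot validate tickets issued earlier, and the user is sent back to login. -->
<system.web>
  <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS_VALIDATION_KEY"
              decryptionKey="REPLACE_WITH_64_HEX_CHARS_DECRYPTION_KEY"
              validation="HMACSHA256"
              decryption="AES" />
  <authentication mode="Forms">
    <forms defaultUrl="default.aspx"
           loginUrl="login1.aspx"
           cookieless="UseCookies"
           slidingExpiration="true"
           timeout="60"
           protection="All" />
  </authentication>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
```

The same validationKey/decryptionKey pair must be deployed to every application that is expected to honour the ticket (e.g. www.domain.com and sub.domain.com), and it should be treated as a secret, since anyone holding it can forge tickets.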
