I need to integrate two ASP.NET sites user-wise. I have a Web Pages ASP.NET 4 site that allows users to login. It has a custom user provider. Now I have written an ASP.NET MVC3 site that needs to work seamlessly with the Web Pages site and to only allow certain actions to be called by certain users that come from Web Pages site's user provider. As a final resort, MVC site can access user datastore of the Web Pages site.
P.S. I can configure ASP.NET MVC site to be in a sub-folder of a Web Pages site in IIS if this is necessary.
To setup FormsAuthentication to be used across multiple sub-domains, configure the following:
Specify the domain of the Authentication cookie without a particular sub-domain - allows the browser to access the Authentication ticket from any sub-domain:
<!-- ... -->
<authentication mode="Forms">
<forms loginUrl="/Index" domain="authtest.com"> ... </forms>
<!-- ... -->
</authentication>
<!-- ... -->
Make sure the separate applications use the same machine keys so they can encrypt/decrypt the authentication ticket properly:
<!-- ... -->
<system.web>
<machineKey validationKey=" ... 3D26FD5F940C2FD0AF8065F29A"
decryptionKey=" ... 940CD33EBCE5065F2F2334D"
validation="SHA1" decryption="AES" />
<!-- ... -->
</system.web>
<!-- ... -->
Everything else is standard ASP.Net Authentication details/configurations.
Related
I have a asp.net webform application (ProA). It was built some time ago by someone else, although I can access source code. Now, I finished another application which is a MVC5 (ProB).
ProA uses asp.net membership for authenticate users. ProB is not using any membership. Now, we want to add user authenticate to ProB, and also some parts of ProB is using username as parameter for some data.
Now, we want to force user login from ProA, then maybe click a link/button, redirect the user to ProB. In ProB, we create an authorize filter to verify the user has the right, then show the pages.
I have tried to use forms authentiction across applications, described in: Forms Authentication Across Applications . But it does not work. The changes I made in web.config is:
<authentication mode="Forms">
<forms name="X.ASPXAUTH" loginUrl="~/Login.aspx" path="/"
protection="All"
enableCrossAppRedirects="true"
/>
</authentication>
Could it be because that one is webform and the other is MVC? Also, ProB actually does not have any membership installed yet, does it affect this form authentiction?
Any other suggestions?
Thanks.
--- Added more info:
1) I'm testing on my local machine. I run both sites in VS2012. What should I use for domain? "localhost"? ".localhost"? or, not use domain at all? seems not working.
2) I added a button on ProA, when clicked, use this redirect to ProB:
HttpContext.Current.Response.Redirect("http://localhost:12345/", false);
Is this the correct way? The HttpContext has the user identity.
3) Does ProB have to have membership? Now, ProB does NOT have membership feature, is it the reason?
You shouldn't have any issues with sharing the authentication across web forms and MVC apps. The underlying technology is the same, .Net uses an encrypted to cookie which has the forms auth ticket.
Read the following MSDN article: https://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx
The main things to note are the domain reference and the machineKey config.
The domain attribute of the forms auth config allows the browser to include that auth cookie with the requests sent to each site. Then the machineKey portion is the part that handles the encryption/decryption.
Both sites must have the config setup up identically for this to work, and also be running on the same domain i.e. xyz.contoso.com and abc.contoso.com
web.config
<configuration>
<system.web>
<authentication mode="Forms" >
<!-- The name, protection, and path attributes must match
exactly in each Web.config file. -->
<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH"
protection="All"
path="/"
domain="contoso.com"
timeout="30" />
</authentication>
<!-- Validation and decryption keys must exactly match and cannot
be set to "AutoGenerate". The validation and decryption
algorithms must also be the same. -->
<machineKey
validationKey="[your key here]"
decryptionKey="[your key here]"
validation="SHA1" />
</system.web>
</configuration>
EDIT
Use the following link to generate your machine keys: http://www.developerfusion.com/tools/generatemachinekey/
I am working on several asp.net sites simultaniously. All of them use cookie-based (out of the box) authentication mechnism. When a web site on localhost:4587 was being bedduged in VS I have logged in as an "admin" user and did some testing.
The next day I am opening different project for debugging that runs on localhost. And when I attempt to access the MVC controller action that is marked with Authorization atribute, the system assumes the current user is "admin" and is looking for it's roles based on a custom provider. But on this site, there isn't even a user named "admin". How can I make sure cookies from other sites don't make it to Role check in ASP.NET MVC application?
I would suggest it is always a good practice to delete all localhost cookies after testing. As explained here : asp.net cookies, authentication and session timeouts , you can also add details to the authentication cookie to ensure it is discarded after a session, ie when you close the browser or to differentiate between two sites. Another approach to avoid cookies 'clashing' is to use two different browsers : Chrome for the one and a Comodo Dragon or Chromium for the other.
Give your forms tag a unique name in each application
<authentication mode="Forms">
<forms name="myVeryUniqueNameForApp1" />
</authentication>
<authentication mode="Forms">
<forms name="myCompletelyUniqueNameForApp2" />
</authentication>
Previously, I have implemented two separate ASP.NET Web Applications, one as a virtual application in a subfolder of the other, which successfully shared forms authentication as described at http://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx
(basically, setting up identical <forms> sections in the Web.config, and keys in the <machineKey> section)
Now, I am trying to do something similar to get BlogEngine.NET (which is a Web Site, not a Web Application) to work sharing forms authentication with a Web Application of mine. I have tried both putting it as a virtual application in a subfolder, and setting it up as a separate IIS site (same domain name, different port number), but I can't get the authentication to work at all: when I go to the blog while logged in to my Web Application, Page.User.Identity.IsAuthenticated is always still "false".
I'm really not sure how to even start debugging this, since the forms authentication is handled before any of my code runs.
<authentication> section of the two Web.configs are the same:
<authentication mode="Forms">
<forms path="/" domain="localhost" timeout="129600" name=".WebSiteName"
protection="All" slidingExpiration="true" loginUrl="/admin/login.aspx"
cookieless="UseCookies"/>
</authentication>
And <machineKey> also:
<machineKey validationKey="DD45C42ACEAF1E208E9B78288177EBF9C8C7C54C6D05BA2FBA90B5348B8F6987216CB098056891CFE81DC33E37C5F9A2BF1845DBF902C6E4BBFEC2341FFA3635"
decryptionKey="0C69852D8BE0948D545C35B932D394102802FAF7FA46E99B4E5B5E12546E4620"
validation="SHA1" decryption="AES" />
Does anyone have any suggestions as to what I should check or try?
This was a good resource for this issue: http://blogs.msdn.com/b/cliffgreen/archive/2011/03/29/reporting-services-single-sign-on-sso-authentication-part-1.aspx
Note there are links within this article that are useful to read.
I'm seeing some new behavior in Forms Authentication after upgrading to .NET 4.0. This occurs only on IIS 6, not on 7.
Background - In web.config, we configure Forms Authentication, and then use <authorization> tags to globally deny anonymous/unauthenticated users access. Then we explicitly allow access to a login.aspx page using a <location> tag. Generally, this works fine, as it did when we were on .NET 2.0 (3.5).
The issue only occurs when we visit the root path of the site, ie "http://myserver/". Our default document is configured in IIS to be login.aspx. Under .NET 4.0, upon visiting that URL, we're redirected to "http://myserver/login.aspx?ReturnUrl=/". If you log in from here, you're logged in and returned back at the log in page (yuck).
Just wanted to post this here to see if anyone else is experiencing this. It's not listed on any "breaking changes" documentation I've been able to find. Either I'm missing something, or the UrlAuthorization module has changed and is no longer "smart" about IIS default documents.
You shouldn't have IIS defaulted to login.aspx.
ASP.NET have its own mechanisms for ensuring authenticated access.
In particular for any unauthenticated request to a content which requires authenticated users it will redirect it to the page specified in loginUrl attribute of the Web.config authentication\forms element.
...
<authentication mode="Forms" ...>
<forms name="login" loginUrl="login.aspx" ... />
</authentication>
...
('login.aspx' is a default value for that property)
I'm running the latest version of YetAnotherForum in a folder beneath my main WebApplication. The subfolder is configured as an application in IIS and navigating to the folder and logging in works wonderfully. YAF is setup with a membership provider and uses Forms Authentication.
What I'm trying to do now is to auto login a user into the forum from the main website. The main website uses custom authentication through sessions and cookies. It doesn't use any of the built in ASP.NET authentication or membership components.
So basically what I want to happen is that when a user click on a link to access the forums, they're sent to a processing page that authenticates them into the YAF Application before it sends them over to the subfolder.
Even though the main app doesn't use the built in authentications pieces, I've still set the authentication mode to forms and made sure the tag beneath that matches the one in the YAF web.config. Then, on the processing page I'm calling FormsAuthentication.SetAuthCookie(username, true), then redirecting. But YAF kicks me back to the login page anyway. Not sure where to go from here.
Main site is:
example.com/
web.config:
<authentication mode="Forms">
<forms name=".YAFNET_Authentication" protection="All" timeout="43200" cookieless="UseCookies" />
</authentication>
YAF is:
example.com/yaf (Seperate WebApplication in IIS)
web.config
<authentication mode="Forms">
<forms name=".YAFNET_Authentication" protection="All" timeout="43200" cookieless="UseCookies" />
</authentication>
Processing page is: (in pseudo)
example.com/autoLogin.aspx.cs
public void AutLogin(){
string userName = doStuffToGetUsername();
YAFStuff.CreateUserIfNeeeded(userName);
FormsAuthentication.SetAuthCookie(userName, true);
Response.Redirect("/yaf/");
}
I'd been searching Google for 2 days trying to sort this out, but I finally stumbled onto the solution. I needed a MachineKey that matched on both web.config files for the encryption process.
http://forum.yetanotherforum.net/yaf_postst8780_Custom-membership-and-role-provider-with-YAF-Profile-provider.aspx
Sweet!