Routing with ASP.NET Web Forms with Forms Authentication - asp.net

FYI - This is not MVC.
I am using web form authentication and have the following in my web.config.
<authentication mode="Forms">
<forms loginUrl="~/en/Admin/Login" timeout="2880" defaultUrl="/DashBoard" />
</authentication>
I am also using Routing for bilingual/culture.
My route looks like this:
RouteTable.Routes.MapPageRoute(
routeName, "{lang}/Admin/Login", "/Admin/Login.aspx", true, defaults, constraints, dataTokens);
If a user tries to access a restricted page they will be redirected to /en/Admin/Login based the value in the web.config. My problem is if a user is viewing the site in french, the page is redirected to the English log in page when it needs to redirect to /fr/Admin/Login.
Is there any way around this as the entire site needs to be bilingual?

On the default (en//admin/login) page, parse the referring URL and redirect as needed. (Assuming locale is determined on your site by the culture marker in the URL path.) Eg,
var referrer = Request.QueryString["ReturnUrl"];
if (!string.IsNullOrEmpty(referrer))
{
if (!referrer.Contains("/Admin/Login"))
{
if (referrer.Contains("/fr/")) Response.Redirect("/fr/Admin/Login");
else if (referrer.Contains("/de/")) Response.Redirect("/de/Admin/Login");
// etc.
}
}
Of course that could be improved/simplified by using a regular expression to parse the referrer and checking against valid locales.

I found a similar issue with a few work arounds, but no true solution.
How to redirect to a dynamic login URL in ASP.NET MVC
Here's my solution:
1) I added a session variable to keep track of what language the user has selected.
(Ex: Session["lang"] = "fr")
2) I made my login page /admin/default.aspx in the web.config like below:
<authentication mode="Forms">
<forms loginUrl="~/Admin/Default.aspx" timeout="2880" defaultUrl="/en/DashBoard" />
</authentication>
3) In my page load event for /admin/default.aspx I determine what language is set and redirect to the actual login page using the language from the session.
if (HttpContext.Current.User.Identity.IsAuthenticated)
// Redirect to dashboard
...
else
{
string returnUrl = "";
if (Request.QueryString["ReturnUrl"] != null)
returnUrl = "?ReturnUrl=" + Request.QueryString["returnUrl"].ToString();
string selectedLanguage = "";
if (Session["lang"] != null)
selectedLanguage = Session["lang"].ToString();
else
selectedLanguage = "en";
string loginURL = ConfigurationManager.AppSettings["Auth.LoginUrl"].ToString();
loginURL = loginURL.Replace("{lang}", selectedLanguage);
Response.Redirect(loginURL + returnUrl);
}

Related

Form Authentication issue

Trying to use form authentication to only allow access to a page once they have logged in via the login page. When I login and attempt the redirect it just redirects me back to the login page.
Web Login Control
protected void WebGenLogin_Authenticate(object sender, AuthenticateEventArgs e)
{
//Verify user against active directory
if (new AD().validate(WebGenLogin.UserName, WebGenLogin.Password))
{
Session["UserAuthentication"] = WebGenLogin.UserName;
Session.Timeout = 30;
FormsAuthentication.RedirectFromLoginPage(WebGenLogin.UserName, WebGenLogin.RememberMeSet);
Response.Redirect("~/WebGen/Gen/Create.aspx");
}
else
{
Session["UserAuthentication"] = "";
Response.Redirect("http://thekickback.com/rickroll/rickroll.php");
}
}
Create.aspx Web.config
<authentication mode="Forms">
<forms defaultUrl="~/WebGen/Gen/Create.aspx" loginUrl="../Login.aspx" slidingExpiration="true" timeout="30" />
</authentication>
Can you try this:
if (new AD().validate(WebGenLogin.UserName, WebGenLogin.Password))
{
Session["UserAuthentication"] = WebGenLogin.UserName;
Session.Timeout = 30;
FormsAuthentication.SetAuthCookie(WebGenLogin.UserName, false);
FormsAuthentication.RedirectFromLoginPage(WebGenLogin.UserName, WebGenLogin.RememberMeSet);
***SNIP***
I don't know what type of object AD() calls into, but you may not be using the default ASP.NET membership functionality. As I recall, the ValidateUser method on the membership class has the side-effect of actually logging the user in if it returns true.
After authenticating the user, you may need to set HttpContext.User to a new IPrincipal representing the user, and then call FormsAuthentication.SetAuthCookie() before redirecting them.
Ok I figured it out. It had nothing to do with my code. I did however remove storing the username in the session.
What I have to do was change the root site on IIS to an application.
Authentication mode line was placed in the root with Login.aspx
Create.aspx was in another folder. I removed the authentication mode from it's Web.config and just put in the deny section and all is working correctly.
The code actually worked. Found it to be an issue with IIS. Needed to turn the entire folder structure into an application rather than other parts of it.

Proper creation of a cross-domain forms authentication cookie

I'm just creating a simple test between two server. Basically if a user has already authenticated I want to be able to pass them between applications. I changed the keys to hide them
I have three questions:
What is the proper way to validate the cookie across domain application. For example, when the user lands at successpage.aspx what should I be checking for?
Is the below code valid for creating a cross domain authentication cookie?
Do I have my web.config setup properly?
My code:
if (authenticated == true)
{
//FormsAuthentication.SetAuthCookie(userName, false);
bool IsPersistent = true;
DateTime expirationDate = new DateTime();
if (IsPersistent)
expirationDate = DateTime.Now.AddYears(1);
else
expirationDate = DateTime.Now.AddMinutes(300);
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
1,
userAuthName,
DateTime.Now,
expirationDate,
IsPersistent,
userAuthName,
FormsAuthentication.FormsCookiePath);
string eth = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, eth);
if (IsPersistent)
cookie.Expires = ticket.Expiration;
cookie.Domain = ".myDomain.com";
Response.SetCookie(cookie);
Response.Cookies.Add(cookie);
Response.Redirect("successpage.aspx");
}
My config:
<authentication mode="Forms">
<forms loginUrl="~/Default.aspx" timeout="2880" name=".AUTHCOOKIE" domain="myDomain.com" cookieless="UseCookies" enableCrossAppRedirects="true"/>
</authentication>
<customErrors mode="Off" defaultRedirect="failure.aspx" />
<machineKey decryptionKey="#" validationKey="*" validation="SHA1" decryption="AES"/>
What is the proper way to validate the cookie across domain application.
For example, when the user lands at successpage.aspx what should I be checking for ?
There shouldn't be anything to check. Forms authentication mechanism will retrieve the ticket from the cookie, check if it is valid. If not present, or invalid, user will redirected to ~/Default.aspx .
This will work provided your cookie matches the configuration of your web.config
Is the below code valid for creating a cross domain authentication cookie ?
I think you shouldn't try to override the settings of your web.config by manually handling the cookie. I think there are better ways for handling cookie persistence (see below for web.config) and you are just implementing a part of the Forms authentication API (loosing web.config for SSL for example )
here, your manual cookie is not HttpOnly : you could for example be subject to cookie theft through XSS
FormsAuthentication has its own way of handling the cookie (see the TimeOut attribute description in http://msdn.microsoft.com/en-us/library/1d3t3c61%28v=vs.80%29.aspx) Your cookie persistence mechanism will be overwritten by this automatic behavior
Your code should just be :
if (authenticated)
{
bool isPersistent = whateverIwant;
FormsAuthentication.SetAuthCookie(userName, isPersistent );
Response.Redirect("successpage.aspx");
}
Do I have my web.config setup properly?
It should be ok for the domain attribute, as long as you want to share authentication among direct subdomains of mydomain.com (it won't work for x.y.mydomain.com), and mydomain.com is not in the public suffix list ( http://publicsuffix.org/list/ )
I would change the timeout and slidingExpiration attributes to :
<forms loginUrl="~/Default.aspx" timeout="525600" slidingExpiration="false" name=".AUTHCOOKIE" domain="myDomain.com" cookieless="UseCookies" enableCrossAppRedirects="true"/>
I guess it is a good way to handle the choice between one year persistent cookies and session cookies. See https://stackoverflow.com/a/3748723/1236044 for more info

Sharing ASP.NET cookies across sub-domains

I have two sites, both on the same domain, but with different sub-domains.
site1.mydomain.example
site2.mydomain.example
Once I'm authenticated on each, I look at the cookies included in subsequent request and they are identical for each site.
However, if I log into the first site, and then navigate to the other, I expect my cookie from site 1 to be sent with the request to site2, but this is not the case. Here are the properties of my cookies.
Logging into Site1, this cookie then exists
Name = MySite
Domain =
Has Keys = False
HttpOnly = False
Path = /
Value = 1C41854066B03D8CC5679EA92DE1EF427DAC65D1BA0E672899E27C57245C1F0B7E93AB01B5563363AB4815A8F4BDE9D293FD261E03F8E60B8497ABBA964D8D315CCE1C8DD220C7176E21DC361935CF6
Expires = 1/1/0001 12:00:00 AM
Logging into Site2, these cookies then exists.
Name = MySite
Domain =
Has Keys = False
HttpOnly = False
Path = /
Value = C8C69F87F993166C4D044D33F21ED96463D5E4EB41E1D986BF508DA0CBD5C2CA7D782F59F3BC96871108997E899FF7401C0D8615705BDB353B56C7E164D2302EE6731F41705016105AD99F4E0578ECD2
Expires = 1/1/0001 12:00:00 AM
I've set the domain on each (doesn't show up in a request cookie as it's only needed on the client).
I've made sure my Forms setting for each are identical
I've made sure my machine key settings are the same in both web configs.
I'm at a loss on why this isn't working. What is it that a cookie contains that the client will send it for one sub-domain and not the other when they are both using the same auth cookies so far as I can tell?
Please comment if there is more info you'd like to see. I've been struggling with this for two days now. According to this article this should be working.
code added
Here is my config file setting for my authentication. This is used in both sites.
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn"
defaultUrl="~/Home/Index"
name="MySite"
protection="All"
path="/"
domain="mydomain.example"
enableCrossAppRedirects="true"
timeout="2880"
/>
And here is my code to create the cookie in Site1.
//Add a cookie that the Site2 will use for Authentication
var cookie = FormsAuthentication.GetAuthCookie(userName, true);
cookie.Name = "MySite";
cookie.HttpOnly = false;
cookie.Expires = DateTime.Now.AddHours(24);
cookie.Domain = "mydomain.example";
HttpContext.Response.Cookies.Add(cookie);
HttpContext.Response.Redirect(site2Url,true);
UPDATE 2:
I noticed something strange while testing. When I add a cookie to the response for site1, it get's added to this directory...
C:\Users\jreddy\AppData\Roaming\Microsoft\Windows\Cookies
When I add a cookie to the response for site, it gets added to this directory...
C:\Users\jreddy\AppData\Roaming\Microsoft\Windows\Cookies\Low
That could be my problem. Could it be that one of my sites is included in the local intranet zone?
UPDATE 3: Problem found, solution unknown
It seems that my problem has to do with my second site being part of the Local Intranet Zone. If I go to Site1 using Firefox it works, but I have to enter my Windows credentials. If I go thru IE, my credentials are picked up automatically, but the cookies can't be read by site2. I may ask this in another question.
Set the property of Domain to .mydomain.example in each Cookies of two subdomains websites. Like:
Response.Cookies["test"].Value = "some value";
Response.Cookies["test"].Domain = ".mysite.example";
In Site A:
HttpCookie hc = new HttpCookie("strName", "value");
hc.Domain = ".mydomain.example"; // must start with "."
hc.Expires = DateTime.Now.AddMonths(3);
HttpContext.Current.Response.Cookies.Add(hc);
In Site B:
HttpContext.Current.Request.Cookies["strName"].Value
Add new cookie and specify domain like this
HttpCookie cookie = new HttpCookie("cookiename", "value");
cookie.Domain = "domain.example";
For forms authentication set this in web.config
<forms name=".ASPXAUTH"
loginUrl="login.aspx"
protection="All"
timeout="30"
path="/"
requireSSL="false"
domain="domain.example">
</forms>
The cookie will be accessible to all the subdomains.
In order for each domain to decrypt the the cookie, all web.config files must use the same encryption/decryption algorithm and key. (how to create a machine key)
Example:
// do not wrap these values like this in the web.config
// only wrapping for code visibility on SO
<machineKey
validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75
D7AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281
B"
decryptionKey="ABAA84D7EC4BB56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719
F"
validation="SHA1"
decryption="AES"
/>
For easier deployments, these values can be stored in a separate file:
<machineKey configSource="machinekey.config"/>
For added security you can also encrypt the machine key for further protection..
If you're using Forms authentication on all of your sub domains, all you need to do is to add domain=".mydomain.example" property to the <forms> node in your web.config
Note the leading period in .mydomain.example
This simple change by itself will make your authentication cookie valid in all sub-domains; no need to manually set any cookies.
I've created a HttpContext extension method that will write a sub domain safe cookie.
Blog post and discussion
public static class HttpContextBaseExtenstions
{
public static void SetSubdomainSafeCookie(this HttpContextBase context, string name, string value)
{
var domain = String.Empty;
if (context.Request.IsLocal)
{
var domainSegments = context.Request.Url.Host.Split('.');
domain = "." + String.Join(".", domainSegments.Skip(1));
}
else
{
domain = context.Request.Url.Host;
}
var cookie = new HttpCookie(name, value)
{
Domain = domain
};
context.Response.SetCookie(cookie);
}
}
// usage
public class MyController : Controller
{
public ActionResult Index()
{
this.Context.SetSubdomainSafeCookie("id", Guid.NewGuid().ToString());
return View();
}
}

FormsAuthentication.RedirectFromLoginPage to a custom page

Hi i'm using the FormsAuthentication.RedirectFromLoginPage for the user login and for redirect to default.aspx page.
I want that if a user called admin do the login is redirected to the page admin.aspx
Is it possible?
Try this, I think it's the closest you will get with a simple solution:
FormsAuthentication.SetAuthCookie(username, true);
Response.Redirect("mypage.aspx");
Authenticating Users
Assuming you have gone through my previous article mentioned above, you have a login page. Now when user clicks Login button Authenticate method fires, lets see code for that method.
protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
{
string userName = Login1.UserName;
string password = Login1.Password;
bool rememberUserName = Login1.RememberMeSet;
// for this demo purpose, I am storing user details into xml file
string dataPath = Server.MapPath("~/App_Data/UserInformation.xml");
DataSet dSet = new DataSet();
dSet.ReadXml(dataPath);
DataRow[] rows = dSet.Tables[0].Select(" UserName = '" + userName + "' AND Password = '" + password + "'");
// record validated
if (rows.Length > 0)
{
// get the role now
string roles = rows[0]["Roles"].ToString();
// Create forms authentication ticket
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
1, // Ticket version
userName, // Username to be associated with this ticket
DateTime.Now, // Date/time ticket was issued
DateTime.Now.AddMinutes(50), // Date and time the cookie will expire
rememberUserName, // if user has chcked rememebr me then create persistent cookie
roles, // store the user data, in this case roles of the user
FormsAuthentication.FormsCookiePath); // Cookie path specified in the web.config file in <Forms> tag if any.
// To give more security it is suggested to hash it
string hashCookies = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hashCookies); // Hashed ticket
// Add the cookie to the response, user browser
Response.Cookies.Add(cookie); // Get the requested page from the url
string returnUrl = Request.QueryString["ReturnUrl"];
// check if it exists, if not then redirect to default page
if (returnUrl == null) returnUrl = "~/Default.aspx";
Response.Redirect(returnUrl);
}
else // wrong username and password
{
// do nothing, Login control will automatically show the failure message
// if you are not using Login control, show the failure message explicitely
}
}
you can check it by placing hard core role name or by fetching user roll from database. i have modified this for my entity framework.
TestEntities entities = new TestEntities();
var user = (from s in entities.UserTables
where s.UserName == loginControl.UserName
&& s.Password == loginControl.Password
select s).SingleOrDefault();
and placed the user role as:
user.Role
Along this you have do some changes in the Global.asax file
Till now we have set the Forms Authentication ticket with required details even the user roles into the cookie, now how to retrive that information on every request and find that a request is coming from which role type? To do that we need to use Application_AuthenticateRequest event of the Global.asx file. See the code below.
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
// look if any security information exists for this request
if (HttpContext.Current.User != null)
{
// see if this user is authenticated, any authenticated cookie (ticket) exists for this user
if (HttpContext.Current.User.Identity.IsAuthenticated)
{
// see if the authentication is done using FormsAuthentication
if (HttpContext.Current.User.Identity is FormsIdentity)
{
// Get the roles stored for this request from the ticket
// get the identity of the user
FormsIdentity identity = (FormsIdentity)HttpContext.Current.User.Identity;
// get the forms authetication ticket of the user
FormsAuthenticationTicket ticket = identity.Ticket;
// get the roles stored as UserData into the ticket
string[] roles = ticket.UserData.Split(',');
// create generic principal and assign it to the current request
HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(identity, roles);
}
}
}
}
In this even, after checking if user exists, he/she is authenticated and the identy type of th user is FormsIdentity, I am getting the current Identity of the user and getting the ticket I have set at the time of Authentiacting. Once I have the authenticated ticket, I just got the UserData from the ticket and split it to get roles (remember, we had stored the roles as comma separated values). Now, we have current users roles so we can pass the roles of the current user into the GenericPrincipal object along with the current identity and assign this to the curent user object. This will enable us to use the IsInRole method to check if a particular user belongs to a particular role or not.
How to Check if user has a particular role?
To check if a user belong to a particulr role, use below code. This code will return true if the current record is coming from the user who is authenticated and has role as admin.
HttpContext.Current.User.IsInRole( "admin" )
How to check if user is authenticated?
To check if the user is authenticated or not, use below code.
HttpContext.Current.User.Identity.IsAuthenticated
To get UserName of the Authenticated User
HttpContext.Current.User.Identity.Name
Remember on thing .. this code require some webconfig settings in the forms tag as:
Add following Authentication setting into your web.config file under .
<authentication mode="Forms">
<forms defaultUrl="default.aspx" loginUrl="~/login.aspx" slidingExpiration="true" timeout="20" ></forms>
</authentication>
For every user if you want to secure a particular folder, you can place setting for them either in parent web.config file (root folder) or web.config file of that folder.
Specify Role settings for the folder in root web.config file (in this case for Admin)
<location path="Admin">
<system.web>
<authorization>
<allow roles="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
Write this code outside but under tag in the root's web.config file. Here, I am specifying that if the path contains the name of folder Admin then only user with "admin" roles are allowed and all other users are denied.
Specify Role settings for the folder in folder specific web.config file (in this case for User)
<system.web>
<authorization>
<allow roles="User"/>
<deny users="*"/>
</authorization>
</system.web>
Write this code into web.config file user folder. You can specify the setting for the user in root's web.config file too, the way I have done for the Admin above. This is just another way of specifying the settings. This settings should be placed under tag.
Specify setting for Authenticated user
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
Write this code into web.config file of the Secure folder. This is specifying that all anonymous users are denied for this folder and only Authenticated users are allowed irrespective of their roles.
hope this will give you little idea to solve your problem. it is working fine for me.
hope you will also solve your problem.
If you are using the ASP.NET MembershipProvider login control, you can write your logic in the LoggedIn event
<asp:Login id="Login1" runat="server" OnLoggedIn="OnLoggedIn"></asp:Login>
protecetd void OnLoggedIn(object sender, EventArgs e)
{
if(Roles.IsUserInRole(User.Identity.Name, "Administrators"))
{
//Redirect to admin page
Response.Redirect("~/Admin.aspx");
}
}
Don't forget to put some protection on the admin.aspx page aswell, incase someone types in the url directly
The default behavior is to redirect to the originally requested resource, so if a user tried to access 'admin.aspx' and isn't authenticated, the user is sent to the login page. After successfully authenticating, the user is sent to the originally requested url (admin.aspx).
user -> "admin.aspx" -> noauth -> login -> "admin.aspx"
So instead of manually trying to send users somewhere, is using this default behavior not going to work for you? The default behavior is actually "robust" (it can be "admin2.aspx", "admin3.aspx" and so on... you can have any number of "protected resources" and the built in process handles all of it....)

Object Moved error while consuming a webservice

I've a quick question and request you all to respond soon.
I've developed a web service with Form based authentication as below.
1.An entry in web.config as below.
<authentication mode="Forms">
<forms loginUrl="Loginpage.aspx" name=".AuthAspx"></forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<authentication mode="Forms">
<forms loginUrl="Loginpage.aspx" name=".AuthAspx"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
2.In Login Page user is validate on button click event as follows.
if (txtUserName.Text == "test" && txtPassword.Text == "test")
{
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, // Ticket version
txtUserName.Text,// Username to be associated with this ticket
DateTime.Now, // Date/time ticket was issued
DateTime.Now.AddMinutes(50), // Date and time the cookie will expire
false, // if user has chcked rememebr me then create persistent cookie
"", // store the user data, in this case roles of the user
FormsAuthentication.FormsCookiePath); // Cookie path specified in the web.config file in <Forms> tag if any.
string hashCookies = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hashCookies); // Hashed ticket
Response.Cookies.Add(cookie);
string returnUrl = Request.QueryString["ReturnUrl"];
if (returnUrl == null) returnUrl = "~/Default.aspx";
Response.Redirect(returnUrl);
}
3.Webservice has a default webmethod.
[WebMethod]
public string HelloWorld()
{
return "Hello World";
}
4.From a webApplication I am making a call to webservice by creating proxy after adding the webreferance of the above webservice.
localhost.Service1 service = new localhost.Service1();
service.AllowAutoRedirect = false;
NetworkCredential credentials = new NetworkCredential("test", "test");
service.Credentials = credentials;
string hello = service.HelloWorld();
Response.Write(hello);
and here while consuming it in a web application the below exception is thrown from webservice proxy.
<html><head><title>Object moved</title></head><body>
<h2>Object moved to here.</h2>
</body></html>
Could you please share any thoughts to fix it?
You need to set
service.AllowAutoRedirect = true
If you are planning to redirect in your code.
Just tried this and worked: Go to the website where you are hosting the web service in IIS, click on Session State, change the Cookie Setting's Mode to Use Cookies. Done.
You need to set both
service.AllowAutoRedirect = true;
service.CookieContainer = new CookieContainer();

Resources