I have an iOS app that uses a UIWebView to display pages from an ASP.NET site. The user logs into the site through the UIWebView, which creates the forms authentication cookie and authenticates any further page loads in the UIWebView.
I'm attempting to use this same cookie to authenticate some HTTP requests that are done with an ASIHttpRequest.
Supposedly this should happen automatically, but it wasn't working. I'm now explicitly setting the cookie for ASP.NET_SessionId on the ASIHttpRequest, and the request is still not authenticated; it ends up redirected to a login page.
Is there something in the forms authentication cookie that would make it specific to the UIWebView where it wouldn't also work with an ASIHttpRequest?
Ah, apparently this was related to ASP.NET not recognizing that the UIWebView browser supported cookies (even though the authentication mostly worked in the UIWebView).
I added the generic.browser file as seen in this other question -
Asp.Net Forms Authentication when using iPhone UIWebView
Related
I have forms authentication set up through a Web API project. The forms auth works fine to log the user in to the web site (note: the API server is not the same server as the web server). However, the API services I have restricted to logged-in users are returning a 401, because Request.IsAuthenticated = false when I send the very same forms auth cookie the API server just set back to itself.
I have no idea why this is happening. I verified the .ASPXAUTH cookie is being sent with the request. Forms Auth is set up consistently across the API and the website, and the website picks up the forms auth cookie just fine. Why is my API server not recognizing my user as logged in, even though the API server itself set the cookie?
Figured it out. The issue was a browser conflict with one of my Chrome add-ons. Once I opened the site up in an incognito window sans add-ons, it worked as expected.
I have created an STS and a relying website that is able to authenticate using the STS via WIF. In all browsers but IE9 this works well. In IE9, after logging in and using the relying website for about 5 minutes (not consistent, but usually happens after 5 to 10 minutes) the user is redirected back to the STS to sign in again.
However, the user is not really signed out of the STS. If the user simply refreshes the sign in page of the STS, a new tab opens and takes them back to the relying website.
I am very puzzled by this behavior, and can only reproduce it in IE9. Any ideas what might be causing this?
It sounds like your session cookie is expiring too early. Can you check your site's web.config and see what persistentSessionLifetime you have set in the cookie handler (if any)?
This post has some detail:
How do I increase session timeout with W.I.F / SAML tokens / FedAuth cookie
Hi,
I need to determine how my site uses cookies so I can inform the user in a proper way.
The solution is an ASP.NET MVC website using .NET Membership. I'm storing data in sessions on the server, but nothing is saved manually to cookies on the client. I suppose, however, that ASP.NET Membership is using cookies (for auto login), but I'm not sure which data it really stores on the client?
Could you please explain or give me a link for this?
Best regards
The forms authentication ticket (the cookie on the client) stores values such as the username and cookie expiration time along with some other boolean fields related to the remember me checkbox and sliding expiration. This is if you use cookie-based forms authentication which is the default and a typical choice. More information can be found at the following site:
Forms Authentication Explained
It is important to note that sessions and the forms authentication ticket (cookie) are not related in any way. You can have a session without being logged in and you can login and never touch the session object. This is an important difference.
EDIT
This cookie is not used for 'auto login'. After authentication, putting in a username and password, the cookie is created and is used for authorization - can you access these resources - throughout your site.
ASP.NET Membership enabled sites will have up to 3 cookies:
Session token
Authentication token
Roles cache (if enabled in web.config)
To see them, open your site in the browser of your choice, log in, and inspect the cookies. In IE it's Tools -> Internet Options -> Settings (next to Browsing History) -> View Files
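The same inspection can be done on the Set-Cookie response headers instead of the browser UI. The following is an added example, not part of the original answers: it classifies constructed header values using the default ASP.NET cookie names (ASP.NET_SessionId, .ASPXAUTH, .ASPXROLES); the `theme` cookie and all cookie values are made up, and a site may rename the defaults in web.config.

```python
from email.utils import parsedate_to_datetime

# Default ASP.NET cookie names (assumption: the site has not renamed them).
KNOWN = {
    "ASP.NET_SessionId": "session token",
    ".ASPXAUTH": "authentication token",
    ".ASPXROLES": "roles cache",
}

# Constructed Set-Cookie header values (not captured from a real site).
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=constructed-sid; path=/; HttpOnly",
    ".ASPXAUTH=CONSTRUCTED0123; expires=Wed, 01 Jan 2031 10:00:00 GMT; path=/; HttpOnly",
    ".ASPXROLES=CONSTRUCTED4567; path=/",
    "theme=dark; Max-Age=86400; path=/",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, lower-cased attributes)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def lifetime(attrs):
    """Classify by Max-Age, then Expires; Expires is not compared to 'now'."""
    try:
        return "persistent" if int(attrs["max-age"]) > 0 else "expired"
    except (KeyError, ValueError):
        pass  # no usable Max-Age, fall back to Expires
    try:
        parsedate_to_datetime(attrs["expires"])
        return "persistent"  # written to disk, survives a browser restart
    except (KeyError, TypeError, ValueError):
        return "session"  # no usable Expires: dropped when the browser closes

def audit(headers):
    """Report kind, lifetime and protective flags for each cookie."""
    report = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        report.append({"name": name, "kind": KNOWN.get(name, "other"),
                       "lifetime": lifetime(attrs),
                       "httponly": "httponly" in attrs, "secure": "secure" in attrs})
    return report
```

In this sample the authentication cookie is persistent and none of the cookies carries the Secure flag, which are the two things a reviewer would look at first.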
I have a desktop app
I authenticate using the WCF authentication service login method, by calling it from the desktop application.
Everything seems to work.
I then open Internet Explorer and try to browse to a protected page.
I get bounced to the login.
Why? How can I authenticate using the WCF Service?
Internet Explorer and your desktop app are not the same application, so the forms authentication cookie can't be read/encrypted/decrypted by both at the same time. A method you might try is to embed a web-browser control in your desktop app (even make it invisible if you like) and perform a post login through an HttpWebRequest object (formulating post headers etc). This would instantiate a web browser and generate an auth cookie at the same time your desktop app logs in. I can't vouch for the security of it though.
I need to ask:
I use Forms Authentication in my ASP.NET application,
but when I publish the site, if the user logs in and then just closes the browser without signing out, the next time he browses to it he is redirected to the default page.
How can I enforce redirecting him to the login page even if he didn't sign out?
You should see the documentation for forms authentication specified here. You can force the cookies to expire whenever you want by setting the timeout attribute. Also, you could not use cookies at all by using the cookieless attribute. There are other optional attributes that could be useful for you, that might not be related to your question as well.
It will depend on whether or not their asp.net session id cookie still exists, or whether they have cookies enabled at all. To enforce redirecting to the login page you will need to find out how to make the cookies be lost when the browser is closed. In my experience this is the default behaviour anyway.
I would suggest you check the ASP.NET Membership, Profile and Role providers to specifically manage user logins, passwords and their profiles.
This is one of the good articles from Scott Gu that you should bookmark when you want to work with Membership and Profiles.