asp.net membership forms cookie not showing logged in across subdomains - asp.net

We're using ASP.NET Membership for authentication at the root domain (www.domain.com) and then redirecting the user to a subdomain (sub.domain.com). When the user logs in from www they are redirected to the login page on the subdomain, when they should be shown as logged in instead.
Both the machine key and the forms element in the web.config are identical.
In the event log we get
Forms authentication failed for the request. Reason: The ticket supplied was invalid.
Turns out it was an MS security update that did it.
UPDATE: security update available

What's worked for me is to set the domain attribute of the forms element to be .domain.com. This should allow the user to log in on at www.domain.com and then be logged in when accessing sub.domain.com. I've tested this having hacked my hosts file and it works okay.
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" domain=".domain.com" />
</authentication>

Related

Cross Web Application Authentication Not Authenticating Unless Redirected From Second Site

I have 2 ASP.NET web applications using Forms Authentication set up to have cross-application authentication. I have placed the following code in the webApp1 and webApp2 web.config files within the system.web tag.
<authentication mode="Forms">
<forms timeout="11520" loginUrl="https://App1/logon.aspx" cookieless="AutoDetect" name=".ASPXFORMSAUTH"
protection="All"
path="/"
domain="fsenet.companyname.net" />
</authentication>
<machineKey
decryption="AES"
validation="SHA1"
decryptionKey="306C1FA852AB3B0115150DD8BA30821CDFD125538A0C606DACA53DBB3C3E0AD2"
validationKey="61A8E04A146AFFAB81B6AD19654F99EA7370807F18F5002725DAB98B8EFD19C711337E26948E26D1D174B159973EA0BE8CC9CAA6AAF513BF84E44B2247792265" />
Scenario 1 works: If I try to access a page on webApp2 and I'm unauthenticated it redirects me back to the webApp1 logon page; I then log on and am redirected back to the page on webApp2. All works as expected when using this redirect method.
Scenario 2 problem: If I log on using webApp1 and have a link on a page within webApp1 and try to navigate to a page within webApp2, I automatically get redirected back to the logon page. As I understand it I should already be authenticated to access the page on webApp2 and should not be asked to authenticate again.
I use this code to identify if I'm authenticated
User.Identity.IsAuthenticated.ToString()
Scenario 2 shows False (the reason for the redirection) and Scenario 1 shows True.
Am I missing some setting that allows me to access the content on webApp2 after Authenticating with webApp1?
It is very important that you set FBA settings correctly for cross-application SSO. There are already blog posts covering such tricks, and I can see that you missed multiple steps, and then one app cannot get the authenticated info from another.
http://geekswithblogs.net/bjackett/archive/2009/09/03/single-sign-on-across-.net-web-apps-using-forms-based-authentication.aspx
OK, what I was doing wrong was not accessing both sites with the same domain, e.g. while I was debugging I was logging in via
http://localhost/Site1
(localhost being the mistake) and then linking from there to http://domianname.net/Site2/Page1.aspx, when I should have been accessing them both via http://domianname.net/Site1 and http://domianname.net/Site2/Page1.aspx (both with the domain), which allows the authentication cookie to be picked up from the correct location, I believe.

ASP.NET Windows + Database Authentication

I have two text boxes (user and password) and a drop-down list (domain) to authenticate the user using Active Directory and a database. Now when the user clicks the "Login" button his credentials are checked in Active Directory and, if authenticated, the next method checks whether the user exists in the database and checks his role. I would like to remove the logon page and enable automatic authentication using Windows authentication. I have changed the web.config file from
<authentication mode="Forms">
<forms loginUrl="~/LogIn.aspx" timeout="60" name="AuthCookie"/>
</authentication>
to
<authentication mode="Windows"></authentication>
<identity impersonate="true"/>
Now I would like to know how I can check whether the user exists in the database and check their role.
Thank you for your replies.
You'll need to implement your own authentication provider that will wrap both an AD backend and your own application's account database. You'll want to disable IIS' built-in Windows Authentication provider because your version will provide the implementation to use.
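For the database step the question ends on, an added example (not the question's or the answer's code) that keeps the asker's IIS Windows authentication for the AD part and does the account and role lookup in Global.asax. It assumes a connection string named AppDb and tables Users(Id, WindowsLogin), Roles(Id, RoleName) and UserRoles(UserId, RoleId); all of those names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Threading;
using System.Web;
public class Global : HttpApplication
{
    // Fires after IIS has authenticated the caller against Active Directory, so
    // Context.User.Identity.Name is DOMAIN\user from Windows auth, not form input.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        IIdentity identity = Context.User == null ? null : Context.User.Identity;
        if (identity == null || !identity.IsAuthenticated) return;
        string[] roles = LookupRoles(identity.Name);
        if (roles == null)
        {
            // Valid AD account but no application account: deny by default.
            Response.StatusCode = 403;
            CompleteRequest();
            return;
        }
        // Replacing the WindowsPrincipal makes User.IsInRole and <allow roles="..."/>
        // in web.config consult the application database rather than AD groups.
        var principal = new GenericPrincipal(identity, roles);
        Context.User = principal;
        Thread.CurrentPrincipal = principal;
    }
    // Returns null when the login is unknown, otherwise its (possibly empty) role list.
    // Assumed schema: Users(Id, WindowsLogin), Roles(Id, RoleName), UserRoles(UserId, RoleId).
    private static string[] LookupRoles(string windowsLogin)
    {
        const string sql =
            "SELECT r.RoleName FROM Users u LEFT JOIN UserRoles ur ON ur.UserId = u.Id " +
            "LEFT JOIN Roles r ON r.Id = ur.RoleId WHERE u.WindowsLogin = @login";
        var roles = new List<string>();
        bool found = false;
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@login", windowsLogin); // parameterised, never concatenated
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
                while (reader.Read()) { found = true; if (!reader.IsDBNull(0)) roles.Add(reader.GetString(0)); }
        }
        return found ? roles.ToArray() : null;
    }
}
```

With the principal replaced this way, `<authorization><allow roles="Admin"/><deny users="*"/></authorization>` in web.config is evaluated against the database roles.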

Securing asp.net web app with Form Authentication

In ASP.NET web app, I have login.aspx.
I force that every user access through Login.aspx, setting that on web.config:
<authentication mode="Forms">
<forms name="coockie_aut" loginUrl="login.aspx" protection="All" path="/" timeout="60" slidingExpiration="true"/>
</authentication>
My question is:
Using forms authentication and loginUrl, would it prevent someone from trying to hack any web page without accessing Login.aspx first? Does it mean that users will always be forced to access Login.aspx first?
That depends what you mean by "hack". Default Forms Authentication will redirect any request with no session authentication token to the login page. There are all kinds of session stealing, man-in-the-middle, brute-force, and other varieties of attacks that you may still be vulnerable to.
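As an added example (not from any of the posts above) for this question and for the subdomain question at the top of the page, a forms section that keeps the login redirect but also addresses the cookie theft the answer mentions. The `domain` line is the first answer's setting, shown here so it is clear that sharing the ticket with every host under .domain.com is a deliberate scope decision; the other values are illustrative.

```xml
<configuration>
  <system.web>
    <!-- protection="All" encrypts and signs the ticket; requireSSL marks the cookie
         Secure so it is never sent over plain HTTP, where it could be captured. -->
    <authentication mode="Forms">
      <forms name="coockie_aut"
             loginUrl="login.aspx"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             slidingExpiration="true"
             timeout="20"
             enableCrossAppRedirects="false"
             domain=".domain.com" />  <!-- omit unless sub.domain.com must share the ticket -->
    </authentication>
    <!-- cookieless="UseCookies" above prevents the ticket ever being carried in the URL
         (AutoDetect can fall back to that), so it does not end up in logs or referrers. -->
    <!-- HttpOnly keeps page script away from the ticket; requireSSL here applies to
         every cookie the application sets, not only the forms ticket. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <!-- Deny anonymous users everywhere; only the login page is opened up below. -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- Every server or subdomain that must accept the same ticket needs an explicit,
         identical machineKey; auto-generated keys differ per machine. -->
  </system.web>
  <location path="login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```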

membership issue after online hosting

I have a shopping cart ASP.NET application. Presently I manage the login system by simply making a DB table with 2 fields, username and password, and in my web.config file I redirect all users to the login page with the authentication and authorization tags:
<authentication mode="Forms" >
<forms defaultUrl="default.aspx" loginUrl="login1.aspx" cookieless="AutoDetect" ></forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
On my login page I simply compare the username/password entered by the user with the database entry and, if the user is correct, call the function
FormsAuthentication.RedirectFromLoginPage(username, true);
which redirects the user to the home page. It works very fine on my local system and I have no issue. But recently I hosted my application online and there is some issue with my login system. When I log in to the site it's OK, but after some time the user is automatically thrown out of the site to the login page and has to log in again.
It sounds like your users are bumping up against a cookie expiry. Add the following attributes to your <forms> element:
<forms defaultUrl="default.aspx" loginUrl="login1.aspx" cookieless="AutoDetect" slidingExpiration="true" timeout="60" />
By default, sliding expiration SHOULD be set to true, but if it's not, 30 minutes after a user logs in, their authentication will expire no matter if they've visited other site pages since that time. By default, the timeout period is also supposed to be set to 30 minutes from last refresh, so if your user is idle for 30 minutes, they will have to renew the authentication cookie in order to access secured content. You can extend this to whatever value you like, such as "60" in the above example.
You can find out more about these attributes at the MSDN reference page.

ASP.NET forms authentication doesn't work with reverse proxy

I have an ASP.NET application. As well as local users accessing the application directly, I want to expose it to external users through a reverse proxy (which is running on a different machine in the DMZ).
For example, say internal users use the URL http://intranet1/myApplication/default.aspx; external users might use the URL http://www.mycompany.com/externalApplication/default.aspx.
This is quite simple to set up with URL rewriting, but there is a problem when forms authentication is turned on. If an external user hits the URL of the site, forms auth tries to automatically send them to the login page, which redirects them to the relative URL /myApplication/LoginPage.aspx. As far as the web app is concerned, the application root is at /myApplication, not /externalApplication. Of course the external user coming in through the firewall does not understand this URL, so the request fails with a 404.
Is there a sensible solution for this?
You should not redirect to "/myApplication/LoginPage.aspx" but to "~/Login.aspx", so it is correctly mapped depending on which URL the user hits.
<authentication mode="Forms">
<forms loginUrl="~/Login.aspx" timeout="2880" />
</authentication>