ASP.NET Login store userdata - asp.net

I'm a newcomer to ASP.NET (switched from Java/PHP) and tried to create a simple login.
Now I'm stuck: are there any sessions in ASP.NET to store whether the user is logged in? Or how does the ASP.NET world store this information?
Greetings!

Yes! Read more on ASP.NET session. Generally we use Forms authentication to authenticate and authorize the request in ASP.NET.
Articles/posts:
An Overview of Forms Authentication
Using Forms Authentication in ASP.NET

You can use session as well as cookie.
For cookies read this http://www.codeproject.com/KB/aspnet/Beginners_Cookies.aspx
For sessions assign like this
Session["adminid"]="value";
and retrieve value like this
string sessionval = Session["adminid"].ToString();

Related

Use only querystrings throughout the project, avoid session in asp.net

We are developing an asp.net webforms app. We want to avoid using session state if possible, passing values in the querystring.
Question: After a user logs in, how do we keep the user from linking and reusing a URL?
Is there a token of some type we can set on login that expires after a certain time?
If you are using ASP.NET Forms authentication, you can set the timeout for the cookie in the web.config, as explained here:
https://learn.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/1d3t3c61(v=vs.100)

Authentication with oAuth and ASP.NET MVC + WebApi

We are planning to start developing our new site with ASP.NET, MVC and AngularJS. I will also have a WebApi that I would like to use oAuth authentication with, because it is easy to pass in a token, plus we may want to allow users to log in with Google, Facebook etc. in the future.
Questions
If I want to use oAuth on my WebApi (which is a separate application), what authentication method should I be using for my ASP.NET MVC website? oAuth? Forms? Both? And how do you implement this? On my API I wrote a simple oAuth provider that asks for a username and password and returns a token string.
Should my WebApi have a single sign on login page to interact with the website? Or should the login page be on the website? Should the login page use client side calls or server side calls?
What is actually within the oAuth token and how does it link to my website? Do I have to do something on the server once they login via Facebook/Google? Can I use this token on my server to determine which user is logged in?
Our website has many databases, all the same, but depending which user is logging in, depends on which database they can view data from. Is this easy to cope with using standard method/objects in ASP.Net MVC? Or is this going to force me in writing my own code?
Any advice would be appreciated as well!
If you are planning to use MVC 5, you could use ASP.NET Identity.
Take a look here: http://www.asp.net/mvc/overview/security/create-an-aspnet-mvc-5-app-with-facebook-and-google-oauth2-and-openid-sign-on
I hope this could help you.
Diego
Your best bet:
This topic shows how to secure a web API using OAuth2 to authenticate
against a membership database for both local and social login
http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api

Authentication using only session state (no forms authentication cookie)

I have a question connected with security.
Is it possible to implement authentication and authorization through session variables without using forms authentication and the forms authentication cookie stored in the browser?
How is session id being sent in consecutive requests? Is it stored also in a cookie?
What are the drawbacks of using session instead of forms authentication for authentication?
Thank you
Using user session for authentication is a very bad idea from the security perspective. User session is maintained by a cookie (ASP.NET_SessionId), just like the authentication session (ASPXAUTH). However, ASP.NET has a lot of security safeguards built into the authentication session cookie management, such as encryption, validation, prevention of tampering, etc. None of these measures exist for the user session cookie, which makes it easy to break the site security.
There is absolutely no reason not to use forms authentication, it is actually more difficult to switch to using the session for authentication, because you have to custom code to support it.
Well, you got two questions.
Is it possible to implement authentication and authorization through session variables without using forms authentication and the forms authentication cookie stored in the browser?
Yes, it's possible, but we're not supposed to reinvent the wheel, especially when it is related to security. It's strongly recommended to use forms authentication when possible unless you have strongly valid reasons.
How is session id being sent in consecutive requests? Is it stored also in a cookie? What are the drawbacks of using session instead of forms authentication for authentication?
To see the cookie:
Step 1: Create a new ASP.NET MVC project using the internet template.
Step 2: Start it, create a new user and log in.
Step 3: Open developer tools and check the cookie section; you can see two cookies:
__RequestVerificationToken
.ASPXAUTH
.ASPXAUTH is the cookie that FormsAuthentication consumes to do the authentication. For all following requests to the server, the server will check this cookie to authenticate the user.
You can specify "Remember me" when you log in, which will change the life span of this cookie. If you don't tick it, the life span is tied to the current session; if you tick it, it depends on the settings on the server side.
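
How the .ASPXAUTH cookie discussed in this thread can be issued and read back by hand, including the "Remember me" lifetime and a small user-data payload. This is an added example, not code from any of the posts: the class and method names, the 30-minute and 14-day lifetimes and the `userData` argument are assumptions, while the `FormsAuthentication` members are the standard System.Web.Security API.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Added example; AuthTicketHelper and its method names are hypothetical.
public static class AuthTicketHelper
{
    // Call only after the user's credentials have been verified.
    public static void IssueTicket(HttpResponseBase response, string userName,
                                   bool rememberMe, string userData)
    {
        DateTime now = DateTime.Now;
        // Constructed lifetimes: 30 minutes, or 14 days with "Remember me".
        DateTime expires = rememberMe ? now.AddDays(14) : now.AddMinutes(30);
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, expires, rememberMe,
            userData ?? string.Empty, FormsAuthentication.FormsCookiePath);
        // With the default protection="All", Encrypt() both encrypts the
        // ticket and adds a validation MAC using the <machineKey> keys.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // follows web.config
            Path = FormsAuthentication.FormsCookiePath
        };
        // Without Expires the browser discards the cookie when it closes.
        if (rememberMe) cookie.Expires = expires;
        response.Cookies.Add(cookie);
    }

    // Returns the ticket, or null when the cookie is missing, expired,
    // or does not decode (for example because it was modified).
    public static FormsAuthenticationTicket ReadTicket(HttpRequestBase request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            return (ticket == null || ticket.Expired) ? null : ticket;
        }
        catch (ArgumentException) { return null; }      // treat as unauthenticated
        catch (CryptographicException) { return null; } // treat as unauthenticated
    }
}
```

The ticket's expiration is enforced on the server through `ticket.Expired`, so the lifetime holds even if the browser keeps the cookie longer than intended.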

Asp.net membership provider determination

When studying the ASP.NET membership provider I faced a question and could not find an answer.
It is clear that we have a database, where the provider stores information like name/pwd etc., but how does it find the right key for the current user? Is it transferred via HTTP headers and saved in the user's cookie?
Basically, the forms authentication ticket is contained inside a cookie. The cookie is stored on the client side, and sent back to the server with the page request for authentication.
If you use ASP.NET Universal Providers' Membership, I would like to suggest to use ASP.Net Login control; it works right out of the box with Membership provider without writing any code.

How pass the asp.net session token from page to page?

What is the best and most secure way to pass the ASP.NET session token from page to page?
1. cookies (not secured)
2. url (not secured)
3. hidden fields?
Is using hidden fields the right way to pass it?
How do I pass it using hidden fields?
How do I disable the session token in cookies and also in the URL (session state configuration)?
From my answer for similar question, "securing ASP.NET forms authentication token on client side?" :
Session:
Fast, Scalable, and Secure Session State Management for Your Web Applications
