I have an ASP.NET MVC2 app using jQueryMobile. It is a secure app, and i'm using the ASP.NET authentication within the MVC2 framework.
I am using standard authentication via the web.config:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
I am securing certain controllers using the Authorize attribute:
[Authorize]
public class ClientController : Controller
All my web pages as based upon the same master page, which has a top-level container div as follows:
<div class="page" data-role="page">
It all works perfectly on Chrome. However, on the iPad the authentication does not work. It seems that the authentication cookie never gets stored on the client. The iPad keeps displaying the logon page, even if I type correct credentials. I have tried setting Safari Accept Cookies settings to 'Always' too.
Has anyone had any success deploying a jQueryMobile app using ASP.NET MVC2 authentication on an iPad? Thanks.
Edit: Ok, I have ascertained that the cookie is indeed being stored on the client, but it appears that jQueryMobile+Safari are somehow consipring to continually display the login page rather than redirecting me to the page that should be shown according to the logon redirect.
I believe I have the answer. With regard to the iPad, you need to specifically set web.config to force the use of cookies. My authentication setting in web.config now looks like this:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880"
cookieless="UseCookies"
/>
</authentication>
It is the cookieless="UseCookies" entry that solved the problem. The default value for this is UseDeviceProfile. It must have been the case that an iPad does not have a consistent UseDeviceProfile regime. On the iPad, sometimes it worked, sometimes it didn't. Don't ask me why. It now seems to be consistently working.
I agree with Journeyman, thats what I used. However if they add the website to the Homescreen, then these settings still do not work.
some have asserted they don't store the cookie in that case.
see related Q: iPhone/iPad WebApps don't allow cookies?
Related
I'm trying to find how to use the Chrome/IE basic login authentication form for an asp.net page. I can find lots of examples of custom built login controls and forms where the web.config and redirects to the page, eg
<authentication mode="Forms">
<forms loginUrl="Login.aspx">
</forms>
</authentication>
How do I do this using so it looks like the following? (1st image is in Chrome, second is in IE). I'm aware this isn't secure but just wanted to know how it's done.
I believe you need to use Windows Authentication (not Forms Authentication) to make this happen, at least on IIS 8 and earlier.
I am working on several asp.net sites simultaniously. All of them use cookie-based (out of the box) authentication mechnism. When a web site on localhost:4587 was being bedduged in VS I have logged in as an "admin" user and did some testing.
The next day I am opening different project for debugging that runs on localhost. And when I attempt to access the MVC controller action that is marked with Authorization atribute, the system assumes the current user is "admin" and is looking for it's roles based on a custom provider. But on this site, there isn't even a user named "admin". How can I make sure cookies from other sites don't make it to Role check in ASP.NET MVC application?
I would suggest it is always a good practice to delete all localhost cookies after testing. As explained here : asp.net cookies, authentication and session timeouts , you can also add details to the authentication cookie to ensure it is discarded after a session, ie when you close the browser or to differentiate between two sites. Another approach to avoid cookies 'clashing' is to use two different browsers : Chrome for the one and a Comodo Dragon or Chromium for the other.
Give your forms tag a unique name in each application
<authentication mode="Forms">
<forms name="myVeryUniqueNameForApp1" />
</authentication>
<authentication mode="Forms">
<forms name="myCompletelyUniqueNameForApp2" />
</authentication>
I'am using Intelligencia rewriter for ASP.NET. Now I added forms authentication to the project and for some reason on the seo friendly pages (.html) the Request.IsAuthenticated property is always false. I can see that the cookie is created fine with fiddler. When i visit any other .aspx page I can see that the same property is true. Obviously this is related to the rewriter, however I could not find any solution for it at all.
I spent quite some time on this reading all the solutions out there on the Internet, but in my case it finally boiled down to being a missing web.config setting :
<authentication mode="Forms">
<forms loginUrl="~/User/LogIn" timeout="2880" />
</authentication>
If there's no authentication specified, no authentication will be used although you might have a auth cookie present.
Check out Troubleshooting Forms Authentication and the FormsAuthLogger.
For reference, Microsoft has a detailed article on what are the moving parts and processes.
I use asp.net cookie in my application here is my web config :
<authentication mode="Forms">
<forms path="/"
defaultUrl="Default.aspx"
loginUrl="Login.aspx"
name=".ASPXAUTH"
slidingExpiration="true"
timeout="3000"
domain="www.mysite.com"
cookieless="UseDeviceProfile"/>
</authentication>
it works fine but I have a problem, after some days when a user has been working with the site application, suddenly my login control didn't work. I found out it will work after deleting temporary files.
Edit : Please pay attention to domain when User request www.mysite.com every thing is okay but without "www" login doesn't work. in firefox they are working very good. this is IE problem.
How I can solve this ?
It's about your Host and server (IIS Service provider), it seems like they change some default script files in your "aspnet_client\system_web\2_0_50727" folder like "WebUIValidation.js" or "SmartNav.js". Those are ASP.net default scripts. If you change your Host provider, you will see its working good and (Cross Browser).
I'm working on a website built with pure HTML and CSS, and I need a way to restrict access to pages located within particular directories within the site. The solution I came up with was, of course, ASP.NET Forms Authorization. I created the default Visual Studio log in form and set up the users, roles, and access restrictions with Visual Studio's wizard. The problem is, I can't log in to the website with the credentials that I have set.
I'm using IIS 7.
I'd guess (since I don't have IIS7 handy ATM) that you'd need to turn off Anonomyous Auth, and enable Forms Auth in the IIS7 sections.
At what point did you insert your login/password? Did you have a look at the tables that where created? Althought your password must be encrypted, maybe it's worth just checking if your user was actually created.
At what point did you insert your login/password? Did you have a look at the tables that where created? Althought your password must be encrypted, maybe it's worth just checking if your user was actually created.
Forms Authentication does not require any form of user database.
Steve, can you please paste in your forms authentication web.config section, also any relevant code to the ASP.NET Login control you were using.
There is not enough information to troubleshoot here yet :)
The web.config section is pretty useless as far as I can tell:
<authentication mode="Forms" />
I looked in IIS 7, and in the Authentication section it says: Anonymous Authentication = Enabled, ASP.NET Impersonation = Disabled, Basic Authentication = Disabled, Forms Authentication = Disabled.
Also, I have made no changes to the code other than dragging a Login object onto the designer and changing the page it points at to index.html.
Currently, the log in fails by displaying the log in failed text.
EDIT: Earlier when I would try to navigate directly to a page that is restricted, I would receive a blue page saying that I had insufficient permissions. Now I can see the pages that are restricted without logging in even though I have anon access denied.
Steve,
I don't think the issue is with your IIS settings. Because forms authentication does not rely on IIS authentication, you should configure anonymous access for your application in IIS if you intend to use forms authentication in your ASP.NET application.
Try this in your web.config:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="~/login.aspx" defaultUrl="~/">
<credentials passwordFormat="Clear">
<user name="YourUsername" password="superSecret" />
</credentials>
</forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<system.web>
</configuration>
There are better ways to implement forms authentication than hardcoding a username and password into your web.config, but this should work for getting you started.