Sharing asp.net authentication on different apps on different sub-domains - asp.net

I have 2 applications. One on asp.net webforms, main.test.com, which should provide authentication: the user logs in and I can use the cookie to authenticate on my asp.net mvc app located at myApp.test.com.
All I'd like to do is to be able to access the cookie so I can get the userId that was stored in it using FormsAuthentication.
They use the normal authentication provided by Microsoft:
<authentication mode="Forms">
<forms domain="test.com" loginUrl="Default.aspx" protection="All" path="/" requireSSL="false" timeout="45" name=".ASPXAUTH" slidingExpiration="true" defaultUrl="Default.aspx" cookieless="UseDeviceProfile" enableCrossAppRedirects="false"/>
</authentication>
This cookie should be accessible to any subdomain on test.com, right?

Make sure you set your machine keys in each application so they can each decrypt each other's data.
http://msdn.microsoft.com/en-us/library/ff649308.aspx
Then make sure you have set your cookie name and path the same in each. Job done: an auth ticket generated in either application should span them both.
http://msdn.microsoft.com/en-us/library/ff647070.aspx
Edit: Forgot a bit:
In your web.config also set the domain attribute of the httpCookies node to test.com

In the forms tag add
domain=".test.com"
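Putting the question and the answer together, here is an added example (not code from the question or the answer) of the two sides: main.test.com issues a ticket that carries the user id in the ticket's UserData, and myApp.test.com reads it back. It assumes both web.config files share the same machineKey, the cookie name ".ASPXAUTH", path "/" and domain ".test.com" as discussed above; the userId value and the SharedAuthTicket class name are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example: one forms-auth ticket shared by main.test.com (issuer) and
// myApp.test.com (consumer). Both apps need the same <machineKey>, cookie
// name, path and domain for this to work.
public static class SharedAuthTicket
{
    // Issuer side (main.test.com), called after the password check succeeded.
    // userId comes from the issuer's own user store (assumed here).
    public static HttpCookie Issue(string userName, int userId, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                               // ticket version
            userName,                        // becomes User.Identity.Name in both apps
            DateTime.Now,                    // issue date
            DateTime.Now.AddMinutes(45),     // mirrors timeout="45" in web.config
            persistent,
            userId.ToString(),               // UserData: carried inside the encrypted ticket
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            Domain = ".test.com",            // leading dot: sent to every sub-domain
            Path = FormsAuthentication.FormsCookiePath,
            HttpOnly = true,                 // keep script away from the ticket value
            Secure = FormsAuthentication.RequireSSL
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        return cookie;
    }

    // Consumer side (myApp.test.com): read the user id out of the shared cookie.
    // Returns null when there is no ticket, when it has expired, or when it
    // cannot be decrypted (typically a <machineKey> mismatch between the apps).
    public static int? ReadUserId(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { return null; }   // thrown by older runtimes on bad ticket
        catch (HttpException) { return null; }
        if (ticket == null || ticket.Expired) return null;

        int id;
        return int.TryParse(ticket.UserData, out id) ? id : (int?)null;
    }
}
```

In the Web Forms login page call Response.Cookies.Add(SharedAuthTicket.Issue(userName, userId, rememberMe)) instead of FormsAuthentication.SetAuthCookie, and in the MVC app call SharedAuthTicket.ReadUserId(Request) from an action or filter. Decryption is the step that fails silently when the machine keys differ, which is why a null result here is the first thing to check when the cookie is visibly present in the request.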

Related

RedirectFromLoginPage() does not issue auth cookie for base domain

Say I have 2 sites and want to implement SSO between them. They are hosted at site1.localhost and site2.localhost. From what I've read so far I only needed the following in my web.config:
<authentication mode="Forms">
<forms loginUrl="/Login.aspx" domain=".localhost" path="/" />
<machineKey .../>
</authentication>
However, the following call does not issue authentication cookie at all:
FormsAuthentication.RedirectFromLoginPage(InputEmail.Text, true);
If I remove domain attribute from forms element the cookie is perfectly issued for site1.localhost domain. What am I missing?
p.s.
Windows 7 x64, ASP.NET 4.0, integrated pipeline, no extra modules/handlers
Update:
The following call returns a cookie with the proper domain set (.localhost):
HttpCookie httpCookie = FormsAuthentication.GetAuthCookie(InputEmail.Text, true);
How is that possible?
Cookies need at least a two-part domain name. If your sites were site1.local.domain and site2.local.domain, then you could issue a cookie for .local.domain. You cannot issue a cookie for .localhost.

MVC3: How to stop session expiring after 30 mins?

I am trying to change the time it takes for my session to expire. My views are verifying session with <Authorize()>, which works great.
I am doing my session creation as follows:
FormsAuthentication.SetAuthCookie(model.UserName, True)
Return RedirectToAction("Welcome", "Home")
My password is verified with
FormsAuthentication.Authenticate(username, password)
My route web.config has inside system.web
<sessionState timeout="7200"></sessionState>
My authentication node is as follows:
<authentication mode="Forms">
<forms loginUrl="~/Home/Login" timeout="7200" cookieless="UseCookies" name=".LoginCookie" slidingExpiration="true" >
<credentials passwordFormat="Clear">
<user name="user" password="pass" />
</credentials>
</forms>
</authentication>
Once logged in I can even verify that the specific cookie 'LoginCookie' is set to expire in a few days, yet still, if I am inactive for 30 minutes, my user is getting sent to the login page.
Finally, this appears to work fine in Visual Studio, as it always has for sites I have done, but for some reason once in IIS it doesn't (production environment).
Any help on something I may have missed is really appreciated.
That's probably when your IIS app pool is set to recycle. Cache variables are then lost unless they are stored in SQL Server or State Server.
Check the settings in the AppPool within IIS. You can extend the idle timeout if required.
Also read this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;324772

Forms Auth premature cookie expiration

I'm having trouble with a site that just went to production. For some reason, although the settings seem to be correct for a 15 minute session timeout, users are reporting that after about 5 minutes they have to log in again.
What can I check? How can I troubleshoot this? I can't reproduce it locally, or in our QA environment. Are there IIS settings I could check? Browser settings on the client?
Below is my web.config entry for the authentication. Thanks!
<authentication mode="Forms">
<forms loginUrl="~/admin/Login" cookieless="UseCookies" requireSSL="false" timeout="15" slidingExpiration="true" name="{C8226EAB-2423-45ce-8A1D-3BC227F1BEE9}"/>
</authentication>
You'll need to add a machine key to your web.config file. It's getting autogenerated with each app pool recycle and causing your auth ticket cookie values to fail.
This is similar to the following question:
figuring out why asp.net authentication ticket is expiring
Well, I think that you also need to set the domain name setting. Do not set www.yourdomain.com, because that way if a user gets on yourdomain.com they get a different cookie.
Set it to the root name without the www: yourdomain.com
<authentication mode="Forms">
<forms
path="/"
domain="yourdomain.com" <!-- maybe this key is the reason -->
/>
</authentication>
Make sure the session is set to at least 15 minutes as well in IIS Manager.
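The two questions above (login page after 30 minutes of inactivity, re-login after 5 minutes with a 15 minute timeout) have the same shape, and the answers name different causes: app-pool recycling, an autogenerated machineKey, a wrong cookie domain. The added diagnostic below (not from any of the posts) separates those cases by looking at the ticket itself on every request: no cookie at all, a cookie that no longer decrypts, a ticket that really timed out, or a valid ticket with its remaining time. The class and enum names are assumptions; the Global.asax hook uses the standard Application_AuthenticateRequest event.

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Security;

// Added diagnostic: classify the forms-auth ticket on an incoming request so a
// trace log shows why a user was sent back to the login page.
public enum TicketState { Missing, Undecryptable, Expired, Valid }

public static class FormsAuthDiagnostics
{
    public static TicketState Inspect(HttpRequest request, out string detail)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            // Browser did not send it: check name, path and domain attributes,
            // and whether the request host actually matches the cookie domain.
            detail = "no cookie named " + FormsAuthentication.FormsCookieName +
                     " on host " + request.Url.Host;
            return TicketState.Missing;
        }

        FormsAuthenticationTicket ticket = null;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { }   // older runtimes throw on a bad ticket
        catch (HttpException) { }
        if (ticket == null)
        {
            // Cookie present but rejected: the keys differ from the ones that
            // issued it (autogenerated machineKey after a recycle, or a second
            // server with its own key).
            detail = "cookie present but undecryptable; set an explicit <machineKey>";
            return TicketState.Undecryptable;
        }

        if (ticket.Expired)
        {
            // Real timeout. With slidingExpiration="true" the module renews the
            // ticket only once more than half the timeout has elapsed.
            detail = string.Format("ticket for {0} expired at {1:o} (issued {2:o})",
                                   ticket.Name, ticket.Expiration, ticket.IssueDate);
            return TicketState.Expired;
        }

        detail = string.Format("valid for {0}, {1:F0} minutes left",
                               ticket.Name, (ticket.Expiration - DateTime.Now).TotalMinutes);
        return TicketState.Valid;
    }
}

// Global.asax.cs hook: log anything other than a valid ticket. The class name
// matches the default MVC project template; adjust to your own Global class.
public class MvcApplication : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        string detail;
        TicketState state = FormsAuthDiagnostics.Inspect(Request, out detail);
        if (state != TicketState.Valid)
            Trace.WriteLine("FormsAuth " + state + ": " + detail);
    }
}
```

Read the trace output after the symptom occurs: a run of Undecryptable entries starting at the same minute points at the autogenerated machineKey and an app-pool recycle, Missing entries on one host but not another point at the domain attribute, and Expired entries with a short gap between issue and expiration mean the timeout value in effect is not the one you think it is.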

Where is .ASPXAUTH cookie

In javascript alert(document.cookie); does not show the .ASPXAUTH cookie, although a sniffer is showing it.
I need it because I have an AJAX request to the server; the request should not take place when the user is already logged in.
If I cannot check .ASPXAUTH for security reasons, what should I do to check whether the user is already logged in?
Thanks
The authentication cookie is marked http-only, meaning it cannot be accessed by javascript. If you want to check if the user is authenticated, simply output a javascript variable, a hidden field or whatever you prefer from your code-behind. You can then check this easily in JS.
There is a .ASPXAUTH cookie set, you are obviously correct. It is used to determine if a user is logged in.
To get what you need look over your web.config for the config section:
<authentication mode="Forms">
<forms
loginUrl="~/login.aspx"
protection="All"
timeout="30"
name="ExampleSite.FormsAuthentication"
path="/"
requireSSL="false"
slidingExpiration="true"
defaultUrl="index.aspx"
cookieless="UseDeviceProfile"
enableCrossAppRedirects="false"
/>
</authentication>
When the user is successfully authenticated a cookie will be set based on the name="ExampleSite.FormsAuthentication" parameter. It will expire after logging out or after the session expires. You will see a cookie in Chrome/Firefox or whatever browser you are using called ExampleSite.FormsAuthentication with an encrypted value. Obviously the name parameter you are using will be different and not ExampleSite.FormsAuthentication, but you get the idea.
You could always check and see if the cookie exists. As mentioned, be careful of the http-only flag (in relation to JS). You can also override that value in the web.config so you can access it with JS.
<httpCookies httpOnlyCookies="false" requireSSL="false" domain="" />
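The first answer's suggestion (let the server tell the page whether the user is logged in) can be done without touching httpOnlyCookies, so the ticket value itself never becomes readable by script. The added example below (not from either answer) shows both variants the answer mentions: an MVC action the AJAX code can call, and a Web Forms code-behind that emits a javascript variable. The controller name, route and page class are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.UI;

// Added example: expose only "is this request authenticated?" to the client.
// FormsAuthenticationModule has already validated the HttpOnly ticket by the
// time Request.IsAuthenticated is read, so nothing about the ticket leaves.

// MVC variant: the page's AJAX code does GET /Auth/Status first and skips its
// login request when authenticated is true.
public class AuthController : Controller
{
    [HttpGet]
    [OutputCache(NoStore = true, Duration = 0)]   // never serve a cached answer
    public JsonResult Status()
    {
        bool isAuth = Request.IsAuthenticated;
        return Json(new
        {
            authenticated = isAuth,
            userName = isAuth ? User.Identity.Name : null
        }, JsonRequestBehavior.AllowGet);
    }
}

// Web Forms variant: write a global variable into the rendered page so
// inline script can test window.isLoggedIn instead of document.cookie.
public partial class ExamplePage : Page   // assumed page class
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string script = "window.isLoggedIn = " +
                        (Request.IsAuthenticated ? "true" : "false") + ";";
        ClientScript.RegisterStartupScript(GetType(), "authFlag", script, true);
    }
}
```

Keeping httpOnlyCookies at its default also means a script injected through any other weakness on the site cannot read and replay the ticket, which is what the flag is for; the boolean above is all the AJAX decision actually needs.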

Best way to keep ASP.Net Session Active

What is the best way to keep an asp.net or asp.net mvc session active until the user logs out?
*The user should be able to resume the session even after a browser or computer restart...
In other words, what is the best way to implement REMEMBER ME...
You can set the timeout setting to a higher value, but you can't tell the difference between a session_end caused by a timeout and one caused by a user ending their session.
The solution to your problem is probably to restore the user's session in the session_start method in Global.asax.
You can use the membership provider for this purpose, set a cookie in the user's browser and check it for authentication.
Another idea is to send a keep-alive request in the background via an iframe / ajax / image tag every minute or so.
The best way to be able to do this is to use cookies in your authentication strategy to indicate that a user is logged in. Set your website to use forms authentication, and set the pertinent attributes to use cookies. It can be done in your Web.config file:
<authentication mode="Forms">
<forms loginUrl="Login.aspx"
protection="All"
timeout="30"
name="AppNameCookie"
path="/FormsAuth"
requireSSL="false"
slidingExpiration="true"
defaultUrl="default.aspx"
cookieless="UseCookies"
enableCrossAppRedirects="false"/>
</authentication>
For more information read this: How To: Use Membership in ASP.NET 2.0
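The answers above split the job across three places: a persistent forms-auth cookie for "remember me", Session_Start to rebuild per-user state when a valid cookie arrives without a session, and an optional keep-alive request. The added example below (not from any of the answers) wires those together with the Membership API the last answer links to; the controller and action names and the "Profile" session key are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example: "remember me" built on the forms-auth cookie, with Session
// treated as a cache that is rebuilt on demand rather than as the login state.
public class AccountController : Controller
{
    [HttpPost]
    public ActionResult Login(string userName, string password, bool rememberMe)
    {
        if (!Membership.ValidateUser(userName, password))
            return View();

        // rememberMe == true writes a cookie with an Expires date, so it
        // survives a browser or machine restart; false writes a session cookie.
        // In ASP.NET 2.0 and later both use the <forms timeout="..."> value, so
        // raise timeout (43200 = 30 days) for a remember-me that should last.
        FormsAuthentication.SetAuthCookie(userName, rememberMe);
        return RedirectToAction("Welcome", "Home");
    }

    // Target for the background ping the other answer suggests. With
    // slidingExpiration="true" any authenticated request renews the ticket
    // once more than half of the timeout has elapsed.
    [HttpGet]
    [OutputCache(NoStore = true, Duration = 0)]
    public ContentResult KeepAlive()
    {
        return Content(Request.IsAuthenticated ? "ok" : "anonymous", "text/plain");
    }

    public ActionResult Logout()
    {
        FormsAuthentication.SignOut();   // clears the auth cookie
        Session.Abandon();               // drops the cached per-user state
        return RedirectToAction("Login");
    }
}

// Global.asax.cs: Session_Start runs after authentication, so when a user
// comes back with a valid persistent cookie after a restart or an app-pool
// recycle, the session is rebuilt here instead of bouncing them to the login page.
public class MvcApplication : HttpApplication
{
    protected void Session_Start(object sender, EventArgs e)
    {
        if (Request.IsAuthenticated)
        {
            MembershipUser user = Membership.GetUser(Context.User.Identity.Name);
            Session["Profile"] = user;   // or whatever per-user state the app caches
        }
    }
}
```

Because login state lives in the encrypted, HttpOnly auth cookie, an explicit machineKey in web.config is what makes that state survive recycles and restarts; without it the key changes and every remembered user is silently logged out.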
