I have an ASP.NET application. As well as local users accessing the application directly, I want to expose it to external users through a reverse proxy (which is running on a different machine in the DMZ)
for example, say internal users use the URL http://intranet1/myApplication/default.aspx, external users might use the URL http://www.mycompany.com/externalApplication/default.aspx
this is quite simple to set up with URL rerwiting, but there is a problem when forms authentication is turned on. if an external user hits the URL site, forms auth tries to automatically send them to the login page which redirects them to the relative url /myApplication/LoginPage.aspx. as far as the web app is concerned, the application root is at /myApplication not /externalApplication. Of course the external user coming in through the firewall does not understand this URL so the request fails with a 404
is there a sensible solution for this?
You should not redirect to "/myApplication/LoginPage.aspx" but to "~/Login.aspx", so it would be correctly mapped depends on which URL is user hits on.
<authentication mode="Forms">
<forms loginUrl="~/Login.aspx" timeout="2880" />
</authentication>
Related
I have two ASP.NET applications hosted in our server. In first application (say A), I have a hyperlink to open the second application (say B).
I am using window.open to open B.
window.open(myurl, "mywindow", "menubar=1,scrollbars=yes,resizable=1");
When B is opened, A gets logged out.
I hosted B in another server and opened it from A, now A does not get logged out.
I am pretty sure that it is an issue with session.
I actually need to host both applications in one server. Am I missing any configuration?
Session state and forms authentication are 2 different things, and each one has a separate cookie. Session state has nothing to do with whether or not the user is logged in.
You should be adjusting the Forms Authentication cookie settings if you want each application to have a separate cookie name:
<authentication mode="Forms">
<forms loginUrl="member_login.aspx"
cookieless="UseCookies"
name=".ASPXFORMSAUTH" /> <!-- Change the cookie name here -->
</authentication>
I have 2 asp.net web applications using Forms Authentication setup to have cross application authentication. I have placed the following code in webApp1 and webApp2 web.config files within the
system.web tag.
<forms timeout="11520" loginUrl="https://App1/logon.aspx" cookieless="AutoDetect" name=".ASPXFORMSAUTH"
protection="All"
path="/"
domain="fsenet.companyname.net" />
</authentication>
<machineKey
decryption="AES"
validation="SHA1"
decryptionKey="306C1FA852AB3B0115150DD8BA30821CDFD125538A0C606DACA53DBB3C3E0AD2"
validationKey="61A8E04A146AFFAB81B6AD19654F99EA7370807F18F5002725DAB98B8EFD19C711337E26948E26D1D174B159973EA0BE8CC9CAA6AAF513BF84E44B2247792265" />
Scenario 1 Works: If I try to access a page on webApp2 and I'm un-authenticated it will redirect me back to webApp1 logon page, I then logon and are redirected back to the page on webApp2, All works as expected when using this redirect method.
Scenario 2 Problem: If I Log on using webApp1 and have a link on a page within webApp1 and try to navigate to a page within webApp2 I automatically get redirected back to the logon page. As I understand it I should be already authenticated to access the page on webApp2 and should not be asked to authenticate again.
I use this code to identify if I'm authenticated
User.Identity.IsAuthenticated.ToString()
Scenario 2 shows False reason for redirection and Scenario 1 shows True.
Am I missing some setting that allows me to access the content on webApp2 after Authenticating with webApp1?
It is very important that you set FBA settings correctly for cross-application SSO. There are already blog posts covering such tricks, and I can see that you missed multiple steps, and then one app cannot get the authenticated info from another.
http://geekswithblogs.net/bjackett/archive/2009/09/03/single-sign-on-across-.net-web-apps-using-forms-based-authentication.aspx
Ok what I was doing wrong was not access both sites with the same domain e.g. while I was debugging I was logging in via
http:/localhost/Site1
(localhost being the mistake) and then linking from their to http://domianname.net/Site2/Page1.aspx when I should have been accessing them both via http://domianname.net/Site1 and http://domianname.net/Site2/Page1.aspx (Both the with the domain) which allows the authentication cookie to be picked up from the correct location I believe.
I have developed an ASPNET WebAPI service that uses form authentication with cookies.
I also have a main website which authenticates against my ASPNET WebAPI and serves some content from it.
So my workflow basically is:
Client/Browser authenticates against the main website.
Main website (server) authenticates against ASPNET WebAPI and receives an authentication cookie.
After logging in the client will need to access some content of the ASPNET WebAPI via server and also via browser.
I would like to know if it is possible to re-use the same cookie that the server received in the browser. Ideally my website server receives the cookie and push it to the client browser. I am assuming that ASPNET Authorisation cookies are not IP-specific, since the client browser and the server IPs are different.
Thanks.
It should be possible by modifying your configuration such as:
<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH"
protection="All"
path="/"
domain="yourdomain.com"
timeout="30" />
Remember that both sites must be on the same domain, and the cookie path must be set to a common root or /.
we're using ASP.NET Membership for authentication at the root domain (www.domain.com) and the redirecting the user to a subdomain (sub.domain.com). When the user logins in from www they are being redirected to the login page on the subdomain when they should be showing as logged in instead.
Both the machine key and the forms element in the web.config are identical.
In the event log we get
Forms authentication failed for the request. Reason: The ticket supplied was invalid.
turns out it was a MS Security update that did it.
UPDATE
security update available
What's worked for me is to set the domain attribute of the forms element to be .domain.com. This should allow the user to log in on at www.domain.com and then be logged in when accessing sub.domain.com. I've tested this having hacked my hosts file and it works okay.
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" domain=".domain.com" />
</authentication>
Per a question I posted yesterday, our website's DNS structure has changed to round-robin DNS which literally swaps back and and forth between two production servers. Our web.config for both prod servers has:
<sessionState mode="SQLServer" ... > pointing to the same shared DB
A machineKey on each server that is consistent between the two (this was the main point of my post yesterday).
[update] The same domain in the <forms domain=".mydomain.com" ... > tag
When we use the login feature on the site, the login actually makes a web service request to a 3rd website that authenticates a user. If the resulting response says it was a successful login, then we use FormsAuthentication to log the user in:
FormsAuthentication.SetAuthCookie(strUserID, true);
Our issue is that on some pages we see we are logged in, others we're not. Is this something indicative of either us not completing a final step to share session between two prod servers or could our SQL server session DB be broken?
Thanks in advance
UPDATE:
Our code to determine if the user is logged in is quite basic:
HttpContext.Current.User.Identity.IsAuthenticated
UPDATE 2:
When I hit prod1.mysite.com (or prod2.mysite.com) I get a cookie called "ASP.NET_SessionId" but when I hit the live public URL, www.mysite.com, I don't get this cookie. Is this part of the problem?
RESOLUTION:
It turns out that everything we did here was all correct and that our live site which uses Akamai was being cached in various states due to Akamai's cache configuration. Sharing your logged in state between servers has been confirmed to work.
One thing you could do is use the Firebug add-on for Firefox to ensure that the authentication cookie is being sent to the browser as expected after logging in although as you are seeing that you are logged in on some pages I would expect this to be the case.
Another thing to check would be that the domain is set correctly for the authentication cookie and that it is valid for all pages on your website.
This is typically set in you web.config in the forms tags, example below and should be same on each server in the web farm.
<authentication mode="Forms">
<forms name="yourAuthCookie" loginUrl="/login.aspx" protection="All" path="/" domain="mydomain.com" timeout="30"/>
</authentication>
If this is all correct then it is possible that session is not being shared correctly between your servers although the settings that your have described in your question appear to cover what is needed.