I've got an asp.net application which seems to forget that a user is logged in after a while.
I'm using the membership provider and when opt to "remember" the log in it remembers it during the session. I can even close the browser, restart and come back and it will still be logged in. But after a while it forgets and it seems to do it at any old time. I've once been logged in and when I went to a new page it was logged out.
The other strange things are:
On my development machine it remembers the log in forever. Even after IIS restarts and recompiles it will remember my login as expected.
I have another application on the same server that does remember the login forever. I compared how they handle login and they seem to be identical.
This leads me to believe that the issue has something to do with the server or perhaps something in the application not directly related to the login and membership code. What could I look at?
Edit:
Looked up the cookie using Fiddler and they seem to be ok.
An Authentication cookie created today expires 2 weeks from now, which is how my config is set up:
expires=Mon, 06-Sep-2010 01:47:51 GMT
Edit:
The problem seems to be that the app pool is recycling and the authentication cookie becomes invalid because it can no longer be read as the machine key has changed. The solution was to add a machineKey segment to the web.config and supply a static machine key.
There are two major possibilities.
Cookie expiration. If the cookie expires / goes away, then you are considered logged out.
Cookie invalidation. Login cookies are encrypted based on the machineKey value. If you do not specify a machineKey, a new one is regenerated each time the application pool starts up (or is recycled). That means that any login cookie encrypted with the old machineKey is now invalid, and you will not be considered logged in.
Check to see what the recycle settings are on your application pool in IIS and see if that corresponds with the timing of you not being logged in.
"Remember me" functionality is done using cookies. Cookies can be set with an expiration date. You need to look into how the cookie is being set (Fiddler is good for this, you can inspect the HTTP header when the cookie is set.)
Related
I've got an app in MVC5 which uses forms authentication. Since rolling it out to a server, after being logged in for 5-10 minutes you are logged out; I would like the login to remain for minimum 1 day.
I suspect this is because the app pool is recycled after 5 minutes of inactivity; unfortunately this is a feature of our hosting and I have no control over it.
I've tried a number of things to work around this:
Set persistent to true on the login call, i.e. forcing it to
"Remember Me".
Set the session state to use a SQL Server database,
with a timeout of 1440.
Set timeout under to 1440 in the web.config.
Forced all three computers that use the site to trust the site in the browser, to make sure the cookie isn't being destroyed.
Set Session.Timeout to 1440 in global.asax.cs (probably redundant when this is also set in web.config)
A few points of background:
The site uses autofac to instantiate the database connection, which interacts with OWIN.
Pretty much everything else regarding the login comes from a standard visual studio setup, meaning I created a new web project and set authentication to forms.
The cookie is still there after being sent to the login screen.
The session is still there (in the database) after being sent to the login screen.
Does anyone know how I might fix this issue?
Asp.net forms authentication cookie not honoring timeout with IIS7
For anyone wondering, the fix here appears to have done the trick. Specifically, setting the machineKey in the web.config.
This is probably a duplicate question, but since I can't find the answer in the questions from the past I am going to ask again.
In my ASP.NET application, when I authorize the user, I set the custom FormsAuthenticationTicket. The persistance variable is false, so the authentication cookie should only be valid for current session.
My question is when would this session end? I restart my IIS Express development server, I shut down the dev machine, etc, and the session seems to be still active and the user is authenticated with that cookie.
How come in my VS 2012 + IIS Express environment sessions are immortal?
That's not an issue. You can restart the server and as long as the authentication cookie is still valid, the user is considered logged in. Remember, HTTP is a disconnected protocol.
The cookie will be removed the moment the user logs out and you programmatically remove the cookie or when the user closes his browser.
In asp.net, I am able to login using forms authentication as usual, copy our auth cookie value, log out, add the cookie artificially to the client using the 'Edit This Cookie' addon for Chrome, refresh the (anonymous) landing page and hey presto i'm logged in again. This seems to be a vulnerability - is there any way of fixing it using the the standard forms auth or will I have to do something like use a custom Authorize attribute which overrides the existing one in asp.net mvc?
I don't think this is a bug per se. The following happens during forms authentication
You provide a username/password to the server
Server validates username/password
If valid, the server then sends an encrypted authentication ticket (cookie) to the client with the expiration time (set in the web.config forms authentication section) and username (all encrypted)
On each request that requires authorization, the cookie is decrypted on the server, expiration time is checked and username is used to see if authorized (or getting that role for the requested resource).
When you logout, the expiration time on the cookie is set in the past, therefore, it is not longer a valid cookie
Now, as to why you are seeing what you are seeing... You are copying the cookie before you logout. Thus your copied cookie never registers the logout (moved expiration time). When you reattach, you still have a valid auth cookie. Now, if your forms authentication timeout is set to...let's say 20 minutes...this method would fail if you copy the cookie and wait 21 minutes as by that time, it has expired.
Cookies are always vulerable and we can't do much about that. What we can do is prevent someone from stealing the cookies.
Regarding ASP.NET MVC it does a good job to avoid stealing cookies. Some of the main things it does by default as part of security are:
Encode the strings that are rendered to the view (if you are using Razor don't know about others) to prevent from XSS attacks.
Request validation (stop potentially dangerous data ever reaching the
application).
Preventing GET access for JSON data.
Preventing CSRF Using the Antiforgery Helpers
Regarding cookies Microsoft provides HttpOnly feature and this helps to hide the cookies from javascript. The Forms authentication that you are talking about is a HttpOnly cookie means someone can't steal that through JavaScript and it's more safe.
You can do that with any cookie/s. You can inspect/copy all the cookies from any given domain, and spoof if you want. You can do that to yourself (only) because its your PC (or user logged in to PC). Obviously if you're on a shared PC, that is a problem (across all your info).
The act of "copying your cookie" is in fact one way malware attempts to steal/hijack your identity (or current session on some web site). That said, unless you have some malware, you can't just "copy cookies" of someone else.
Assuming logout is done, you can ask users to close their browsers so the expired cookie is removed from the (file) system.
I have couple questions about security in ASP.net and in general.
Where are stored "Authorization" cookies? When I logined in the system and then decided to logout I suppose for this enough to delete cookies from my browser but this not work. Then I rethink that these cookies is supplied from browser stored passwords, but wrong again, since I don't see login/password info for my site there.
And since "Authorization" cookie is always returned in response for 401 code, user stays always logined in the system and I can't understand how to logout.
The timeout for ".ASPXAUTH" - 30 min is recommended, and then cookie expired. Though I login, then after recommended 30 minutes I need to login again (even with sliding property to true, I can just leave a page for more than 30 minutes). But when I login to the most of the sites (such as stackoverflow for example), I can enter here again without logining even after week delay. How it is implemented, is that sites just set timeout for much bigger timespan or there is some other techniques?
Thanks!
Answer to question 1:
Use FormsAuthentication.Signout(); to logout. This will delete the authentication cookie. The authentication cookie is stored in the http-request and in the response as every other cookie.
Rergarding your 2nd question: Your cookie should expire after 2880 minutes. I don't know why it expires after 30 minutes in your case. Also the sliding expiration normally works. Could your browser settings have some influence? Another possiblility could be that the Visual Studio internal web server does not behave like a real web server. Try your settings on IIS.
EDIT:
I think the answer to your 2nd question is here
I have the oddest situation...
On my ASP.NET website when the application pool recycles the user is logged out. This is fine. I know this is suppose to happen. But when the user logs back in and selects any link within the website, they are logged back out immediately. They consistently get logged out. I don't know what causes this and I don't know how to fix it.
The odd part is the work-around. If I log in from a different computer or from the IIS Server itself than the user that is getting logged out can log back in.
Does anyone have any ideas as to what is happening?
Standard Forms Authentication in ASP.NET is cookie-based and should not be affected by the session vanishing. But, you're probably relying on something in the session to determine whether or not the user is logged in. If you're using in-process session storage (and it sounds like you are), then your application code might act strangely if you get in a state where the Forms Authentication cookie still exists and is valid but the session information is missing. Instead of going to a different computer, try blowing away your cookies and logging in again, and I would presume that your issue is resolved.
One step is to move to out-of-process session storage (such as the ASP.NET State Server, which is simple to use with a few config changes) or to eliminate session usage entirely (by depending on values stored in cookies, though there are security implications there to consider if these values are not encrypted). Then, take a close look at how your application code handles the condition where a login cookie is set but the session data is invalid.
It's a shot in the dark based on the information provided, but hopefully it puts you or someone else on the right track.
I discovered the problem. In the Security settings of the ASP.NET Configuration each user that logs in needed to have one of the roles defined in the "Description" field. This is very odd to me be but it seemed to do the trick. Anyone know why this needs to be done?