Does Forms Authentication work with Web Load Balancers? - asp.net

I'm working on a web application that is using Forms authentication.
<authentication mode="Forms">
<forms slidingExpiration="true"
loginUrl="~/User.aspx/LogOn"
timeout="15"
name="authToken" />
</authentication>
I'm seeing this cookie set in my browser when I log in:
The question is what happens when I put this website in a load balanced model? Where is the ASP.net session cookie being set? I didn't explicitly do it in code, so I assume it's happening behind the scenes somewhere in ASP.Net.
Also, If the session cookie is set by web server A, I assume web server B won't recognize it and treat it as an invalid session. If this is the case, I probably don't want to use it, right?

You'll have to set the machine key to be the same and the name to be the same on both machines. If this is done, you should have no problems load balancing with forms auth.
<authentication mode="Forms">
<forms loginUrl="~/Login/Index" defaultUrl="~/"
name=".myportal"
protection="All" slidingExpiration="true" timeout="20" path="/"
requireSSL="false"></forms>
</authentication>
<machineKey validationKey="534766AC57A2A2F6A71E6F0757A6DFF55526F7D30A467A5CDE102D0B50E0B58D613C12E27E7E778D137058E" decryptionKey="7059303602C4B0B3459A20F9CB631" decryption="Auto" validation="SHA1"/>
Sessions can get slightly more complicated. You can store the ASP.Net session state in the database or use a shared session provider to make it available for load balancing as well.
Here is a good article on storing session state in the DB: http://idunno.org/articles/277.aspx

Related

My asp.net application times out authentication even though I have time outs set in .config

I must be doing something wrong. I have followed instructions to set the timeout on my forms authentication app, but the app never renews the cookie and will time out about every 15mins or so.
I must be missing something that is so obvious it is not mentioned in the literature.
Here is my config info:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" defaultUrl="~/" timeout="120" slidingExpiration="true" cookieless="UseCookies" />
</authentication>
and the session state
<sessionState mode="InProc" customProvider="DefaultSessionProvider" timeout="120">
...
I have tried sliding or not sliding--same time out happens.
Dumb question: do I need something in the code behind (VB) on every page to make sure the postback renews the authentication?
If you are browsing your web application from IIS, check the Idle Time-Out (minutes) property under "Process Model" of the application pool.
If it is 20 minutes, you should change that property value.

forms authentication in Subdomain override authentication in Main domain

I am a fresher in ASP.NET. I have one issue with forms authentication. I have a web application (HPE) with forms authentication, which is already deployed in IIS.
There is an Eligibility web site on the web server, which is developed in classic ASP, and it uses forms authentication. That main web site has links to web applications such as HPE, CHDP, BCCDP etc. When I click an HPE link, I am redirected to the HPE application. I set the HPE ticket timeout to 20 minutes (the same as the main site).
When I stay in HPE for over 20 minutes (doing something to keep the HPE ticket valid) and then click the side bar CHDP link (which points to the CHDP application), it goes directly to the timeout page instead of the CHDP app. Are there any ways that I can go to other pages in the main site while I stay in the HPE application for 20 minutes?
Below is the authentication part for HPE in web.config
<system.web>
<authentication mode="Forms">
<forms name=".HPEAUTH" loginUrl="Logout.aspx?go=login" timeout="20" defaultUrl="/Eligibility/Cookiemonster.asp" requireSSL="false" protection="All" path="/" slidingExpiration="true"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
Sorry, I didn't find any web.config file in the Eligibility (main site) directory. Any idea or thought would be greatly appreciated.
To use the same authentication cookie across multiple applications, you will have to ensure that the machineKey section of your web.config file is set to the same thing on all apps.
From MSDN:
The following example shows the Authentication section of a Web.config file. Unless otherwise noted, the name, protection, path, validationKey, validation, decryptionKey, and decryption attributes must be identical across all applications. Similarly, the encryption and validation key values and the encryption scheme and validation scheme used for authentication tickets (cookie data) must be the same. If the settings do not match, authentication tickets cannot be shared. For information about how to generate values for the validationKey and decryptionKey attributes, see How To: Configure MachineKey in ASP.NET 2.0. (This topic applies to ASP.NET version 2.0 and to later versions.)
<configuration>
<system.web>
<authentication mode="Forms" >
<!-- The name, protection, and path attributes must match
exactly in each Web.config file. -->
<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH"
protection="All"
path="/"
domain="contoso.com"
timeout="30" />
</authentication>
<!-- Validation and decryption keys must exactly match and cannot
be set to "AutoGenerate". The validation and decryption
algorithms must also be the same. -->
<machineKey
validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"
validation="SHA1" />
</system.web>
</configuration>

How SetAuthCookie works for two different site

I would like to know how SetAuthCookie works for different applications on the same server.
Currently I have two similar applications in different virtual directories.
How can I make it so that if I log in to one of them, it doesn't ask me to log in to the other application, and the same for logout?
It is possible if both applications are hosted on the same top level domain. You should specify this domain in your web.config of both applications:
<forms
name="name"
loginUrl="URL"
defaultUrl="URL"
domain="example.com">
</forms>
This way the forms authentication cookie will be emitted with the domain property setup and the client will effectively send it between the 2 applications. Another pre-requisite is that both applications share the same machine keys so that an authentication cookie that was encrypted by the first application can be successfully decrypted by the second application. If both applications are hosted on the same server you could set those machine keys in machine.config, if not then you could set them in web.config of each application:
<system.web>
<!-- No ",IsolateApps" suffix on either key: that modifier mixes the application's virtual path into the key, so two virtual directories would end up with different keys and could not share the cookie. -->
<machineKey decryption="AES" decryptionKey="C03B1AB0BC1ACCD18EA915CBD87373010AD0DEC430A69871" validation="AES" validationKey="C0ED7C430148AD4BC6505085DA4FD0DD3EE2453B566FC4EA4C7B3C2DCAB2025A79C774370CA884DF909CE9A3D379E544B7890D0A1CEE164141D3A966999DC625" />
</system.web>
I've also covered this in the following answer.
Even though the post is old, there is an easy solution: add "name" to the forms tag in web.config, because if you don't give the cookie a name it will have a default one.
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" name="client" />
</authentication>
For the other application, use another name. It works perfectly for me. Good luck.

ASP.NET Forms Authentication on Load Balanced Servers

Are there any possible issues with using the default Forms Authentication (see below) on load balanced servers? If there can be, what can I do to prevent them?
<authentication mode="Forms">
<forms loginUrl="~/Login/" protection="All" timeout="30" />
</authentication>
Can I use cookies (used by default)? Do I have to go cookieless? etc...
Also, does Microsoft (or VMWare) have a VirtualPC download that is an instant Load Balanced testing environment?
There is one issue. The cookies are encrypted and validated using the machine key and the validation key (that's what protection="All" means). You will have to set those in your top-level web.config in all the servers, otherwise each of them will have a different one and will reject cookies set by the others.
You can find a machineKey generator here. Then put the generated xml inside in the web.config of all the servers and you're ready to rock.
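The two load-balancing answers above (the first one and this one) both come down to "put the same machineKey on every server", and the first one also points at moving session state out of the worker process. The following PowerShell script is an added example, not code from any of the posts: it generates a pair of keys once, writes the identical <machineKey> and an out-of-process <sessionState> into every node's web.config, and then compares the <forms> attributes that the MSDN excerpt says must match (name, path, domain, protection). The node paths in $configs, the session database in $sessionDb, and a .NET 4.0 or later runtime are assumptions; HMACSHA256 is not a valid validation value on the 2.0/3.5 runtime, where SHA1 (as in the posted configs) is the fallback.

```powershell
# Added example, not code from the posts above. Assumes .NET 4.0+ and the paths below.

function New-HexKey([int]$ByteLength) {
    # Cryptographically random bytes, rendered as the hex string machineKey expects
    $bytes = New-Object byte[] $ByteLength
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Set-ChildElement([System.Xml.XmlElement]$Parent, [string]$Name, [hashtable]$Attributes) {
    # Replace an existing child of the same name (or create it) so re-running is idempotent
    $old = $Parent.SelectSingleNode($Name)
    if ($old) { [void]$Parent.RemoveChild($old) }
    $new = $Parent.OwnerDocument.CreateElement($Name)
    foreach ($key in $Attributes.Keys) { $new.SetAttribute($key, [string]$Attributes[$key]) }
    [void]$Parent.AppendChild($new)
}

# Generate the keys ONCE; every node receives these same values.
$validationKey = New-HexKey 64   # 64 bytes = 128 hex chars, the full HMAC-SHA256 block size
$decryptionKey = New-HexKey 32   # 32 bytes = 64 hex chars, AES-256

$configs = @(                                                   # assumed node paths
    '\\web01\c$\inetpub\wwwroot\portal\web.config',
    '\\web02\c$\inetpub\wwwroot\portal\web.config'
)
$sessionDb = 'Data Source=sql01;Initial Catalog=ASPState;Integrated Security=True'   # assumed

$formsSeen = @{}
foreach ($path in $configs) {
    [xml]$doc = Get-Content -Path $path -Raw
    $systemWeb = $doc.SelectSingleNode('/configuration/system.web')
    if (-not $systemWeb) { throw "No <system.web> element in $path" }

    Set-ChildElement $systemWeb 'machineKey' @{
        validationKey = $validationKey; decryptionKey = $decryptionKey
        validation    = 'HMACSHA256';   decryption    = 'AES'
    }
    # InProc keeps session inside one w3wp.exe; SQLServer mode is reachable from every node.
    Set-ChildElement $systemWeb 'sessionState' @{
        mode = 'SQLServer'; sqlConnectionString = $sessionDb; timeout = '20'
    }
    $doc.Save($path)

    # name, path, domain and protection must be identical or another node rejects the cookie
    $forms = $doc.SelectSingleNode('/configuration/system.web/authentication/forms')
    if (-not $forms) { throw "No <forms> element in $path" }
    $formsSeen[$path] = (@('name', 'path', 'domain', 'protection') |
        ForEach-Object { "$_=$($forms.GetAttribute($_))" }) -join ';'
}

# Report any node whose <forms> settings differ from the first node's
$reference = $formsSeen[$configs[0]]
foreach ($path in $configs) {
    if ($formsSeen[$path] -ne $reference) {
        Write-Warning "<forms> attributes on $path differ from $($configs[0]): $($formsSeen[$path])"
    }
}
Write-Output "machineKey applied to $($configs.Count) node(s); validationKey is $($validationKey.Length) hex chars"
```

Create the session store once before pointing the nodes at it, with the framework's own tool: `aspnet_regsql.exe -S sql01 -E -ssadd -sstype p` (server name assumed). Anything placed in Session then has to be serializable, which InProc never required. Two caveats a farm owner will hit: do not append ",IsolateApps" to either key when applications in different virtual directories must share the cookie, because that modifier folds the application path into the key; and the posted configs all set requireSSL="false", which lets the ticket travel over plain HTTP. Set requireSSL="true" only if the request reaches ASP.NET over HTTPS, since a balancer that terminates TLS and forwards HTTP will make ASP.NET refuse to issue a secure-only cookie.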

Is there a way to have the second <authentication mode="Forms"> somewhere in my sln?

I have <authentication mode="Windows"> in my web.config.
I do not want to create another solution with <authentication mode="Forms">, but I do need to allow external access to my intranet web app.
There is a way to allow Windows-Authentication-using-Form-Authentication described here
http://dotnetslackers.com/articles/aspnet/Windows-Authentication-using-Form-Authentication.aspx.
Unfortunately, for the above to work, I still need
<authentication mode="Forms">
<forms loginUrl="login.aspx" name=".ASPXFORMSAUTH"></forms>
</authentication>
Is there a way to have the second <authentication mode="Forms"> somewhere in my solution (sln)?
You should take a look at Microsoft ISA Server 2006. You can use it to enable Windows Authentication sessions through an HTML forms login page that stores a cookie on the client. To the ASP.NET web application, the user looks like a Windows Authentication client. ISA Server maintains the mappings of forms authentication to Windows Authentication for you. I've worked on systems that use this with both SharePoint and ASP.NET Windows Authentication and it works great.
