In my website, I am not using any authentication or authorization. I've created a login page to capture the user credentials and check them against the database. If the user successfully authenticates, it stores the user data in session and navigates to other pages.
Now I'm thinking of implementing Forms Authentication, but my concern is how to secure the authentication token in the client browser. Does anyone have any ideas how to secure the authentication token?
Session: Fast, Scalable, and Secure Session State Management for Your Web Applications
Authentication: How To: Protect Forms Authentication in ASP.NET 2.0
Step 1. Configure
Ensure that your forms authentication tickets are encrypted and integrity checked by setting protection="All" on the <forms> element. This is the default setting and you can view this in the Machine.config.comments file.
<forms protection="All" ... />
Step 2. Use SHA1 for HMAC Generation and AES for Encryption
<machineKey
validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
decryption="Auto"
validation="SHA1" />
Step 3. Protect Authentication Tickets with SSL
<forms loginUrl="Secure\Login.aspx"
requireSSL="true" ... />
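As an added example (not code from the original answer or from the Microsoft article it quotes), the C# below shows what those three steps mean at runtime: a ticket that Encrypt() protects under the <machineKey> settings, a cookie flagged Secure to match requireSSL="true" (HttpOnly is an extra flag the answer does not list), and Decrypt() rejecting a cookie value that was modified in the browser. It assumes an ASP.NET Web Forms application context; the user name "alice" and the 30-minute lifetime are made-up values.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not from the original answer. Issues a forms ticket the way
// <forms protection="All"> protects it, flags the cookie, and shows that a
// modified cookie value is rejected. Must run inside an ASP.NET application
// (e.g. Login.aspx code-behind); "alice" and the 30-minute lifetime are made up.
public static class TicketDemo
{
    public static HttpCookie IssueCookie(string userName, int minutes)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(minutes),
            false, String.Empty, FormsAuthentication.FormsCookiePath);
        // Encrypt() applies the <machineKey> protection (encryption + HMAC under
        // protection="All"); the browser only ever sees this opaque string.
        string encrypted = FormsAuthentication.Encrypt(ticket);
        // No Expires: a session cookie; the ticket's expiry is checked server-side.
        return new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                          // keep it out of script
            Secure = FormsAuthentication.RequireSSL,  // mirrors requireSSL="true"
            Path = FormsAuthentication.FormsCookiePath
        };
    }

    // Returns the user name when the cookie value validates and is unexpired,
    // otherwise null. Decrypt() throws when the HMAC or format check fails.
    public static string TryReadTicket(string cookieValue)
    {
        try
        {
            FormsAuthenticationTicket t = FormsAuthentication.Decrypt(cookieValue);
            return (t == null || t.Expired) ? null : t.Name;
        }
        catch (Exception) { return null; }
    }

    public static void Demo()
    {
        HttpCookie c = IssueCookie("alice", 30);
        Console.WriteLine(TryReadTicket(c.Value));   // the issued name comes back
        // Flip the last hex digit: ciphertext and HMAC no longer match.
        char last = c.Value[c.Value.Length - 1];
        string tampered = c.Value.Substring(0, c.Value.Length - 1) + (last == '0' ? '1' : '0');
        Console.WriteLine(TryReadTicket(tampered) ?? "rejected");
    }
}
```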
Related
I have implemented SSO into my ASPX application and set the authentication mode as follows:
<authentication mode="Windows" />
Is it possible to enforce a session timeout for applications which use the authentication mode from above?
I'm working on an asp.net mvc web app that is supposed to:
Automatically login someone if they are a valid user in Active Directory.
If the client is outside of the network (they're at home or whatever), allow them to manually login with their AD credentials through a login form.
I'm very new to AD authentication, and I'm confused as to whether I should be using Forms Authentication or Windows Authentication.
I have this in my web.config:
<add name="ADConnect" connectionString="LDAP://[something]/CN=dhr,DC=[something],DC=net" />
If I set: <authentication mode="Windows">
I can check User.Identity.IsAuthenticated in the controller to determine if they're logged in. If they're not, am I supposed to use this?:
Membership.ValidateUser("someguy", "somepass");
I get an error about making a secure connection to the server if I run the above. I have this as my provider:
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
<providers>
<clear />
<add name="AspNetActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
connectionStringName="ADConnect" attributeMapUsername="sAMAccountName"
/>
</providers>
</membership>
Typically, network administrators prevent web applications that use Windows authentication from being exposed to the internet for security reasons. This is definitely possible, but you need to make sure that the second scenario is valid and possible in your organization. A common scenario to connect from the internet is to use a VPN, which will log you in to the network (meaning you will be authenticated against AD).
To perform only authentication for the first scenario you do not need the AspNetActiveDirectoryMembershipProvider. Authentication (validation of user identity) usually only requires the following to be set:
in web.config: authentication mode="Windows" and authorization
on IIS: set Integrated Windows Authentication to ON
on IIS: if you have the second scenario (or if you have different domains, etc.) keep anonymous access ON - it should prompt with the standard login prompt; otherwise set it OFF
I have developed an ASPNET WebAPI service that uses form authentication with cookies.
I also have a main website which authenticates against my ASPNET WebAPI and serves some content from it.
So my workflow basically is:
Client/Browser authenticates against the main website.
Main website (server) authenticates against ASPNET WebAPI and receives an authentication cookie.
After logging in the client will need to access some content of the ASPNET WebAPI via server and also via browser.
I would like to know if it is possible to re-use, in the browser, the same cookie that the server received. Ideally my website server receives the cookie and pushes it to the client browser. I am assuming that ASPNET Authorisation cookies are not IP-specific, since the client browser and the server IPs are different.
Thanks.
It should be possible by modifying your configuration such as:
<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH"
protection="All"
path="/"
domain="yourdomain.com"
timeout="30" />
Remember that both sites must be on the same domain, and the cookie path must be set to a common root or /.
I am trying to make a mixed-mode authentication to be able to put some users on Federated authentication and others on Forms authentication.
I am working with WIF. I set up my STS and everything is happy when I am in federated mode, by turning off all the authentication this way:
<authorization>
<deny users="?" />
</authorization>
<authentication mode="None" />
I log in to my main application, then when I log in to my side application it lets me log in silently since the session cookie is already generated and the user is authenticated.
But when I use Forms authentication, when I log in to my side application it takes me to the login page, which I understand because the user is not authenticated, but it seems that even with the session cookie it is not silently redirecting.
I know that I need to redirect on EndRequest to the STS to authenticate the user, and if the user is already authenticated then it will generate a FedAuth cookie and log me in silently.
Does anybody know how to implement this? I didn't find resources about it when I researched.
Alaa
For all who need to set up federated user authentication in an asp.net app, the following link might be extremely helpful:
http://blog.elis-co.com/wif-sso-and-forms-authentication-in-asp-net/
Also, the HTTP modules included in the config from the link above are outdated, so correct them with the ones from the following article:
https://learn.microsoft.com/en-us/dotnet/framework/security/how-to-build-claims-aware-aspnet-web-forms-app-using-wif
I'm using Forms Authentication in my current ASP.NET Web Application (not MVC) and my IIS 6 server is configured with the following options:
in the [directory security tab] -> [Authentication Methods] I have:
the anonymous access Enabled
Integrated windows authentication Enabled
Do the above options prevent Forms Authentication from working properly? In other words, what is the proper IIS 6 configuration for Forms Authentication?
EDIT
I just made a test with the two options above enabled, and the Forms Authentication session expired and redirected me to the login page, but all the answers so far advise that [Integrated windows authentication] should be off!
Here is a checklist for using ASP.NET Forms Authentication on IIS 6.
Configure IIS:
In IIS, Site Properties -> Directory Security -> Authentication and Access Control
Enable Anonymous Access
Disable all Authenticated access methods
Configure Forms Authentication:
Configure Forms Authentication in your site's web.config:
<authentication mode="Forms">
<forms name="MySite"
path="/"
loginUrl="~/logon.aspx"
protection="All"
timeout="30"
slidingExpiration="true" />
</authentication>
Your name and loginUrl may vary. The slidingExpiration attribute is used to keep extending the forms authentication cookie lifetime rather than just kicking the user off the site after the timeout has expired. The timeout value is in minutes.
Configure Session Timeout:
You need to configure your session state timeout to be longer than your Forms Authentication ticket expiry. If you don't, an idle session can time out the session but leave the user logged in. Code that expects Session values to be present will throw exceptions because they are gone, even though the user is still authenticated. The timeout value is also in minutes.
<sessionState mode="InProc" timeout="40" />
Because forms authentication does not rely on IIS authentication, you should configure anonymous access for your application in IIS if you intend to use forms authentication in your ASP.NET application.
See here http://msdn.microsoft.com/en-us/library/ff647070.aspx for more information.
Anonymous access should be enabled. I don't think integrated windows authentication makes a difference, but if you're not going to need it then it's best to turn it off. The important thing to remember is to make sure it's turned on in web.config:
<authentication mode="Forms" />
Here's a basic tutorial that might be useful:
Overview of Forms Authentication
Anonymous access -> checked
All other options on the security tab -> unchecked
Note, forms authentication is done by .NET - not by IIS. Also, Windows Authentication MUST be off as well.
Rather technical explanations by MS.