In javascript alert(document.cookie); does not show the .ASPXAUTH Cookie although a sniffer is showing it,
I need it because I have an AJAX Request to the server, the request should not take place when the user is already logged in,
if I cannot check .ASPXAUTH for security reason, what I should do to check whether the user is already logged in.
Thanks
The authentication cookie is marked with http-only, meaning it cannot be accessed by javascript. If you want to check is the user is authenticated, simply output a javascript variable, an hidden field or whatever you prefer from your code-behind. You can then check this easily in JS.
There is a .ASPXAUTH cookie set, you are obviously correct. It is used to determine if a user if logged in.
To get what you need look over your web.config for the config section:
<authentication mode="Forms">
<forms
loginUrl="~/login.aspx"
protection="All"
timeout="30"
name="ExampleSite.FormsAuthentication"
path="/"
requireSSL="false"
slidingExpiration="true"
defaultUrl="index.aspx"
cookieless="UseDeviceProfile"
enableCrossAppRedirects="false"
/>
</authentication>
When the user is successfully authenticated a cookie will be set based off the name="ExampleSite.FormsAuthentication" parameter. It will expire after logging out or after the session expires. You will see a cookie on Chrome/FFX or whatever browser you are using called ExampleSite.FormsAuthentication with an encrypted value. Obviously the name parameter you are using will be different and not ExampleSite.FormsAuthentication but you get the idea.
You could always check and see if the cookie exists. As mentioned be careful of the http-only (with relation to JS). As you can also override that value in the web.config so you can access it with JS.
<httpCookies httpOnlyCookies="false" requireSSL="false" domain="" />
Related
I working on an Formsauthentication sign in functionality.
My session configuration is 1minute,
<sessionState cookieless="false" timeout="1"/>
My forms authentication settings,
<authentication mode="Forms">
<forms cookieless="UseCookies" defaultUrl="~/" loginUrl="~/user/signin" name="PMPLUSWeb" timeout="21680" slidingExpiration="true" />
</authentication>
I set the forms authentication as,
FormsAuthentication.RedirectFromLoginPage(userID, user.RememberMe);
So when I access "HttpContext.Current.User.Identity.Name" I get the userID.
If the session times out (after 1minute), I thought "HttpContext.Current.User.Identity.Name" will also expire. But the value persist, I still get the UserID after 1minute. Where does this value stored?
Is the value read from the cookie and sent via the request?
If the login cookie expires (I'd avoid using the term "session" here), then HttpContext.Current.User will return null and HttpContext.Current.Request.IsAuthenticated will return false
For more information on how User / IsAuthenticated are set, take a look at these two questions.
I have a website, its completely over HTTPS. Even if someone tries to access over HTTP he will be redirected to HTTPS. I am using forms authentication. Recently I changed a setting to make the site more secure and after that Session is not retaining values and is always returning null. The settings are,
<httpCookies httpOnlyCookies="true" requireSSL="true"/>
<sessionState cookieless="false"/>
I have no idea on how to fix this issue. How do I fix this issue? Also, is my site vulnerable if I do not use this setting? consider that everything else is secure.
You question is too general with out many clues, so I can give you some points to move on.
[1] set also the domain on the cookies, with out the www., so the cookie can be read and set even if by mistake the www is missing.
<httpCookies domain="yourdomain.com" httpOnlyCookies="true" requireSSL="true"/>
[2] you also need to setup the <forms... with similar parameters (and what ever else you have set)
<forms name=".klidi" path="/" requireSSL="true" cookieless="UseCookies"
domain="yourdomain.com" enableCrossAppRedirects="false"
slidingExpiration="true" />
[3] you also need to setup the <roleManager with similar parameters.
<roleManager enabled="true" cacheRolesInCookie="false" cookieProtection="All" cookieSlidingExpiration="true"
cookieTimeout="20" domain="yourdomain.com" cookieRequireSSL="true">
and last the most important set this line on your code before you try to set or use any cookie to see if by mistake you did not use secure connection https.
Debug.Assert(HttpContext.Current.Request.IsSecureConnection, "With out https, cookie will not work");
By setting the last line, on your computer when you make your site you can see and diagnose if the problem is coming from non secure connection, because from the moment you set the requireSSL to true, any simple connection will not hold any cookie.
Also try to clear your cookies in the case that the cookie exist as non secure and you have any conflict, and or try other browsers.
You can also read: Can some hacker steal the cookie from a user and login with that name on a web site?
If user directly close their browser without clicking logout then next time they open browser its session will be maintained as it is till they logout explicitly by clicking Logout button
I want to do it in vb.net !
Simply pass true as second parameter when emitting the authentication cookie:
FormsAuthentication.RedirectFromLoginPage(Username, true)
This will create a persistent authentication cookie on the client whose expiration is handled by the timeout property in your web.config:
<forms
loginUrl="~/login.aspx"
defaultUrl="~/default.aspx"
protection="All"
timeout="3600"
</forms>
Use cookies.
I have 2 applications. One on asp.net webforms main.test.com which should provide authentication, user logs in and I can use the cookie to authenticate on my asp.net mvc app located at myApp.test.com.
All I'd like to do is able to access the cookie so I can get the userId that was stored in it using the FormsAuthentication.
They use normal authentication provided by microsoft;
<authentication mode="Forms">
<forms domain="test.com" loginUrl="Default.aspx" protection="All" path="/" requireSSL="false" timeout="45" name=".ASPXAUTH" slidingExpiration="true" defaultUrl="Default.aspx" cookieless="UseDeviceProfile" enableCrossAppRedirects="false"/>
</authentication>
This cookie should be accessible to any submain on test.com right?
Make sure you set your machine keys in each application so they can each decrypt each others data.
http://msdn.microsoft.com/en-us/library/ff649308.aspx
Then make sure you have set your cookie name and path the same in each. Job done, an auth ticket generated in either application should span them both
http://msdn.microsoft.com/en-us/library/ff647070.aspx
Edit: Forgot a bit:
In your web config also set the domain attribute of the httpCookies node to test.com
in the form tag add
domain=".test.com"
What is the best way to keep asp.net or asp.net mvc session active until user logs out?
*User should be able to activate session even after browser or computer restarts...
In another words, what is the best way to implement REMEMBER ME...
You can set the timeout setting to a higher value, but you can't make the difference between a session_end caused by a timeout or by a user that ends his session.
The solution to your problem is probably to restore the user's session in the session_start method in Global.asax.
You can use membership provider for this purpose and set a cookie file at the user browser and check it for authentication
Another idea is to send keep-alive request in background via iframe / ajax / image tag every minute or so.
The best way to be able to do this is to use cookies in your authentication strategy to indicate that a user is logged in. Set your website to use forms authentication, and set the pertinent attributes to use cookies. It can be done in your Web.config file:
<authentication mode="Forms">
<forms loginUrl="Login.aspx"
protection="All"
timeout="30"
name="AppNameCookie"
path="/FormsAuth"
requireSSL="false"
slidingExpiration="true"
defaultUrl="default.aspx"
cookieless="UseCookies"
enableCrossAppRedirects="false"/>
</authentication>
For more information read this: How To: Use Membership in ASP.NET 2.0