I'm running the latest version of YetAnotherForum in a folder beneath my main WebApplication. The subfolder is configured as an application in IIS and navigating to the folder and logging in works wonderfully. YAF is setup with a membership provider and uses Forms Authentication.
What I'm trying to do now is to auto login a user into the forum from the main website. The main website uses custom authentication through sessions and cookies. It doesn't use any of the built in ASP.NET authentication or membership components.
So basically what I want to happen is that when a user click on a link to access the forums, they're sent to a processing page that authenticates them into the YAF Application before it sends them over to the subfolder.
Even though the main app doesn't use the built in authentications pieces, I've still set the authentication mode to forms and made sure the tag beneath that matches the one in the YAF web.config. Then, on the processing page I'm calling FormsAuthentication.SetAuthCookie(username, true), then redirecting. But YAF kicks me back to the login page anyway. Not sure where to go from here.
Main site is:
example.com/
web.config:
<authentication mode="Forms">
<forms name=".YAFNET_Authentication" protection="All" timeout="43200" cookieless="UseCookies" />
</authentication>
YAF is:
example.com/yaf (Seperate WebApplication in IIS)
web.config
<authentication mode="Forms">
<forms name=".YAFNET_Authentication" protection="All" timeout="43200" cookieless="UseCookies" />
</authentication>
Processing page is: (in pseudo)
example.com/autoLogin.aspx.cs
public void AutLogin(){
string userName = doStuffToGetUsername();
YAFStuff.CreateUserIfNeeeded(userName);
FormsAuthentication.SetAuthCookie(userName, true);
Response.Redirect("/yaf/");
}
I'd been searching Google for 2 days trying to sort this out, but I finally stumbled onto the solution. I needed a MachineKey that matched on both web.config files for the encryption process.
http://forum.yetanotherforum.net/yaf_postst8780_Custom-membership-and-role-provider-with-YAF-Profile-provider.aspx
Sweet!
Related
I've a ASP.Net 4.5.2 Webforms Website that was running just fine. Since last two days, I 401 Unauthorized for all the static files. I've not made any changes to the website code. I tried re-installing IIS but still no success (IIS 10/Win10)
Here is the authentication block from my root web.config
<authentication mode="Forms">
<forms loginUrl="/l/login" timeout="28400" />
</authentication>
please open windows file explorer, add "Authenticated Users" to application folder security setting.
I have a asp.net webform application (ProA). It was built some time ago by someone else, although I can access source code. Now, I finished another application which is a MVC5 (ProB).
ProA uses asp.net membership for authenticate users. ProB is not using any membership. Now, we want to add user authenticate to ProB, and also some parts of ProB is using username as parameter for some data.
Now, we want to force user login from ProA, then maybe click a link/button, redirect the user to ProB. In ProB, we create an authorize filter to verify the user has the right, then show the pages.
I have tried to use forms authentiction across applications, described in: Forms Authentication Across Applications . But it does not work. The changes I made in web.config is:
<authentication mode="Forms">
<forms name="X.ASPXAUTH" loginUrl="~/Login.aspx" path="/"
protection="All"
enableCrossAppRedirects="true"
/>
</authentication>
Could it be because that one is webform and the other is MVC? Also, ProB actually does not have any membership installed yet, does it affect this form authentiction?
Any other suggestions?
Thanks.
--- Added more info:
1) I'm testing on my local machine. I run both sites in VS2012. What should I use for domain? "localhost"? ".localhost"? or, not use domain at all? seems not working.
2) I added a button on ProA, when clicked, use this redirect to ProB:
HttpContext.Current.Response.Redirect("http://localhost:12345/", false);
Is this the correct way? The HttpContext has the user identity.
3) Does ProB have to have membership? Now, ProB does NOT have membership feature, is it the reason?
You shouldn't have any issues with sharing the authentication across web forms and MVC apps. The underlying technology is the same, .Net uses an encrypted to cookie which has the forms auth ticket.
Read the following MSDN article: https://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx
The main things to note are the domain reference and the machineKey config.
The domain attribute of the forms auth config allows the browser to include that auth cookie with the requests sent to each site. Then the machineKey portion is the part that handles the encryption/decryption.
Both sites must have the config setup up identically for this to work, and also be running on the same domain i.e. xyz.contoso.com and abc.contoso.com
web.config
<configuration>
<system.web>
<authentication mode="Forms" >
<!-- The name, protection, and path attributes must match
exactly in each Web.config file. -->
<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH"
protection="All"
path="/"
domain="contoso.com"
timeout="30" />
</authentication>
<!-- Validation and decryption keys must exactly match and cannot
be set to "AutoGenerate". The validation and decryption
algorithms must also be the same. -->
<machineKey
validationKey="[your key here]"
decryptionKey="[your key here]"
validation="SHA1" />
</system.web>
</configuration>
EDIT
Use the following link to generate your machine keys: http://www.developerfusion.com/tools/generatemachinekey/
I have an ASP.NET MVC 3 Beta application running on IIS. In my web.config I defined following section responsible for forms authentication:
<authentication mode="Forms">
<forms
loginUrl="~/Account/LogOn"
name=".VNK"
protection="All"
timeout="43200"
cookieless="UseCookies" />
</authentication>
The defined login address is ~/Account/LogOn.
When I try to get the login url using:
FormsAuthentication.Initialize();
string loginUrl = FormsAuthentication.LoginUrl;
I receive: /VNK/site/Account/Login
Why do I get a different address from the one defined in web.config?
UPDATE: The "/VNK/site/" prefix is not a problem here. The problem is that LoginUrl property of FormsAuthentication class does not reflect the value from web.config. It means that if I change the value of loginUrl attribute in web.config from "~/Account/LogOn" to e.g. "~/foobar", FormsAuthentication.LoginUrl still has value of "/VNK/site/Account/Login". Why ?
I think there is a bug in ASP.NET MVC 3 Beta. This problem does not appear in previous releases of ASP.NET MVC.
If anyone wants to replay this error, he should follow this:
1.Download the mvc framevork.
2.Create new ASP.NET MVC 3 Web Application
3.Applay Authorize attribute on About action in HomeController
[Authorize]
public ActionResult About()
{
return View();
}
4.Start application and invoke About action by clicking on About tab. You will get server error, because application is trying to redirect You to such URL:
http://localhost:[port_num]/Account/Login?ReturnUrl=%2fHome%2fAbout
There is obviously no Login view. There is LogOn view. Url to LogOn action is defined in untouched web.config:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
But application does not reflect that. Have anyone any clue what's going on ?
UPDATE:
I was right, there is a bug in MVC 3 Beta. From known issues:
"There’s a known issue that causes Forms Authentication to always redirect unauthenticated users to /Account/Login, ignoring the forms authentication setting used in Web.config. The workaround is to add the following app setting."
<add key="autoFormsAuthentication" value="false" />
UPDATE 2:
Alexander Prokofyev noticed, that ASP.NET 3 RTM looks for another setting. So you need this line instead:
<add key="loginUrl" value="~/LogOn" />
If you have access to IIS, then append a new application and enable ASP.NET "integrated pipelining" in application pool section by double clicking it.
If your hosting provider does not grant you access to IIS,
then login to the control panel.
Go to websites, under the management tab- enable ASP.NET integrated
pipe lining.
Set your application as a virtual directory
(It worked for me)
So the simple solution was to remove WebMatrix.*.dll from Bin folder in web project. I have done this for my asp.net project since it was redirecting my login to mvc style url.
Updated answer for MVC 4, heavily borrowed from this page and Request redirect to /Account/Login?ReturnUrl=%2f since MVC 3 install on server
<appSettings>
...
<add key="PreserveLoginUrl" value="true" />
</appSettings>
...
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="43200" /> <!--43,200 in minutes - 30 days-->
</authentication>
Put the following in appSettings:
<add key="loginUrl" value="~/Account/LogOn" />
You could empty loginUrl from Form Authentication configuration.
I removed the following from my web.config
<remove name="FormsAuthentication" />
and then everything seemed to work. This text had been added by default when I created my project.
The tilde (~) means "the root of my web site" so you don't have to keep using .. or \ to step up and down the web site structure. However, from an IIS perspective you web application may have an additional layer of directory structure which is being reflected when you request the LoginUrl programmatically. I'm unsure as to why you want to retrieve the LoginUrl, the normal state of affairs would have IIS redirect the user to the LoginUrl automatically any time they try to access a page that they are not authenticated for.
I think the server has trouble deciding what ~ means in this case, try giving a more direct url to the login page, such as /Account/LogOn.
Maybe you'll find something useful here http://msdn.microsoft.com/en-us/library/xdt4thhy.aspx
Hi have form authenticaion for my site, and it works fine on localhost and godaddy, but after moving to another hosting it stop working.
After login in admin area after 2-3 minutes I redirecting back to login screen.
Does anybody know if I change some settings on IIS or what is the source of the problem?
My code looks like
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="10000" slidingExpiration="true"/>
</authentication>
FormsAuthentication.SetAuthCookie(userName, rememberMe);
If your application domain is being shut down and you have no machineKey section in Web.config (or validationKey/decryptionKey="AutoGenerate") you will get new validationKey/decriptionKey after every application start and authentication cookies will become invalid. Visit http://aspnetresources.com/tools/keycreator.aspx and add generated machineKey section into your Web.config.
I've converted a web site to a web application and am now experiencing a strange behavior with the application. Essentially, there are 2 webs. One web site is the main, front-facing site written in ASP.NET 1.1 but with the Membership piece added from 2.0. The other is a former web site now grown up to a web application.
It seems as though when I login to the web site (project 1), I get properly redirected to the web app (project 2) properly. However, any link I click on sends me back to login on the web site (project 1). The machine keys are the same and all of the forms authentication properties are the same.
I've stopped IIS several times and deleted the files in the temporary folder and still no go. Very frustrating.
Here is an example of my forms element for my web app:
<forms domain="beta.domain.com" name=".ASPXAUTH" loginUrl="http://beta.domain.com/" protection="All" timeout="600" path="/" requireSSL="true" slidingExpiration="true" defaultUrl="https://beta.domain.com/app/" enableCrossAppRedirects="true"/>
Here is an example of my forms element for the web site:
<forms name=".ASPXAUTH" enableCrossAppRedirects="true" timeout="600" defaultUrl="/QueryStringAuthenticate.aspx" loginUrl="/" protection="All" slidingExpiration="true" cookieless="UseDeviceProfile" domain="beta.domain.com" />
Then on both I have the same machine key value specified. The QueryStringAuthenticate.aspx page in the web site hasn't changed. It still does the same thing it always did (obtain the cookie name [.ASPXAUTH] and cookie value [authentication token]).
I finally got it. It actually had nothing to do with the authentication itself, but rather the browser settings. Apparently, someone had modified our image file for dev machines to add the site in the trusted sites for HTTPS, but did not add it without the HTTPS. So, IE was dropping the connection somewhere. Either adding both with and without the HTTPS or removing those entries resolved the issue.