How do I create an Authentication Cookie in a custom MembershipProvider? - asp.net

I'm trying to create a custom MembershipProvider and I was wondering how I would add my user information to the Authentication Cookie that ASP.NET uses. My goal is to get my authentication to work for both the website and the WCF service with ASP.NET Compatibility mode enabled.

You are using a MembershipProvider in your application, so all you have to do is use the built-in Login control and set its provider property to the type of your MembershipProvider. FormsAuthentication will take care of creating authentication cookies for your users.
You need to specify the URL of your default page [where your users will go after a successful login] and the URL of the login page which hosts the Login control. FormsAuthentication will check whether the user is authenticated; if it finds the user is not logged in and your ASP.NET page demands authentication, FormsAuthentication will redirect the user to the login page specified in web.config's forms authentication section.
That is how you leverage providers in ASP.NET 2.0+: you need not do things explicitly, everything is configurable.
Here are some links for your reference, which will guide you through what you need.
http://msdn.microsoft.com/en-us/library/879kf95c.aspx
http://quickstarts.asp.net/QuickStartv20/aspnet/doc/ctrlref/login/login.aspx
http://www.asp.net/learn/videos/video-7420.aspx
http://www.asp.net/learn/videos/video-148.aspx
http://www.asp.net/learn/videos/video-47.aspx
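As an added example (not code from the question or the answer above), this is the login-side code that actually issues the cookie when the Login control's default ticket is not enough, for instance to carry extra user data that a WCF service running with aspNetCompatibilityEnabled="true" can read from HttpContext.Current.User; it assumes the custom provider is configured as the default provider under <membership> in web.config.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example. The provider itself never writes the cookie: the login page
// calls Membership.ValidateUser (dispatched to the configured provider) and
// then issues a FormsAuthenticationTicket whose UserData carries the extra
// user information. Pages and the WCF service see the same FormsIdentity.
public static class AuthCookieHelper
{
    // Returns true when the provider accepted the credentials and the
    // encrypted ticket has been appended to the response.
    public static bool SignIn(HttpContextBase ctx, string userName, string password, bool persistent)
    {
        if (!Membership.ValidateUser(userName, password))
            return false;

        MembershipUser user = Membership.GetUser(userName);
        // UserData is encrypted and MACed with <machineKey>, but keep it small
        // (cookie size) and free of secrets (it still lives on the client).
        string userData = "uid=" + user.ProviderUserKey + ";email=" + user.Email;

        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.Add(FormsAuthentication.Timeout),
            persistent, userData, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                           // not readable from script
            Secure = FormsAuthentication.RequireSSL,   // honour <forms requireSSL>
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent)
            cookie.Expires = ticket.Expiration;        // otherwise a session cookie

        ctx.Response.Cookies.Add(cookie);
        return true;
    }

    // Read the extra data back on a page or in the WCF service. The
    // FormsAuthenticationModule has already validated and decrypted the
    // cookie, so this is just a cast; null means no valid ticket.
    public static string GetUserData(HttpContextBase ctx)
    {
        if (ctx.User == null) return null;
        var identity = ctx.User.Identity as FormsIdentity;
        return identity != null && identity.IsAuthenticated ? identity.Ticket.UserData : null;
    }
}
```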

Related

Sharing sessions between DNN and Custom app

I have set up a DNN website with the domain www.abc.com. Now I need to build a custom application in ASP.NET and host it in the domain www.custom.abc.com.
The users who have logged into DNN (www.abc.com) should not be prompted to log in again at www.custom.abc.com.
Basically, I want to share the sessions used by DNN with my custom application. Is this possible? I need some ideas for a starting point.
If you wish to share the authentication cookie, you can do so by setting the same keys in the web.config.
Please check Forms Authentication Across Applications.
Sharing sessions is a bit more difficult if those are two different applications, and it would require some custom coding.
Maybe you can add some logic in the global.asax Application_BeginRequest event to check if the user authentication cookie exists (User.Identity.IsAuthenticated), and if the user is authenticated but the session is NULL, just recreate the needed session.
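One way to implement the "recreate the session" idea in the custom app's Global.asax, as an added example that is not part of the answer above; it assumes both applications share <machineKey> and the same forms cookie name, path and domain (".abc.com") so the DNN ticket validates here, and that this app's membership provider points at the same user store.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example. Session state is attached in AcquireRequestState, so the
// check runs in PostAcquireRequestState rather than BeginRequest (where
// Session is still null). Only the forms ticket crosses the two apps; the
// DNN session itself cannot be read from here, so rebuild what this app needs.
public class Global : HttpApplication
{
    private const string ProfileKey = "UserProfile";

    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.Session == null)                  // request has no session (e.g. static file)
            return;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return;                               // anonymous: nothing to rebuild
        if (ctx.Session[ProfileKey] != null)
            return;                               // already rebuilt on an earlier request

        // The name comes from the validated ticket, never from the client directly.
        ctx.Session[ProfileKey] = LoadProfile(ctx.User.Identity.Name);
    }

    // Look the user up in the shared membership store; tolerate a missing
    // record so a valid ticket for an unknown account does not throw.
    internal static UserProfile LoadProfile(string userName)
    {
        MembershipUser user = Membership.GetUser(userName);
        return user == null
            ? new UserProfile { UserName = userName }
            : new UserProfile { UserName = userName, Email = user.Email, LastLogin = user.LastLoginDate };
    }
}

public class UserProfile
{
    public string UserName { get; set; }
    public string Email { get; set; }
    public DateTime? LastLogin { get; set; }
}
```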

SPA Get Data per User

I have built a SPA application with Hot Towel (durandal) and I have trouble understanding the authentication.
When I am loading data from my database, how can I filter this data to the currently logged-in user id?
Thanks for the help,
Best Regards
If your SPA is calling asp.net of any kind on the back end you can still use Forms Auth cookies to secure your ajax endpoints and identify the user making the request. Depending on how SPA-like you need it, you can just use a standard aspx or mvc login page, then from there redirect the user to your SPA start page that calls your main.js and starts your SPA. All ajax calls you make to that site will have the Forms Auth cookie set and you can use it to verify the user making the request. Here is a link to standard forms auth. If you want to handle the login process in durandal as well, that can still be done; you just need to make your ajax endpoints for logging in and out allow anonymous and then handle setting the forms auth cookie in them.
On the server-side, referencing User.Identity in the controller will get you the properties of the currently authenticated user. The question is, what form of authentication does your application use (Windows, Forms, Basic, Anonymous, etc.)?
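The login/logout endpoints and the per-user data filter described in the two answers above, as an added example that is not part of either answer; it assumes ASP.NET Web API 2 with attribute routing enabled (config.MapHttpAttributeRoutes()), which the Hot Towel template's server side can use, and the note data is constructed inline.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Web.Http;
using System.Web.Security;

// Added example. Login and logout are anonymous and set or clear the forms
// cookie; the data endpoint requires the cookie and filters by the name the
// FormsAuthenticationModule put on User.Identity, never by a client-supplied id.
public class LoginModel { public string UserName { get; set; } public string Password { get; set; } }

public class Note { public string Owner { get; set; } public string Text { get; set; } }

[Authorize]                                // everything here needs the forms cookie...
public class NotesController : ApiController
{
    private static readonly List<Note> Store = new List<Note>   // constructed sample data
    {
        new Note { Owner = "alice", Text = "alice's note" },
        new Note { Owner = "bob",   Text = "bob's note" },
    };

    [AllowAnonymous]                       // ...except login, which issues it
    [HttpPost, Route("api/login")]
    public IHttpActionResult Login(LoginModel model)
    {
        if (model == null || !Membership.ValidateUser(model.UserName, model.Password))
            return Unauthorized();         // 401: durandal can switch to its login view
        FormsAuthentication.SetAuthCookie(model.UserName, createPersistentCookie: false);
        return Ok();
    }

    [AllowAnonymous]
    [HttpPost, Route("api/logout")]
    public IHttpActionResult Logout()
    {
        FormsAuthentication.SignOut();     // clears the forms cookie
        return Ok();
    }

    // GET api/notes: a caller without a valid cookie gets 401 before this runs.
    [HttpGet, Route("api/notes")]
    public IEnumerable<Note> GetMine()
    {
        string me = User.Identity.Name;    // taken from the validated ticket
        return Store.Where(n => n.Owner == me).ToList();
    }
}
```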

.NET Membership and Cookies?

Hi,
I need to determine how my site uses cookies to inform the user in a proper way.
The solution is an ASP.NET MVC website using .NET Membership. I'm storing data in sessions on the server but nothing is saved manually to cookies on the client. I suppose however that the ASP.NET Membership is using cookies (for autologin) but I'm not sure which data it really stores on the client?
Could you please explain or give me a link for this?
Best Regards
The forms authentication ticket (the cookie on the client) stores values such as the username and cookie expiration time along with some other boolean fields related to the remember me checkbox and sliding expiration. This is if you use cookie-based forms authentication which is the default and a typical choice. More information can be found at the following site:
Forms Authentication Explained
It is important to note that sessions and the forms authentication ticket (cookie) are not related in any way. You can have a session without being logged in and you can login and never touch the session object. This is an important difference.
EDIT
This cookie is not used for 'auto login'. After authentication, putting in a username and password, the cookie is created and is used for authorization - can you access these resources - throughout your site.
ASP.NET Membership enabled sites will have up to 3 cookies:
Session token
Authentication token
Roles cache (if enabled in web.config)
To see them, open your site in the browser of your choice, log in, and inspect the cookies. In IE it's Tools -> Internet Options -> Settings (next to Browsing History) -> View Files
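A server-side counterpart to inspecting the cookies in the browser, as an added example that is not part of the answer above: it decrypts the forms ticket to list exactly the fields it carries, and assumes the default session cookie name "ASP.NET_SessionId" (change it if <sessionState cookieName> is set).

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

// Added example. The browser only sees opaque values: the forms ticket is
// encrypted and MACed with <machineKey>, and so is the roles cookie. Only the
// server can open them, and the ticket never contains the password.
public static class CookieInspector
{
    public static IDictionary<string, string> Describe(HttpContextBase ctx)
    {
        var result = new Dictionary<string, string>();
        HttpCookieCollection cookies = ctx.Request.Cookies;

        HttpCookie session = cookies["ASP.NET_SessionId"];
        result["session"] = session == null
            ? "(none)" : "opaque id, " + session.Value.Length + " chars";

        HttpCookie auth = cookies[FormsAuthentication.FormsCookieName];
        if (auth == null)
        {
            result["auth"] = "(none)";
        }
        else
        {
            try
            {
                FormsAuthenticationTicket t = FormsAuthentication.Decrypt(auth.Value);
                result["auth"] = string.Format(
                    "name={0}; issued={1:u}; expires={2:u}; persistent={3}; userData='{4}'; path={5}; version={6}",
                    t.Name, t.IssueDate, t.Expiration, t.IsPersistent, t.UserData, t.CookiePath, t.Version);
            }
            catch (Exception)
            {
                // MAC or decryption failure: tampered, expired-key or foreign cookie.
                result["auth"] = "(present but not valid for this application)";
            }
        }

        // Roles.Enabled is checked first: the other Roles members throw when
        // the role manager is not configured.
        HttpCookie roles = Roles.Enabled && Roles.CacheRolesInCookie ? cookies[Roles.CookieName] : null;
        result["roles"] = roles == null
            ? "(none)"
            : string.Join(",", new RolePrincipal(ctx.User.Identity, roles.Value).GetRoles());
        return result;
    }
}
```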

ASP.NET Form Authentication + NTLM + LDAP

I'm trying to add LDAP support to an existing ASP.NET website that uses Forms Authentication. This is not a big problem: I just build a simple login dialog (ordinary HTTP POST), query the LDAP directory and log the user in via a Forms Authentication ticket.
It would be extremely nice to automatically get the user's credentials via NTLM (Integrated Windows Authentication) without the need for a login dialog (like what you get when using ASP.NET Windows Authentication with computers in the same Active Directory). Is there an easy way to do this (keep in mind, I can't use Windows Authentication for my ASP.NET app and the server is not in an Active Directory domain; I need to be able to query the LDAP directory manually)? Or would I have to manually do all the LDAP handshaking / challenge/response thingy?
Thanks for your help,
~ saxx
I do just this on my intranet here. These are the steps I use...
Create a login page (login.aspx seems good) & set the web app up for forms authentication. Set authorisation to deny anonymous. This means any attempt to use your app will cause the user to be redirected to your login page if they don't have an auth ticket.
Now the important step. In IIS, set the app to allow anonymous only. On your login page change this to only be Windows Integrated. Now what happens is that when the user is bounced to your login page, IIS forces an NTLM authentication. We now have the user's name in the headers.
Second important step: in the Page_Load method add:
FormsAuthentication.RedirectFromLoginPage(Request.ServerVariables["Logon_user"], false);
What this does is take the username IIS will always give us and put it into a forms auth ticket.
There's of course a certain amount of tidying up you may want to do, perhaps adding a logout feature, or stripping the domain name from the username.
Simon
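The login.aspx code-behind for the setup described above, as an added example that is not part of the answer; it assumes only login.aspx has Windows Integrated enabled in IIS, so by the time Page_Load runs IIS has completed NTLM and LOGON_USER holds DOMAIN\user, and it includes the domain-stripping tidy-up the answer mentions.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Added example. The user name is trusted because IIS set LOGON_USER after a
// successful NTLM exchange; it is not a value the client can simply post.
public partial class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string logonUser = Request.ServerVariables["LOGON_USER"];
        if (string.IsNullOrEmpty(logonUser))
        {
            // Integrated auth did not complete (non-domain client, or the page
            // still allows anonymous in IIS): leave the ordinary form visible.
            return;
        }

        // Caveat: stripping the domain merges "CORP\jsmith" and "OTHER\jsmith"
        // into one forms user; keep the domain if more than one is in use.
        string userName = StripDomain(logonUser);

        // Issue the forms ticket and send the user to the originally requested page.
        FormsAuthentication.RedirectFromLoginPage(userName, false);
    }

    // "CORP\jsmith" -> "jsmith"; "jsmith@corp.local" -> "jsmith"; "jsmith" -> "jsmith"
    internal static string StripDomain(string logonUser)
    {
        int slash = logonUser.LastIndexOf('\\');
        if (slash >= 0)
            return logonUser.Substring(slash + 1);
        int at = logonUser.IndexOf('@');
        return at > 0 ? logonUser.Substring(0, at) : logonUser;
    }
}
```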

ASP.NET - Detect if user is authenticated with Active Directory?

We have an SSO solution with ADFS for logging into our web app; we also have a standard setup that uses authentication with our database. I want to set up a solution that allows for both. So now I am trying to figure out, is there any way for ASP.NET to detect if a user is authenticated with Active Directory so I could do this on the fly? If the user is logged in through AD, send them through ADFS, else show the login screen. Any idea?
I also realize that this may not work if they are set up to use forms-based authentication only after the ADFS process is started.
Yes... In IIS, enable integrated authentication, basic, and anonymous. All the real work is done in HttpModules that are registered in the root Web.config (e.g. in the runtime CONFIG folder). The built-in Authentication HttpModule will set the user Principal once authenticated if authenticated via integrated credentials. You can add your own to be fired after it. If the IIdentity (e.g. User.Identity) has IsAuthenticated set to false then you know they were not authenticated and can then redirect them. If it is set to true, you can then replace the IPrincipal with one that contains roles that are germane to your application.
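The "add your own module after it" step from the answer above, as an added example that is not part of the answer; it assumes the module is registered under <system.webServer><modules> after the built-in authentication modules so it runs in PostAuthenticateRequest, and that the application's own roles come from the configured role provider.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example. Request.LogonUserIdentity is the identity IIS established
// (anonymous when integrated/basic auth did not happen), so it is checked
// directly rather than relying on which module last touched context.User.
public class DualAuthModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        WindowsIdentity windows = ctx.Request.LogonUserIdentity;

        if (windows != null && windows.IsAuthenticated && !windows.IsAnonymous)
        {
            // Authenticated by Active Directory: keep the identity, replace the
            // roles with the application's own (the AD groups are not used here).
            ctx.User = new GenericPrincipal(windows, LookupApplicationRoles(windows.Name));
            return;
        }

        if (ctx.User != null && ctx.User.Identity.IsAuthenticated)
            return;   // already holds a forms ticket from an earlier database login

        // Not authenticated by AD: send to the forms login page, skipping the
        // login page itself so the redirect cannot loop.
        string loginPath = FormsAuthentication.LoginUrl;   // from <forms loginUrl="...">
        if (!ctx.Request.Path.StartsWith(loginPath, StringComparison.OrdinalIgnoreCase))
            FormsAuthentication.RedirectToLoginPage();
    }

    // Map the AD account to application roles via the configured role provider;
    // an AD user with no application roles gets an empty role set, not a failure.
    private static string[] LookupApplicationRoles(string domainUser)
    {
        return Roles.Enabled ? Roles.GetRolesForUser(domainUser) : new string[0];
    }

    public void Dispose() { }
}
```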