I've got two ASP.Net applications residing in two different folders on my server:
/Foo <-- this is the standard unsecure application
/Secure <-- this is a separate application that requires SSL by IIS
The problem is that by default, the ASP.NET_SessionId cookie is specified on the domain and is shared between the two applications in different directories. I need the session cookie to be different because I can't allow a hijacked cookie on /Foo to be used to grant access to the /Secure application.
Ideally, I would like each application's cookie to be limited by the cookie Path property. There's apparently no way to do this in .Net out of the box.
As an added headache, even if I write custom code to set the cookie path, I'm fearful that some browsers are case sensitive and won't use the same session cookie for /Foo and /foo, which, depending on how the links are built, can result in multiple sessions in the same application.
Has anyone encountered and overcome this issue?
In .Net 2.0 and above, you can set the "cookieName" attribute of the "sessionState" XML element in your web.config to different values for each of your applications. That will keep them from using the same session ID.
Here's the MSDN reference for this.
Check the icon for your /Secure folder in IIS.
If it has a cog icon then it's a separate application, the sessions should be different, and the app will run in its own appdomain.
If it's a globe icon then it's a virtual directory and will share the same session as the root site and /Foo.
If you are using forms authentication, then you also need to change the forms cookie in web.config:
<forms name="Foo"...
<forms name="Secure"...
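Putting the two answers above together (the sessionState cookieName from the earlier answer and the forms name from this one), here is what the two web.config files could look like. This is an added example, not configuration posted by anyone in the thread; the cookie names, the login page path and the use of InProc session state are assumptions, and it also assumes /Foo and /Secure are each configured as their own IIS application as the icon answer describes.

```xml
<!-- /Foo/web.config : the plain-HTTP application (added example, names are assumptions) -->
<configuration>
  <system.web>
    <!-- Distinct session cookie name so a session id issued for /Foo
         is never presented to /Secure. -->
    <sessionState mode="InProc" cookieName="Foo_SessionId" timeout="20" />

    <authentication mode="Forms">
      <!-- Distinct forms ticket cookie name for the same reason. -->
      <forms name=".FooAuth" loginUrl="~/Login.aspx" timeout="30" />
    </authentication>

    <!-- Keep cookies out of reach of script on the unsecured site. -->
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>

<!-- /Secure/web.config : the SSL-only application (added example, names are assumptions) -->
<configuration>
  <system.web>
    <sessionState mode="InProc" cookieName="Secure_SessionId" timeout="20" />

    <authentication mode="Forms">
      <!-- requireSSL="true": the forms ticket cookie is marked Secure and
           FormsAuthentication refuses to issue it over plain HTTP. -->
      <forms name=".SecureAuth" loginUrl="~/Login.aspx" timeout="30" requireSSL="true" />
    </authentication>

    <!-- requireSSL here marks every cookie the app sets (including the
         session cookie) as Secure, so it is never sent over HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

With different names on both cookies, a cookie captured from /Foo traffic carries a name /Secure never reads, and the Secure flag on /Secure's cookies means they are not exposed on the HTTP side in the first place.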
Sounds like they are just in separate virtual directories, but are still in the same Application Pool. If you really want the applications to be separate, try creating another application pool for your /secure app.
I was wondering if it is possible to run an ASP.NET website in a sub folder if it has its own web.config with forms auth and is using a role manager?
I've done this for nested applications recently. It's not too difficult.
In addition to having access to the same data store for credential and role data, you need to:
make sure the machineKeys are the same for both web applications
configure loginUrls to resolve to the same absolute path
if you're using cookies you need to make sure that the domain is set to a value available to both web applications
also for cookies, if your web applications are nested at different levels in a domain make sure that the path attribute is set to "/"
See this blog post for more detail on getting forms authentication working.
Another issue particular to nested applications is that by default your nested web.config will inherit settings from the parent app's web.config. This means that you may need to strip out some items in the child config that are in the parent config, and remove items that are currently in the child app config but would already be present in the parent config. See this for more detail.
Only if you set up this sub directory as a different ASP.NET application from IIS.
I think there won't be any problems if you use Virtual Directory. Look here for more info:
http://msdn.microsoft.com/en-us/library/zwk103ab(v=vs.80).aspx
http://www.dotnetspider.com/tutorials/AspNet-Tutorial-86.aspx
Is this what you were looking for?
Authentication can only be set in config for all applications, or the root folder of a web application. Same for setting session. You can use a sub folder, but it has to be its own application, so basically it doesn't make a ton of sense to have it as a subfolder of another application.
I'm working with an ASP.NET application that is currently used only from the intranet. The authentication mode for it is integrated Windows security. I now have a requirement that a part of the system should be visible externally with Forms based authentication.
Is it possible to set up authentication in web.config in a way that access to one of the pages goes through Forms while the other pages use integrated auth? Can it be done using a single web.config or do I need a subfolder with its own web.config file?
I know I could create a separate application for the external part but that would mean moving common parts around which ideally I'd like to avoid.
The authentication tag can be located only in Machine.config, Root-level Web.config, or Application-level Web.config (source).
I suppose you should create a new website in IIS for each authorization mode and add a virtual directory that points to the source code location. Every website should have a custom web.config with authorization settings.
You can set up two MembershipProviders to authenticate users using FormsAuthentication.
For instance, if you want your application to authenticate intranet users with ActiveDirectory, you will select your first MembershipProvider and for the others the second one (you can manage it simply in your login page).
http://msdn.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider.aspx
Or you can implement your own MembershipProvider:
http://msdn.microsoft.com/en-us/library/f1kyba5e.aspx
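As an added example of the two-provider arrangement this answer describes (not configuration from the answerer), here is a web.config registering an ActiveDirectoryMembershipProvider beside a SqlMembershipProvider under one Forms login. The LDAP path, the database connection string, the provider names and the login page path are all placeholders.

```xml
<!-- Added example: one Forms login, two membership providers (placeholders throughout) -->
<configuration>
  <connectionStrings>
    <!-- Placeholder LDAP path for the intranet directory. -->
    <add name="AdConnection"
         connectionString="LDAP://dc.example.local/DC=example,DC=local" />
    <!-- Placeholder SQL Server connection for the externally registered users. -->
    <add name="AspNetDb"
         connectionString="Server=SQLSERVER_PLACEHOLDER;Database=aspnetdb;Integrated Security=true"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!-- A single authentication mode for the whole application; which
         provider validates a given user is decided in the login page. -->
    <authentication mode="Forms">
      <forms name=".DualAuth" loginUrl="~/Login.aspx" timeout="30" />
    </authentication>

    <membership defaultProvider="ExternalSql">
      <providers>
        <clear />
        <!-- Intranet users: validated against Active Directory.
             attributeMapUsername selects the AD attribute matched to the login name. -->
        <add name="IntranetAd"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="AdConnection"
             attributeMapUsername="sAMAccountName" />
        <!-- External users: validated against the aspnetdb membership tables.
             Hashed passwords only, no retrieval. -->
        <add name="ExternalSql"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="AspNetDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             requiresQuestionAndAnswer="false"
             minRequiredPasswordLength="12" />
      </providers>
    </membership>

    <!-- Anonymous users are sent to the login page for every page. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

In the login page the code picks the provider by name (for example `Membership.Providers["IntranetAd"].ValidateUser(user, password)` for an intranet login and `Membership.Providers["ExternalSql"]` otherwise) and then issues the forms ticket; the ticket itself does not record which provider validated the user, so any page that must stay intranet-only still needs its own authorization check.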
We're using ASP.NET and IIS 6.0. I realise that the definitions of applications, websites and virtual directories are ill-defined in IIS 6, and changed a lot in IIS 7. However, I'm stuck with IIS 6.0 for now.
We have a single web site defined in IIS, and a number of separate sub-sites in Virtual Directories.
The scheme looks like this:
http://site.example.com/site1
http://site.example.com/site2
.. etc ..
site1, site2, ... are virtual directories in IIS 6.0, under the "Default Web Site".
I need to use ASP.NET sessions and forms authentication in most of these sites, and I don't want them to share authentication data or session information at all.
Both mechanisms currently depend on cookies. However, the cookies created by default use the same name, and have a path of "/" in the browser, meaning the sites' cookies will clash with each other.
Without changing the default name for each cookie, how can I enforce separation between my sub-sites? Do I need to change the virtual directories for IIS 6 "Applications"? Or is there some way in code to enforce a more limited scope for the cookies?
Thanks in advance.
For Forms Authentication, you can define the FormsCookiePath property to reflect the virtual directory of each sub site.
http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.formscookiepath.aspx
For Session State, I haven't seen anything that can define a path, but you can define different cookie names away from the standard cookieName="ASP.NET_SessionId" value. That way each sub site is looking out for different session cookies.
http://msdn.microsoft.com/en-us/library/h6bb9cz9(v=VS.100).aspx
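The answer above maps onto two web.config attributes: `path` on the `<forms>` element (which is what FormsAuthentication.FormsCookiePath reports) and `cookieName` on `<sessionState>`. Here is an added example for /site1 (not configuration posted in the thread); the cookie names and login page path are assumptions, and the second file shows /site2 only where it differs.

```xml
<!-- /site1/web.config : cookies scoped to this virtual directory (added example) -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- path="/site1" makes the browser send the forms ticket only for
           URLs under /site1. Browsers compare cookie paths case-sensitively,
           so every link into this site must use exactly "/site1", never "/Site1",
           or the ticket is not sent and the user is bounced to the login page. -->
      <forms name=".Site1Auth" loginUrl="~/Login.aspx" path="/site1" timeout="30" />
    </authentication>

    <!-- Session state has no path setting, so separation is done by name:
         each sub-site reads a cookie the others never look for. -->
    <sessionState mode="InProc" cookieName="Site1_SessionId" timeout="20" />

    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>

<!-- /site2/web.config : identical apart from the two per-site values (added example) -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".Site2Auth" loginUrl="~/Login.aspx" path="/site2" timeout="30" />
    </authentication>
    <sessionState mode="InProc" cookieName="Site2_SessionId" timeout="20" />
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>
```

Giving the forms cookies distinct names as well as distinct paths is deliberate: the path stops the browser from sending /site1's ticket to /site2, and the name stops /site2 from accepting it even if a client ignores the path. For the ticket to be genuinely unusable across sites, each virtual directory also has to be its own IIS application with its own machineKey; with a shared machineKey a ticket minted by one site still decrypts and validates in the other.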
I have the following setup:
http://www.example.com/dir1/ and
http://www.example.com/dir2/
Each virtual directory is configured on IIS6.0 as an application with own AppPool.
When redirecting an authenticated user from dir1 to dir2 using response.redirect I lose the authentication information for the user and the user is being redirected to the login page. This issue was not coming up when each app (dir1 and dir2) was configured under a subdomain, e.g.:
http://dir1.example.com and http://dir2.example.com.
I have resolved the issue by adding a machine key to the machine.config file.
Can someone explain to me why it's not working with an http://www.example.com/dir1 configuration?
I regularly configure applications this way. There are a few places you can go astray.
Each web.config must have an exact duplicate of a common machineKey section. E.G. generate one section and paste it into all web.configs that you want to share FormsTickets with.
Each MembershipProvider (and Roles/Profiles etc.) element must share the same applicationName attribute. By default this is '/', so unless you have manually changed it there should be no problem.
All providers in all applications must share a common connection string to a common aspnetdb instance.
If you have tried any of these steps individually or incrementally it is likely that the DB is in an inconsistent state. Ensure that each of these requirements is satisfied and start with a fresh database.
If you follow these steps you should have no problems. This is a fairly common and straightforward use case.
Let me know if you have any more questions.
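The checklist in this answer, and the earlier nested-applications answer (same machineKey, a common loginUrl, cookie domain and a path of "/", shared providers, and trimming the child config so it does not collide with inherited settings), come together in the following pair of web.config files. This is an added example, not configuration from either answerer; the key values, connection string, domain and login page path are placeholders to be replaced, and it assumes /dir1 and /dir2 are separate IIS applications as in the question.

```xml
<!-- /dir1/web.config : one application in the shared-ticket group (added example) -->
<configuration>
  <connectionStrings>
    <!-- Every application points at the same aspnetdb instance (placeholder server). -->
    <add name="AspNetDb"
         connectionString="Server=SQLSERVER_PLACEHOLDER;Database=aspnetdb;Integrated Security=true"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!-- Generate one validationKey/decryptionKey pair (IIS Manager or a key
         generator) and paste the identical element into every web.config that
         should accept each other's forms tickets. Never leave AutoGenerate here:
         each application would then get its own keys and reject the others' tickets.
         HMACSHA256 needs .NET 4 or later; on 3.5 use validation="SHA1". -->
    <machineKey validationKey="REPLACE_WITH_GENERATED_VALIDATION_KEY"
                decryptionKey="REPLACE_WITH_GENERATED_DECRYPTION_KEY"
                validation="HMACSHA256"
                decryption="AES" />

    <authentication mode="Forms">
      <!-- Same cookie name in every app, loginUrl as one absolute path so every
           app redirects to the same login page, path="/" so the cookie is sent to
           /dir1 and /dir2 alike, and an explicit domain (placeholder) so it is
           scoped the way the old subdomain setup was. -->
      <forms name=".SharedAuth"
             loginUrl="/dir1/Login.aspx"
             path="/"
             domain="www.example.com"
             timeout="30" />
    </authentication>

    <!-- Same applicationName in every app: the membership and role tables are
         partitioned by it, so a different value means a different set of users. -->
    <membership defaultProvider="SharedSql">
      <providers>
        <clear />
        <add name="SharedSql" type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="AspNetDb" applicationName="/" passwordFormat="Hashed" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="SharedSqlRoles">
      <providers>
        <clear />
        <add name="SharedSqlRoles" type="System.Web.Security.SqlRoleProvider"
             connectionStringName="AspNetDb" applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>

<!-- /dir2/web.config when /dir2 is nested under /dir1 on disk and inherits its config (added example) -->
<configuration>
  <connectionStrings>
    <!-- Without the remove, the inherited entry plus this one is a duplicate-name error. -->
    <remove name="AspNetDb" />
    <add name="AspNetDb"
         connectionString="Server=SQLSERVER_PLACEHOLDER;Database=aspnetdb;Integrated Security=true"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- machineKey, forms, membership and roleManager are inherited from the
         parent and must not be redeclared here unless they are byte-for-byte
         identical; a second <add> of the same provider name fails at startup. -->
  </system.web>
</configuration>
```

Two things are worth checking after rollout: that the forms cookie the browser stores shows Path "/" and the expected Domain (the cookie inspector suggested in the next answer shows both), and that the applications really are on the same keys, since the symptom of a mismatch is exactly the one in the question, a valid ticket that is silently treated as absent by the other application.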
I don't know ASP, but my guess would be that you're not specifying a path for the session cookie you're using, so the path setting will default to the path the cookie is being set in, /dir1 and /dir2 respectively.
When using subdomains, you probably used example.com as the main cookie domain, so it was accessible to both subdomains = no problem.
You should be able to find this out by examining the session cookie in your browser (e.g. in the "Cookies" tab in Firefox's Web Developer Toolbar).
If I'm correct, you will need to specify / as the path for the session cookie somewhere.
I don't know at which point to fine-tune that, but maybe it points you into the right direction.
Environment: IIS 6.0, ASP.NET 3.5
I have the need to secure just one file with windows authentication and just want to ensure that I understand my options correctly.
Through IIS turn off anonymous access for the file I want to secure, and make sure Integrated Windows Security is checked
Put the file in its own directory and drop a web.config file in there that has the authorization configuration setup for that directory to require windows authentication
Is there a way to set up the web.config to control access to a single file? Will any of the security attributes help me here to lock down the single file?
Thanks in advance
Kevin
Put the file in its own directory and drop a web.config file in there that has the authorization configuration setup for that directory to require windows authentication
You can't mix authentication providers for a single app. So, e.g., you can't have Forms Authentication for ~/ and Windows Authentication for ~/Secure. You may be able to get around it by making ~/Secure another app in IIS - but that greatly complicates deployment and testing IMO.
I've run into this problem while trying to secure ASMX services with basic authentication from a domain, but being in the same app as Forms Authenticated pages. I ended up hacking in a basic auth challenge in the ASMX service itself to prompt for credentials.
This should be possible using the <location> tag.
http://support.microsoft.com/kb/316871
I know in the past I have done the opposite and used it to enable access to a single resource and denied all others to unauthenticated users. Should work the same in reverse.
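As an added example of the `<location>` approach this answer points to (not configuration from the answerer), the fragment below locks down one file in an application that otherwise allows anonymous access. The file name and the Windows group are placeholders; it assumes the application runs with Windows authentication and that IIS has both anonymous access and Integrated Windows authentication enabled, so that the 401 ASP.NET returns for the denied request is turned into an integrated-auth challenge by IIS.

```xml
<!-- Application-root web.config (added example; file name and group are placeholders) -->
<configuration>
  <system.web>
    <!-- Windows mode: ASP.NET trusts the identity IIS established, or none if
         the request came in anonymously. -->
    <authentication mode="Windows" />

    <!-- Everything not covered by a <location> below stays open. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- A <location> scoped to a single file, relative to this web.config.
       Rules are evaluated top to bottom and the first match wins, so the
       deny of anonymous users ("?") comes first, then the group that may
       see the file, then a catch-all deny for everyone else. -->
  <location path="Reports/PayrollSummary.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow roles="EXAMPLE_DOMAIN\Payroll" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The authorization rules only apply to requests that pass through ASP.NET, so this protects the .aspx page; a static file next to it with an extension IIS 6 serves itself is not covered unless that extension is mapped to aspnet_isapi.dll as well. Also note the element is `<location path="...">` with a path relative to the folder holding the web.config; an absolute URL there is silently never matched.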
If you want the web.config to apply then you need to ensure that the directory in which it is placed is an IIS virtual directory. That ought to do the trick as the web.config's security restrictions will govern all files in that directory.