Are there any possible issues with using the default Forms Authentication (see below) on Load Balanced servers? If there can be, what can I do to prevent the issues.
<authentication mode="Forms">
<forms loginUrl="~/Login/" protection="All" timeout="30" />
</authentication>
Can I use cookies (used by default)? Do I have to go cookieless? etc...
Also, does Microsoft (or VMWare) have a VirtualPC download that is an instant Load Balanced testing environment?
There is one issue. The cookies are encrypted and validated using the machine key and the validation key (that's what protection="All" means). You will have to set those in your top-level web.config in all the servers, otherwise each of them will have a different one and will reject cookies set by the others.
You can find a machineKey generator here. Then put the generated xml inside in the web.config of all the servers and you're ready to rock.
Related
I have a asp.net webform application (ProA). It was built some time ago by someone else, although I can access source code. Now, I finished another application which is a MVC5 (ProB).
ProA uses asp.net membership for authenticate users. ProB is not using any membership. Now, we want to add user authenticate to ProB, and also some parts of ProB is using username as parameter for some data.
Now, we want to force user login from ProA, then maybe click a link/button, redirect the user to ProB. In ProB, we create an authorize filter to verify the user has the right, then show the pages.
I have tried to use forms authentiction across applications, described in: Forms Authentication Across Applications . But it does not work. The changes I made in web.config is:
<authentication mode="Forms">
<forms name="X.ASPXAUTH" loginUrl="~/Login.aspx" path="/"
protection="All"
enableCrossAppRedirects="true"
/>
</authentication>
Could it be because that one is webform and the other is MVC? Also, ProB actually does not have any membership installed yet, does it affect this form authentiction?
Any other suggestions?
Thanks.
--- Added more info:
1) I'm testing on my local machine. I run both sites in VS2012. What should I use for domain? "localhost"? ".localhost"? or, not use domain at all? seems not working.
2) I added a button on ProA, when clicked, use this redirect to ProB:
HttpContext.Current.Response.Redirect("http://localhost:12345/", false);
Is this the correct way? The HttpContext has the user identity.
3) Does ProB have to have membership? Now, ProB does NOT have membership feature, is it the reason?
You shouldn't have any issues with sharing the authentication across web forms and MVC apps. The underlying technology is the same, .Net uses an encrypted to cookie which has the forms auth ticket.
Read the following MSDN article: https://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx
The main things to note are the domain reference and the machineKey config.
The domain attribute of the forms auth config allows the browser to include that auth cookie with the requests sent to each site. Then the machineKey portion is the part that handles the encryption/decryption.
Both sites must have the config setup up identically for this to work, and also be running on the same domain i.e. xyz.contoso.com and abc.contoso.com
web.config
<configuration>
<system.web>
<authentication mode="Forms" >
<!-- The name, protection, and path attributes must match
exactly in each Web.config file. -->
<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH"
protection="All"
path="/"
domain="contoso.com"
timeout="30" />
</authentication>
<!-- Validation and decryption keys must exactly match and cannot
be set to "AutoGenerate". The validation and decryption
algorithms must also be the same. -->
<machineKey
validationKey="[your key here]"
decryptionKey="[your key here]"
validation="SHA1" />
</system.web>
</configuration>
EDIT
Use the following link to generate your machine keys: http://www.developerfusion.com/tools/generatemachinekey/
I would like know how SetAuthCookie works for different application on same server?
Currently I have two similar applications with different virtual directories.
How can I make it so that if I login to one of them then it doesn't ask me for login on the other application, and the same for logout?
It is possible if both applications are hosted on the same top level domain. You should specify this domain in your web.config of both applications:
<forms
name="name"
loginUrl="URL"
defaultUrl="URL"
domain="example.com">
</forms>
This way the forms authentication cookie will be emitted with the domain property setup and the client will effectively send it between the 2 applications. Another pre-requisite is that both applications share the same machine keys so that an authentication cookie that was encrypted by the first application can be successfully decrypted by the second application. If both applications are hosted on the same server you could set those machine keys in machine.config, if not then you could set them in web.config of each application:
<system.web>
<machineKey decryption="AES" decryptionKey="C03B1AB0BC1ACCD18EA915CBD87373010AD0DEC430A69871,IsolateApps" validation="AES" validationKey="C0ED7C430148AD4BC6505085DA4FD0DD3EE2453B566FC4EA4C7B3C2DCAB2025A79C774370CA884DF909CE9A3D379E544B7890D0A1CEE164141D3A966999DC625,IsolateApps" />
</system.web>
I've also covered this in the following answer.
Even the post is old but there is an easy solution add "name" in the form tag in web.config, coz if you dont give a name to the cookie it will have a default one
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" name="client" />
</authentication>
for the other application put another name, it works perfectly with me. good luck
I have a pair of websites I am building in Asp.Net. In development, they are both on my machine. One is hosted in IIS and one is in IISExpress. I have configured both websites to use FormsAuthentication, and set the same authentication and httpCookies elements in each web.config:
<authentication mode="Forms">
<forms loginUrl="~/LogOn" timeout="2880" domain=".mydomain" />
</authentication>
<httpCookies domain=".mydomain" requireSSL="false"/>
However, after a standard FormsAuthentication.SetAuthCookie , the second site cannot read the .ASPXAUTH cookie from the first. It CAN read the same Asp.Net_SessionID cookie from the other website. So, one cookie is being passed across applications, but the second is not.
Additionally, when the debugger is attached to the second application and it receives the redirect from the from the first site, the Chrome debugger shows both cookies, Fiddler reports that both cookies were transmitted, and the Response.Headers["cookie'] contains the .ASPXAUTH cookie.
How can I effect this cross-application sign-on? In production, these two sites will answer on separate sub-domains.
I've found the answer to my problem.
IISExpress and IIS use separate MachineKey values, even though they are originating on the same physical machine. To solve my problem, I generated a MachineKey entry at http://aspnetresources.com/tools/machineKey and dropped the same MachineKey element into all participating application's web.config files.
Thanks to Robert Smith #smithrobs on Twitter for suggesting I check this line of the problem.
Previously, I have implemented two separate ASP.NET Web Applications, one as a virtual application in a subfolder of the other, which successfully shared forms authentication as described at http://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx
(basically, setting up identical <forms> sections in the Web.config, and keys in the <machineKey> section)
Now, I am trying to do something similar to get BlogEngine.NET (which is a Web Site, not a Web Application) to work sharing forms authentication with a Web Application of mine. I have tried both putting it as a virtual application in a subfolder, and setting it up as a separate IIS site (same domain name, different port number), but I can't get the authentication to work at all: when I go to the blog while logged in to my Web Application, Page.User.Identity.IsAuthenticated is always still "false".
I'm really not sure how to even start debugging this, since the forms authentication is handled before any of my code runs.
<authentication> section of the two Web.configs are the same:
<authentication mode="Forms">
<forms path="/" domain="localhost" timeout="129600" name=".WebSiteName"
protection="All" slidingExpiration="true" loginUrl="/admin/login.aspx"
cookieless="UseCookies"/>
</authentication>
And <machineKey> also:
<machineKey validationKey="DD45C42ACEAF1E208E9B78288177EBF9C8C7C54C6D05BA2FBA90B5348B8F6987216CB098056891CFE81DC33E37C5F9A2BF1845DBF902C6E4BBFEC2341FFA3635"
decryptionKey="0C69852D8BE0948D545C35B932D394102802FAF7FA46E99B4E5B5E12546E4620"
validation="SHA1" decryption="AES" />
Does anyone have any suggestions as to what I should check or try?
This was a good resource for this issue: http://blogs.msdn.com/b/cliffgreen/archive/2011/03/29/reporting-services-single-sign-on-sso-authentication-part-1.aspx
Note there are links within this article that are useful to read.
I'm working on a web application that is using Forms authentication.
<authentication mode="Forms">
<forms slidingExpiration="true"
loginUrl="~/User.aspx/LogOn"
timeout="15"
name="authToken" />
</authentication>
I'm seeing this cookie set in my browser when I log in:
The question is what happens when I put this website in a load balanced model? Where is the ASP.net session cookie being set? I didn't explicitly do it in code, so I assume it's happening behind the scenes somewhere in ASP.Net.
Also, If the session cookie is set by web server A, I assume web server B won't recognize it and treat it as an invalid session. If this is the case, I probably don't want to use it, right?
You'll have to set the machine key to be the same and the name to be the same on both machines...if this is done you should have no problems load balancing with forms auth.
<authentication mode="Forms">
<forms loginUrl="~/Login/Index" defaultUrl="~/"
name=".myportal"
protection="All" slidingExpiration="true" timeout="20" path="/"
requireSSL="false"></forms>
</authentication>
<machineKey validationKey="534766AC57A2A2F6A71E6F0757A6DFF55526F7D30A467A5CDE102D0B50E0B58D613C12E27E7E778D137058E" decryptionKey="7059303602C4B0B3459A20F9CB631" decryption="Auto" validation="SHA1"/>
Sessions can get slightly more complicated. You can store the ASP.Net session state in the database or use a shared session provider to make it available for load balancing as well.
Here is a good article on storing session state in the DB: http://idunno.org/articles/277.aspx