Suppose I have logged into a web application. I'm on the page Default.aspx. If IIS restarts then I need to re-login to use the application.
Is it possible to go back to the same page if IIS restarts?
How are you authenticating your users? Using forms authentication stores a client side cookie which can survive IIS resetting. Are you storing any authentication information in session state perhaps?
Edit
Just to add, you can also redirect a user to a different page from the login page. Take the following URL: http://example.com/Login.aspx?ReturnUrl=%2fDefault.aspx.
This URL can be used to redirect the user to the Default.aspx page after they log in. Assuming you're using Forms authentication you can then redirect them using FormsAuthentication.RedirectFromLoginPage(userName, false); The false parameter prevents a persistent cookie from being created.
If you mean the ASP.Net application domain recycles, your issue is that you're losing session state data, right? If that's the case, then how about storing session data in the StateServer or inside SQL Server? The default is "in process", so it's wiped clean when the app domain recycles.
If you set a cookie on each page the user visits stating which page they were on, then in your OnLoggedIn event you can check for the existence of this cookie, and redirect the user to the page - we use a similar mechanism for round-robin logins to multiple domains at once.
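As an added example (not part of the answers above), one way to treat the last-page cookie as untrusted input before redirecting after login. The class and method names are hypothetical and the sample cookie values are constructed.

```csharp
using System;

// Added illustration: LastPageRedirect and its members are hypothetical names.
public static class LastPageRedirect
{
    // True only for app-relative ("~/...") or root-relative ("/...") paths.
    // Rejects absolute URLs, scheme-relative "//host" and the "/\host" variant.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        foreach (char c in url)
            if (char.IsControl(c)) return false;   // no CR/LF or other control chars
        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
        return url.Length > 1 && url[0] == '~' && url[1] == '/';
    }

    // cookieValue is whatever the browser sent back, so it is untrusted input.
    public static string ResolveTarget(string cookieValue, string fallback)
    {
        if (cookieValue == null) return fallback;
        string decoded = Uri.UnescapeDataString(cookieValue).Trim();
        return IsLocalUrl(decoded) ? decoded : fallback;
    }

    public static void Main()
    {
        // Constructed sample cookie values.
        string[] samples = { "%2fReports%2fMonthly.aspx", "~/Default.aspx",
                             "http://example.org/", "//example.org/",
                             "/\\example.org", "" };
        foreach (string s in samples)
            Console.WriteLine("{0,-28} -> {1}", s, ResolveTarget(s, "~/Default.aspx"));
    }
}
```

Only the first two samples are returned unchanged (after decoding); every other value falls back to the default page.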
Related
I have a website in production server, asp.net webforms using Asp.Net Identity system.
Sometimes, when users try to log in, it redirects them back to the login page after successful authentication, thereby denying them access to the user dashboard and other secured pages.
The temporary solution to this is for me to Recycle Application Pools in the hosting server (via plesk). But it appears again after some time. Sometimes before 24hrs or more.
The issue most often occurs when multiple users are getting logged in at a range of time... From my observation.
I don't know the main cause of the issue and I'm seeking a permanent fix to it. What could be the issue? How can I resolve this?
Useful hint:
After authentication at the login page, I usually create a response cookie which holds other value which I use to keep track of the user. If the cookie expires, I redirect the user back to login. I usually check for existence of this cookie on the master page for each page load. So I don't know if this could be a possible cause. If it is, what's the best practice to employ?
I've tried checking the cookies being set if it's the possible challenge, but no success.
I have a web application built using asp.net mvc. I'm using the standard built-in authentication - asp.net Identity (SignInManager & application cookie), although I've hooked this to a MySQL back end.
As expected, when the user leaves my web application but returns to it in time before their session expires they can access the authorized pages on the site and when the session expires they are redirected to the log in page.
My question is, is it possible to force them to log in every time they return to the site after leaving it? The scenario being, they closed their browser or navigated away from the site altogether.
Appreciate the help guys!
You need to "issue" the authentication cookie as a "session" cookie. Session cookies disappear when all instances of the same-brand/same-mode browser are closed. By "same-mode" I mean incognito and non-incognito.
Keeping in mind your scenario, you can use following method.
FormsAuthentication.SetAuthCookie("YourCookieValue", false); // second argument is persistent
You can set the persistent value to false so whenever a user closes his/her browser he/she will be logged out.
I have a web application programmed in classic ASP/VB. It is running on Windows Server 2008 R2, IIS 7.
I want the user of the application once logged in not be logged out automatically..ever!
Is this possible? If so, how?
Yes, there are 2 ways and none are secure:
1. Save login credentials in either a cookie or in memory. On page load you need to force the browser to refresh every 1 hour. During web browser refresh send stored credentials to login class/function. This will refresh the session timeout.
2. You can also extend the session timeout using a browser refresh without storing credentials.
I have 3 applications running at my end.
RootSite
RootSite/VirtualDirectory1
RootSite/VirtualDirectory2
I have a login page in three of these applications. When I log in to any of these applications the .ASPXAUTH cookie is set, but I am seeing that all three applications are updating the same .ASPXAUTH cookie instead of creating individual ones. For example, a user logs in on "RootSite" and the .ASPXAUTH cookie is created; now the user comes and logs in to the application "RootSite/VirtualDirectory1" and this time I am seeing the same .ASPXAUTH cookie being updated. I am confirming this because the created date of this cookie has been changed. So this means instead of creating a new cookie it is using the same cookie. How can I resolve this? I don't want the logged-in/logged-out status of one application to interfere with the other.
Add\Change the name attribute in your Forms Authentication web config entry - See this article
We have an internal web app running on IIS6 and we use the integrated windows authentication for domain users to login to the app before they can use it.
What we would like to do is redirect the user to an error page if they fail to login to the domain 3 times.
Where should I be looking to configure this? My first thought was in IIS, but I don't see anything in the config there that relates to what I'm looking to do.
How are the users authenticating? If they are using IE then domain authentication should be automatic (ie. the server does an NTLM challenge to the browser which is handled automatically by IE if the web server is in the intranet zone). In this case it would not be possible to fail to log in if the user is a member of the domain.
If you are using a login form which then verifies the credentials against the domain controller, then you can implement a custom solution which counts the invalid logins and does a Response.Redirect to an error page.
Without knowing more about the setup it is difficult to answer more fully...
Personally, I'd make this database driven. Assuming the user enters the username credentials correctly but fails to enter the correct password. When they do log in correctly, set their FailLoginCount to 0, and each time they fail, increase it by one.
Once it reaches 3, redirect them to your desired page and possibly "lock" their account.
HTH
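An added example of the counting logic described in the answers above, not code from either poster. A dictionary stands in for the database table, all names except FailLoginCount are hypothetical, and the choice to keep a locked account locked even when the right password arrives is an assumption.

```csharp
using System;
using System.Collections.Generic;

public enum LoginOutcome { Success, Failed, LockedOut }

// Added illustration: a dictionary stands in for the database table that holds
// FailLoginCount; all other class and member names are hypothetical.
public class FailedLoginTracker
{
    private const int MaxFailures = 3;
    private readonly object _gate = new object();
    private readonly Dictionary<string, int> _failLoginCount =
        new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase);

    // passwordOk is the result of the real credential check, done by the caller.
    public LoginOutcome Record(string userName, bool passwordOk)
    {
        lock (_gate)   // concurrent requests must not lose an increment
        {
            int count;
            _failLoginCount.TryGetValue(userName, out count);
            // Assumption: once locked, stay locked even with the right password.
            if (count >= MaxFailures) return LoginOutcome.LockedOut;
            if (passwordOk)
            {
                _failLoginCount[userName] = 0;   // reset on success
                return LoginOutcome.Success;
            }
            _failLoginCount[userName] = ++count;
            return count >= MaxFailures ? LoginOutcome.LockedOut : LoginOutcome.Failed;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        var tracker = new FailedLoginTracker();
        // Constructed attempt sequence for one user.
        bool[] attempts = { false, true, false, false, false, true };
        foreach (bool ok in attempts)
            Console.WriteLine("{0,-5} -> {1}", ok, tracker.Record("alice", ok));
    }
}
```

The login page would redirect to the error page whenever Record returns LockedOut; the counter is keyed case-insensitively so varying the capitalisation of the username does not start a fresh count.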