ASP.Net MVC how does back-end know if user signed in - c#

I created an ASP.Net C# MVC app with "Individual User Account" for Authentication + localDB. I started the app in Visual Studio with IIS Express on localhost, signed up a user and logged in with that user.
I am trying to understand how the back-end knows a user has logged in in the following scenario:
1. start IIS Express & the app in Visual Studio
2. log in
3. stop IIS Express & the app in Visual Studio
4. start IIS Express & the app in Visual Studio again
5. user still logged in (WHY???)
I checked the user tables in the db, and could not find any field indicating a logged-in user. I am thinking stopping & restarting IIS Express should clear everything in the back-end as well.
So how does the back-end know there was a user logged in in step 5 above?
I found the following cookie in the HTTP request:
Cookie: _ga=GA1.1.1546797954.1551225891; __RequestVerificationToken=PSFeb9iP4aZr3wxxb8nJNKtki_1XPTzGO1Hzaf0W3iDsSCnV_qCfMsC9TY980X51c2rANZA-zureu6UHKEssAHza58AdmQUdZVL98VGYlRc1; .AspNet.ApplicationCookie=VUPznoprBRK2z13u03ArrC9HLHeGGUyTSvu9rYpSnZju_Rz4X2V5n9faw0EhnmuFjVN1AIva7HZSAhUBeSZ5jQHSej6XaAExy0hkwF_9vC190LfWBPP-oH3Zp0jj0ZmZ7L3sLlLqux4HV5CZSA-jqhDF4IXAFKyisFFV136PlxrJTmb9OXRrmo9rigCiIy0z_oixDlg1eHVI3T6ptVgn1Qhohtr1mTqoBJsF7gi7CHymSBlyFJ5MgYxfPcWNhJnj3H-WWK1ijkfzxsm0R13m2_6IbIiK1y5uzQBkklb8oMuz0mD27GlwMzteQBP3VLOXn77BreOPefJ8_2AekYjFGjgBIGGpngxLVzDneT4rC-BDiVKdWO_FRuail4ivVAN2ZJtdjK0uEPqnln5rmOlT0MLAhYzHMkk-HTvtW-Xo-Kexinlh58uxz0E7bncY5I6troc19E0fBLMnfXThtaL7ur6CN4pqUyq4yALJCTHszG3RPLQoJja0u1g34i-mKunZ

In web development there is a very basic concept called a cookie. The cookie is responsible for storing user information in the browser. When you sign in to the membership system, it adds a special header called Set-Cookie to the response, which afterwards gets stored in the browser cache. The information sent through the header contains information about the logged-in user's identity. With subsequent requests the browser sends the same cookie to the server, and the membership system parses that info to identify the user who makes the request; if the information is valid you are logged in and the system identifies you.
EDIT:
The detail of the operations taking place is not unique and depends on which library you use for authentication, but if you use the asp.net default authentication system then you can go and see how things get done in the source code. For ASP.NET CORE check https://github.com/aspnet/AspNetIdentity and for ASP.NET MVC check https://github.com/aspnet/Identity

Following is how authentication works in ASP.NET MVC:
1. Enter Username and Password in the login form and click on the "Login" button
2. On click of the Login button, server-side code checks whether the entered Username and Password exist in the database
3. If the entered Username and Password exist in the database, then server-side code creates a cookie and stores it in the browser (not in the database)
4. On every page request IIS checks whether the authentication cookie exists or not.
5. If the cookie exists then the user is logged in, and if the cookie doesn't exist the user is not logged in
Since the authentication cookie is stored in the browser and not in IIS, stopping and starting IIS has no effect on the user's login status.
To answer your specific question: So how does the back-end know there was a user logged in in step 5 above?
Ans: On every page request, along with other information, the authentication cookie stored in the browser is sent to the back-end/IIS. The back-end/IIS then checks whether or not the authentication cookie is valid. If the cookie is valid, the back-end/IIS knows the user is logged in. If the cookie is invalid, the back-end/IIS knows the user is not logged in.
To understand this process further, I would recommend reading about cookies first and then reading about authentication in ASP.NET.
Hope this helps!
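To make the two answers above concrete, here is an added example (not code from the question or the answers) of the cookie-authentication setup an ASP.NET MVC 5 "Individual User Accounts" project registers in Startup.Auth.cs, with the settings a security reviewer would want on it. It assumes the template's ApplicationUserManager and ApplicationUser types (with GenerateUserIdentityAsync) exist.

```csharp
// Added example, not code from the question or answers: the cookie-auth setup an
// ASP.NET MVC 5 "Individual User Accounts" project registers in Startup.Auth.cs.
// Assumes the template's ApplicationUserManager / ApplicationUser types
// (with GenerateUserIdentityAsync) exist.
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            // .AspNet.ApplicationCookie is an encrypted + MAC'd ticket, not a
            // DB row. It is checked with the app's data-protection key
            // (<machineKey> or the auto-generated key), which outlives an
            // IIS Express restart, so the login "survives" the restart.
            CookieHttpOnly = true,                    // not readable by scripts
            CookieSecure = CookieSecureOption.Always, // only sent over HTTPS
            ExpireTimeSpan = TimeSpan.FromMinutes(30),
            SlidingExpiration = true,
            Provider = new CookieAuthenticationProvider
            {
                // Server-side revocation: every 5 minutes the SecurityStamp in
                // the cookie is compared with the DB; a call to
                // UserManager.UpdateSecurityStampAsync(userId) (password
                // change, "log out everywhere") invalidates old cookies.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(5),
                        regenerateIdentity: (manager, user) =>
                            user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}
```

The template's LogOff action calls `HttpContext.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie)`, which only deletes the browser cookie; no row in the user table changes, which is why the question found no "logged in" field there.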

Related

Integrated Windows Authentication - Logout

I am attempting to use Integrated Windows Authentication on IIS for an MVC web app. The original hope was that the user would be logged in automatically using the current Windows user credentials. I am running into the issue where the user is always prompted to enter user name and password. I have decided that we can live with this. However, I have also noticed that the user can enter any valid domain credentials...it's not limited to the currently logged in machine. But if this is the case, I need to provide a logout button, so the user can be switched if necessary.
Everything I can find on this issue, logging out in Windows Authentication, says you cannot do it because it pulls the credentials from the machine login. But it's obviously not doing that in my case, because I can enter any valid credentials and log in successfully. So a user could be logged onto the machine as user X, and then, when prompted, log into the web app as user Y. Am I to understand that, under Windows Authentication, there's no way to address this?
Are you sure you selected Windows Authentication while creating the project? Confirm that and, if yes, proceed to check in your web.config that the application's authentication is set to Windows.

React native custom authentication using asp.net web api

I have a react-native app, a web API written in asp.net C# and a web app where I used forms authentication from asp.net. It checks the username and password stored in my db and sets a cookie.
What type of authentication should I follow?
Can I use the same forms authentication in react-native? If yes, then what's the approach?
I want all the API calls to be made by authenticated users only. If not authenticated, then send them back to the login screen.
You should follow token-based authentication; you can read more here.
Form authentication in react native, as well as in a standard native mobile or web application, works the following way:
User types in his credentials in the application form
Your application takes his input data and sends it to a server to check the validity
If the credentials are valid, the server sends a unique TOKEN which you have to save in memory for additional usage. This also means the user has successfully authenticated.
In every subsequent HTTP request, you have to pass the TOKEN the server sent before. In every request, the server will check the TOKEN's validity; if it's valid, the server will send data. Otherwise not.
You have to set up your application state where you store user information. For example, once your server returns a TOKEN, you change your user's state to { loggedIn: true }. Based on that value, you can navigate the user to the corresponding screens such as Login or the in-app dashboard.
You can also check https://auth0.com/

Logout of MVC4 application

I'm continuing someone else's development AND I don't know much about current practices for authentication in MVC applications.
The only things that are set about authentication are in the application's IIS configuration:
.NET Authorization Rules = Allow, All Users
Authentication:
Anonymous Authentication: Enabled
ASP .NET Impersonation: Disabled
Windows Authentication: Enabled
With this configuration, on the server, the browser asks me for a login/password. I enter my network login.
Then I can identify the user with Request.RequestContext.HttpContext.User.Identity...
On my local computer, where I log in using the same login/password: no user is logged in to the application (Request.RequestContext.HttpContext.User.Identity.Name == ""). If I disable Anonymous Authentication, the browser simply keeps re-asking for login/password infinitely.
My first problem is that I would like to be able to log out on the server.
From the scarce info I got here and there, I have already tried:
FormsAuthentication.SignOut(); --> does nothing
WebMatrix.WebData.WebSecurity.Logout(); --> Exception, tries to access a database (I got this from one of the VS2012 templates but I didn't think it would apply to my context).
if(this.Request.RequestContext.HttpContext.Session != null)
this.Request.RequestContext.HttpContext.Session.Clear(); --> Session is null, so this does nothing.
So, how can I log out in order to relog as a different user?
(I would also like to be able to identify the user on local computer, but I think that should be asked in another topic.)
Removed FormsAuth logout method as the question is for Windows Auth... doh!
Update:
To get the logged-in user name, try the IPrincipal Controller.User:
User.Identity.Name
Doh, my bad, you're using Windows Authentication...
In which case it's the browser that is caching the credentials, not the server / IIS, so clearing the session won't achieve anything.
Taken from here:
"The user credentials are being cached by the client browser, not by IIS. To force the client user to enter credentials again, you would need to send an appropriate 401 status message in response to the next client request. However, doing this would run counter to very legitimate user expectations of how Windows authentication is supposed to work, so you may want to reconsider. When Windows user credentials have already been accepted by a server (either via a login dialog or automatic submission under IE configuration for the target site or zone), a 401 is only expected if a requested resource cannot be accessed under the previously supplied credentials. When you send a 401 after any credentials have been previously accepted, the user should expect that they need to use different credentials from their initial login. If you're expecting the same credentials, then user confusion should be anticipated.
All in all, if you really want to force a new login, perhaps a different authentication mode might be more appropriate."
For an IE only workaround see this SO post.

Asp.net mvc 3 Windows Authentication with Login form

I have already created a forms authentication application. I had a User table and created a custom membership provider. My User table has relations with other tables such as roles and permissions.
I changed that to work using Windows Authentication. It looks easy, but I have no clue how to still be able to read permissions from my tables. Some tables are related to the User table and require a user id; what to do here? Should I break the foreign key?
If a user is accessing the page from the LAN, s/he should get logged in automatically, but if they access the application over the internet, I should allow them to log in. How to do this? What passwords should they use to log in (Active Directory or my User table)?
I hope I get simple and easy answers.
Regards
In your controllers you can use User.Identity.Name to get the user's AD username. You can then add a field to your users table called ADUsername (or update the values in the existing username field) so that you can link the logged-in user to the existing user record in your database.
You don't have to do anything; if the user is accessing it from an external network or any machine that is not on the domain, the browser will pop up a username/password prompt.
If you use Windows authentication, the user is going to be prompted for credentials just to access your site. You won't be able to prevent that. They won't even get to your code until they are authenticated.
We've done similar things using SSO (single sign-on), though I've never tied it to Windows authentication. The idea would be that you have two apps that share user credentials and, if you are logged into one, you are logged into the other. The first app would be your normal application which supports forms-based authentication. The second would be an app that only does Windows authentication and then, upon successful login, redirects to your normal application. Since you're already authenticated, the normal application simply creates its standard authentication cookie and takes you to the main page of the application.
Typically these work by passing a token in the URL which you can then redeem via a back channel to the SSO server (or, in your case, the Windows authentication server) to confirm that the token is authentic. The response to the back channel call contains the user name and other pertinent details if the token is successfully redeemed.
A sketch of the process might look like:
1. Get request to protected action on site.
2. If not authenticated, redirect to login site without token
3. Your login site contains both a forms-based login form and a link to the Windows authentication url
4. User clicks the Windows authentication url
5. Windows authentication site authenticates, creates a one-time use token in DB for user, and redirects back to your login action with token
6. Your login action redeems the token via back channel WebRequest to the Windows authentication server.
7. Windows authentication server validates the token, marking it as used, then returns the username to your login action.
8. Your login action creates standard forms authentication cookie and continues as normal.
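The security-critical part of the sketch above is the one-time token (steps 5 and 7): it must be unguessable, short-lived and redeemable exactly once. Here is an added example of that part for ASP.NET MVC (not the answer's own code); the in-memory dictionary stands in for the DB table the answer mentions, and SsoTokenStore, WinAuthController and the siteA URL are assumed names.

```csharp
// Added example, not the answer's own code: the one-time token half of the
// SSO flow sketched above, for ASP.NET MVC. The in-memory dictionary stands
// in for the DB table the answer mentions; SsoTokenStore, WinAuthController
// and the siteA URL are assumed names.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Web.Mvc;

public static class SsoTokenStore
{
    private sealed class Entry { public string User; public DateTime Expires; }
    private static readonly ConcurrentDictionary<string, Entry> Tokens =
        new ConcurrentDictionary<string, Entry>();

    // Issue a 256-bit random token bound to the Windows user, valid for 2 minutes.
    public static string Issue(string windowsUser)
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        var token = Convert.ToBase64String(bytes).TrimEnd('=')
                           .Replace('+', '-').Replace('/', '_'); // URL-safe
        Tokens[token] = new Entry { User = windowsUser,
                                    Expires = DateTime.UtcNow.AddMinutes(2) };
        return token;
    }

    // Redeem exactly once: TryRemove atomically marks the token as used, so a
    // replayed or unknown token yields null. Expired tokens also yield null.
    public static string Redeem(string token)
    {
        Entry e;
        if (string.IsNullOrEmpty(token) || !Tokens.TryRemove(token, out e)) return null;
        return e.Expires > DateTime.UtcNow ? e.User : null;
    }
}

// Windows-authentication site (step 5): IIS has already authenticated the
// caller before this action runs, so User.Identity.Name is the domain account.
[Authorize]
public class WinAuthController : Controller
{
    public ActionResult Index()
    {
        var token = SsoTokenStore.Issue(User.Identity.Name);
        return Redirect("https://siteA.example/Account/Login?token="
                        + Uri.EscapeDataString(token));
    }
}
```

The back-channel endpoint of step 7 calls SsoTokenStore.Redeem and must itself be restricted to the login site (for example a shared secret over HTTPS) so nobody else can redeem tokens; on a non-null result, site A's login action issues its own cookie with FormsAuthentication.SetAuthCookie.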

Get UserName even if windows authentication fails

Below is the scenario for a virtual directory; following are the settings in IIS:
Enable Anonymous Access is DISABLED (check box is unchecked).
Integrated Windows Authentication is DISABLED (check box is unchecked)
Basic authentication is ENABLED (checkbox is selected)
In the web.config of the webapplication (for the same virtual directory above) the setting is as follows:
When I browse an aspx page of the above web application, it asks for a username and password.
The user enters the username and password (in the dialog which appears as part of Windows authentication).
I can get the username that the user has entered if the login is successful.
Is there any way I can get the username (that the user has entered) even if the login fails?
Regards,
test_win
I don't believe that failed authentication information is stored in IIS in a way that's exposed to ASP.NET. If you were doing forms-based authentication you would be able to track the invalid username/password, but since IIS is handling the authentication, I don't think you can get that information from code.
The logon attempt would be stored in the IIS log files, which you could process later from a separate process. You would want to look for 401/403 errors where a username is supplied.