Multiple .NET Applications Share Authentication - c#

I have 2 MVC .NET applications, 1 is written in VB and the other in C#.
They are structured as follows:
http://app1.example.com, (c#)
http://app1.example.com/site (vb)
The user initially logs into the /site app and has the ability to navigate to the root site.
My web.config application > authentication is as follows:
<forms
name="SITECOOKIE"
protection="All"
path="/"
domain="app1.example.com"
timeout="15" />
My issue is, the user logs into the http://app1.example.com/site app where the Login controller takes care of the authentication process and sets the "SITECOOKIE". However, when navigating to the root site, http://app1.example.com, the root app cannot access or see the cookie "SITECOOKIE".
What can I do so the root app has access to the cookie "SITECOOKIE"?

You just need to set domain to example.com if you want to share the cookie between two websites.
<forms
name="SITECOOKIE"
protection="All"
path="/"
domain="example.com"
timeout="15" />
Ensure you set the same machineKey in both web.config files.

Related

Shared cookie in different domain Service (WCF)

I have 2 web sites that consume a service (WCF). The user's authentication is done in the service to access one site. How do I make this authentication work for both sites? Can I store a cookie in the service (WCF) and access both sites?
How can I do that?
Thanks.
This is fairly simple. Once you have called FormsAuthentication.SetAuthCookie in your application, a cookie is created/encrypted and given to the user.
For another website to consume that cookie for auth purposes,
it must use the same cookie name/domain,
can be decrypted,
and is still valid.
To do this, you merely need to ensure the keys and names are the same in the web.config for each application; for example, from http://msdn.microsoft.com/en-us/library/vstudio/eb0zx8fc(v=vs.100).aspx:
<configuration>
  <system.web>
    <authentication mode="Forms" >
      <!-- The name, protection, and path attributes must match
           exactly in each Web.config file. -->
      <forms loginUrl="login.aspx"
             name=".ASPXFORMSAUTH"
             protection="All"
             path="/"
             domain="contoso.com"
             timeout="30" />
    </authentication>
    <!-- Validation and decryption keys must exactly match and cannot
         be set to "AutoGenerate". The validation and decryption
         algorithms must also be the same. -->
    <machineKey
      validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
      decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"
      validation="SHA1" />
  </system.web>
</configuration>

ASP.NET forms authentication cannot log in on two applications at the same time on the same server

I created two ASP.NET Web Forms applications in which I use separate forms authentication
with different machine keys.
But when I log in to one of them I am logged out of the other.
The same thing happens on the production server and on localhost.
If you haven't configured at least one of the two applications to use a non-default cookie name, they will both try to use the same cookie name ".ASPXAUTH", and if by "on the same server" you mean they are accessed using the same hostname, then logging into one will overwrite the cookie of the other.
Try overriding the cookie name in your Web.config, something like this:
<authentication mode="Forms">
<forms loginUrl="login.aspx" name=".FOOASPXAUTH" />
</authentication>
And in the other application:
<authentication mode="Forms">
<forms loginUrl="login.aspx" name=".BARASPXAUTH" />
</authentication>

Using ASP .NET forms authentication, if a fresh authentication cookie was stolen, would it be useable on another PC?

If an attacker copied the authentication cookie that is placed in the SetAuthCookie call from the victim's PC to their PC, would the attacker be considered authenticated by the web application?
public static void SetAuthCookie(string userName, bool createPersistentCookie)
Using standard forms authentication FormsAuthentication.SetAuthCookie and the argument createPersistentCookie = false.
Assume these web configuration settings:
<authentication mode="Forms">
<forms name="MyWebApp" path="/" loginUrl="~/Default.aspx"
timeout="30" defaultUrl="~/Default.aspx" protection="All"
requireSSL="true" />
</authentication>
Yes; ASP.Net does not include the IP address in auth cookies. (and that wouldn't even help for shared WiFi or proxies)
However, since you have requireSSL="true", attackers will (in principle) not be able to get that cookie. (unless they have access to the server or the client, in which case you have bigger problems)
This is why you should always use SSL.
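The two answers above (the WCF one and this one) both come down to what the forms-auth ticket does and does not contain. The following is an added Python model, not ASP.NET code: it reproduces only the validationKey/HMAC half of protection="All" (the real ticket is also encrypted with decryptionKey), with a constructed key and timestamp.

```python
import base64
import hashlib
import hmac
import json

MAC_LEN = 32  # HMAC-SHA256 tag length in bytes


def issue_ticket(validation_key: bytes, user_name: str, issued_at: int, timeout_minutes: int) -> str:
    """Build and sign a ticket the way a forms-auth cookie value is produced.
    Note what is inside: the user name and an expiry. No client address, no
    machine identity, so the ticket is valid wherever it is presented."""
    body = json.dumps({"name": user_name, "exp": issued_at + 60 * timeout_minutes},
                      separators=(",", ":")).encode()
    tag = hmac.new(validation_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def validate_ticket(validation_key: bytes, cookie_value: str, now: int):
    """Return the user name if the cookie verifies under THIS app's key and has
    not expired, otherwise None. A second app accepts the cookie only when its
    machineKey matches the issuing app's key (the point of the WCF answer)."""
    try:
        raw = base64.urlsafe_b64decode(cookie_value)
    except (ValueError, TypeError):
        return None
    body, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # different machineKey, or a tampered ticket
    ticket = json.loads(body)
    if now >= ticket["exp"]:
        return None  # the timeout is the only bound on a copied ticket
    return ticket["name"]
```

validate_ticket receives nothing about the presenting client, which is why a copied cookie validates from any machine until it expires; the transport protection from requireSSL="true" is what keeps it from being copied in the first place.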

asp.net authentication looks at machine name

I built a web app a while back that is misbehaving out of the blue. Page.User.Identity.Name returns the machine name, i.e. phil_toshiba/phil, instead of the username I set when the user logs in through the login form (should be an email address):
System.Web.Security.FormsAuthentication.RedirectFromLoginPage(tb_email.Text, true);
I don't know why it has only just started doing it, but it doesn't do it on the live site, just the local project I need to work with to update some features. The live and local are in sync (code is exactly the same); the only difference is the live site is compiled and using IIS.
EDIT: this is the authentication tag in my web.config file:
<authentication mode="Forms" >
<forms loginUrl="Default.aspx" name=".ASPXFORMSAUTH" defaultUrl="Sections.aspx">
</forms>
</authentication>
Check your web.config, it should be set to use Forms authentication not Windows:
<system.web>
<authentication mode="Forms"/>
</system.web>

Forms Authentication across Sub-Domains on local IIS

I know a cookie can be shared across multiple subdomains using the setting
<forms
name=".ASPXAUTH"
loginUrl="Login/"
protection="Validation"
timeout="120"
path="/"
domain=".mydomain.com"/>
in Web.config. But how do I replicate the same thing on a local machine? I am using Windows 7 and IIS 7 on my laptop. So I have sites localhost.users/ for my actual site users.mysite.com,
localhost.host/ for host.mysite.com and similar.
localhost.users and localhost.host are cross-domain. Cookies cannot be shared cross-domain.
You could configure it like this so that the sub-domain differs but the root domain stays the same:
users.localhost
host.localhost
Now set the cookie domain in your web.config to localhost:
domain=".localhost"
and in your c:\Windows\System32\drivers\etc\hosts file add the following 2 entries:
127.0.0.1 users.localhost
127.0.0.1 host.localhost
Now you will be able to successfully share the authentication cookie between users.localhost and host.localhost.
Ah, and don't forget to put a step in your automated build process that will transform your web.config value to the correct root domain before shipping in production.
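Whether a cookie reaches a second application is decided by the browser's domain/path matching and by the cookie name, which is what the first question (app1.example.com and /site), the ".ASPXAUTH" overwrite question and this .localhost answer all turn on. The following is an added Python model of RFC 6265 domain and path matching with constructed cookies, not browser or ASP.NET code; it ignores public-suffix rules.

```python
def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: the host equals the cookie domain or is a
    subdomain of it. A leading dot (".mydomain.com") is ignored, as browsers do."""
    host, dom = request_host.lower(), cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path-match: the cookie path is a prefix of the request path that
    either ends in '/' or stops at a '/' boundary (so path="/" covers /site)."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def set_cookie(jar: list, name: str, domain: str, path: str, value: str) -> None:
    """Store a cookie in a jar (a list of dicts). A later cookie with the same
    name/domain/path replaces the earlier one, which is exactly what happens
    when two apps on one host both keep the default name '.ASPXAUTH'."""
    key = (name, domain.lstrip("."), path)
    jar[:] = [c for c in jar if (c["name"], c["domain"].lstrip("."), c["path"]) != key]
    jar.append({"name": name, "domain": domain, "path": path, "value": value})


def cookies_sent(jar: list, host: str, path: str) -> dict:
    """Cookies a browser would attach to a request for host/path."""
    return {c["name"]: c["value"] for c in jar
            if domain_matches(host, c["domain"]) and path_matches(path, c["path"])}
```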
This is a reminder for anyone running in Framework 4.5 and trying to share the token with frameworks 4 and lower: please notice that this will cause you not to receive the auth cookie on any of the 4 and lower apps, i.e. if in your web.config you have:
<httpRuntime maxRequestLength="80480" targetFramework="4.5" />
You can get it to work by removing the targetFramework="4.5" attribute, though I don't know if there are any side effects in doing so:
<httpRuntime maxRequestLength="80480" />