Retrieving ASP.NET/C# values inside web.config - c#

How do I get ASP.NET/C# variable values into web.config? Is there any way?
Under,
<identity impersonate="true" userName="hcltech\Loggedonusername" password="LoggedonUserPasswd" />
How can I get the login credentials into web.config? Please help.

How do I get ASP.NET/C# variable values into web.config? Is there any way?
No, there is not.
There is no point in impersonating the user that is logged in already, because they are logged in already. Impersonation is for giving the current user the permissions of a different Windows user.

Related

Accessing Directory with currently logged in User

I have a website that is using Windows authentication that calls an API. The API has the Authorize attribute:
[Authorize(Roles = @"myrole.local\role")]
The API then makes a call to a method in my business layer that does this:
string [] directories = Directory.GetDirectories("\\\\server\\folder\\folder2");
When running locally this works as intended. When my IT ops guy checks the audit logs, he sees that my login has accessed that folder.
Now when I deploy my website to our development environment, it no longer works (we get an "access denied" error for that folder). So we looked into it and found that the account trying to access the folder was our server's machine account (something like server$), which tried to access the folder and failed.
So my question is: how do I access the folder with the current user that is logged in? I have looked this up here on Stack Overflow and I see impersonation comes up a lot. I have tried this example with no luck:
using System.IO;
using System.Security.Principal;

public static string[] GetDirectories(IPrincipal user)
{
    string[] directories;
    using (WindowsImpersonationContext impersonationContext = ((WindowsIdentity)user.Identity).Impersonate())
    {
        // Insert your code that runs under the security context of the authenticating user here.
        directories = Directory.GetDirectories("\\\\server\\folder\\");
    }
    return directories;
}
I am still denied access.
I have the user that is logged in though, so I know I can 'see' them, but the folder I am trying to access says it's the server.
Does anyone know how to get around this? Am I missing something?
P.S. I have created the website with IIS and have set both the API and website to use windows authentication. (anon = false;); but still it says the server is trying to access the folder.
P.P.S. In the web.config for the API, I have these tags as well:
<system.web>
<!-- ... -->
<authentication mode="Windows"/>
<authorization>
<allow roles="group.local\group" />
</authorization>
</system.web>
Edit: So we were able to access the folder path with the logged in user but only when going to the website on the server.
If we go to the website off our dev server we will then get an access denied error. Also there is no audit line when this fails.
Hopefully this edit provides more insight.
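The following is an added example, not code from either post above; it serves both the first question (wanting the logged-on user's credentials in the `<identity>` element) and this one (the share being accessed as server$). With Windows authentication, `<identity impersonate="true" />` with no userName or password makes the request thread run as the authenticated caller, so no credential is ever stored in web.config. The second function adds the check a practitioner wants for the "works on the server, denied from elsewhere" symptom: the impersonation level of the caller's token. It assumes a System.Web application with anonymous access disabled; the UNC path and caller come from the page or API, and the web.config fragment in the comment is an assumption about the site's configuration.

```csharp
// Added example, not code from the original posts. Assumes a System.Web
// (Web Forms or MVC) application with Windows authentication and anonymous
// access off; the UNC path and the caller are supplied by the page or API.
//
// Matching web.config, with no userName/password in the identity element
// (nothing secret is stored; the thread simply runs as whoever authenticated):
//
//   <system.web>
//     <authentication mode="Windows" />
//     <identity impersonate="true" />
//   </system.web>
//   <!-- IIS 7+ integrated pipeline rejects this element (HTTP 500.24) unless: -->
//   <system.webServer>
//     <validation validateIntegratedModeConfiguration="false" />
//   </system.webServer>
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public static class ShareAccess
{
    // Who the worker thread is versus who authenticated. Without impersonation
    // the thread is the application pool account, which is the DOMAIN\server$
    // logon the audit log showed.
    public static string Describe(HttpContext ctx)
    {
        WindowsIdentity thread = WindowsIdentity.GetCurrent();
        var caller = ctx.User.Identity as WindowsIdentity;
        return string.Format("thread={0} caller={1} tokenLevel={2}",
            thread.Name,
            caller == null ? "(not a WindowsIdentity)" : caller.Name,
            caller == null ? "n/a" : caller.ImpersonationLevel.ToString());
    }

    // Explicit impersonation for one call; the using block calls Undo() on
    // the way out, including when GetDirectories throws.
    public static string[] ListAsCaller(HttpContext ctx, string uncPath)
    {
        var caller = ctx.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new UnauthorizedAccessException("No authenticated Windows caller on this request.");

        try
        {
            using (caller.Impersonate())
            {
                return Directory.GetDirectories(uncPath);
            }
        }
        catch (UnauthorizedAccessException ex)
        {
            // An Impersonation-level token (NTLM, or Kerberos without delegation
            // configured for the web server) is valid on this machine only. Using it
            // to authenticate to a second machine, such as the file server behind
            // \\server\folder, fails: the remote side sees an anonymous or machine
            // logon rather than the user. That is the usual cause of "works when
            // browsing on the web server itself, access denied from elsewhere".
            if (IsUncPath(uncPath) && caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
                throw new UnauthorizedAccessException(
                    "Access denied to " + uncPath + " while impersonating " + caller.Name +
                    " with a " + caller.ImpersonationLevel + "-level token; reaching a remote share" +
                    " as the caller needs Kerberos delegation (a Delegation-level token).", ex);
            throw;
        }
    }

    public static bool IsUncPath(string path)
    {
        return path != null && path.StartsWith(@"\\", StringComparison.Ordinal);
    }
}
```

Dropping `Describe(HttpContext.Current)` into a diagnostic page shows at a glance whether the thread identity equals the caller and whether the token is Impersonation or Delegation level; if it is not Delegation, no amount of `Impersonate()` in the business layer will make the file server accept the user, and the fix is on the Kerberos/delegation side (SPNs and delegation settings for the web server account), not in code.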

Is this the correct way for an ASP.NET web application to do authentication?

ASP.NET Web Forms applications.
I checked our company's legacy code, the way they do login is like this:
when the user is validated against the database with (username, password), they set a session variable:
Session["authenticated"] = "true";
Every page other than login.aspx inherits from a class named SecurePage. In SecurePage's OnInit() method, it checks
if (Session["authenticated"] != null)
If the condition is true, the user is authenticated; otherwise not. So basically the way they do authentication is to see if there is a session variable named authenticated.
This seems the most crude and intuitive way of doing authentication... I want to ask: is this safe?
Another thing I find strange is that in web.config they have this:
<authentication mode="Windows" />
Shouldn't it be
<authentication mode="Forms" />
since these are web applications? User credentials are stored in a database and these users are external clients (not internal users).
A slightly different version also does this after the user is validated against the database:
FormsAuthentication.SetAuthCookie( username, true );
What does this do? Besides this statement in login.aspx, I don't see any other pages with code related to the auth cookie. Do we need to set the auth cookie ourselves in code, or does the .NET Framework handle this for us already?
Still another version has the following:
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(login, false, 60);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
Response.Cookies.Add(cookie);
What does this do? Do we need to set this cookie ourselves in code, or does the .NET Framework handle this for us already?
These web applications were developed a long time ago, though I am not sure when. I suspect it is from the .NET 1.0 era? From my understanding, since .NET 2.0 there has been this ASP.NET Membership thing, and we can just use <authentication> and <authorization> tags in web.config (and subfolder web.config files) to achieve authentication and authorization. Isn't that right? Can anyone give me a history of the ASP.NET authentication mechanisms? (Membership -> SimpleMembership -> Identity?)
<authentication mode="Windows" />
The above should be used mostly for intranet websites, because it is like saying "use the computer (Windows PC) authentication to access the resource". However, this will never work, since the inherited class has a method to validate the session key value for a login.
You should make sure that the code redirects the user to the login page in case the session key is not found. That means that in the else section of the code below you should take users to the login page to try again, which I am sure is happening.
if (Session["authenticated"] != null)
{
    /* user is authenticated */
}
else
{
    /* redirect to login */
}
It is recommended to use <authentication mode="Forms" /> if the website is accessible over the internet. Another benefit of this setting is that you can set the default and login pages.
Finally, FormsAuthenticationTicket is a class with properties and values that are used when working with Forms authentication to identify authenticated users.
Read through the MSDN article to learn more about ASP.NET Membership.
https://msdn.microsoft.com/en-us/library/yh26yfzy%28v=vs.140%29.aspx
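The three variants in the question (a session flag, SetAuthCookie, and a hand-built ticket) differ in what actually protects the login state. As an added example, not code from the question or the answer, the block below shows what FormsAuthentication.SetAuthCookie does internally and what FormsAuthenticationModule checks on every request, so the hand-rolled ticket code can be compared against it. It assumes a System.Web application with <authentication mode="Forms"> and an explicit <machineKey>; the user name and lifetime are placeholders.

```csharp
// Added example, not code from the original post. Assumes <authentication
// mode="Forms"> with a fixed <machineKey> so tickets survive app restarts;
// user name and lifetime are placeholders.
using System;
using System.Web;
using System.Web.Security;

public static class FormsTickets
{
    // What SetAuthCookie(user, persistent) does, written out so the flags are visible.
    public static HttpCookie Issue(string user, bool persistent, int minutes)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            2,                       // ticket format version
            user,                    // identity the server will trust on later requests
            now,                     // issue time
            now.AddMinutes(minutes), // expiry carried inside the protected ticket
            persistent,              // "remember me"
            string.Empty,            // UserData (roles etc.); never the password
            FormsAuthentication.FormsCookiePath);

        // Encrypt() MACs and encrypts with the <machineKey>: a client cannot read or
        // change the name or expiry without the key, unlike a plain "LoggedIn=true" cookie.
        string value = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, value)
        {
            HttpOnly = true,                         // not readable from script
            Secure = FormsAuthentication.RequireSSL, // HTTPS-only when <forms requireSSL="true">
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent)
            cookie.Expires = ticket.Expiration;      // otherwise a session cookie, dropped on browser close
        return cookie;
    }

    // What FormsAuthenticationModule does at AuthenticateRequest: decrypt, verify the
    // MAC, check expiry, and only then trust the name. Anything that fails is anonymous.
    public static string Authenticate(HttpCookie cookie)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            // Returns null for a tampered cookie or one minted under another machineKey
            // (older framework versions throw instead); both cases are treated as no login.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return null;
        }

        if (ticket == null || ticket.Expired)
            return null;
        return ticket.Name;
    }
}
```

The session-flag approach in the question is not insecure in itself (the flag lives server-side), but it enforces nothing for a page that forgets to inherit SecurePage, and it is unrelated to the `<authentication mode="Windows" />` setting, which in that configuration is simply never consulted. With mode="Forms" plus `<deny users="?" />`, the module above runs for every request before any page code does.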

ASP.NET C# Authentication Authorization

As a study project I developed a website in ASP.NET. In my web.config file I have the authentication mode set to Windows, and I am using an appSettings connection string to connect to my SQL Server 2005 database.
Now I want to know what kind of authentication this is.
Is this Windows, Forms, or anonymous authentication?
I have a user table in SQL Server 2005 and my first screen is a login page. Obviously this user table has login details like username and password, which are matched against the user's input.
I don't understand; I have read so many posts on authorization and authentication, but please clarify this for me. Thanks in advance.
You are currently using Windows authentication. Your Windows username and password are used to authenticate you to ASP.NET.
A login page writing to a user table would be asp.net forms authentication.
Note that sql server authentication is a totally separate issue. It is up to your code to authenticate against your database. When doing so, the connection string in web.config file can be used.
If you want to customize the credentials of your connection string in order to access your database, you can use Integrated Security
or Trusted_Connection.
When the value is true, the current Windows account credentials are used for authentication.
Note: in your case I think that you can use Forms authentication (you currently have Windows authentication).
Link : http://msdn.microsoft.com/fr-fr/library/system.data.sqlclient.sqlconnection.connectionstring(v=vs.80).aspx
Forms authentication:
<authentication mode="Forms">
<forms loginUrl="~/login.aspx">
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
After the click:
if (IsAuthenticatedValue) //You can adjust your condition
{
FormsAuthentication.RedirectFromLoginPage (.., ..);
}
else
{
Console.WriteLine("Invalid credentials. Please try again.");
}
Link : http://msdn.microsoft.com/fr-fr/library/xdt4thhy(v=vs.80).aspx
In addition to the other answer here:
Once the user is logged in, create session variables that store the fact they are logged in, such as
Session["LoggedIn"] = true;
Session["Username"] = username;
Then check whether they are logged in from your code and authorise access to the page using that. So on page load, if they are logged in, continue loading the page; otherwise send them to the login page.
When you want to log the user off, simply call Session.Clear();
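The answers above leave the actual credential check to "your code". As an added example that is not part of any answer here, this is that check done the way a practitioner would want: the user table is queried with a parameterized command (no string concatenation into SQL), passwords are stored as salted PBKDF2 hashes rather than plaintext, the comparison does not short-circuit, and only a successful check hands the name to Forms authentication. It assumes a table Users(Username, PasswordHash varbinary, Salt varbinary, Iterations int) that you created yourself and a connection string named AppDb; all of these names are placeholders.

```csharp
// Added example, not code from the original answers. Assumes a table
// Users(Username nvarchar, PasswordHash varbinary, Salt varbinary, Iterations int)
// and a <connectionStrings> entry named "AppDb"; all names are placeholders.
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Security;

public static class LoginService
{
    const int HashBytes = 32;
    const int DefaultIterations = 10000;
    static readonly byte[] DummySalt = new byte[16];

    public static bool ValidateUser(string username, string password)
    {
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT PasswordHash, Salt, Iterations FROM Users WHERE Username = @u", conn))
        {
            cmd.Parameters.AddWithValue("@u", username);   // parameter, never concatenation
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (!r.Read())
                {
                    // Unknown user: do the same amount of work so the response time
                    // does not reveal which usernames exist, then fail.
                    Pbkdf2(password, DummySalt, DefaultIterations);
                    return false;
                }
                var stored = (byte[])r["PasswordHash"];
                var salt = (byte[])r["Salt"];
                int iterations = (int)r["Iterations"];
                byte[] computed = Pbkdf2(password, salt, iterations);
                return FixedTimeEquals(stored, computed);
            }
        }
    }

    // Used when creating or changing a password: fresh random salt, PBKDF2-HMAC-SHA1.
    public static void NewPasswordRecord(string password, out byte[] salt, out byte[] hash,
                                         out int iterations)
    {
        salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        iterations = DefaultIterations;
        hash = Pbkdf2(password, salt, iterations);
    }

    static byte[] Pbkdf2(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return kdf.GetBytes(HashBytes);
    }

    // Compares every byte regardless of where the first mismatch is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Login.aspx button handler: only a successful database check mints a ticket.
    // On failure, re-render the page with one generic message for both unknown user
    // and wrong password (Console.WriteLine produces nothing visible in a web app).
    public static bool OnLogin(string username, string password, bool persist)
    {
        if (!ValidateUser(username, password)) return false;
        FormsAuthentication.RedirectFromLoginPage(username, persist);
        return true;
    }
}
```

The connection string's own authentication (SQL login or Integrated Security) is, as the answer says, a separate matter: it decides how the web server reaches the database, while the code above decides whether the visitor gets a Forms ticket. Keeping the two apart is what makes `<authentication mode="Forms">` the right setting for externally facing users whose accounts live in that table.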

ASP.NET Site Authentication Cookie sharing

I've got 2 MVC3 Internet websites. One (Site1) uses Windows authentication and is in the Local Intranet Zone. The second (Site2) is publicly available and uses Forms Authentication. Both sites are in the same Domain, but have a different sub-domain. I want to share authentication cookies between the two. In order to do this, they need identical settings in the web config. Sometimes this works, most of the time it doesn't. If anyone hits Site1 from outside our network, they get a 403 error, which is good. If a network user hits Site1, they're allowed in based on their network credentials. I then check the user's roles with the code below.
var userName = string.Empty;
var winId = (WindowsIdentity)HttpContext.User.Identity;
var winPrincipal = new WindowsPrincipal(winId);
if(winPrincipal.IsInRole("SiteAdmin")) {
FormsAuthentication.SetAuthCookie("siteadmin", false);
userName = "siteadmin"; //This is a Forms Auth user
}
else if(///I check for other roles here and assign like above)
Once I've checked the roles, I forward them on to Site2, creating a cookie for them if the user is in one of the roles determined in the if statement above.
if(!string.IsNullOrEmpty(userName)) {
//Add a cookie that Site2 will use for Authentication
var cookie = FormsAuthentication.GetAuthCookie(userName, false);
cookie.Domain = FormsAuthentication.CookieDomain; //This may need to be changed to actually set the Domain to the Domain of the TVAP site.
HttpContext.Response.Cookies.Add(cookie);
}
//Network users not found in roles will simply be forwarded without a cookie and have to login
HttpContext.Response.RedirectPermanent(tvapUrl);
I've set up in the web.config a matching MachineKey (validationkey, decryptionkey and validation) for each site.
They also both have the same authentication settings, with the exception of the mode. So my config for this looks like this.
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" name=".ASPXFORMSAUTH" protection="All" path="/" domain="mydomain.com" enableCrossAppRedirects="true" timeout="2880" />
</authentication>
I think my problem is that the 'authentication' mode is different for each one, so Site2 won't use the authentication cookie from Site1. This is just a guess though. Is there any way I can figure out the issue?
According to this article, what I have going here should work. And there have been times where I think it's worked, but it's hard to tell, as I may have cookies cached and they're getting reused. I'm hoping someone can see something I'm missing here, or has an alternative solution.
UPDATE
I checked my authentication cookie on Site2 after logging in normally and found the Domain wasn't set, so I've removed that line of code.
Also, I read about cookies expiring when the date isn't set, so I set an Expire Date on my cookie before sending with the request.
So, with those two changes, here's where I'm at.
It works on Chrome and Firefox, but not with IE. Not sure. I'm going to do some additional testing from another machine and another user so I know I haven't got any residual cookies sitting around.
I determined my problem was not setting the Expires property of my cookie. According to this Microsoft article, cookies won't be written to the client unless the Expires property is set.
"If you do not set the cookie's expiration, the cookie is created but it is not stored on the user's hard disk. Instead, the cookie is maintained as part of the user's session information. When the user closes the browser, the cookie is discarded. A non-persistent cookie like this is useful for information that needs to be stored for only a short time or that for security reasons should not be written to disk on the client computer. For example, non-persistent cookies are useful if the user is working on a public computer, where you do not want to write the cookie to disk."
In this case, I needed the cookie to be written to disk since I was doing a server transfer to another site, thereby ending the session for that user. I'm not 100% sure that this was the fix, but it is working now, so I'm assuming that.
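Two things make a Forms cookie minted on Site1 usable on Site2: both sites must hold the same <machineKey>, and the cookie must carry attributes the browser will honour for the second host. The block below is an added example, not code from the post: a one-off generator for a key pair of the right sizes to paste into both web.config files, and the Site1-side cookie creation with the Domain and Expires attributes the update settled on, plus the HttpOnly and Secure flags a shared cookie should have. The host names, cookie domain and lifetime are placeholders.

```csharp
// Added example, not code from the original post. Assumes Site1 and Site2 are
// hosts under one parent domain (e.g. site1.mydomain.com / site2.mydomain.com,
// placeholders) with matching <forms name/path/protection/timeout> as in the post.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

public static class SharedFormsAuth
{
    // Run once and paste the output into BOTH web.config files under <system.web>.
    // Do not use AutoGenerate (each server gets its own key) or a key copied from a
    // web page: anyone holding this key can mint a valid login cookie for either site.
    public static string NewMachineKeyElement()
    {
        return string.Format(
            "<machineKey validationKey=\"{0}\" decryptionKey=\"{1}\" " +
            "validation=\"HMACSHA256\" decryption=\"AES\" />",
            RandomHex(64),   // 512-bit HMAC-SHA256 key
            RandomHex(32));  // 256-bit AES key
    }

    static string RandomHex(int byteCount)
    {
        var buf = new byte[byteCount];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(buf);
        return BitConverter.ToString(buf).Replace("-", string.Empty);
    }

    // Site1 side, after the WindowsPrincipal role check: the cookie Site2 will accept.
    // Domain is set explicitly so the browser sends it to every host under the parent
    // domain; Expires makes the browser persist it across the redirect.
    public static HttpCookie CookieForSite2(string formsUserName, string cookieDomain,
                                            TimeSpan lifetime)
    {
        // Same non-persistent ticket as in the post; the ticket's own expiry is still
        // the <forms timeout>, so keep 'lifetime' at or below that.
        HttpCookie cookie = FormsAuthentication.GetAuthCookie(formsUserName, false);
        cookie.Domain = cookieDomain;               // e.g. "mydomain.com" (placeholder)
        cookie.Expires = DateTime.Now.Add(lifetime);
        cookie.HttpOnly = true;                     // not readable from script
        cookie.Secure = true;                       // requires HTTPS on both sites
        return cookie;
    }
}
```

A cookie scoped to the parent domain is delivered to every host under it, not just Site2: any other application on a mydomain.com subdomain receives the user's Forms ticket on each request, and any application that holds the shared machineKey can forge one. Keep the key out of source control and the set of subdomains that share it small.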

Forms Authentication for different roles?

I am developing a website in which I'm using forms authentication.
We have two login pages: one for users, another for admins.
I added this code to the web.config file for users.
<forms loginUrl="Login.aspx" defaultUrl="Home.aspx" >
I am using this code on the user side when the user has successfully logged in.
FormsAuthentication.RedirectFromLoginPage(UserName.Text, chkPersistCookie.Checked);
I am not using the default user membership database. I have my own database in SQL Server 2005.
I want the same thing for admin, but the default URL is Admin.aspx and the login URL is adminlogin.aspx.
How can I set this up in the web.config file for admin? Is this the right way to do it, or does anyone have a better approach?
I used this line of code and it worked for me.
FormsAuthentication.SetAuthCookie(txtUser.Text, true);
Response.Redirect("Admin.aspx");
Putting the admin files in a folder and creating a web.config file in it is an option. You can probably override the config rules there.
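The folder-level web.config suggested above can carry <authorization> rules but not a second <authentication> element: that section is only valid at application level, so one application has one loginUrl. What does work without the Membership database is one Forms login whose ticket carries the role, a principal rebuilt from it on every request, and a <location> (or Admin/web.config) that allows only that role. The block below is an added example, not code from the question or the answer; role names, page names and the Admin folder are placeholders.

```csharp
// Added example, not code from the original post. Assumes a Web Forms site that
// validates users against its own SQL Server table; the role string stored in
// UserData comes from that table, not from which login page was used.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class RoleTickets
{
    // Login.aspx / adminlogin.aspx, after a successful database check.
    public static void SignIn(HttpResponse response, string user, string role, bool persist)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(1, user, now, now.AddMinutes(30),
                                                   persist, role, FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL
        };
        if (persist) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Global.asax, Application_AuthenticateRequest. FormsAuthenticationModule has
    // already decrypted and expiry-checked the ticket; this only attaches the roles
    // so <allow roles="..."/> and User.IsInRole() work.
    public static void AttachRoles(HttpContext ctx)
    {
        var identity = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;
        string[] roles = identity.Ticket.UserData.Split(new[] { ',' },
                                                        StringSplitOptions.RemoveEmptyEntries);
        ctx.User = new GenericPrincipal(identity, roles);
    }

    // Page-level guard for cases a folder web.config cannot express, e.g. an admin
    // action inside a shared page.
    public static bool IsAdmin(HttpContext ctx)
    {
        return ctx.User != null && ctx.User.IsInRole("Admin");
    }
}

/* Root web.config (assumed layout). The <location> block could equally be an
   Admin/web.config containing just the <authorization> element. Admins who land
   on Login.aspx can be sent to adminlogin.aspx by your own code; a per-folder
   loginUrl is not configurable.

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" defaultUrl="Home.aspx" timeout="30" protection="All" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
*/
```

With this in place, `FormsAuthentication.SetAuthCookie(txtUser.Text, true)` followed by `Response.Redirect("Admin.aspx")`, as in the accepted approach, still works for the login itself, but Admin.aspx is then protected by the role in the ticket rather than by which page issued it.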
