i have 2 web sites that consumes a service (WCF). The user's authentication is done in the service to access one site. How to make this authentication to access both sites? Can i store a cookie in the service (WCF) and access both sites?
How can i do that?
Thanks.
This is fairly simple. Once you have called FormsAuthentication.SetAuthCookie in your application. A cookie is created/encrypted and given to the user.
For another website to consume that cookie for auth purposes,
it must be by the same cookie name/domain
can be decrypted,
and is still valid.
To do this, you merely need to ensure the keys and names are the same in the web config for each application: for example from: http://msdn.microsoft.com/en-us/library/vstudio/eb0zx8fc(v=vs.100).aspx
<configuration>
<system.web>
<authentication mode="Forms" >
<!-- The name, protection, and path attributes must match
exactly in each Web.config file. -->
<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH"
protection="All"
path="/"
domain="contoso.com"
timeout="30" />
</authentication>
<!-- Validation and decryption keys must exactly match and cannot
be set to "AutoGenerate". The validation and decryption
algorithms must also be the same. -->
<machineKey
validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"
validation="SHA1" />
</system.web>
</configuration>
Related
I have 2 mvc .net applications, 1 is written in vb and the other in c#.
The are structured as follows:
http://app1.example.com, (c#)
http://app1.example.com/site (vb)
The user initially logs into the /site app and has the ability to navigate to the root site.
My web.config application > authentication is as follows:
<forms
name="SITECOOKIE"
protection="All"
path="/"
domain="app1.example.com"
timeout="15" />
My issue is, the user logs into the http://app1.example.com/ site app where the Login controller takes care of the authentication process and sets the "SITECOOKIE". However, when navigating to the root site, http://app1.example.com, the root app cannot access or see the cookie "SITECOOKIE".
What can I do so the root app has access to the cookie "SITECOOKIE"?
You just need to set domain to example.com, if you want to share cookie between two websites.
<forms
name="SITECOOKIE"
protection="All"
path="/"
domain="example.com"
timeout="15" />
Ensure you set same machinekey in both web.config file.
I created two ASP.NET Web Forms Application in which I use separate Form authentication
with different machine keys .
But when I login in one of them I am logout in other.
Same thing happen on production server and on localhost.
If you haven't configured at least one of the two applications to use a non-default cookie name, they will both try to use the same cookie name ".ASPXAUTH", and if by "on the same server" you mean they are accessed using the same hostname, then logging into one will overwrite the cookie of the other.
Try overriding the cookie name in your Web.config, something like this:
<authentication mode="Forms">
<forms loginUrl="login.aspx" name=".FOOASPXAUTH" />
</authentication>
And in the other application:
<authentication mode="Forms">
<forms loginUrl="login.aspx" name=".BARASPXAUTH" />
</authentication>
I'm implementing "Remember Me" feature, I want the user to not have to enter login/password again.
It's seems to work in local, but in a shared hosting, It last for about 15 minutes then logout. Here is the code:
controller:
FormsAuthentication.SetAuthCookie("username", true);
Web.config:
<authentication mode="Forms" >
<forms loginUrl="~/Account/LogOn" timeout="262974" cookieless="UseCookies" />
</authentication>
<sessionState mode="InProc" timeout="262974" cookieless="UseCookies" />
EDIT
I've added the sessionState, but still the same problem, working on local and not on the server?
what am I missing?
Look into the sessionstate element in your web.config. For example:
<sessionState mode="InProc" timeout="60" />
Check out the following SO question for differences between the sessionstate element and the forms element in your web.config:
Differences in forms auth timeout and session timeout
The accepted answer by #womp states the following:
A session starts every time a new user hits the website, regardless of
whether or not they are anonymous. Authentication has very little to
do with Session.
Authentication timeout is the amount of time that the authentication
cookie is good for on the user's browser. Once the cookie expires,
they must re-authenticate to access protected resources on the site.
So, if Session times out before the Authentication cookie - they are
still authenticated, but all their session variables disappear, and
may cause errors in your website if you are not disciplined in
checking for nulls and other conditions brought about by missing
session.
If Authentication times out before the session, then all their session
variables will still exist, but they won't be able to access protected
resources until they log back in again.
I finally found the solution, I had to use StateServer instead of InProc and also a machine key, Here is the full solution:
Controller:
FormsAuthentication.SetAuthCookie("username", true);
Web.config:
<authentication mode="Forms" >
<forms loginUrl="~/Account/LogOn" timeout="262974" cookieless="UseCookies" />
</authentication>
<sessionState mode="StateServer" timeout="262974" cookieless="UseCookies" />
<machineKey validationKey="5BAE63F50C69C1BBB7BFC2E696674389C307E28E9DEB60FB273B85CAD8FC3C2261FB13DF92B90A99C6EB684FDB1F6E3E92E1A42083EB77B5918126DD52245FB5" decryptionKey="11F6FE0C790413FFF3E230387168016B212216DEF727C4157CDDD0558BEAE5B7" validation="SHA1" decryption="AES" />
I have a shared hosting with Arvixe and it's in their Support where I found the solution: support.arvixe.com
Go to : ASP.NET Settings and scroll to Session settings change "value" none to "Forms" It will be done!
I built a web app a while back that is miss behaving out of the blue. Page.User.Identity.Name returns the machine name ie phil_toshiba/phil instead of the username i set when the user logs in through the log in form (should be an email address):
System.Web.Security.FormsAuthentication.RedirectFromLoginPage(tb_email.Text, true);
I dont know why it has only just started doing it but it doesn't do it on the live site just the local project i need to work with to update some features. the live and local are in sync (code is exactly the same) only difference is the live site is compiled and using iis.
EDIT this is the authentication tag in my web.config file:
<authentication mode="Forms" >
<forms loginUrl="Default.aspx" name=".ASPXFORMSAUTH" defaultUrl="Sections.aspx">
</forms>
</authentication>
Check your web.config, it should be set to use Forms authentication not Windows:
<system.web>
<authentication mode="Forms"/>
</system.web>
I have to install a ASP.NET site in a intranet network.
I'm using a authentication mode=Forms".
In a my page i need to get the domain\user of the user connected.
I've followed this article:
http://support.microsoft.com/kb/306359
But it doesn't work.
My web.config has:
<identity impersonate="true"/>
<authentication mode="Forms" >
<forms name="login" loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx" timeout="30000" />
</authentication>
<authorization>
<deny users = "?" />
<!-- This denies access to the Anonymous user -->
<allow users ="*" />
<!-- This allows access to all users -->
</authorization>
I'm using IIS 6 and .net 4
In Authentication methods settings of iis i've checked
-Enable anonymous access
-Integrated windows authentication
How can i do?
thanks
If you have anonymous access enabled the web-site visitors will all be impersonating the IUSR_MachineName account (or whatever you have configured as the anonymous account).
You need to disable anonymous access so the site will force the user to authenticate with his/her credentials so they will be available in your ASP.NET page. Otherwise the server has no idea who the current user is.