Web Security not working in Chrome and Firefox - c#

I am currently using WebSecurity. Users can log in using this code:
    if (WebSecurity.Login(loginRequest.EmailAddress, loginRequest.Password))
    {
        FormsAuthentication.SetAuthCookie(loginRequest.EmailAddress, false);
        var userDetails = new string[2];
        userDetails[0] = loginRequest.EmailAddress;
        var currentUSerRole = Roles.GetRolesForUser(loginRequest.EmailAddress);
        userDetails[1] = currentUSerRole[0].ToString();
        return response = Request.CreateResponse(HttpStatusCode.Accepted, userDetails);
    }
The login code works, but IsAuthenticated always returns false, CurrentUsername always returns -1, and none of the WebSecurity methods work properly when I run my application in Chrome and Firefox. It works fine in IE, though.
What did I miss? Is it a CORS issue, or something else? I found a lot of answers from Google, but they haven't helped me.
Can anyone help me?

As per my knowledge:
FormsAuthentication.SetAuthCookie(string, bool); can be used to log in/log out a particular user, with the string being the username and the bool value true/false for log in/out.
FormsAuthentication.SetAuthCookie("user", true); will log in the user and the WebSecurity will have its userID.
FormsAuthentication.SetAuthCookie("admin", false); will log out admin and will remove its userID from WebSecurity.
So you should try FormsAuthentication.SetAuthCookie("user", true);

Related

SSRS Forms Authentication - How To Pass Cookie Credentials To Report Server

I am currently attempting to render the SSRS report in my web application using forms authentication.
My SSRS Report Version is 2016.
Initially I was under the impression that NetworkCredentials would work, and after encountering errors, I found that we are required to use FormsAuthentication, with passing the cookie as a means of authenticating the user.
I have done the necessary settings on the config files in the Reporting Server by following the guide from the link below:-
https://github.com/Microsoft/Reporting-Services/tree/master/CustomSecuritySample2016
The reporting services works as intended on the localhost/ReportServer and on
the SSRS Portal, localhost/Reports. I am also able to access said server
remotely.
Below is the code I used to obtain the authenticated cookie.
    MyReportingService rsClient = new MyReportingService();
    rsClient.Url = "http://xxx.xxx.xxx.xxx/reportserver/ReportService2010.asmx";
    try
    {
        rsClient.LogonUser("user", "password", "");
        Cookie myAuthCookie = rsClient.AuthCookie;
        HttpCookie cookie = new HttpCookie(myAuthCookie.Name, myAuthCookie.Value);
        Response.Cookies.Add(cookie);
    }
    catch (Exception)
    {
        // Logon failed, so no authentication cookie was issued.
        throw;
    }
Which supposedly would then be used to authenticate the user.
    Cookie authCookie = new Cookie(cookie2.Name, cookie2.Value);
    authCookie.Domain = "DomainName";
    rvSiteMapping.ServerReport.ReportServerCredentials = new MyReportServerCredentials(authCookie);
    rvSiteMapping.ServerReport.Cookies.Add(authCookie);
And in my forms authentication within the IReportsServerCredentials Class:-
    public bool GetFormsCredentials(out Cookie authCookie,
        out string user, out string password, out string authority)
    {
        authCookie = m_authCookie;
        user = password = authority = null;
        return true; // Use forms credentials to authenticate.
    }
The issue I am experiencing is when the application is passing the credentials to the report server. I believe I must be doing this part incorrectly because while my application does get the cookie, when it authenticates the credentials provided by the cookie, I receive the text/html error:-
Object moved to <a href="/ReportServer/logon.aspx?ReturnUrl=%2fReportserver%2fReportExecution2005.asmx" />
This error is in response to setting a default generic Identity in the event that
the HttpContext.Current.User = null.
    if (HttpContext.Current != null
        && HttpContext.Current.User != null)
    {
        userIdentity = HttpContext.Current.User.Identity;
    }
    else
    {
        userIdentity = new GenericIdentity("AnonymousUser");
    }
I have tried googling the answer but most of the results are for
windows authentication and the few that are related to forms authentication
are very similar to the code I referred to.
The underlying cause of the issue was under my nose the whole time.
The domain name should refer to the web domain and not the active directory domain.
    authCookie.Domain = "DomainName";
The cookie is now able to authenticate the user as intended.
Hopefully this helps anyone who happens to make the same mistake.
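The effect of the Domain value described in the post above, as an added example that is not code from the original post. It uses System.Net.CookieContainer as a stand-in for a client that applies cookie domain matching; the host name reports.example.test, the directory-style name CORP and the cookie name and value are constructed for illustration.

```csharp
using System;
using System.Net;

// Added example. Host names, "CORP" and the cookie name/value are constructed.
static class CookieDomainDemo
{
    // True when a client applying cookie domain matching would attach a
    // cookie carrying this Domain attribute to a request for target.
    static bool WouldBeSent(string cookieDomain, Uri target)
    {
        var jar = new CookieContainer();
        try
        {
            // Add(Cookie) requires a non-empty Domain and files the cookie under it.
            jar.Add(new Cookie("authCookie", "constructed-ticket", "/", cookieDomain));
        }
        catch (Exception ex) when (ex is CookieException || ex is ArgumentException)
        {
            return false; // rejected outright, so it is never sent
        }
        return jar.GetCookies(target).Count > 0;
    }

    static void Main()
    {
        var reportServer = new Uri("http://reports.example.test/ReportServer/ReportExecution2005.asmx");

        // Directory-style domain name: it does not match the request host, so the
        // call goes out without the ticket and the server redirects to logon.aspx.
        Console.WriteLine("CORP                 -> " + WouldBeSent("CORP", reportServer));

        // Web host name of the report server: the cookie is attached.
        Console.WriteLine("reports.example.test -> " + WouldBeSent("reports.example.test", reportServer));

        // Deriving the value from the URL already in use avoids the mismatch.
        Console.WriteLine("reportServer.Host    -> " + WouldBeSent(reportServer.Host, reportServer));
    }
}
```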

Auto login from credentials based in the URL

c#, .net4, webforms
I'm building a feature for when someone forgets a password. A system admin can send a link to the customer's email, they can click it, it logs them in, and forces them to update their profile. I have everything working and verifying. Now I don't understand (still reading) how to make HttpContext.Current.User.Identity.IsAuthenticated == true after my method returns true that the person is verified, and allow the information from the URL to log that person in. I know I'm missing something, or not understanding how it works.
Either way, thanks for the help
If someone needs this:
    if (verifiedUser != "0")
    {
        // if user is verified
        FormsAuthentication.SetAuthCookie(verifiedUser, true);
        var LoginType = HttpContext.Current.User.Identity.AuthenticationType;
        if (!User.Identity.IsAuthenticated)
        {
            Response.Redirect(Request.RawUrl);
        }
    }
Works for my issue.

OWIN MVC - Multiple LoginProviders, Current LoginProvider

I have multiple login providers available. I can log in with an external account or using forms auth. Everything works fine.
I'm redirecting the user to the HomePage, and now I would like to know which login provider was used.
Is there a possibility to find out in the controller which login provider was used?
Thanks for the help!
    var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();
    string provider = loginInfo.Login.LoginProvider; // Facebook, Google, Twitter, Microsoft...
I got this working although it's not something that would work in all cases.
Here's the code I used in a HomeController function:
    // get the provider name
    var authCtx = HttpContext.GetOwinContext();
    var usrMgr = authCtx.GetUserManager<ApplicationUserManager>();
    var user = usrMgr.FindByName(HttpContext.User.Identity.Name);
    var extLoginInfo = usrMgr.GetLogins(user.Id).FirstOrDefault();
    // FirstOrDefault returns null when the user has no external login
    var loginProvider = extLoginInfo?.LoginProvider.ToLower();
The main issue here is that I'm not getting the actual login provider that the user is currently logged-in with. I'm just getting the first login provider associated with this user (which in my case happens to be the same, so it works).
Would be great to find a way to get the actual provider that the user is currently logged-in with.

websecurity.login returns true but not actually logged in [duplicate]

I can't understand exactly how SimpleMembership works. After all the configuration, I put this code in AccountController to see how it works, and whether it works at all:
    string UserName1 = WebSecurity.CurrentUserName;
    bool LoginResult = WebSecurity.Login("admin", "111111");
    string UserName2 = WebSecurity.CurrentUserName;
    WebSecurity.Logout();
And when I run the debugger I see that after everything has finished:
    UserName1 = ""
    LoginResult = true
    UserName2 = ""
Everything is OK except UserName2. Why is it empty? The login was successful...
Also I can't see UserID at WebSecurity, and WebSecurity.IsAuthenticated is false.
Why was the login successful when WebSecurity does not show it at all?
Login does not do what you think it does. It does not immediately set the current user; instead it sets a cookie on the user's web browser, and on the next page refresh, ASP.NET will recognize that cookie and give them an authenticated request.
This is not specific to simple membership; that's how all authentication works in ASP.NET. Once authenticated, the page has to be refreshed for a login to be recognized.
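The two-request behaviour that both this thread and the first question on this page run into, as an added example that is not code from any of the posts. It assumes a Web API project hosted in ASP.NET with forms authentication enabled and SimpleMembership initialised; SessionController, WhoAmI and SessionInfo are hypothetical names, and LoginRequest mirrors the request object in the first question.

```csharp
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Security;
using WebMatrix.WebData;

// Added example. SessionController, WhoAmI and SessionInfo are hypothetical names.
public class LoginRequest { public string EmailAddress { get; set; } public string Password { get; set; } }
public class SessionInfo
{
    public string Name { get; set; }
    public string[] RoleNames { get; set; }
    public bool IsAuthenticated { get; set; }
}

public class SessionController : ApiController
{
    [HttpPost, AllowAnonymous]
    public HttpResponseMessage Login(LoginRequest loginRequest)
    {
        // On success WebSecurity.Login queues the forms authentication cookie on
        // the response; the third argument only controls whether it is persistent.
        if (!WebSecurity.Login(loginRequest.EmailAddress, loginRequest.Password, persistCookie: false))
            return Request.CreateResponse(HttpStatusCode.Unauthorized);

        // This request's principal was built before the cookie existed, so
        // User.Identity and WebSecurity.CurrentUserName still describe an anonymous
        // caller. Use the name that was just verified instead.
        return Request.CreateResponse(HttpStatusCode.OK, new SessionInfo
        {
            Name = loginRequest.EmailAddress,
            RoleNames = Roles.GetRolesForUser(loginRequest.EmailAddress),
            IsAuthenticated = User.Identity.IsAuthenticated
        });
    }

    // A later request that carries the cookie: the principal is set before this runs.
    [HttpGet, Authorize]
    public HttpResponseMessage WhoAmI()
    {
        return Request.CreateResponse(HttpStatusCode.OK, new SessionInfo
        {
            Name = User.Identity.Name,
            RoleNames = Roles.GetRolesForUser(),
            IsAuthenticated = User.Identity.IsAuthenticated
        });
    }
}
```

If WhoAmI returns 401 in one browser but not another after a successful Login call, the cookie is not coming back with the second request, which is the thing to inspect in that browser's network tools.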

creating a cookie failing with safari, chrome, ie but working with FF

We are using the following code to create the security cookie. Everything works fine in the staging environment; however, in the production environment the following code is unable to create a cookie in Safari, Chrome or IE, but it does create a cookie successfully in Firefox. Is there anything you think I am missing or that is wrong here?
    public static void SetAuthenticationCookie(CustomIdentity identity)
    {
        ConfigSettings configSettings = ConfigHelper.GetConfigSettings();
        string cookieName = configSettings.CookieName;
        if (cookieName == null || cookieName.Trim() == String.Empty)
        {
            throw new Exception("CookieName entry not found in Web.config");
        }
        string cookieExpr = configSettings.CookieExpiration.ToString();
        string encryptedUserDetails = Encrypt(identity);
        HttpCookie userCookie = new HttpCookie(cookieName.ToUpper());
        if (cookieExpr != null && cookieExpr.Trim() != String.Empty)
        {
            userCookie.Expires = DateTime.Now.AddMinutes(int.Parse(cookieExpr));
        }
        userCookie.Values["UserDetails"] = encryptedUserDetails;
        userCookie.Values["Culture"] = configSettings.Customer.Culture;
        MyContext.Current.Response.Cookies.Add(userCookie);
    }
Safari and IE8 don't accept third-party cookies by default.
When you call out to another domain using JSONP, every cookie set by that script will be blocked by Safari and IE8. There is nothing you can do about that (in IE8, you could add a P3P policy, but that doesn't work in Safari).
There are workarounds for maintaining state across JSONP calls, but it's pretty complicated (you'll have to manage state manually and use document.cookie in the called JavaScript).
As an alternative, you can ask your users to lower the privacy settings in their browser, but this isn't something worth considering IMHO.
Did you check whether you have the Web Developer add-on and disabled cookies? Or disabled cookies inside of FF?
I've seen this issue related to the server having the incorrect UTC date/time. Firefox accepts regardless of the server date/time but other browsers won't set the cookie if the date/time is outside of a certain margin of error.
