I have created 2 web applications in Visual Studio 2013 using C#.
I have registered 2 new users in both the applications.
Now if I run both applications in Google Chrome, I am getting the following:
1) If I log in on one website and then refresh the other website's page, it is also logged in.
How can I make them separate, so that both can have their own separate users?
Has it something to do with Context.User.Identity? Are both sites using the same cookies?
Please help me in understanding it.
Thanks
Assuming you haven't explicitly changed the authentication configuration in the web.config across both websites, then the behaviour you are seeing is by design.
To configure forms authentication across applications, you set attributes of the forms and machineKey sections of the Web.config file to the same values for all applications that are participating in shared forms authentication.
...Unless otherwise noted, the name, protection, path, validationKey, validation, decryptionKey, and decryption attributes must be identical across all applications.
So, if you want an independent ticket for each site, the easiest solution would be to give each site its own distinct ticket name:
<forms name=".ASPXFORMSAUTH_SITEA" ... />
<forms name=".ASPXFORMSAUTH_SITEB" ... />
For security purposes, you might also want to consider using different encryption/decryption keys as well.
You can make the logins separate by doing the following (my guess is that you want the sessions separate as well), which Microsoft advise doing if running multiple websites from a web server, most likely to avoid this cross-cookie issue...
In your web.config give the session and the authentication cookies unique names, e.g.
<sessionState cookieName="UNIQUESESSION1" timeout="20"/>
and
<forms timeout="2880" name="UNIQUEAUTH1" />
I have an inherited application (let's call it app.mydomain.com) in which I'm trying to update the domain of the cookie that gets set via the web.config. Currently, it's something like this:
<authentication mode="Forms">
<forms loginUrl="~/" timeout="2880" cookieless="UseCookies" domain=".mydomain.com"/>
</authentication>
There is separate application at app2.mydomain.com also using forms authentication, and the cookie from the app.mydomain.com conflicts with it. The app2.mydomain.com correctly references the full domain in its forms authentication block so it works fine as long as the app.mydomain.com cookie isn't around. My plan was to simply change the .mydomain.com reference in the web.config to app.mydomain.com to resolve this conflict.
My question is how does that existing cookie on app.mydomain.com behave once that web.config is updated in production? Does it overwrite the existing cookie as it sees this update? Does the existing cookie stick around and have to be flushed out before the new one will take effect? Thanks in advance.
So I ended up approaching this a bit differently. It hadn't occurred to me, but it was set up this way to accommodate the app and API being on different subdomains. By setting it to .mydomain, both could access the authentication cookie. When I removed the domain attribute, I was able to log in, but it threw me back to the login right away. So I ended up keeping this application using this format (.mydomain), then changed the second application to use it as well. This allows one login to set credentials that are accessible to both applications. I was just trying to resolve the cookie conflict, but this is even better.
I have started looking into Forms Authentication with Windows Authentication (I believe it's called Mixed Forms Authentication, but I could be and probably am wrong).
So far I have discovered in my web.config file I need to add the following lines:
<authentication mode="Forms">
<forms loginUrl="~/Login"></forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
which I have done. But the next part confuses me. I have been reading about WinLog and WebLog pages and one has to be Windows Authentication and the other a forms Authentication.
I am under the impression this is how the flow should go
Add the lines above to your web.config
Brings user to login page
User gets redirected from another project that has Windows Authentication with the creds they filled in, and the other project sends a response saying yes or no.
The part after the web.config is super confusing, can someone tell me if I am on the right track or far from it?
What I am trying to do is not have an ugly dialog box, but instead have a custom login page.
If someone can point me in the right direction, that would be great.
ASP.NET has 3 different ways of authentication:
- Windows
- Forms
- Passport
Mixed mode authentication has been known as a somewhat problematic way of authenticating users; in order to achieve it, you'll need one application to authenticate the users from a form, and another one to authenticate the users from IIS.
You will find some more info here:
ASP.NET MVC and mixed mode authentication
http://aspalliance.com/553_Mixed_Mode_Authentication.all
https://msdn.microsoft.com/en-us/library/aa291347(v=vs.71).aspx
I have an MVC 4 website with 4 access points:
1. www.domain.com
2. domain.com
3. www.domain.net
4. domain.net
The problem is that when a user is logged in on one of these URL addresses, the user is not logged in on the other URLs. So, for example, after logging in to "www.domain.com" the user is not logged in to "domain.com"; this behavior applies to all access points.
A user can be logged in on all access points at the same time, but he must fill in the login form 4 times.
There can be a URL rewrite from non-www to www, but there are still 2 domains (.com/.net).
In IIS, all hostname variants are in a single site's bindings.
Any idea what I am doing wrong?
I have a website with similar domain extensions, including the https protocol. I forwarded all other domains to https://www.domain.com; it's good for SEO reasons as well as for your analytics. I would suggest forwarding all domains to one single domain.
This answer also says:
So, how to share the authentication cookie across multiple domains? Well, there is absolutely no way to do that. The fundamental barrier of the HTTP protocol prevents you from sharing a cookie across different domains, primarily for security reasons.
...There is no built-in mechanism in ASP.NET to implement a Single Sign On across these two different sites.
You can redirect the website using web.config file by setting up sites in IIS to the redirect folder:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<httpRedirect enabled="true" destination="https://www.domainname.com$S$Q" exactDestination="true" httpResponseStatus="Permanent" />
</system.webServer>
</configuration>
If all of them display same content, just use one domain as the main. Else you can use oauth as single login.
Imagine you create a new MVC4 project, register an account using SimpleMembership, and log in with the Remember Me checkbox ticked.
Now, when you create another MVC 4 project, the application tries to log in using the previous account, although it throws an error because it does not exist. I mean, if I log in on one web page, the other one uses the same account.
How can I avoid this? I guess it has to do with ForgeryTokens or something like that.
Customize the name of the cookie so that it's unique per application.
<authentication mode="Forms">
<!-- **Defaults** timeout="30" slidingExpiration="true" -->
<forms name=".MyApplication" defaultUrl="~/" loginUrl="~/LogIn" />
</authentication>
If you are using a single sign-on mechanism then it is an exceptionable scenario, but if you do not wish to allow the same authentication with the same account on another website, then make sure the web.config files for both projects have different machine keys.
Also, this happened because cookies on your machine are set to true, to create a cookies file and allow access to the other project using these cookie details.
< Authentication />
It happens because when the web page is served the browser sees localhost as the domain name. It saves the cookie for localhost.
When you host another website on the same server with localhost, then the browser sends the same cookie again.
If you are using the same cookie name in both the applications, then the system will try to think that the user is already authenticated and you will get the error.
You can change the cookie name in web.config file.
Read this:
Can I change the FormsAuthentication cookie name?
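As an added illustration of the cookie behaviour described in the answers above (the shared-name collision on localhost, the distinct-name fix, the .mydomain.com domain attribute, and the "no cookie across .com/.net" point), here is a small model of a browser cookie store. It is example code written for this page, not code from any answer or from ASP.NET; host names and ticket values are constructed samples.

```python
# Added example, not code from any answer above: a minimal browser cookie store with
# RFC 6265 domain matching (path matching and public-suffix check omitted for brevity).
def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

class CookieJar:
    def __init__(self):
        self.store = {}  # (name, domain) -> (value, host_only), keyed as a browser does

    def set(self, host: str, name: str, value: str, domain=None) -> bool:
        """Apply one Set-Cookie sent by `host`; False if a browser would reject it."""
        if domain is not None:
            domain = domain.lstrip(".")
            if not domain_match(host, domain):  # RFC 6265 5.3: foreign Domain= is dropped
                return False
        # Same name and domain overwrites the earlier cookie; the port plays no part.
        self.store[(name, domain or host)] = (value, domain is None)
        return True

    def cookies_for(self, host: str) -> dict:
        """Name -> value of every cookie the browser would attach to a request to `host`."""
        sent = {}
        for (name, domain), (value, host_only) in self.store.items():
            if (host == domain) if host_only else domain_match(host, domain):
                sent[name] = value
        return sent

# Sample ticket values below are constructed, not real forms-authentication tickets.
def same_name_on_localhost() -> dict:
    jar = CookieJar()  # two apps on localhost, both using the default cookie name
    jar.set("localhost", ".ASPXAUTH", "ticket-for-app-A")
    jar.set("localhost", ".ASPXAUTH", "ticket-for-app-B")
    return jar.cookies_for("localhost")  # one cookie left: app A now sees app B's ticket

def distinct_names_on_localhost() -> dict:
    jar = CookieJar()
    jar.set("localhost", ".ASPXFORMSAUTH_SITEA", "ticket-for-app-A")
    jar.set("localhost", ".ASPXFORMSAUTH_SITEB", "ticket-for-app-B")
    return jar.cookies_for("localhost")  # both are sent; each app reads only its own name

def shared_across_subdomains() -> tuple:
    jar = CookieJar()
    jar.set("app.mydomain.com", ".ASPXAUTH", "ticket-1", domain=".mydomain.com")
    return jar.cookies_for("app.mydomain.com"), jar.cookies_for("app2.mydomain.com")

def cross_tld_attempt() -> tuple:
    jar = CookieJar()  # domain.com trying to set a cookie for domain.net
    accepted = jar.set("www.domain.com", ".ASPXAUTH", "ticket-1", domain=".domain.net")
    return accepted, jar.cookies_for("www.domain.net")
```

Each scenario function returns the cookies the browser would send, so the collision, the fix, the subdomain sharing and the rejected cross-domain cookie can be compared side by side.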
I have two questions concerning authentication of an intranet website and how to go about doing it.
I want the first page the user comes to be the login page. I could have sworn there was a tag, something like [Authorize], that you put in your C# code that did this for you, but I can't find it anymore. Right now the first page is my default.aspx. I turned on Windows authentication in the web.config file and it automatically logged me in. So that is working, but I want the user to have to log in as stated above. What do I have to do?
I only want to allow people that are in a certain group to have access. How do I add this additional check?
In your web.config file you need to add the following
<authentication mode="Forms">
<forms loginUrl="YOUR LOGIN PAGE!!" timeout="2880" />
</authentication>
in the <system.web /> tag.
That will force the user to authenticate for that site.
The [Authorize] attribute is used to require a user be authenticated (like you had put in your question), BUT!! only for MVC applications http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.aspx
With MVC you can also use the [RequiresAuthentication(Roles = "admin")] attribute, which will give you control over which roles have access to which endpoints.
I would seriously consider MVC
Use forms authentication instead of Windows authentication. Have a look at these links; they provide walkthroughs for using forms authentication:
http://www.asp.net/web-forms/tutorials/security/introduction/an-overview-of-forms-authentication-vb
http://www.dotnetfunda.com/articles/article141.aspx
For using active directory go through these links :
http://msdn.microsoft.com/en-us/library/ms180890(v=vs.80).aspx
http://msdn.microsoft.com/en-us/library/ff650308.aspx
Here's a guide to setting up Forms Authentication on your site: https://web.archive.org/web/20211020150650/http://www.4guysfromrolla.com/webtech/110701-1.shtml
Part 2 has the meat of the stuff.
Thanks for all the great input. They got me going in the right direction, and then the customer decided to change direction. They want it to auto-login if they are in the right group, otherwise display an error message. The forms authentication would have worked as described.