I have two applications. The first one is an ASP.NET 4 MVC application that requires authentication. The second is an app that will handle the authentication and set the forms authentication cookie.
On the authorizing app, I call
FormsAuthentication.SetAuthCookie(username, false);
and then I do a simple Response.Redirect back to my MVC application.
In the MVC app, I am making a custom filter that inherits from AuthorizeFilter. On the OnAuthorization method, I was going to decrypt the cookie and grab some additional user data from the authorized user.
My problem is, that
HttpContext.Current.Request.Cookies
has nothing in it. I have checked it out in Fiddler, and the authentication app correctly sets the cookie, and the MVC application gets the cookie, but when it gets to my filter, there is nothing there.
My web.config in both applications has the exact same setup:
<forms
name=".ASPXFORMSAUTH"
protection="All"
path="/"
timeout="30"
enableCrossAppRedirects="true"
domain="localhost"/>
And I have set up both with the same machineKey to be able to decrypt the cookie. The problem is, I am not seeing any cookie in my OnAuthorization method within my MVC filter.
Right now both applications are running on my local IIS instance.
All the weird behavior was due to the httpRuntime between each application being different. My MVC application was set to 4.5 while my application that was setting the cookie was 4.0. Apparently there was a change in how the crypto happens behind the scenes, and therefore when the cookie came through the pipeline, it would get stripped out as ASP.NET couldn't decrypt it.
I came across this when I manually tried to decrypt the cookie by setting the name property differently. That way I could access the cookie and try to decrypt it, but at that point I would get an exception.
I found the following link, which led me in the right direction: Sharing a cookie between two websites on the same domain
By setting the compatibility mode setting on the machine key, the cookie came through just fine and could be decrypted.
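What that fix looks like in web.config, as an added example (not the asker's actual configuration): both applications carry the same machineKey block, and the explicit compatibilityMode pins both sides to the same cookie-encryption scheme regardless of the httpRuntime they target. The key values are placeholders; generate your own and keep them out of source control.

```xml
<!-- Added example: identical in BOTH the cookie-issuing app and the MVC app. -->
<system.web>
  <!-- The MVC app targets 4.5; the issuing app targets 4.0 (as described above). -->
  <httpRuntime targetFramework="4.5" />

  <!-- Same keys in both apps, otherwise neither can decrypt the other's ticket.
       compatibilityMode forces the 4.5 app to use the pre-4.5 crypto pipeline so
       the 4.0 app's ticket can be read; alternatively set Framework45 on both once
       both apps run on 4.5. -->
  <machineKey
    compatibilityMode="Framework20SP1"
    validation="HMACSHA256"
    decryption="AES"
    validationKey="REPLACE_WITH_YOUR_OWN_128_HEX_CHAR_KEY"
    decryptionKey="REPLACE_WITH_YOUR_OWN_64_HEX_CHAR_KEY" />

  <authentication mode="Forms">
    <!-- Same cookie name, path and domain in both apps, matching the question. -->
    <forms
      name=".ASPXFORMSAUTH"
      protection="All"
      path="/"
      timeout="30"
      enableCrossAppRedirects="true"
      domain="localhost" />
  </authentication>

  <!-- Keep the ticket cookie out of script reach and off plain HTTP. -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
```

If the compatibility mode or keys still differ between the two apps, FormsAuthentication silently discards the cookie from the request collection, which is exactly the empty Request.Cookies symptom described in the question.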
I have Asp.NET MVC application which gets logged in after secure Id and password authentication.
After login, when I go to developer tools in the web browser, copy the ASP.NET_SessionId cookie and paste it into another browser without logging in with Id and password, it gets logged in.
Where is this cookie created? And how can I handle this vulnerability?
You are describing "session hijacking".
You should ensure that ASP.NET requires HTTPS, and that cookies are not accessible to client-side script, by adding this to web.config:
<httpCookies httpOnlyCookies="true" requireSSL="true" />
You might also implement something like the SecureSessionModule in this article, which adds some additional measures.
Note the caveats:
https://learn.microsoft.com/en-us/archive/msdn-magazine/2004/august/wicked-code-foiling-session-hijacking-attempts
I have an inherited application (let's call it app.mydomain.com) for which I'm trying to update the domain in the cookie that gets set via the web.config. Currently, it's something like this:
<authentication mode="Forms">
<forms loginUrl="~/" timeout="2880" cookieless="UseCookies" domain=".mydomain.com"/>
</authentication>
There is a separate application at app2.mydomain.com also using forms authentication, and the cookie from app.mydomain.com conflicts with it. app2.mydomain.com correctly references the full domain in its forms authentication block, so it works fine as long as the app.mydomain.com cookie isn't around. My plan was to simply change the .mydomain.com reference in the web.config to app.mydomain.com to resolve this conflict.
My question is how does that existing cookie on app.mydomain.com behave once that web.config is updated in production? Does it overwrite the existing cookie as it sees this update? Does the existing cookie stick around and have to be flushed out before the new one will take effect? Thanks in advance.
So I ended up approaching this a bit differently. It hadn't occurred to me, but it was set up this way to accommodate the app and API being on different subdomains. By setting it to .mydomain, both could access the authentication cookie. When I removed the domain attribute, I was able to log in but it threw me back to login right away. So I ended up keeping this application using this format (.mydomain), then changed the second application to use it as well. This allows one login to set credentials that are accessible to both applications. I was just trying to resolve the cookie conflict, but this is even better.
I am working on ASP.Net MVC-4 application. I have to implement windows authentication.
I have set authentication mode as 'Windows' in web.config file as shown below.
<system.web>
<authentication mode="Windows" />
</system.web>
In controller I try to get username as below.
string userName = User.Identity.Name;
but every time I am getting an empty value.
Please let me know for any suggestions.
Thanks in advance.
Windows authentication is performed by IIS to establish our managed code User.Identity. Therefore, you need to enable Windows Authentication in your IIS, and in order to force the user to authenticate before being able to access our application, you need to disable Anonymous Authentication.
With the given information, it looks like you've configured your project correctly but haven't actually authenticated the user yet.
First some background. There is a simplified tutorial on asp.net where, in between the lines, the following statement is mentioned:
By default, the ASP.NET Development Web Server executes all pages in the context of the current Windows account (whatever account you used to log into Windows).
This means that when you run your project with F5, it executes everything under your currently logged in user account. However, it isn't yet authenticated for the application and therefore your User.Identity.* is not set yet.
In order to verify if this is the case, you should add the [Authorize] attribute on the first controller (or action) that is called in your ASP.NET MVC project. Most likely you'll be confronted with a "HTTP Error 401.0 - Unauthorized" exception. In this case, you should enable your webserver to authenticate first. The above mentioned tutorial will help you with this.
Imagine you create a new MVC4 project, register an account using SimpleMembership, and log in using the Remember Me checkbox.
Now, when you create another MVC 4 project, the application tries to log in using the previous account, although it throws an error because it does not exist. I mean, if I log in on one web page, the other one uses the same account.
How can I avoid this? I guess it has to do with ForgeryTokens or something like that.
Customize the name of the cookie so that it's unique per application.
<authentication mode="Forms">
<!-- **Defaults** timeout="30" slidingExpiration="true" -->
<forms name=".MyApplication" defaultUrl="~/" loginUrl="~/LogIn" />
</authentication>
If you are using a single sign-on mechanism then it is an exceptionable scenario, but if you do not wish to allow the same authentication with the same account on another website, then make sure the web.config files for both projects have different machine keys.
Also, this happened because cookies on your machine are set to true, to create a cookies file and allow access to the other project using these cookie details.
< Authentication />
It happens because when the web page is served the browser sees localhost as the domain name. It saves the cookie for localhost.
When you host another website on the same server with localhost, then the browser sends the same cookie again.
If you are using the same cookie name in both the applications, then the system will try to think that the user is already authenticated and you will get the error.
You can change the cookie name in web.config file.
Read this:
Can I change the FormsAuthentication cookie name?
I have written an ASP.NET web service using C#. Everything works just fine with the service itself and deployment to stage and production. However, after running an Acunetix scan there is an issue with cross-site scripting. Our entire network is behind a WAF which is able to add some cookie stuff to provide protection for this. For the WAF to work it needs another cookie to attach to; we are trying to use the ASP.Net_SessionID cookie.
This cookie wasn't showing up, so we added the line below to the web.config and the cookie started showing up on the stage system only. When we deployed this update to production the cookie is not showing up.
<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20"/>
As far as we can tell both servers are functionally identical: IIS 6, OS, DLLs, etc. Yet we can't get this cookie to populate. Any ideas?
Are you putting anything in session?
If you don't then the cookie will not be sent to the client browser.
Have you tried the aspxanonymous cookie?
http://msdn.microsoft.com/en-us/library/91ka2e6a(v=vs.100).aspx