Running multiple websites using ASP.NET membership in SQL Server - c#

I have been doing Google searches trying to find a resolution to this issue, but either there isn't one or I have not touched on the right search string to give me an answer.
I have multiple websites defined under the default website (inherited it this way) running on Server 2008 R2. I access these externally by ip-address/site1 ip-address/site2 etc. Each site uses a login and password. All sites point to the same database which has the standard ASP.NET membership implemented.
I have set the application name property in the web.config files. I have unique application IDs defined in the database for each application. Originally everything was set to "/" so I changed it to be unique.
The main issue that I am having is that when I am using IE and I log into one site, it kicks me out of the other site if I have it open in a separate tab. Is there any way to stop this from happening?
The authentication from the web config file is:
<authentication mode="Forms">
<forms loginUrl="~/Login.aspx" name=".ASPXFORMSAUTH" protection="All" path="/" enableCrossAppRedirects="true" timeout="1440" />
</authentication>

Related

Single Sign-On web app

I need to authenticate into a web app using Single Sign-On, through Active Directory. I want to get the userName doing: System.Threading.Thread.CurrentPrincipal.Identity.Name, and then, through LDAP, get the password from the AD, and log into the web app.
The problem is that System.Threading.Thread.CurrentPrincipal.Identity.Name returns empty.
Here is my Web.Config:
<authentication mode="Forms">
<forms loginUrl="~/SignIn" timeout="120" />
</authentication>
Now, I'm using active directory as a way to authenticate, and it works fine. But I also need to make it Single Sign-On.
Thanks
You need to activate Windows authentication.
<authentication mode="Windows" />
Don't forget to install the Windows Authentication feature for IIS.
If you want to use mixed authentication (Forms & Windows at the same time), I recommend OWIN-MixedAuth.
You can use HttpContext to retrieve the user identity. You must set the authentication mode to "Windows Authentication".
https://stackoverflow.com/a/40938106/950944

MVC Centralized Forms Authentication

I am switching from WebForms to MVC.
In the web.config of a WebForm I have the following:
<authentication mode="Forms">
<forms loginUrl="/forms/Login"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
If the user is not already authenticated they are redirected to a separate app on the web server /forms/Login/?ReturnUrl=%2fforms%2fLoginClient. That app has a standard log in screen and connects to active directory to verify user credentials and then on success creates the cookie and redirects the user back to the originally requested page using:
FormsAuthentication.RedirectFromLoginPage(username, false)
This is really convenient as I only have one login page UI to manage and all my code to talk to active directory in a single centralized location. Additionally, for new apps all I need to do to provide authentication is add the snippet above into the web.config of the new app.
Is there an equivalent way to do this in an MVC project?
I am familiar with the option to include an Account controller when creating a new MVC application.
However, this has a lot of stuff I don't want and way more Views than I'll ever need.
I don't want to have to create a new login page or duplicate my active directory auth code for every new MVC application that I create.
Thanks for any guidance on this.

Context.User.Identity.GetUserName() for 2 websites is accessing the same user

I have created 2 web applications in Visual Studio 2013 using C#.
I have registered 2 new users in both the applications.
Now if I run both the applications in Google Chrome, I am getting the following:
1) If I log in on one website and refresh the other website's page, it is also logged in.
How can I make them separate, so that both can have their separate users?
Has it something to do with Context.User.Identity? Are both sites using the same cookies?
Please help me in understanding it.
Thanks
Assuming you haven't explicitly changed the authentication configuration in the web.config across both websites, then the behaviour you are seeing is by design.
To configure forms authentication across applications, you set attributes of the forms and machineKey sections of the Web.config file to the same values for all applications that are participating in shared forms authentication.
...Unless otherwise noted, the name, protection, path, validationKey, validation, decryptionKey, and decryption attributes must be identical across all applications.
So, if you want an independent ticket for each site, the easiest solution would be to give each site its own distinct ticket name:
<forms name=".ASPXFORMSAUTH_SITEA" ... />
<forms name=".ASPXFORMSAUTH_SITEB" ... />
For security purposes, you might also want to consider using different encryption/decryption keys as well.
You can make the logins separate by doing the following (my guess is that you want the sessions separate as well), which Microsoft advise to do if running multiple websites from a web server, most likely to avoid this cross cookie issue...
In your web.config give the session and the authentication cookies unique names, e.g.
<sessionState cookieName="UNIQUESESSION1" timeout="20"/>
and
<forms timeout="2880" name="UNIQUEAUTH1" />

Shared login in two MVC Projects? Why?

Imagine you create a new MVC4 project, start registering an account using SimpleMembership, and log in using the Remember Me checkbox.
Now, when you create another MVC 4 project, the application tries to log in using the previous account, although it throws an error because the account does not exist. I mean, if I do a login in one web page, the other one uses the same account.
How can I avoid this? I guess it has to do with ForgeryTokens or something like that.
Customize the name of the cookie so that it's unique per application.
<authentication mode="Forms">
<!-- **Defaults** timeout="30" slidingExpiration="true" -->
<forms name=".MyApplication" defaultUrl="~/" loginUrl="~/LogIn" />
</authentication>
If you are using a single sign-on mechanism then it is an exceptionable scenario, but if you do not wish to allow the same authentication with the same account on another website, then make sure the web.config files for both projects have different machine keys.
Also, this happens because cookies on your machine are set to true, to create a cookie file and allow access to the other project using these cookie details.
< Authentication />
It happens because when the web page is served the browser sees localhost as the domain name. It saves the cookie for localhost.
When you host another website on the same server with localhost, then the browser sends the same cookie again.
If you are using the same cookie name in both the applications, then the system will try to think that the user is already authenticated and you will get the error.
You can change the cookie name in web.config file.
Read this:
Can I change the FormsAuthentication cookie name?
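The collision the answers above describe, as an added example that is not part of the original posts: a small JavaScript model of a browser cookie jar, in which a cookie is identified by name, host and path. The host address, the ticket strings and the `simulate` helper are constructed for illustration; the cookie names and paths mirror the `forms` attributes quoted on this page.

```javascript
// Added illustration: a minimal model of how a browser stores and returns cookies.
// A stored cookie is identified by (name, host, path); a new cookie with the same
// triple replaces the old one. Ports are ignored, as browsers ignore them for cookies.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  set(host, { name, path = "/" }, value) {
    this.cookies.set(`${name}|${host}|${path}`, { name, host, path, value });
  }
  // Cookies attached to a request: same host, cookie path covers the request path.
  cookiesFor(host, requestPath) {
    return [...this.cookies.values()].filter(
      (c) => c.host === host && pathMatches(c.path, requestPath));
  }
}

// Cookie path matching: exact match, or a prefix ending at a "/" boundary.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Log in to /site1, then /site2 on one host, and report which ticket each
// application receives on its next request. `formsA`/`formsB` stand for the
// name/path attributes of each application's <forms> element.
function simulate(formsA, formsB) {
  const host = "203.0.113.10"; // constructed documentation address
  const jar = new CookieJar();
  jar.set(host, formsA, "ticket-issued-by-site1"); // constructed ticket values
  jar.set(host, formsB, "ticket-issued-by-site2");
  const received = (forms, requestPath) => {
    const hit = jar.cookiesFor(host, requestPath).find((c) => c.name === forms.name);
    return hit ? hit.value : null;
  };
  return {
    site1: received(formsA, "/site1/Default.aspx"),
    site2: received(formsB, "/site2/Default.aspx"),
  };
}

// Same name and path="/" in both apps: site2's login overwrites site1's ticket.
const shared = simulate({ name: ".ASPXFORMSAUTH", path: "/" }, { name: ".ASPXFORMSAUTH", path: "/" });
// Distinct cookie names: both tickets coexist.
const renamed = simulate({ name: ".ASPXFORMSAUTH_SITEA" }, { name: ".ASPXFORMSAUTH_SITEB" });
// Same name, path scoped to each virtual directory: also kept apart.
const scoped = simulate({ name: ".ASPXFORMSAUTH", path: "/site1" }, { name: ".ASPXFORMSAUTH", path: "/site2" });
console.log({ shared, renamed, scoped });
```

What site1 does with the ticket issued by site2 depends on the machineKey: with different keys the ticket fails validation and the user is sent back to the login page, while with identical keys it is accepted as a login.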

How to add accounts to a website ASP.NET C#

I created a new ASP.NET, C# empty website and I have my own database in the App_Data folder. I have a master page as well in the solution.
Anyway, I want to create a login page, but my issue is, how would I know whether a user is logged in or not when navigating around the site.
To elaborate more, when the user opens the home page, it'll have a label saying "Login" and linking to /login.aspx
But then when the user logs in, I want the "Login" label at the top to change to Username + a "Logout" label (which of course logs the user out).
My question is, say I go to another page, say /AboutUs.aspx, how would I know, if there is anyone logged in and who is logged in?
I've googled this a lot and seen many solutions, including Membership Provider and LoginView, but I don't understand either of them (yes, I've read many articles; even MSDN articles).
I'm not really used to programming with ASP.NET.
Any help please! Thanks!
In ASP.NET, I recommend using Forms authentication. http://msdn.microsoft.com/en-us/library/ff647070.aspx
When the user is logged in, there will be an IIdentity object in the user's session that you can use to determine if the user has been authenticated. But, you won't really need to use it much, because the web.config will be configured to toss all unauthenticated users back to your login page.
<system.web>
<authentication mode="Forms">
<forms loginUrl="Login.aspx"
protection="All"
timeout="30"
name=".ASPXAUTH"
path="/"
requireSSL="false"
slidingExpiration="true"
defaultUrl="default.aspx"
cookieless="UseDeviceProfile"
enableCrossAppRedirects="false" />
</authentication>
</system.web>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
If you are, as you say, using your own db, where you store usernames and passwords, you will need to take care of the authentication process yourself. The easiest way to do this is to write your own Membership provider by inheriting from the System.Web.Security.MembershipProvider class and overriding essential methods, like bool ValidateUser(string userName, string password). Then you'll need to plug your provider into your website via web.config.
On the other hand, you can use the built-in Membership provider and its db. To do this, you'll need to copy your user data into this db, which will be created the 1st time your app uses the Membership feature (like, when in VS you execute the PROJECT -> ASP.NET Configuration menu command). Its name and location depend on the connection string in your web.config. If you opt to go this way, once your user is authenticated, you'll be able to see it with the following code on the server side:
User.Identity.IsAuthenticated
