I have a C# web application (IIS 7.0) and I have Smart Card Authentication set up on the site. The user is required to have a Client Certificate associated to their account which allows them to login. Now I want to go a step further and either after 15 minutes of inactivity on the site, or if the user logs out, I want to website to redirect to a logged out state and a page specifically designed as a log out page. This all works fine, now is the tricky part.
Now, if the user is at the logged out page and wants to log in again, they must select a link to log in again, and I want IIS to ask the user to select their cert again and input their pin (smart card), how do I force IIS to do this? I would imagine that on the logged out page I need to somehow dump the user cert so that when the user logs in (default.aspx) the system will ask for their cert, but I do not know how to do this, is this possible?
Related
I'm building a web app (c#, asp.net-core-mvc) for internal use in my company. Authentication is required through user Microsoft Accounts (either through Windows Authentication or Azure, both options are working).
The issue I'm having is that I have been asked to require password confirmation when executing certain actions.
I have looked in all the documentation I could find but have not been able to find anything about this use-case.
The one thing I have found out is that it's apparently impossible with Windows Authentication since you can't log someone out.
I have been able to prompt the login page by using return Challenge();, but it loops back on the login page when you login (or shows 401 error page if you cancel), and doesn't return anything I have been able to exploit.
With Azure it also loops right back to the login page.
It would in theory be possible through Azure authentication by logging the user out and then back in, but I haven't been able to send the user back to the right page with the right information after logging back in.
So if anyone has a solution I'm ready to try anything that uses Microsoft accounts (custom user accounts isn't really an option since it's an intranet application).
I created a ASP.Net C# MVC app with "Individual User Account" for Authentication + localDB. I started the app in visual studio with IIS express on localhost, signed up an user and logged in with that user.
I am trying to understand how back-end know a user has logged in in the following scenario:
start the iis express & app in visual studio
log in
stop the iis express & app in visual studio
start again the iis express & app in visual studio
user still logged in (WHY???)
I checked the user tables in db, and could not find any fields indicate a logged in user. I am thinking stop & restart iis express should clear everything in the back-end as well.
So how does the back-end know there was an user logged in in the step 5 above??
I found the following cookie in the http request
Cookie: _ga=GA1.1.1546797954.1551225891; __RequestVerificationToken=PSFeb9iP4aZr3wxxb8nJNKtki_1XPTzGO1Hzaf0W3iDsSCnV_qCfMsC9TY980X51c2rANZA-zureu6UHKEssAHza58AdmQUdZVL98VGYlRc1; .AspNet.ApplicationCookie=VUPznoprBRK2z13u03ArrC9HLHeGGUyTSvu9rYpSnZju_Rz4X2V5n9faw0EhnmuFjVN1AIva7HZSAhUBeSZ5jQHSej6XaAExy0hkwF_9vC190LfWBPP-oH3Zp0jj0ZmZ7L3sLlLqux4HV5CZSA-jqhDF4IXAFKyisFFV136PlxrJTmb9OXRrmo9rigCiIy0z_oixDlg1eHVI3T6ptVgn1Qhohtr1mTqoBJsF7gi7CHymSBlyFJ5MgYxfPcWNhJnj3H-WWK1ijkfzxsm0R13m2_6IbIiK1y5uzQBkklb8oMuz0mD27GlwMzteQBP3VLOXn77BreOPefJ8_2AekYjFGjgBIGGpngxLVzDneT4rC-BDiVKdWO_FRuail4ivVAN2ZJtdjK0uEPqnln5rmOlT0MLAhYzHMkk-HTvtW-Xo-Kexinlh58uxz0E7bncY5I6troc19E0fBLMnfXThtaL7ur6CN4pqUyq4yALJCTHszG3RPLQoJja0u1g34i-mKunZ
In web development there is very basic concept called cookie.The cookie is responsible too store user information in browser. When you sign-in in membership system ,it adds a special header called Set-Cookie to response which afterward get's stored in browser cache.The information send through header contains information about loged in user's identity. With subsequent requests browser send the same cookie to the server and the membership system parses that info to identify the user which makes request and if the information is valid you are logged in and system identifies you.
EDIT :
The detail of operations taking place is not unique and depends on which library you use for authentication but if you use asp.net default authentication system then you can go and see how things get done in the source code.For ASP.NET CORE check https://github.com/aspnet/AspNetIdentity and for ASP.NET MVC check : https://github.com/aspnet/Identity
Following is how authentication works in ASP.NET MVC
Enter Username and password in login form and click on "Login" button
On click of Login button Server side code checks whether entered Username and Password exists in database
If entered Username and Password exists in database then server side code creates cookie and stores them in the browser(not in the database)
On every page request IIS checks whether authentication cookie exists or not.
If cookie exists then user is logged In and if cookie doesn't exist the user is not logged in
Since authentication cookie is stored in browser and not in IIS. Stopping and Starting IIS has no effect on User log in status.
To answer your specific question: So how does the back-end know there was an user logged in in the step 5 above??
Ans: On ever page request from IIS. Along with other information, authentication cookie stored in browser is sent to back-end/IIS. back-end/IIS then checks whether or not authentication cookie is valid. If cookie is valid back-end/IIS knows user is logged in. If cookie is invalid back-end/IIS knows user is not logged in.
To understand this process further. I would recommend reading about cookies first and then read about authentication in ASP.NET.
Hope this helps!
Is it possible to clear browsing data, cookies, active logins, etc. behind the scenes(programatically) on chrome custom tabs?
My goal is to have the user be prompted to login every time they open the custom tab (instead of being logged in automatically)
Shared cookie jar and permissions model so users don't have to log in to sites they are already connected to, or re-grant permissions they have already granted.
Chrome Custom Tabs is the Chrome browser (via the Chrome service and custom Intents) and thus the cache, cookies, etc.. are shared (actually the same).
The answer is no, you can not programmatically clear the data of Chrome.
Note: Right now there is no support of creating an Incognito-based Custom Tab
I would issue the user a transient/session cookie so it does not get persisted if you wish to forced a re-login on the start of every new session.
"My goal is to have the user be prompted to login every time they open the custom tab (instead of being logged in automatically)"
As of now July 2020, on appauth's request builder you can use the method setPrompt(AuthorizationRequest.Prompt.LOGIN)
This will prompt the user to login every time.
If this method isn't provided and let's say there is some persistence needed (to log the user in automatically after they have logged in). If the server issues cookies to do this Currently it is a challenge to log the user out using an endpoint
I've got a C# MVC application using Identity. I'm trying to find a solution to authenticate a Kiosk User:
normal users login using their credentials; be it local, FB, Google etc, from their home computer, phone or whatever
a particular computer however needs to be always logged in - even after the web server/application rebooted, the kiosk computer restarted etc. (well, at least after the server/kiosk computer is back and the kiosk computer returns to the application website, the computer needs to be logged in as that kiosk user again)
My simplest idea was to create a user role Kiosk that would be disallowed from logging out; however that doesn't solve the login problem unless I "remember" the kiosk user by a crazy-long-expiry-date cookie.
It also doesn't necessarily stop anyone from simply deleting the cookie (although I could live with that, the kiosk computer is in a monitored environment).
Identification by IP is not possible.
I'm looking for ideas on how I might be able to accomplish this. What pieces of software, or a certificate, or something could I install on that computer that'd allow me to check it is that one in my application?
Thanks for any suggestion that you might have.
This is commonly done with a persistent cookie as you describe, in the case of a web app. You could set the login cookie expiration to some long term date such as 1 year, 5 years or whatever makes sense. You can do this based on a role the user is a member of, user name, or some other identifier. I have done this before and I usually add a new option of some kind to hide the logout button/menu option.
Other options would be:
Client Certificate based authentication with IIS
Window Authentication if the machine is an AD member.
Special URL that is kiosk specific that signs the user in from a link/bookmark/button/whatever (this might just be a variation of the long term cookie option bypassing the password login)
I have an Intranet Website and when I does not log in from my Domain ID, browser automatically generate pop-up for Domain ID Username and Password.
Now the Problem is when I close my browser and some another user uses my Computer and opens the same browser, Browser will not again generate Pop-Up for Domain ID Username and Password and directly open the Intranet Website with my Domain ID.
Is there any way to terminate the session with AD Server when I Log-Out or close my browser.?
Thanks in advance
Active Directory server does not have a way to manage client connections to the server. All it does is manage the user credentials and accessibility. To switch roles or users in the active directory, you'd literally have to log off of windows and go back on.
Here is a perfect article that explains how to capture an active directory user logging into your website:
http://msdn.microsoft.com/en-us/library/ff647076.aspx
To replicate how YOU want users to log onto your site, your best bet is to go with Form Authentication, rather than using your Active Directory credentials. The mindset with Form Authentication is that you might have multiple users use the same computer logging into your website. Windows authentication has the mindset where only one user can log onto a computer so use that person's credentials by default to log onto the intranet website.
You can have the client send a request to disconnect from the server.
http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.signout.aspx
You can also attempt to manage the User's session during log on as well:
http://msdn.microsoft.com/en-us/library/ah635ck5
the Abandon method seems to do the job that you'd want it to do.
Aside note: as a programmer using windows authentication, you don't have to worry about extra layers of security, but with Form authentication you have to keep security measures in mind.
I am not sure if this applies to AD server but you can delete the session cookie when browser closes.
window.onunload=function()
{
setCookie("YourCookieId","",-1);
}
Similarly on log-out you can set the expiration time to -1 years.
HttpCookie cookie2 = new HttpCookie("YourCookieId", "");
cookie2.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie2);