I am using forms authentication in asp.net4. But the authorization is behaving very unusually.
Following is my web.config snippet-
<authentication mode="Forms">
<forms loginUrl="Login.aspx" timeout="2880" protection="All" path="/" />
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
When i try to open any web page i am redirected to Login page as expected. If close my browser i should be logged out, but thats not happening although i am setting persistentCookie=false as follow
FormsAuthentication.RedirectFromLoginPage(username, false);
Now after closing browser if a login again i am considered authenticated user, but if i clear cookie cache in my browser than i wont be considered authenticated user.
I am not setting cookie anywhere and i dont want persistent cookie, than why is this happening.
Please tell me if i am missing something.
Anobody know something related to this
I just found that this problem is only with Chrome 21.0, and not with Firefox 7.0 or Opera 11.4 (problem of authenticating even though session ends).
When you use authentication mode="Forms" your auth credentials stored in cookies by default. If you want to change this behaviour you can use cookieless="UseUri" attribute, than your credential will be stored in the URL. You can find more inforamtion forms Element for authentication.
timeout attribute specify how long cookies will be stored (in minutes) by default it is 30.
Related
I have a system in which it is necessary for users to pass through login section to access home page. I am able to do that using asp C# Ado and SQL. But the problem is security. Still users are able to access Home Page without entering credentials by simply changing the URL. When users will open the website the URL will be this:
www.domain.co/Login.aspx
If any user changes it to this:
www.domain.co/Home.aspx
Still they will be able to access it. I do not want it. Can anyone guide me how to achieve this functionality?
Hope that you know the use and advantages of session. You can make use of it.
What you want to do is:
Create a session variable(let it be user_id) set its value as the id of the current user if the user successfully logged into the site. Which means session["user_id"] having the user id if there is any logged user.
You can check for session["user_id"] in the load event of other pages, if it is null means throw him out( redirect to the login page).
Creating session:
session["user_id"] = "Id of the user"; // This will be the unique identifier
This will be added after checking his/her credentials and are valid.
Checking session in the Home page/ or any other page:
if(string.IsNullOrEmpty(session["user_id"]))
Response.Redirect("Login.Aspx");
If your are not using it already, you should see how to add Forms Authentication: https://support.microsoft.com/en-us/kb/301240
<authentication mode="Forms">
<forms name=".ASPXFORMSDEMO" loginUrl="logon.aspx"
protection="All" path="/" timeout="30" />
</authentication>
Then you can deny access to anonymous users to all the site doing:
<authorization>
<deny users ="?" />
<allow users = "*" />
</authorization>
Or to specific pages:
<location path="Restricted.aspx">
<system.web>
<authorization>
<deny users ="?" />
</authorization>
</system.web>
</location>
I'm implementing "Remember Me" feature, I want the user to not have to enter login/password again.
It's seems to work in local, but in a shared hosting, It last for about 15 minutes then logout. Here is the code:
controller:
FormsAuthentication.SetAuthCookie("username", true);
Web.config:
<authentication mode="Forms" >
<forms loginUrl="~/Account/LogOn" timeout="262974" cookieless="UseCookies" />
</authentication>
<sessionState mode="InProc" timeout="262974" cookieless="UseCookies" />
EDIT
I've added the sessionState, but still the same problem, working on local and not on the server?
what am I missing?
Look into the sessionstate element in your web.config. For example:
<sessionState mode="InProc" timeout="60" />
Check out the following SO question for differences between the sessionstate element and the forms element in your web.config:
Differences in forms auth timeout and session timeout
The accepted answer by #womp states the following:
A session starts every time a new user hits the website, regardless of
whether or not they are anonymous. Authentication has very little to
do with Session.
Authentication timeout is the amount of time that the authentication
cookie is good for on the user's browser. Once the cookie expires,
they must re-authenticate to access protected resources on the site.
So, if Session times out before the Authentication cookie - they are
still authenticated, but all their session variables disappear, and
may cause errors in your website if you are not disciplined in
checking for nulls and other conditions brought about by missing
session.
If Authentication times out before the session, then all their session
variables will still exist, but they won't be able to access protected
resources until they log back in again.
I finally found the solution, I had to use StateServer instead of InProc and also a machine key, Here is the full solution:
Controller:
FormsAuthentication.SetAuthCookie("username", true);
Web.config:
<authentication mode="Forms" >
<forms loginUrl="~/Account/LogOn" timeout="262974" cookieless="UseCookies" />
</authentication>
<sessionState mode="StateServer" timeout="262974" cookieless="UseCookies" />
<machineKey validationKey="5BAE63F50C69C1BBB7BFC2E696674389C307E28E9DEB60FB273B85CAD8FC3C2261FB13DF92B90A99C6EB684FDB1F6E3E92E1A42083EB77B5918126DD52245FB5" decryptionKey="11F6FE0C790413FFF3E230387168016B212216DEF727C4157CDDD0558BEAE5B7" validation="SHA1" decryption="AES" />
I have a shared hosting with Arvixe and it's in their Support where I found the solution: support.arvixe.com
Go to : ASP.NET Settings and scroll to Session settings change "value" none to "Forms" It will be done!
I built a web app a while back that is miss behaving out of the blue. Page.User.Identity.Name returns the machine name ie phil_toshiba/phil instead of the username i set when the user logs in through the log in form (should be an email address):
System.Web.Security.FormsAuthentication.RedirectFromLoginPage(tb_email.Text, true);
I dont know why it has only just started doing it but it doesn't do it on the live site just the local project i need to work with to update some features. the live and local are in sync (code is exactly the same) only difference is the live site is compiled and using iis.
EDIT this is the authentication tag in my web.config file:
<authentication mode="Forms" >
<forms loginUrl="Default.aspx" name=".ASPXFORMSAUTH" defaultUrl="Sections.aspx">
</forms>
</authentication>
Check your web.config, it should be set to use Forms authentication not Windows:
<system.web>
<authentication mode="Forms"/>
</system.web>
I'm learning ASP.NET MVC3 and I'm now examining the user handling.
My first problem would be (I know there is a lot about this subject in other threads, I just fail to find a good one with MVC3) that I want the login page to redirect me where I came from, or where I was redirected from.
In php perhaps I would add this url to the querystring, maybe.
But I need a way to do this somehow automatically, and this is a so common design pattern I was wondering if there is a "built in" way to do this.
What would be the cleanest, or preferred way to do this?
Also when I'm redirecting to a login page which would be the best way for checking and storing the url which I'm redirected from? I would check for the referrer in the request object and spit it out in the url as "?redirect=protected.html" but I'm not even sure how to properly do this.
Any advice on this subject would be appreciated.
MVC works the same way as ASP.NET.
If you use Forms Authentication a lot of those questions will be answered for you.
In your Web Config find the line that says authentication="Windows" and then change that to Forms
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" />
</authentication>
MVC 3 will actually give you the Account/LogOn route as part of the MVC 3 template project (check your models and see if you have one called AccountModel).
Then you just add Authorization to deny all users to your site:
<authorization>
<deny users="?"/>
</authorization>
by default this will send any person coming to your site off to your login.
So after you have validated that there login credentials are correct you set the AuthCookie the same as ASP.NET:
FormsAuthentication.SetAuthCookie(userName, false);
Form this you can the redirect to where ever you want.
to redirect back to where you came from use:
FormsAuthentication.RedirectFromLoginPage(userName, false);
Not forgetting the other useful statement of:
FormsAuthentication.SignOut();
Without Authentication the site wont let you access anywhere until you are logged in, so the CSS will stop working.
The locations I have added to make sure this doesnt happen are as follows:
<location path="Content">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="Scripts">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
In asp.net it is a ?returnUrl=...
(1) Make sure you have something like
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
in your root web.config.
(2) In your Controller you want to protect, add [Authorize] attribute above it.
Please create new project and select the Internet Application template rather than Empty one and you will get sample of the simple login process as well as changing password.
Note: Please read this as well: http://www.asp.net/mvc/tutorials/preventing-open-redirection-attacks
The sample shows after logging in process, it make sure the returnUrl is a local url by the Url.IsLocalUrl() helper to protect from Open Redirection Attack.
Update:
The best way is to implement your own custom login process after you really know the standard process for example instead of using the URL to track where the user come from, you can set a new cookie to store the returnUrl with httponly cookie and delete it just before redirect to previous page.
Another common practice is to use roles. You may specific a directory/controller for specific group of user called Role by adding the permitted role like this as an attribute above the controller:
[Authorize(Roles = "Admin")]
See this visual studio administration tool to create sample users and roles with built-in web interface.
You may also want to use sitemap to arrange your pages and menu link with show/hide menu based on current user role. Use this mvcsitemap to add security trimming features in ASP.NET MVC sitemap.
In some cases there happens to be a custom authentication instead of standard forms based (common case for enterprise level applications).
In this case I would recommend manually managing returnUrl parameter in the querystring. Login page reads this URL and redirects back after successful authentication.
I have 3 application that need single sign on. These are the web config sections I am using for authentication, authorization and the machine key settings. All the settings are the same in all 3 web applications. It works perfectly in Internet Explorer, but doesn't work at all in Firefox or Chrome. Is there anything else I need to do to get this work with Firefox and Chrome?
<authentication mode="Forms">
<forms loginUrl="~/login.aspx" timeout="2880" name="SSOCookie" path="/" requireSSL="false" slidingExpiration="true" cookieless="UseCookies" enableCrossAppRedirects="true"/>
</authentication>
<authorization>
<deny users ="?"/>
<!--allow users ="*"/-->
</authorization>
<machineKey
validationKey="2C02F632ABC3B809F0662B06EED7E985345504D93BB2893C3C8106F48A273054D4C29EDD63F34CF3E19C76AA8FCF12C28AC127A9C5D6DEFC139800B302CADBDC"
decryptionKey="D7367948DC5AA193408CADB000E580A0FCCD71D8412D28E9AC76455FA85DB766"
validation="SHA1" decryption="AES"
/>
It appears you have to enable this in FireFox on each client
Open Firefox and navigate to about:config
Type “ntlm” in the filter field
double click on network.automatic-ntlm-auth.trusted-uris
enter a comma and space separated list of urls that you want NTLM to be enabled for
for more details check out http://sivel.net/2007/05/firefox-ntlm-sso/
it seems that Chrome does not support NTLM
http://www.google.com/support/chrome/bin/static.py?page=known_issues.cs
however, the user should be able to enter her credentials once and have them saved.