I created a new ASP.NET, C# empty website and I have my own database in the App_Data folder. I have a master page as well in the solution.
Anyway, I want to create a login page, but my issue is, how would I know whether a user is logged in or not when navigating around the site.
To elaborate more, when the user opens the home page, it'll have a label saying "Login" and linking to /login.aspx
But then when the user logs in, I want the "Login" label at the top to change to Username + a "Logout" label (which of course logs the user out).
My question is, say I go to another page, say /AboutUs.aspx, how would I know, if there is anyone logged in and who is logged in?
I've googled this a lot and seen many solutions, including Membership Provider and LoginView, but I don't understand both of them (yes, I've read many articles; even MSDN articles).
I'm not really used to programming with ASP.NET.
Any help please! Thanks!
In ASP.NET, I recommend using Forms authentication. http://msdn.microsoft.com/en-us/library/ff647070.aspx
When the user is logged in, there will be an IIdentity object in the user's session that you can use to determine if the user has been authenticated. But, you won't really need to use it much, because the web.config will be configured to toss all unauthenticated users back to your login page.
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx"
           protection="All"
           timeout="30"
           name=".ASPXAUTH"
           path="/"
           requireSSL="false"
           slidingExpiration="true"
           defaultUrl="default.aspx"
           cookieless="UseDeviceProfile"
           enableCrossAppRedirects="false" />
  </authentication>
</system.web>
<system.web>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
If you are, as you say, using your own db, where you store usernames and passwords, you will need to take care of the authentication process yourself. The easiest way to do this is to write your own Membership provider by inheriting from the System.Web.Security.MembershipProvider class and overriding essential methods, like bool ValidateUser(string userName, string password). Then you'll need to plug your provider into your website via web.config.
On the other hand, you can use the built-in Membership provider and its db. To do this, you'll need to copy your user data into this db, which will be created the 1st time your app uses the Membership feature (like, when in VS you execute the PROJECT -> ASP.NET Configuration menu command). Its name and location depend on the connection string in your web.config. If you opt to go this way, once your user is authenticated, you'll be able to see it with the following code on the server side:
User.Identity.IsAuthenticated
Related
I need to create an ASP .NET web page (hosted on Windows Server 2008R2 with IIS 7.5) which should be visible by domain users and anonymous users without prompting credential requests for both of them. Domain Users should be authorized to see the entire page, while anonymous users can see the public part of the page.
When I enable Windows authentication: domain users can see the entire page, but anonymous users are prompted for credentials.
When I enable anonymous authentication or both (anonymous and windows): anonymous users can see public part of the page, but domain users do not see the entire page (they are like anonymous users).
I use the following string to discriminate anonymous users and domain users:
WindowsAccountName = HttpContext.Current.Request.LogonUserIdentity.Name;
If WindowsAccountName is empty, the user is anonymous; otherwise it is a domain user. Unfortunately, when anonymous authentication is enabled, WindowsAccountName is always empty (even for domain users), but when anonymous authentication is disabled, non-domain users are prompted for credentials.
Do you have any solution for this problem? Keep in mind that domain users are spread among different networks, so IP address is not a good choice to discriminate domain users and non-domain users.
It looks like a catch-22 to me.
Thanks.
The term for this is Mixed-Mode Authentication. I have done this multiple times.
This can be accomplished by using a Windows-authenticated site that does no more than pull the user's credentials from AD and pass those to the anonymous site. I have done this using a custom ticket (GUID in a database) that expires in 5 seconds. The anonymous site takes the GUID passed, queries the DB and obtains the user id. Other ways I have done this are with an encrypted URL parameter that contains the user id and time-stamp.
Internal Site
Create a Redirect URL Site: Set up this site as Windows Auth so you can pull the User ID from Active Directory. Give your users this URL and/or make it the link they click on your Intranet. Then this site calls your anonymous site and passes the user credentials (login id).
a. This can be done either via an encrypted string on the URL or encrypted value in a cookie. You can encrypt with an expiration date/time value too.
b. (Speaking from Forms Auth) Create a Forms Authentication Ticket with that user ID. Run any other login logic you have. Done.
External Site - No Changes required. Let the users login as-is.
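The custom-ticket handoff described in the answer above, as an added example that is not the answerer's code: the Windows-authenticated site issues a random ticket, and the anonymous site redeems it once, within the lifetime passed in (for example `TimeSpan.FromSeconds(5)`). The class `HandoffTicketStore`, its members, the injectable clock and the in-memory dictionary standing in for the database table are all hypothetical.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Added example: one-time handoff ticket between the Windows-auth site and the
// anonymous site. The dictionary stands in for the shared database table.
public sealed class HandoffTicketStore
{
    private sealed class Entry { public string UserId; public DateTime ExpiresUtc; }

    private readonly ConcurrentDictionary<Guid, Entry> _tickets =
        new ConcurrentDictionary<Guid, Entry>();
    private readonly TimeSpan _lifetime;
    private readonly Func<DateTime> _utcNow; // injectable clock (assumption, eases testing)

    public HandoffTicketStore(TimeSpan lifetime, Func<DateTime> utcNow = null)
    {
        _lifetime = lifetime;
        _utcNow = utcNow ?? (() => DateTime.UtcNow);
    }

    // Called by the Windows-authenticated site once it has read the AD login id.
    public Guid Issue(string userId)
    {
        if (string.IsNullOrWhiteSpace(userId))
            throw new ArgumentException("userId is required", nameof(userId));
        var bytes = new byte[16]; // ticket value comes from a CSPRNG so it cannot be guessed
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        var ticket = new Guid(bytes);
        _tickets[ticket] = new Entry { UserId = userId, ExpiresUtc = _utcNow() + _lifetime };
        return ticket;
    }

    // Called by the anonymous site with the value taken from the URL.
    // Returns the user id, or null if the ticket is malformed, unknown, already used or expired.
    public string Redeem(string ticketFromUrl)
    {
        Guid ticket;
        Entry entry;
        if (!Guid.TryParse(ticketFromUrl, out ticket)) return null;
        // TryRemove deletes on first use, so a replayed URL fails even under concurrent requests.
        if (!_tickets.TryRemove(ticket, out entry)) return null;
        return _utcNow() <= entry.ExpiresUtc ? entry.UserId : null;
    }
}
```

On a non-null result the anonymous site would create the Forms Authentication ticket for that user id, for instance with `FormsAuthentication.SetAuthCookie(userId, false)`. Tickets that are issued but never redeemed stay in the store, so a database-backed version also needs a periodic purge of expired rows.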
I don't know if it's too late to post this. I recently worked on enabling anonymous authentication on one page in a .NET 4.8 MVC application.
Let's say the page was accessible via URL: User/MyCustomPage
Application configuration was as follows:
1. In web.config, the authentication mode was specified and authorization was set to deny for anonymous users.
<system.web>
  <authentication mode="Windows"/>
  <authorization>
    <deny users="?"/>
  </authorization>
</system.web>
2. In the controller, the authorize tag was there.
3. In IIS, Windows authentication was enabled, and anonymous mode was disabled.
I did the below steps:
1. Removed the authorize tag from the specific controller and added the [AllowAnonymous] tag.
2. Enabled anonymous authentication in the IIS server. Go to server->authentication-> Anonymous-> click Enable in the right pane.
3. I had to add the particular path, to exclude it from regular Windows authentication, by writing the below code in the web.config file.
<location path="User/MyCustomPage">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
But still, I was getting a prompt for Windows credentials on accessing the above URL. The reason I found was:
The View that MyCustomPage was returning was consuming another resource.
So, I had to add that path too in the web.config.
<location path="Bundle/Content/css">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
I have started looking into Forms Authentication with Windows Authentication (I believe it's called Mixed Forms Authentication, but I could be, and probably am, wrong).
So far I have discovered in my web.config file I need to add the following lines:
<authentication mode="Forms">
  <forms loginUrl="~/Login"></forms>
</authentication>
<authorization>
  <deny users="?" />
</authorization>
which I have done. But the next part confuses me. I have been reading about WinLog and WebLog pages and one has to be Windows Authentication and the other a forms Authentication.
I am under the impression this is how the flow should go
Add the lines above to your web.config
Brings user to login page
User gets redirected from another project that has Windows Authentication with the creds they filled in, and the other project sends a response saying yes or no.
The part after the web.config is super confusing, can someone tell me if I am on the right track or far from it?
What I am trying to do is not have an ugly dialog box, but instead have a custom login page.
If someone can point me in the right direction, that would be great.
ASP.NET has 3 different ways of authentication:
- Windows
- Forms
- Passport
Mixed mode authentication has been known as a somewhat problematic way of authenticating users. In order to achieve it, you'll need one application to authenticate the users from a form, and another one to authenticate the users from IIS.
You will find some more info here:
ASP.NET MVC and mixed mode authentication
http://aspalliance.com/553_Mixed_Mode_Authentication.all
https://msdn.microsoft.com/en-us/library/aa291347(v=vs.71).aspx
Here's my scenario:
I have an intranet application. I want to let the network users automatically get logged into the application using the Windows Authentication features. If the user isn't in my network, I'll pop up a login screen to them.
So, I changed the authentication mode in the web.config file to Windows. Then I'm using the HttpContext.User.Identity object in order to get the user logged into the network. So I ran the app on my localhost and it works great.
When I publish the application to the server and try to automatically log in, the Identity object is always empty.
So, I've tried the following steps:
Deny anonymous users. <deny users="?"/>, which does not allow any anonymous users to enter the application, but I got a problem here: when the user isn't in our network, the server pops up that default authentication window from Windows Server, not my personal login screen.
Let anonymous users in. If I get rid of that <deny users="?"/>, any user can access the page, but it ALWAYS goes to the login screen, even if I'm in my local network.
So, what I need is: when the user is in the local network, go straight in without login. If they aren't, pop up a login screen to them.
Can someone help me to figure out what's going on?
Thank you all!
Do the following,
<identity impersonate="true" />
<authentication mode="None" />
<authorization>
  <deny users="?" />
</authorization>
Hope it helps.
I am switching from WebForms to MVC.
In the web.config of a WebForm I have the following:
<authentication mode="Forms">
  <forms loginUrl="/forms/Login"/>
</authentication>
<authorization>
  <deny users="?"/>
</authorization>
If the user is not already authenticated they are redirected to a separate app on the web server /forms/Login/?ReturnUrl=%2fforms%2fLoginClient. That app has a standard log in screen and connects to active directory to verify user credentials and then on success creates the cookie and redirects the user back to the originally requested page using:
FormsAuthentication.RedirectFromLoginPage(username, false)
This is really convenient as I only have one login page UI to manage and all my code to talk to active directory in a single centralized location. Additionally, for new apps all I need to do to provide authentication is add the snippet above into the web.config of the new app.
Is there an equivalent way to do this in an MVC project?
I am familiar with the option to include an Account controller when creating a new MVC application.
However, this has a lot of stuff I don't want and way more Views than I'll ever need.
I don't want to have to create a new login page or duplicate my active directory auth code for every new MVC application that I create.
Thanks for any guidance on this.
I have been doing Google searches trying to find a resolution to this issue, but either there isn't one or I have not touched on the right search string to give me an answer.
I have multiple websites defined under the default website (inherited it this way) running on Server 2008 R2. I access these externally by ip-address/site1 ip-address/site2 etc. Each site uses a login and password. All sites point to the same database which has the standard ASP.NET membership implemented.
I have set the application name property in the web.config files. I have unique application IDs defined in the database for each application. Originally everything was set to "/" so I changed it to be unique.
The main issue that I am having is that when I am using IE and I log into one site, it kicks me out of the other site if I have it open in a separate tab. Is there any way to stop this from happening?
The authentication from the web config file is:
<authentication mode="Forms">
  <forms loginUrl="~/Login.aspx" name=".ASPXFORMSAUTH" protection="All" path="/" enableCrossAppRedirects="true" timeout="1440" />
</authentication>