I know a cookie can be shared across multiple subdomains using the setting
<forms
name=".ASPXAUTH"
loginUrl="Login/"
protection="Validation"
timeout="120"
path="/"
domain=".mydomain.com"/>
in Web.config. But how do I replicate the same thing on a local machine? I am using Windows 7 and IIS 7 on my laptop, so I have the sites localhost.users/ for my actual site users.mysite.com,
localhost.host/ for host.mysite.com, and similar.
localhost.users and localhost.host are cross-domain. Cookies cannot be shared cross-domain.
You could configure it like this so that the sub-domain differs but the root domain stays the same:
users.localhost
host.localhost
Now set the cookie domain in your web.config to localhost:
domain=".localhost"
and in your c:\Windows\System32\drivers\etc\hosts file add the following 2 entries:
127.0.0.1 users.localhost
127.0.0.1 host.localhost
Now you will be able to successfully share the authentication cookie between users.localhost and host.localhost.
Ah, and don't forget to put a step in your automated build process that will transform your web.config value to the correct root domain before shipping in production.
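The build-time step mentioned above can be a Web.config transform. This is an added example, not part of the original answer; it assumes a Visual Studio Web.Release.config applied on publish, the production root domain .mydomain.com from the question, and that production is served over HTTPS.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Web.Release.config (added example): applied to Web.config on a Release publish.
     Web.config itself keeps domain=".localhost" for local development. -->
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.web>
    <authentication>
      <!-- SetAttributes overwrites only the listed attributes on the existing
           <forms> element; name, loginUrl, timeout and path are left as they are. -->
      <forms domain=".mydomain.com"
             requireSSL="true"
             xdt:Transform="SetAttributes(domain,requireSSL)" />
    </authentication>
  </system.web>
</configuration>
```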
This is a reminder for anyone running Framework 4.5 and trying to share the token with Framework 4 and lower: please note that this will cause you not to receive the auth cookie in any of the 4 and lower apps, i.e. if in your web.config you have:
<httpRuntime maxRequestLength="80480" targetFramework="4.5" />
You can get it to work by removing the targetFramework="4.5" attribute, though I don't know if there are any side effects in doing so:
<httpRuntime maxRequestLength="80480" />
How can I set different Authentication Mode in Web.config in different host/domain name?
For example, I have 3 different environments:
Host 1. localhost (For local dev use)
Host 2. abc-test.com (For Stage)
Host 3. abc.com (For Production)
I would like to set the Host 1 and Host 2 with <authentication mode="Windows" />, but "none" for Host 3, as it will be run with Azure SignIn method.
Note:
I figured out that when I set <authentication mode="Windows" /> in web.config and specify the if-else clause in the controller to distinguish which domain name to retrieve the userIdentity, the "Non-Windows Auth" and Request.IsAuthenticated (for Azure SignIn) will not work properly.
Hope one of you has experienced the same before and may provide me with the best solution.
Thanks in advance! :)
I have 2 MVC .NET applications; 1 is written in VB and the other in C#.
They are structured as follows:
http://app1.example.com, (c#)
http://app1.example.com/site (vb)
The user initially logs into the /site app and has the ability to navigate to the root site.
My web.config application > authentication is as follows:
<forms
name="SITECOOKIE"
protection="All"
path="/"
domain="app1.example.com"
timeout="15" />
My issue is, the user logs into the http://app1.example.com/ site app where the Login controller takes care of the authentication process and sets the "SITECOOKIE". However, when navigating to the root site, http://app1.example.com, the root app cannot access or see the cookie "SITECOOKIE".
What can I do so the root app has access to the cookie "SITECOOKIE"?
You just need to set the domain to example.com if you want to share the cookie between two websites.
<forms
name="SITECOOKIE"
protection="All"
path="/"
domain="example.com"
timeout="15" />
Ensure you set the same machineKey in both web.config files.
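Added example, not from the original posts: a machineKey block that serves both the advice above to use the same machineKey in both applications and the earlier note about Framework 4.5 applications not sharing the ticket with 4 and lower. The key values are placeholders; compatibilityMode="Framework20SP1" makes a 4.5 application keep the older ticket format while targetFramework="4.5" stays in place.

```xml
<!-- Added example: the same <machineKey> goes into the Web.config of every
     application that must read the shared forms-authentication cookie. -->
<system.web>
  <!-- Explicit keys, identical in all apps. The default AutoGenerate,IsolateApps
       value derives a different key per application, so a ticket issued by one
       app would fail validation in the other. -->
  <machineKey
      validationKey="PLACEHOLDER_VALIDATION_KEY_HEX"
      decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX"
      validation="SHA1"
      decryption="AES"
      compatibilityMode="Framework20SP1" />
  <!-- targetFramework can stay; compatibilityMode above keeps the 4.5 app
       issuing and accepting tickets in the format 4.0 and earlier apps read. -->
  <httpRuntime maxRequestLength="80480" targetFramework="4.5" />
  <authentication mode="Forms">
    <!-- name, domain, path and protection must also match across the apps. -->
    <forms name="SITECOOKIE" protection="All" path="/" domain="example.com" timeout="15" />
  </authentication>
</system.web>
```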
I have two websites hosted on the same server (IIS6 on Windows Server 2003 R2).
The URL for the first website is www.domainname.com. The URL for the second website is my.domainname.com/website2, where "website2" is a virtual directory under the "my" website on the same server.
I have configured Single Sign On using forms authentication on both sites and it was working very well. After I moved the first website to another server (IIS7 - Windows Server 2008 R2) SSO stopped working (both ways).
"machineKey" and "forms" values are identical on both sites (see below).
I can see that the ticket is passed from the server logs.
I get the "Forms authentication failed for the request. Reason: The ticket supplied was invalid." error on the Event Viewer.
Both sites use .NET 4.
------- Configuration start
<machineKey validationKey="key1" decryptionKey="key2" decryption="3DES" validation="SHA1" />
<authentication mode="Forms">
<forms requireSSL="true" name="domainnameAuth" domain=".domainname.com" loginUrl="login.aspx" timeout="20" protection="All" path="/" />
</authentication>
What am I missing here?
Any help on how to debug this situation is greatly appreciated.
The issue disappeared after installing update http://support.microsoft.com/kb/2656351
I believe there was an issue with FormsAuthentication.Decrypt/Encrypt and that was fixed after this update.
Thank you for your help Henk!
I am currently working on my ASP.NET project. I use web.config settings to allow and deny services!
It works totally fine! Now I have a query (just for knowledge): if I use both deny and allow authentication, what will happen?
My code looks like this:
<system.web>
<authorization>
<deny users="user_name" />
<allow users="user_name" />
</authorization>
</system.web>
Thanks in advance !
Authorization elements are evaluated in the order they are given in the configuration file.
In your example, the user would be denied, as the deny entry is earlier in the list than the allow entry.
Note that your question is referring to ASP.NET URL Authorization Behaviour (i.e. the settings defined in system.web\authorization). The behaviour of IIS URL Authorization is quite different. See the "Differences Table" here.
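An added example (not from the original answer) of how ordering works in system.web authorization; the user name alice and the Admins role are made up. Rules are read top to bottom and the first match decides, and the inherited default rule allows everyone, so the closing deny is what actually restricts access.

```xml
<system.web>
  <authorization>
    <!-- 1. A request from alice matches here: allowed, evaluation stops. -->
    <allow users="alice" />
    <!-- 2. Members of the (made-up) Admins role are allowed. -->
    <allow roles="Admins" />
    <!-- 3. "*" is everyone, anonymous users included. Without this line,
            evaluation would fall through to the inherited default
            <allow users="*" /> and every other user would get in. -->
    <deny users="*" />
  </authorization>
</system.web>
<!-- Reversed order: with <deny users="*" /> placed first, every request matches
     the deny and the <allow> entries after it are never reached. -->
```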
I built a web app a while back that is misbehaving out of the blue. Page.User.Identity.Name returns the machine name, i.e. phil_toshiba/phil, instead of the username I set when the user logs in through the login form (should be an email address):
System.Web.Security.FormsAuthentication.RedirectFromLoginPage(tb_email.Text, true);
I don't know why it has only just started doing it, but it doesn't do it on the live site, just the local project I need to work with to update some features. The live and local are in sync (code is exactly the same); the only difference is the live site is compiled and using IIS.
EDIT this is the authentication tag in my web.config file:
<authentication mode="Forms" >
<forms loginUrl="Default.aspx" name=".ASPXFORMSAUTH" defaultUrl="Sections.aspx">
</forms>
</authentication>
Check your web.config, it should be set to use Forms authentication not Windows:
<system.web>
<authentication mode="Forms"/>
</system.web>