I have a provider hosted app which uses SharePoint Context filter for authenticating users. I'm storing the context token generated in the first request in a session variable and using it in subsequent calls.
When I click on the app in site contents and get redirected to the provider hosted app, everything is working fine.
But when I navigate to a page in SharePoint Online which has a Client Webpart hosted in the provider hosted app, session does not work.
On inspecting the request headers sent by the App webpart and the app when it is opened directly, I found that ASP.NET_SessionId cookie is not getting stored in the app webpart but when the provider hosted app is navigated directly.
Also I found that SPCacheKey cookie is being stored in both cases only Session cookie is not getting stored when loading via app web part.
I tested this in Chrome as well as IE and both are giving same output.
I tried modifying the web.config as per this link
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="p3p" value="CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT""/>
</customHeaders>
</httpProtocol>
</system.webServer>
But it didnt solve the issue. Because of the session not getting stored, Every ajax call in my provider hosted app is getting redirected to appredirect.aspx which is throwing
Access to xmlhttprequest at https://tenant.sharepoint.com from origin https://providerhosted.domain blocked by cors policy no access
Why is the ASP.NET Session Id cookie not getting stored when loading via app webpart?
Please help
After searching solution for this problem using many different keywords in google, finally found a solution. It looks like this is an Iframe issue. As the app web part loads inside an iframe, the session cookies are not stored inside iframe.
As per this answer and this link, adding the cookieSameSite=None attribute in the sessionState of web.config fixed the issue.
<sessionState cookieSameSite="None" cookieless="false" timeout="360">
</sessionState>
As usual, this was caused by an update release by MS which changed the default value of cookieSameSite attribute of Session cookies from None to Lax
Related
Net MVC 4.7.2 application. This application is using Azure Identity platform for user authentication. When user is on company's network and sign in to app, as it seem the session doesn't look to end. Probably because of Sigle Sign On seamless authentication. So that is okay when user user in company's network and session go for long even when user logout or stay idle.
The question is what if user is not in company's network and sign in to the application, I want to figure out the exact minutes that for how long the session/or authentication cookies are set to expire when web app is in idle state?
The IdleTimeout determines how much time the session is idle before the contents in cache are abandoned.
The IdleTimeout doesn't depend on the cookie expiration.
The expiration of session cookies varies browser to browser.
The Timeout property can be set in Web.config file for the application like below:
<configuration>
<system.web>
<sessionState
mode="InProc"
cookieless="true"
timeout="30" />
</system.web>
</configuration>
Please note that, the session/or authentication cookies are set to expire when web app is in idle state is 20 minutes by default as mentioned in this MsDoc like below:
The IdleTimeout can be set up to 525,600 minutes (1 year) and it applies to Net MVC 4.7.2 version too.
The default frequency for user-sign is 90 days.
You can setup session cookie in Azure Active directory, please refer this MsDoc.
I have 2 applications, one is mvc web application with Msal .net code for Azure ad B2C login and second application is power apps portal using same azure ad b2c login. I have added iframe into both application for silent login if user logged in any one of the application, on power apps portal it worked on all browser like chrome, firefox, edge, opera. But for mvc application it work only on firefox browser, other than firefox it's request does not get authenticated. When I debug iframe request, able to see acquire token
IConfidentialClientApplication confidentialClient = MsalAppBuilder.BuildConfidentialClientApplication(new ClaimsPrincipal(notification.AuthenticationTicket.Identity));
Globals.ClientInfo = confidentialClient;
// Upon successful sign in, get & cache a token using MSAL
AuthenticationResult result = await confidentialClient.AcquireTokenByAuthorizationCode(Globals.Scopes, notification.Code).ExecuteAsync();
Globals.AuthenticationResult = result;
Globals.Claims = notification.AuthenticationTicket.Identity.Claims;
Globals.EncryptedClaim = notification.JwtSecurityToken.RawData;
but into call back function Request.IsAuthenticated is false.
My web application is using .net framework 4.7.1 and Microsoft.Identity.Client version 4.29.0, please help me to resolve this issue.
Also i am getting below error for my b2c callback method on chrome and edge, automatically response cookies are getting set Lax instead None, is this causing problem to set cookies for iframe.
Thanks,
Sandy
Request.IsAuthenticated is FALSE when you deal with <authentication mode="Forms"> and TRUE if you deal with <authentication mode="Windows" />.
So, to solve this problem check the authentication mode in your web.config. Add the following code in your web.config :
<authentication mode="Forms">
<forms loginUrl="~/_Login/Login" timeout="30" />
</authentication>
and
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
</modules>
<system.webServer>
Set the reply URL to your main homepage URL in both the registration and the config and make sure that the application ID and client ID are matching.
Refer the following links for more information :
Microsoft AAD Identity And Access Management With MVC 5 Web Application.
Request.IsAuthenticated is false after logging into Active Directory| MSDN
If in case you are getting redirected to the login page after successfull login then you will need to change the CookieManger :
var cookieOptions = new CookieAuthenticationOptions();
cookieOptions.CookieManager = new SystemWebCookieManager();
app.UseCookieAuthentication(cookieOptions);
Check this document for more information.
I have a website freshly deployed on the internal network of a client. I can test it only by remote desktop on a Windows Server 2012.
The website performs SAML authentication: the browser first receives a session cookie from the website, then is redirected to the SAML identity provider, and comes back to the website with the SAML response, where it also sends back the session cookie. This works fine with Chrome, but for some reason IE11 won't send back the session cookie, which prevents the server from accepting the SAML authentication.
I have no idea why IE11 fails to send the session cookie. I have checked in the Network pane in debug tools, and I do get the cookie (though I can't confirm IE is actually storing it) :
Set-Cookie ASP.NET_SessionId=yzk4rdznlg534so2xuxqmuv4; path=/; HttpOnly
Then I am redirected to the identity provider, but when coming back to the website, it doesn't send the cookie. The cookie is HTTP only so I can't check in the console if it is stored or not. I have used the instructions posted here to see stored cookies, and I can't see a cookie for my website at any time (though redirections happen fast, so it could possibly be added and then removed before I have a chance to see it).
I also believe I have explored all possible security and privacy settings to allow everything, to no avail.
In case it's important, the site URL has no dot (it's https://mmr-pp_sef/)
Any idea how I could troubleshoot what is (or isn't) happening?
Well, turns out that it IS related to the URL used (should have checked myself sooner instead of just pointing out that the URL was weird in my question).
Apparently, IE will not store cookies if there is an underscore _ in the host name. This can be verified by modifying your "hosts" file:
Open the file C:\Windows\System32\drivers\etc\hosts (you'll need admin rights)
Add this line at the end and save the file:
127.0.0.1 test_site
Enter the URL http://test_site in your browser (this assumes your web server listens on 127.0.0.1)
Observe that IE won't store any cookie.
The only workaround I have at this time is to use another host name, that does not contain an underscore, such as test-site.
In the server response, I am adding the "secure" flag to all cookies by placing the following line within the web.config:
<system.web>
<httpCookies requireSSL="true" />
</system.web>
This seems to work since the ASP.NET_SessionId cookie shows the "secure" flag in the response:
However, when I perform an action on the page and check the Dev Tools again, I noticed that the very same cookie no longer has the "secure" flag in the client request:
I am using Internet Explorer 11 developer tools to view the Network.
Should the session cookie contain the "secure" flag in the client's request? If not, are there any security implications of having an "insecure" request cookie?
After spending some time looking into it, I did not find any code in my application that was altering the cookies or the "secure" flag on the cookies. Any information on the matter will be appreciated.
I am trying to setup FormsAuth for my MVC app. When I browse to the login action (which has the AllowAnonymous attribute, I get a 401.2 error. My web.config has:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
<authorization>
<allow users="*" />
</authorization>
My IIS authentication settings for the web app have Forms Auth and Anon Auth enabled the others (including Windows Auth) are disabled.
There are no web.configs in any parent directories overriding the settings.
As per the help screen, I have tried all the suggestions:
Causes
No authentication protocol (including anonymous) is selected in IIS. - Forms and Anon are enabled
Only integrated authentication is enabled, and a client browser was used that does not support integrated authentication. - Not the case
Integrated authentication is enabled and the request was sent through a proxy that changed the authentication headers before they reach the Web server. - Not the case
The Web server is not configured for anonymous access and a required authorization header was not received. - Anon is enabled
The "configuration/system.webServer/authorization" configuration section may be explicitly denying the user access. - Set to allow all
Things To Try
Verify the authentication setting for the resource and then try requesting the resource using that authentication method. - Done
Verify that the client browser supports Integrated authentication. - Using Chrome, other sites work
Verify that the request is not going through a proxy when Integrated authentication is used. - No proxy
Verify that the user is not explicitly denied access in the "configuration/system.webServer/authorization" configuration section. - Verified
Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click here. - When I run this I get "AUTH_INVALID_ANON_ACCOUNT" error: Logon failure: unknown user name or bad password. (0x8007052e).
Any ideas? I've googled this for quite a bit, but canno't find a solution.
I've also tried changing the app pool to an app pool of a web app that I know works (with the same settings). Still failed.
It works fine with IIS Express