ASP.NET Core identity shared across browser - asp.net-mvc

When I'm deploying an ASP.NET Core web application to Azure, I have an issue with the session: they are shared across browsers.
Explanation: I'm going to my deployed site, I log in with my email/password then I'm logged in. If I open the website in another browser on the same machine or on another machine, I'm now connected with the credentials I used in the first browser.
I deployed the default template from Visual Studio without any changes.
Is there something to do to resolve this issue or am I missing something?

Pretty sure this functionality is by design... and it makes a lot of sense - you wouldn't want to have to re-authenticate if you opened another tab to view a document in your on-line banking would you?
If you need to log on without sharing the cookies with the existing browser (it will be the cookies that are holding the reference to the session that ensures the server knows who you are) you need to start a new session. For Internet Explorer this is simply File >> New Session.
For Chrome it is a little more complicated but explained here... Separate session for each window

Related

ASP.Net MVC Identity 2.0 - Unexpected Logging users out after frequent application recycling

I have an issue with Identity 2.0 on Asp.NET MVC 5 project.
I am not using sessions, just the basic out of the box cookie based features.
My shared server currently recycles the application at a high frequency.
When this happens all the users get logged out.
The ApplicationCookie in the HttpContext.Request.Cookies remains the same but you get redirected to the login page and all identity.user properties are no longer there.
Is this normal and what sort of workarounds are there for maintaining logins after recycling?
Any advice would be really appreciated.
Is this a cache or machinekey issue?
(the website has plesk IIS interface so I don't have full control over it)
Still not sure why the server is restarting the application regularly as none of the settings reflect this. However, found the reason for the users being logged out is due to Identity 2 using a machine key that gets refreshed every time it resets the app.

Current recommendation for enabling session in Azure Websites for Session variables and TempData?

I have a MVC3, ASP.NET 4.5 web application deployed on Azure Websites, using SQL Azure.
Currently I am using some "inproc" Session variables which I need to remove since I am going to start using multi website instances. I could just store the Session variable values in the SQL Azure DB, but I am also using TempData, which also uses Session state, "under the bonnet". Due to TempData use, I do need to implement an "out of proc" session solution.
I have seen some recommendation for using AppFabric caching, but I am unsure whether this is still current, and whether it is correct for Azure websites.
Also my development setup is on a Windows 7 machine with SQL Server 2008 R2. So a solution should be transferable with minimum pain.
There is also a "thread agility" issue with session variables, and an open source solution has been created using REDIS caching, but I have no experience of this, or REDIS. See: GitHub site
So thoughts I have are:
1) Angieslist/AL-redis custom provider, see: GITHUB link . Not entirely sure that this can be used in a Azure Websites application.
2) Appfabric. Not sure if this is relevant or current for Azure Websites.
3) SQL Azure session provider.
4) Azure Table storage.
5) Use a custom TempData provider to persist via cookies, i.e. https://www.nuget.org/packages/BrockAllen.CookieTempData.dll/1.2.2, and then remove other session variables.
I would be very grateful for advice on a good Azure Websites session implementation mechanism which is simple. My data is pretty simple. I think I have one object which I guess I will need to serialize, probably via Json.NET.
If you have more than one instance of an Azure Web Site, sticky sessions are enabled by default by the load balancer. This means that a user will be directed to the same instance (server) and that you'll be able to use session state in your app.
You may also find the Distributed Caching section (Ch 12) of this ebook helpful http://aka.ms/CloudApps_PDF

Why do I have unstable session in a MVC3 application with godaddy servers

I have an MVC3 application on GoDaddy servers and the session is quite unstable.
When I login it works fine but while navigating in the application it logs me out, and hitting refresh or navigating a little more inside the application it logs me in just like that (without asking credentials or anything). On my remote test servers and locally it works fine.
This is probably not a session issue but rather an authentication cookie/ticket issue. GoDaddy (most likely) has their servers load balanced. Meaning that your application actually exists on more than one server at a time.
In your web.config, if you are not properly defining the <machineKey> attribute, then IIS makes up a machine key for you. Each server running the application will make their own machine key if it is not defined by you. As a result, one server is able to decrypt and read your authentication ticket, while the next request goes to another server which cannot decrypt the authentication ticket because it was encrypted with a different key and this server thinks that you are not logged in.
To address this issue, open your web.config file and define your <machineKey> attribute and redeploy. Once you login with the newly deployed application, you should see this issue disappear.
Forms authentication and Machine Key information on MSDN
Machine Key Generator (Most likely, everyone going here should use the .NET 2.0 version that is generated)
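The failure described in this answer, and the logout-on-recycle behaviour from the Identity 2.0 question above, can be reproduced with a small model. This is an added example, not code from any of the posts: `Node`, `browse` and `simulate` are hypothetical names, and the HMAC-signed ticket is a simplification of the real ASP.NET cookie, which is encrypted as well as signed.

```python
import hashlib
import hmac
import secrets


class Node:
    """One web server in the farm (simplified model, not ASP.NET's ticket format)."""

    def __init__(self, name, machine_key=None):
        self.name = name
        self.configured_key = machine_key  # models an explicit <machineKey>
        self.recycle()

    def recycle(self):
        # With no configured key, a fresh random key is generated on every start.
        self.key = self.configured_key or secrets.token_bytes(32)

    def _mac(self, user):
        return hmac.new(self.key, user.encode(), hashlib.sha256).hexdigest()

    def issue_ticket(self, user):
        return f"{user}|{self._mac(user)}"

    def authenticate(self, ticket):
        # Returns the user name if the ticket validates under this node's key.
        user, _, mac = ticket.rpartition("|")
        ok = hmac.compare_digest(mac.encode(), self._mac(user).encode())
        return user if ok else None


def browse(nodes, ticket, requests=4):
    """Round-robin the same cookie across the farm; return who each node sees."""
    return [nodes[i % len(nodes)].authenticate(ticket) for i in range(requests)]


def simulate(shared_key):
    nodes = [Node("web1", shared_key), Node("web2", shared_key)]
    ticket = nodes[0].issue_ticket("alice@example.test")  # constructed sample user
    before = browse(nodes, ticket)
    for node in nodes:
        node.recycle()  # models an application pool recycle
    after = browse(nodes, ticket)
    return before, after


if __name__ == "__main__":
    print("auto-generated keys:", simulate(None))
    print("shared machine key: ", simulate(secrets.token_bytes(32)))
```

With per-node generated keys the user alternates between logged in and logged out and is logged out everywhere after a recycle; with one configured key the same cookie validates on every node before and after.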

WIF SessionAuthenticationModule not executing correctly

I have an odd situation occurring that I am trying to diagnose and would appreciate any advice on where to look.
I have an ASP.NET application using WIF that contains another ASP.NET application as a child in IIS 7.5. This child application contains a REST based web service. Accessing this service directly by pasting a URL into a browser will redirect to an ADFS sign in page. This is how I expect it to work. The odd part is that I have a second environment with the same applications and service deployed, and in this environment I am never redirected to the sign in page.
I have checked that all web.config files are identical, and also checked all IIS settings that I thought might be related. Browsing to web pages on the second environment requires a login, but not when browsing directly to the REST .svc file. I checked all HttpModules and Handler Mappings in IIS. I also enabled tracing of Microsoft.IdentityModel events and on the first environment can see basic entries for a redirect to the STS. On the second environment I don't see any WIF events. The SessionAuthenticationModule appears to be called when I examine the data flow using IIS failed event tracing, but am not sure why it isn't requiring authentication.
I am familiar with cookie related issues with WIF and made sure that all cookieHandler settings were correct. I also closed browser windows and cleared all cookies to make sure the SessionAuthenticationModule wasn't seeing previous WIF cookies.
If you can think of anything else I should check please let me know.
If you have the same application in two separate environments bound to the same instance of ADFS, the URLs must be different so I am puzzled by the statement "all web.config files are identical"?
Have you tried re-running FedUtil on the application that doesn't work?
Also check AppPool settings.
After a lot of trial and error and carefully examining the applicationHost.config files between the two servers I found out this was caused by a difference in the ordering of HTTP handlers. The ExtensionlessUrl-Integrated-4.0 handler was picking up the request on one server and redirecting to ADFS. On the other server the svc-Integrated-4.0 handler was responding to the request first. You can read more about this behavior here: http://support.microsoft.com/kb/2520479

Hide _layouts path in a web application deployed on SharePoint 2007

We are building a new web application that needs to run inside the SP Context for authentication. Unfortunately the person logged into the machine is not necessarily the person logged into SharePoint. I could not figure out a way to detect who was logged into SharePoint from an application outside of SharePoint. So, the solution is to deploy the application to the LAYOUTS folder within the 12 hive. This works great in that I can use a custom master page, go crazy with fancy user controls, AND be within the SP Context. I also locked down access to the page by detecting which web app the user was on so no one can access it from a different SP web app.
The problem is the URL. It is ugly. I want the url to be something like this: www.sitename.com/ instead of www.sitename.com/_layouts/appname/
I tried creating a new web site within IIS that points directly to the app in the LAYOUTS folder. That failed because I was no longer within the SP Context.
I also tried an IIS redirect which worked, but the URL still switched over to the ugly URL.
Does anyone have any ideas for this?
My original problem was not being able to detect the currently logged in user for SharePoint outside of SP, so if you have a solution to that problem, that would be great too.
Your best option is to rewrite the URLs and HTML with a proxy. Apache with the mod_rewrite and mod_html_rewrite options is an option. However this kind of setup is not trivial.
You can use URL rewriting in IIS.
