Sharing authentication cookie between DNN Site and ASP.NET Site - asp.net-mvc

I have a DNN site on example.com and an MVC site on subdomain.example.com. I've set up a MembershipProvider and a RoleProvider according to this article: SharePoint-Forms-Based-Authentication-Using-DotNet. Now I want to share the auth cookie between the two sites. I've set the domain keys in both web.config files to domain=".example.com". Fiddler shows that the same cookie is sent when requesting either site. And there's the following effect: when I log in to one of the sites, I'm logged off from the other. What could I have missed?
Below is a part of the web.config of the MVC site:
<machineKey
    validationKey="DEE8F9D31F46D663FA0BCF9A6A9701B0796777C5"
    decryptionKey="E75FBCF55F6BB0B2A352036B965725FD739B2EB21B790659"
    decryption="3DES"
    validation="SHA1" />
<authentication mode="Forms">
  <forms
      name=".DOTNETNUKE"
      protection="All"
      timeout="60"
      cookieless="UseCookies"
      loginUrl="~/Account/Login"
      domain=".example.com"
      path="/" />
</authentication>
<httpCookies httpOnlyCookies="true" requireSSL="false" domain=".example.com" />
<!-- Configure the Sql Membership Provider -->
<membership defaultProvider="SqlMembershipProvider" userIsOnlineTimeWindow="15">
  <providers>
    <clear />
    <add
        name="SqlMembershipProvider"
        type="System.Web.Security.SqlMembershipProvider"
        connectionStringName="DnnSqlServer"
        enablePasswordRetrieval="false"
        enablePasswordReset="true"
        requiresQuestionAndAnswer="false"
        minRequiredPasswordLength="7"
        minRequiredNonalphanumericCharacters="0"
        requiresUniqueEmail="false"
        passwordFormat="Hashed"
        applicationName="DotNetNuke" />
  </providers>
</membership>
<!-- Configure the Sql Role Provider -->
<roleManager enabled="true" defaultProvider="SqlRoleProvider">
  <providers>
    <clear />
    <add
        name="SqlRoleProvider"
        connectionStringName="DnnSqlServer"
        applicationName="DotNetNuke"
        type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>

When you see this behavior it is typically because the encryption MachineKey values differ between the applications. When the other application attempts to read the cookie, it cannot decrypt it and then deletes it, allowing you to log in.
I would validate those items in the web.config. (They are not too far down from the node.)

Related

Authentication on one site using the ASP.NET membership of another

We have one site that uses ASP.NET Membership for its user accounts. Let's say this site is at www.domain.com.
We have another site, let's say at www.domain.com/site2, which already connects to the database of site #1 for other reasons. We'd like to implement a username/password login to site #2, and would like to use the existing login credentials for site #1, as site #1 is where they apply for permission to access various systems, etc.
I'm not trying to create an SSO kind of solution, where signing into one site signs you in to the other, which is what other questions have been about.
I would like them to be able to take the username and password that they have on site #1, enter it on site #2, and have it auth them to site #2.
Is this possible?
Web.config of site #1:
<machineKey decryptionKey="AutoGenerate" validation="SHA1" validationKey="AutoGenerate" />
<membership>
  <providers>
    <clear />
    <add name="AspNetSqlMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider"
         connectionStringName="VTDB"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false"
         requiresUniqueEmail="true"
         maxInvalidPasswordAttempts="5"
         minRequiredPasswordLength="8"
         minRequiredNonalphanumericCharacters="0"
         passwordAttemptWindow="10"
         applicationName="/" />
  </providers>
</membership>
<profile>
  <providers>
    <clear />
    <add name="AspNetSqlProfileProvider"
         type="System.Web.Profile.SqlProfileProvider"
         connectionStringName="VTDB"
         applicationName="/" />
  </providers>
</profile>
<roleManager enabled="true">
  <providers>
    <clear />
    <add connectionStringName="VTDB"
         name="AspNetSqlRoleProvider"
         applicationName="/"
         type="System.Web.Security.SqlRoleProvider" />
  </providers>
</roleManager>
....
Web.config of site #2:
<membership defaultProvider="AspNetSqlMembershipProvider">
  <providers>
    <clear />
    <add name="AspNetSqlMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider"
         connectionStringName="VTConnString" />
  </providers>
</membership>
<machineKey decryptionKey="AutoGenerate" validation="SHA1" validationKey="AutoGenerate" />
Where VTConnString points to site #1's database.
But when I call Membership.ValidateUser(userName, password) in site #2, it always returns false.
I figured out the issue:
I was missing applicationName="/" in site #2's web.config. Now that the applicationNames are set the same, it works correctly.
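Both threads above come down to settings the two applications have to share: the first breaks because the machineKey differs between sites, the second because applicationName differed. The console check below is an added example, not code from either question, from DNN or from the linked article. It reads two web.config fragments and reports every setting a shared Forms cookie or a shared membership database depends on that disagrees. The two embedded configs are constructed samples and the key values are placeholders.

```csharp
// Added example: compare the settings two ASP.NET applications must agree on before
// a Forms cookie issued by one can be read by the other and before both resolve the
// same users. The embedded configs are constructed samples with placeholder keys.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

static class SharedCookieCheck
{
    // Site A: explicit machineKey, explicit cookie name and domain, applicationName "DotNetNuke".
    const string SiteA = @"<configuration><system.web>
  <machineKey validationKey=""PLACEHOLDER_VALIDATION_KEY"" decryptionKey=""PLACEHOLDER_DECRYPTION_KEY""
              validation=""SHA1"" decryption=""3DES"" />
  <authentication mode=""Forms"">
    <forms name="".DOTNETNUKE"" protection=""All"" domain="".example.com"" path=""/"" />
  </authentication>
  <membership defaultProvider=""Sql"">
    <providers><add name=""Sql"" applicationName=""DotNetNuke"" /></providers>
  </membership>
</system.web></configuration>";

    // Site B: machineKey left at AutoGenerate, default cookie name, applicationName not set.
    const string SiteB = @"<configuration><system.web>
  <machineKey validationKey=""AutoGenerate"" decryptionKey=""AutoGenerate"" validation=""SHA1"" />
  <authentication mode=""Forms"">
    <forms loginUrl=""~/Account/Login"" domain="".example.com"" />
  </authentication>
  <membership defaultProvider=""Sql"">
    <providers><add name=""Sql"" /></providers>
  </membership>
</system.web></configuration>";

    // Pull out the relevant settings, naming the ASP.NET default where an attribute is omitted.
    static Dictionary<string, string> Extract(string xml)
    {
        var web = XDocument.Parse(xml).Root.Element("system.web");
        var mk = web.Element("machineKey");
        var forms = web.Element("authentication")?.Element("forms");
        var membership = web.Element("membership");
        string defaultProvider = (string)membership?.Attribute("defaultProvider");
        string appName = null;
        var adds = membership?.Element("providers")?.Elements("add") ?? Enumerable.Empty<XElement>();
        foreach (var add in adds)
            if ((string)add.Attribute("name") == defaultProvider)
                appName = (string)add.Attribute("applicationName");

        return new Dictionary<string, string>
        {
            ["machineKey/validationKey"] = (string)mk?.Attribute("validationKey") ?? "AutoGenerate,IsolateApps",
            ["machineKey/decryptionKey"] = (string)mk?.Attribute("decryptionKey") ?? "AutoGenerate,IsolateApps",
            ["machineKey/validation"]    = (string)mk?.Attribute("validation") ?? "(not set)",
            ["machineKey/decryption"]    = (string)mk?.Attribute("decryption") ?? "(not set)",
            ["forms/name"]       = (string)forms?.Attribute("name") ?? ".ASPXAUTH",
            ["forms/domain"]     = (string)forms?.Attribute("domain") ?? "(not set)",
            ["forms/path"]       = (string)forms?.Attribute("path") ?? "/",
            ["forms/protection"] = (string)forms?.Attribute("protection") ?? "All",
            ["membership/applicationName"] = appName ?? "(not set: defaults to the app's virtual path)",
        };
    }

    // Every key that differs is a reason the cookie or the user lookup fails on one side.
    static List<string> Compare(Dictionary<string, string> a, Dictionary<string, string> b)
    {
        var problems = new List<string>();
        foreach (var key in a.Keys)
        {
            if (key.StartsWith("machineKey/") && (a[key].Contains("AutoGenerate") || b[key].Contains("AutoGenerate")))
                problems.Add($"{key}: AutoGenerate produces a per-application key; both sites need the same explicit value");
            else if (a[key] != b[key])
                problems.Add($"{key}: '{a[key]}' vs '{b[key]}'");
        }
        return problems;
    }

    static void Main()
    {
        var problems = Compare(Extract(SiteA), Extract(SiteB));
        Console.WriteLine(problems.Count == 0 ? "Configs agree; the cookie can be shared."
                                              : $"{problems.Count} mismatch(es):");
        foreach (var p in problems) Console.WriteLine("  " + p);
    }
}
```

Run against the two samples it reports the AutoGenerate keys, the cookie name (.DOTNETNUKE vs the default .ASPXAUTH, so the second site would not even look at the right cookie) and the applicationName gap. To check real files, replace the two constants with File.ReadAllText on each web.config.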

Why is my MVC5 App prompting me for Windows Auth when I removed Windows Auth?

I have an MVC 5 application which was previously using AD to authenticate. I have removed the settings for Windows authentication and added code to manually authenticate against a database of users.
The problem is that the AD authentication window continues to pop up and I am required to enter valid credentials to visit any form. This is not desired, expected, or in code anywhere I can find.
I have no Authorization tags on any controller methods. I have no security placed on any forms yet, nor any allow or deny configuration settings. I cannot figure out why the AD authentication window is popping up for every form, and why, if I click cancel, I cannot visit any of my forms without it popping up again.
config file:
<authentication mode="Forms">
  <forms name=".ASPXAUTH" loginUrl="~/Account/Login" timeout="300" slidingExpiration="true" protection="All" />
</authentication>
I've looked at my controllers, views, and global/startup .cs files. Nothing is showing me a clue right now.
I can show any code snippets, but I'm not sure what is relevant at this point.
Below is my applicationhost.config file for the IISExpress settings, and it also appears to be correctly set up...
<authentication>
  <anonymousAuthentication enabled="true" userName="" />
  <basicAuthentication enabled="false" />
  <clientCertificateMappingAuthentication enabled="false" />
  <digestAuthentication enabled="false" />
  <iisClientCertificateMappingAuthentication enabled="false">
  </iisClientCertificateMappingAuthentication>
  <windowsAuthentication enabled="false">
    <providers>
      <add value="Negotiate" />
      <add value="NTLM" />
    </providers>
  </windowsAuthentication>
</authentication>
<authorization>
  <add accessType="Allow" users="*" />
</authorization>
At the very bottom (line 1050) of the applicationhost.config file was the following data, with windowsAuthentication enabled="true" set. After changing that to false I was no longer bothered with the Windows login prompt.
<location path="myapp">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</location>
The file was located in the solution root folder, under .vs\config.
This post helped point me in the direction of checking that file as well as PankajKapare's comment about IIS Express.
Thanks for the help.
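The override that caused this sits in a `<location>` element far from the server-wide `<authentication>` block, which is why it was easy to miss. The following console scan is an added example (not code from the question or from IIS Express) that parses an applicationhost.config, prints the authentication modules for the server defaults and for every `<location>` override, and marks scopes where anonymous access is off and a challenging module is on. The embedded config is a constructed sample; the path "myapp" is taken from the question.

```csharp
// Added example: list per-scope authentication settings in an IIS Express
// applicationhost.config so a per-site override is visible next to the defaults.
// The embedded document is a constructed sample, not a real applicationhost.config.
using System;
using System.Linq;
using System.Xml.Linq;

static class AuthOverrideScan
{
    const string Sample = @"<configuration>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled=""true"" />
        <basicAuthentication enabled=""false"" />
        <windowsAuthentication enabled=""false"" />
      </authentication>
    </security>
  </system.webServer>
  <location path=""myapp"">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled=""false"" />
          <windowsAuthentication enabled=""true"" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>";

    static void Main()
    {
        var doc = XDocument.Parse(Sample);
        // Server-wide defaults first, then each <location> that overrides them.
        Report("(server defaults)", doc.Root.Element("system.webServer"));
        foreach (var loc in doc.Root.Elements("location"))
            Report("location path=\"" + (string)loc.Attribute("path") + "\"", loc.Element("system.webServer"));
    }

    static void Report(string scope, XElement webServer)
    {
        var auth = webServer?.Element("security")?.Element("authentication");
        if (auth == null) return;

        Console.WriteLine(scope + ":");
        bool anonymousOn = false;
        bool challengeOn = false;
        foreach (var module in auth.Elements())
        {
            // The 'enabled' attribute is a literal true/false; absent counts as false here.
            bool enabled = (bool?)module.Attribute("enabled") ?? false;
            if (module.Name.LocalName == "anonymousAuthentication") anonymousOn = enabled;
            else if (enabled) challengeOn = true;
            Console.WriteLine($"  {module.Name.LocalName}: {(enabled ? "enabled" : "disabled")}");
        }

        // Anonymous off plus Windows/Basic/Digest on is exactly the combination that
        // makes the browser pop a credential prompt for every request in that scope.
        if (!anonymousOn && challengeOn)
            Console.WriteLine("  -> this scope will challenge the browser for credentials");
    }
}
```

Point it at the real file by replacing the constant with File.ReadAllText(@".vs\config\applicationhost.config"); the scope line for the application's path shows immediately whether a location override is undoing the Forms setup in web.config.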

Users don't load Sitefinity

I'm having an issue with SitefinityMembershipProvider in Sitefinity 9.1.
When I log in to the backend and navigate to Administration -> Users, the page keeps loading.
When I checked the error log it tells me that "Provider must implement the class 'System.Web.Security.MembershipProvider'".
But my class inherits the Sitefinity membership provider, i.e. MembershipDataProvider,
which is of type Telerik.Sitefinity.Security.Data.
My web.config has the following membership defined:
<membership defaultProvider="Default">
  <providers>
    <clear />
    <add name="Default" type="Telerik.Sitefinity.Security.Data.SitefinityMembershipProvider, Telerik.Sitefinity" />
    <add name="CredentialServiceProvider" type="SitefinityWebApp.Providers.CredentialServiceProvider" />
  </providers>
</membership>
You need to register the provider in the Security settings, as explained here:
http://docs.sitefinity.com/custom-membership-provider-add-the-new-provider-to-the-sitefinity-providers-collection
Additionally, I had to remove the custom provider from the web.config:
<providers>
  <clear />
  <add name="Default" type="Telerik.Sitefinity.Security.Data.SitefinityMembershipProvider, Telerik.Sitefinity" />
</providers>

MVC Windows Authentication with AD - I still have to log in

I have decorated my controller as follows:
[Authorize(Roles = @"domain\System_Admin, domain\Survey_Admin, domain\Read_Only")]
public class ContractController : BaseController
{
    // actions omitted
}
I am in the process of converting a Forms Authenticated application to Windows Authentication. However, I find that to access the methods in this controller I have to log in via a popup screen, defeating the purpose of using Windows Authentication.
In my web.config I have:
<authentication mode="Windows" />
<authorization>
  <deny users="?" />
</authorization>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <clear />
    <add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider"
         applicationName="/" />
  </providers>
</roleManager>
What more do I need to do so that the user is automatically logged in with the correct user roles?

ASP.Net MVC app logout not completely logging out

This app is running in an environment where some users are still using IE7, if that makes any difference. What we're seeing is that occasionally, after someone logs out and someone else logs in, they still get residue from the previous person, where it may show that person's profile. Any suggestions would be greatly appreciated.
I'm using the following as the logout method in my ASP.NET MVC app:
public ActionResult LogOff()
{
    System.Web.HttpContext.Current.Response.Cookies.Clear();
    FormsService.SignOut();
    Session["User"] = null;
    Session.Clear();
    Session.Abandon();
    Session.RemoveAll();
    return Redirect("/");
}
The app is using sessions saved into the database because it's running on two different web servers.
Here are some settings from the web.config:
<sessionState sqlConnectionString="LiveDB" />
<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
<membership>
  <providers>
    <clear />
    <add name="AspNetSqlMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider"
         connectionStringName="LiveDB"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false"
         requiresUniqueEmail="false"
         maxInvalidPasswordAttempts="50"
         minRequiredPasswordLength="6"
         minRequiredNonalphanumericCharacters="0"
         passwordAttemptWindow="10"
         applicationName="/" />
  </providers>
</membership>
<profile>
  <providers>
    <clear />
    <add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="LiveDB" applicationName="/" />
  </providers>
</profile>
<roleManager enabled="true">
  <providers>
    <clear />
    <add connectionStringName="LiveDB" applicationName="/" name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" />
    <add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
  </providers>
</roleManager>
If you use FormsAuthentication to log in like this -
FormsAuthentication.SetAuthCookie("username", false);
then logout is supposed to be
FormsAuthentication.SignOut();
If you still have an issue, you can force the cookie to expire like this.
Membership and Session providers work separately. Two members may use one session. That is not a rule, but it can be.
I'm not sure, but I have a suggestion about your problem. Session has the property IsNewSession. Microsoft says that it "Gets a value indicating whether the session was created with the current request."
So you may try to check whether the Session of the logging-in user is new, because he may share a session with the old user, and maybe this is the reason why one sees the other's profile.
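The two answers above point at the same gap: the posted LogOff empties the outgoing cookie collection and abandons the server-side session, but the browser still holds the session ID cookie, so the next person who logs in on that machine is attached to the same session row. The action below is an added example, not the poster's code or the accepted fix. It expires both the Forms ticket cookie and the session ID cookie on the client and marks the response uncacheable. It assumes the default session cookie name ASP.NET_SessionId and reads the Forms cookie name, path and domain from the running configuration.

```csharp
// Added example: a logout action that removes the Forms ticket and the session
// identifier on the browser side, so the next login starts from a fresh session
// instead of inheriting the previous user's. Assumes the default session cookie
// name "ASP.NET_SessionId" (not taken from the question's web.config).
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    public ActionResult LogOff()
    {
        // 1. Drop the server-side session data. With SQL session state, Abandon()
        //    removes the row at the end of this request, but on its own it leaves
        //    the ID cookie in the browser, which is where the "residue" comes from.
        Session.Clear();
        Session.Abandon();

        // 2. Invalidate the Forms ticket and overwrite the cookie with an expired one
        //    using the same name/path/domain, so the browser actually replaces it.
        FormsAuthentication.SignOut();
        ExpireCookie(FormsAuthentication.FormsCookieName,
                     FormsAuthentication.FormsCookiePath,
                     FormsAuthentication.CookieDomain);

        // 3. Expire the session ID cookie too; otherwise the browser keeps presenting
        //    the old ID and the next login is bound to the same session.
        ExpireCookie("ASP.NET_SessionId", "/", null);

        // 4. Tell the browser (IE7 included) not to serve cached authenticated pages
        //    after logout.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));

        return Redirect("/");
    }

    // Sends a cookie with the same identity and an expiry in the past, which is the
    // only way to make a browser delete a cookie it already holds.
    private void ExpireCookie(string name, string path, string domain)
    {
        var cookie = new HttpCookie(name, string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1),
            HttpOnly = true,
            Path = path
        };
        if (!string.IsNullOrEmpty(domain))
            cookie.Domain = domain;
        Response.Cookies.Add(cookie);
    }
}
```

Response.Cookies.Clear() in the original only empties the cookies queued for this response; it never reaches the browser. Replacing it with explicit expired cookies is what makes the logout visible on the client, and checking Session.IsNewSession on the next login, as suggested above, is a cheap way to confirm the fix took.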
