After a site rebuild on first login the session is destroyed after redirect - asp.net-mvc

I am currently getting an issue after an ASP.NET MVC 4 site is rebuilt that I was not getting previously.
We log in to a 3rd party site that redirects to our site with an authentication payload. Session_Start is hit, the payload is successfully processed, and a Session variable with the user's details is created. We then do a RedirectToAction to send the user to another page.
On the first login after the site has been rebuilt, Session_Start is hit again and a new Session is created on the redirect, where previously it was not doing this. As our site checks for and treats an invalid session as being incorrect, it sends the user back to the 3rd party site to log in again. When they next log in they do not get this issue.
This looks to be happening when the site recycles as well. It only occurs for the very first user that logs in to the site after it's been rebuilt.
This only began happening in the last 2 weeks. I have reviewed the changes that went into the site in that time but could not find an obvious cause of the issue.
Any help would be appreciated.

Related

auto logout from second application when logout trigger from first application

Scenario:
I have two applications, and login to both is done using the PingFederate single sign-on service.
1. The user tries to log in to the first application, but as the user is unauthenticated, the user is redirected to the PingFederate login page (universal sign-in page). The user logs in to the first application.
2. The user tries to log in to the second application. As the user was already authenticated by the single sign-on service, PingFederate provides the application with the necessary information (the information required to set the session) and the user is redirected to the second application.
Problem:
When the user logs out from the first application, the logout succeeds. At this point PingFederate knows about all open applications and sends them a logout callback, so it sends a logout request to the second application. The second application handles the logout request and clears the session, but the user stays on the same page. The user is not redirected to the login page.
Question:
How can this be implemented so that when we receive the logout request, the user is redirected to the login page?
The way SLO is supposed to work for SP-Init SLO is:
1. You click logout at the FIRST SP application.
2. You are redirected to the IdP with a LogoutRequest.
3. The IdP then sends you, serially, to all the other SPs with LogoutRequests. Every one of those must provide a SAMLResponse back to the IdP with a status.
4. The IdP, after receiving the final status, must send the user/browser back to the originating SP with a SAMLResponse with the final status, which the SP acts upon.
In IdP-Init SLO, it's basically only step 3.
Here's the kicker, though, and I think it gets to the heart of your question. If a single one of those SPs "misbehaves", i.e., does not respond to, or support, SLO (there is no requirement for them to support SLO), then it will break the "chain" of logouts, if you redirect to it! The IdP will redirect off to the SP, and there the browser will stay. Once the chain has been broken, there is no way to get it started again.
I discussed this problem in my blog post "SLO - Proceed With Caution", a bit more than a year ago. Ultimately, with many of the big-name SPs out there not supporting SLO, there's not much of a reason to do it - it's just going to give you, as a SAML administrator, a black eye. Or heartburn. Or both.
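What a well-behaved SP does at step 3, written as an ASP.NET MVC action over the SAML HTTP-Redirect binding. This is an added example, not code from the answer or from PingFederate. The URLs, entity ID and controller name are assumptions, and verifying the request's signature and signing the response are assumed to be done by your SAML library and are not shown.

```csharp
using System;
using System.IO;
using System.IO.Compression;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;
using System.Xml;
using System.Xml.Linq;

public class SloController : Controller
{
    // Assumed values: take the real ones from the IdP metadata and the SP configuration.
    const string IdpSloUrl = "https://idp.example.test/slo", SpEntityId = "https://sp.example.test/saml";
    static readonly XNamespace P = "urn:oasis:names:tc:SAML:2.0:protocol";
    static readonly XNamespace A = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Step 3 seen from the SP: the browser arrives carrying the IdP's LogoutRequest.
    public ActionResult Logout(string SAMLRequest, string RelayState)
    {
        if (string.IsNullOrEmpty(SAMLRequest)) return new HttpStatusCodeResult(400);
        // HTTP-Redirect binding: base64, then raw DEFLATE. DTDs are refused outright.
        var raw = new MemoryStream(Convert.FromBase64String(SAMLRequest));
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        XDocument request;
        using (var inflate = new DeflateStream(raw, CompressionMode.Decompress))
        using (var reader = XmlReader.Create(inflate, settings))
            request = XDocument.Load(reader);
        // Not shown: verify the request's signature and Issuer before acting on it.
        var requestId = (string)request.Root.Attribute("ID");
        if (requestId == null) return new HttpStatusCodeResult(400);

        Session.Abandon();              // end the local session
        FormsAuthentication.SignOut();  // and the forms-auth ticket, if one is used
        // Answer the IdP instead of rendering a page, so the logout chain can continue.
        var response = new XElement(P + "LogoutResponse",
            new XAttribute("ID", "_" + Guid.NewGuid().ToString("N")), new XAttribute("Version", "2.0"),
            new XAttribute("IssueInstant", XmlConvert.ToString(DateTime.UtcNow, XmlDateTimeSerializationMode.Utc)),
            new XAttribute("Destination", IdpSloUrl), new XAttribute("InResponseTo", requestId),
            new XElement(A + "Issuer", SpEntityId),
            new XElement(P + "Status", new XElement(P + "StatusCode",
                new XAttribute("Value", "urn:oasis:names:tc:SAML:2.0:status:Success"))));
        var xml = Encoding.UTF8.GetBytes(response.ToString(SaveOptions.DisableFormatting));
        var packed = new MemoryStream();
        using (var deflate = new DeflateStream(packed, CompressionMode.Compress))
            deflate.Write(xml, 0, xml.Length);
        var url = IdpSloUrl + "?SAMLResponse=" + HttpUtility.UrlEncode(Convert.ToBase64String(packed.ToArray()));
        if (!string.IsNullOrEmpty(RelayState)) url += "&RelayState=" + HttpUtility.UrlEncode(RelayState);
        return Redirect(url);
    }
}
```

The final redirect to a login page happens only at the originating SP in step 4; every other SP hands the browser back to the IdP as shown here.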

How to log out when a user closes the web application without logging out

I have created an ASP.NET MVC4 web application. When a user logs in, does some browsing and then closes the application in the browser without logging out, the previously logged-in user is not logged out, and when the application is restarted the previously logged-in user is still logged in.
What I want is that if a user is logged in and closes the web application, the user should be logged out instantly.
Note - I have not deployed the application on IIS yet.
So, as the web is stateless, will it work correctly in a real scenario when the application is deployed?
Currently, I am checking it on my development machine and browser.
I have seen the following samples, but none has a clear explanation:
automatically logging users out of asp.net website on close
how to kill the session when user closed the browser without logout
So, is there any event that I can handle on dispose or some sort of shutdown, as we have in a desktop application?
Actually, I have not worked on a web application before.
Try setting the attribute "createPersistentCookie" to false while authenticating.
For example:
' generate non-persistent cookie for the authenticated user
Dim authCookie As HttpCookie = System.Web.Security.FormsAuthentication.GetAuthCookie(_logonModel.UserName, False)

Chrome: cookie removed when user leaves page

I have an ASP.NET MVC1 site where the user is logged in. He is logged in because he has a cookie ".ASPXAUTH" with a token value in it.
For payments the user gets redirected to a payment provider. He is redirected to my site when he has completed the payment process.
This usually was fine, but since the 29th of June I have had a lot of users who don't have a cookie when they get redirected to our site.
I can't reproduce this behaviour but I see a pattern: most users that have lost the cookie have the recent version (20.0.1132.47) of Chrome on Windows.
Has anybody had issues like this in the last couple of days? I have no idea what the reason might be, but I suspect it to be a setting of Chrome that is changed now by lots of users or an add-on that changes something.
EDIT
The cookie created by forms authentication is a session cookie. Maybe some browsers changed the way they detect a session. If I have a session cookie, close the browser and reopen it, I still have the cookie.

Accesstoken not available after reopening website

I have a MVC 3 website with the Facebook C# SDK.
Now I'm redoing the Facebook integration in a clean MVC 4 application with the new version 6 of the SDK. So I used the getting started help page on the SDK website. http://csharpsdk.org/docs/web/getting-started
I've followed the tutorial and changed only one part of it. The thing that I changed was that I call a controller action, because the ashx was fired but wasn't allowed to set the access token in the Session object. The Session was null.
Now when I start the website for the first time (I used Chrome because IE won't work by default; the tutorial explains why), I see the login button.
When I press the login button, I get the Facebook authorization page, which says that my app wants to connect to my Facebook account. When I submit, the MVC action in the controller gets fired and the given access token is stored in the session.
After that I can access my own information.
When I close Visual Studio (IIS Express is closed with it) and restart the website, the login button is changed to my account with a picture that says that I use the app that is connected. After that I navigate back to the page with my own information and get a NullReferenceException on the session that gets the access token. Why is that? Why is the user logged in but the action that stores the access token isn't fired the second time that I open the website (new session)?
Shouldn't I set the app secret somewhere? I have set the AppId in the JavaScript following the tutorial.
Thanks.
Per Facebook your user is logged into your app, but since you restarted your Cassini web server, your "session" is gone/lost/deleted.
Check your session to ensure you have a valid token in session; if not, redirect the user to your login code.
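One way to implement the check described in the answer above, as an MVC action filter. This is an added example, not code from the original post; the session key `AccessToken`, the attribute name and the `Account`/`Login` route are assumptions.

```csharp
using System.Web.Mvc;
using System.Web.Routing;
using System.Web.Security;

// Guards actions that need the token kept in server-side session state.
// In-process session state is lost when the web server or app pool restarts,
// while the browser may still present a valid login cookie.
public class RequireSessionTokenAttribute : ActionFilterAttribute
{
    // Assumed session key: use the key your login action writes.
    public const string TokenKey = "AccessToken";

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var http = filterContext.HttpContext;
        var token = http.Session == null ? null : http.Session[TokenKey] as string;
        if (!string.IsNullOrEmpty(token))
        {
            return; // the session still holds the token, let the action run
        }

        // The cookie outlived the session. Drop the stale forms-auth ticket so
        // "authenticated" and "has session data" cannot disagree.
        if (http.Request.IsAuthenticated)
        {
            FormsAuthentication.SignOut();
        }

        // Restart the login flow. "Account"/"Login" are assumed names. The login
        // action should accept returnUrl only if Url.IsLocalUrl(returnUrl) is true.
        filterContext.Result = new RedirectToRouteResult(
            new RouteValueDictionary
            {
                { "controller", "Account" },
                { "action", "Login" },
                { "returnUrl", http.Request.RawUrl }
            });
    }
}
```

Apply it as `[RequireSessionToken]` on the controllers or actions that read the token, so a restart leads to a fresh login instead of a NullReferenceException.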

ASPNET MVC3: user is (almost) always redirected to login page: session problem or wrong config?

I have published an ASP.NET MVC3 application to a hosting service. I use the standard Account controller and I've seen that, during app execution - after a DB save - it loses the account and the user is continuously redirected to the Login page.
This does not happen on my development machine.
Do you know what the problem is?
Edit
Today I put my ASP.NET MVC3 app on WinHosting. The app uses the native Forms Authentication used in MVC. I have an AdminController that can be accessed only by authenticated users. When the user goes to Admin/xyz the system correctly redirects him to the login page to authenticate him.
The problem is that when the user is authenticated and waits 10-15 seconds, when he clicks on a link, he is always redirected to the login form even if he is authenticated.
I thought it was a session problem and I asked WinHosting to use SQL Server sessions, but I see that the SQL tables (AspStateTemp*) that should handle session data are always empty.
Here is the node I added in web.config:
<sessionState mode="SQLServer" allowCustomSqlDatabase = "true"
sqlConnectionString="data Source=tcp:DB_server;database=DB_name;user id=DB_user;password=DB_passwd"
cookieless="false"
timeout="600" />
This solved my problem: http://forum.winhost.com/showthread.php?p=18258#post18258
