My solution is structured like this:
Web Project (Default, ASP.NET MVC)
API Project (ASP.NET MVC using WebAPI controllers)
When deployed to a server, the web project will be the root and the api project will live in root\api.
I am authenticating users in the web app using FormsAuthentication.SetAuthCookie("foo",false); and so of course within a controller of the web project I have no problem reading the cookie back (HttpContext.User.Identity.Name).
I would like to be able to do the same in my API project when an ajax request is made from a page in the web project so that I can check that the user is authenticated before remitting a service.
Is this possible?
Update
I followed this MSDN article for creating authentication across applications, and I still can not read my auth cookie in the API context. I am wondering if it is because I am running in local host while the Forms node in the web configs expect a domain name:
<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH"
protection="All"
path="/"
domain="contoso.com"
timeout="30" />
I tried setting the domain to localhost:XXXX but that didn't work either. The machine keys in both applications match.
Related
I'm trying to set the Machine Key in Web.Config of ASP.Net MVC apps but it sounds like Azure automatically provision unique machine keys for each web app and override what's in my Web.Config.
The reason I want to do that is because I have an App Service witch is used as Authentication App. Thats where users will login. And I also have plenty others apps that will be using the Token provided by the first app. Doing this will Authenticate users at one unique place and users will be able to navigate through some modules in a portal being authenticated only once. It works very well in localhost or hosted in IIS, but on Azure Hosted App Service it seems like Machine Key aren't read properly or something even if I reset the machine-key configuration section upon Application_Start.
I tried the solution described Here, but as #gorillapower said
Seems this isnt working for us. We are using .NET 4.6.1 and using OWIN startup with app.UseCookieAuthentication() and using a Redis cache session provider. I implemented the above, but the user keeps getting logged out after a slot swap. Any ideas?
It also seems that when you run an ASP.NET application on multiple instances of an App Service Plan (ASP) you do not need to worry about machineKeys as the App Service Platform will use the same one across all your instances and therefore will not need to make any changes to your application.
But in my case, our Apps are all in different App Service Plan. So this solution doesn't apply.
Any clues about this problem ?
Thanks
Generate machine Key and add into web.config file
It will work for Web Farm / load balancer either in IIS or Azure Web App service.
Note : It will only work if you are using IAppBuilder->UseCookieAuthentication-> CookieAuthenticationOptions
<system.web>
<authentication mode="None" />
<machineKey validation="HMACSHA256" decryption="AES" validationKey="D6883865C0490AFA4907A046E838DD2C7B13B636694B552630C13770701B944A" decryptionKey="2C3C48562E6FE018E71B69BDB27D06048A573C094A962AA9A1547C3D874C63B0" />
I am working on an asp.net mvc 5 project which is a sub domain based multi tenant saas application like t1.abc.com for tenant1 and t2.abc.com for tenant2.
I am trying to share the session across the sub domains for supper admins and I configured web config with root domain as
<httpCookies domain=".abc.com"/>
But it is not working, even after I login to abc.com when I go to t1.abc.com in the next tab still it prompts login page.
The session store is configured to point to the RedisSessionStateStore and the application is deployed in the azure cloud web apps.
Is there anything I am missing?
Finally I figured it out. I used owin middle ware so the solution is here in this link ASP.NET Identity Cookie across subdomains
I have 2 ASP.NET MVC web applications setup under the same domain. One is just a standard MVC website. The other is a Web API project. For now I am just setup locally.
* http://localhost/myapp
* http://localhost/api
I am using forms authentication to login in to the web application and then accessing the api application via a jQuery $.get request. Is there a way to share the forms authentication from the web app with the API app? Again these are 2 separate applications but are sharing the same root domain.
I found the answer. I just needed to add a matching machineKey element to the web.config file for both of my applications.
<machineKey validationKey="..."
decryptionKey="..."
validation="SHA1"
decryption="AES"
/>
I have an MVC 3 website that is using Forms authentication. The user logins and navigates to a Silverlight 5 application. The Silverlight app is calling a Silverlight-Enabled WCF service on another port. Because one of my requirements is to use Https/SSL, I decided to move the WCF services into a "Services" folder in my MVC application.
To see if the service is working, I typed in the address of my service. I got an error message stating my service requires anonymous access, but the website is specified to use forms authentication. So, I removed my mexHttpBinding in my web.config for my service and added authenticationScheme="Negotiate" to my httpTransport of my binding. (I'm not to https yet).
Now, I get a 302 and am redirected to the log-in page. It seems that my service is suggesting i'm not logged in. So, I added
routes.IgnoreRoute("{resource}.svc/{*pathInfo}");
and
routes.IgnoreRoute("Services/");
but that hasn't made a difference. I think the service says i'm not authenticated, but I'm certain I am.
Can someone explain what I'm doing wrong?
All of this works when I debug on my localhost, but I can't access the service when I deploy to a server.
Edit
I may have found my answer. I turned on anonymous access for my website in IIS and changed the httpTransport's authenticationScheme to the default (Anonymous). I then added
<authorization>
<deny users="?"/>
</authorization>
along with
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
which seems to be requiring the user to be authenticated in order to access the service. I am now going to check my silverlight application to make sure it can reach the service and get/post data. This was all in a test application, so I'll have to change my real application accordingly. Then, I'll tackle ssl/https.
Does all this sound right?
EDIT 2
I had to ensure mex was enabled and aspNetCompatibilityEnabled was set to 'false' to get the conctracts to update in my silverlight app. But after updating my services, I set the aspNetCompatibilityEnabled to 'true', and everything appears to be working.
I hope I'm still headed down the right path...
I ended up setting up IIS to add the webservice as a website under the parent website. Then, I used the Location tag in the parent site's web.config to implement forms authentication on the webservice.
I work at a consulting shop where we work on multiple site every day, most of them running ASP.NET MVC 3. We're running these sites locally during development using IIS Express, so we see something like "http://localhost:1234" for every site.
We're using forms authentication on all these sites, and we're seeing something odd when switching from one site to another. When I'm logged in to site A, and begin to browse site B, the HttpContext.Current.User property when debugging site B has the value we set it to from site A.
This only seems to happen on MVC sites. When I run a WebForms site on the same machine under IIS Express, HttpContext.Current.User is equal to a GenericPrincipal object. In other words, all Web Forms site seem to be isolated as far as authentication goes. What is different about MVC that makes these sites pick up on each other's auth information?
The name of the authentication cookie is probably the same for all sites and if they are all hosted on the same domain this cookie will be sent along each request. By default the cookie name is .ASPXAUTH. Thus if you are authenticated on Site A you will be automatically authenticated on Site B. The name of the cookie is defined in the forms section in web.config:
<forms loginUrl="~/Account/LogOn" timeout="2880" name="someCookieName" />
So try specifying different authentication cookie name for your sites.