I've built a small ASP.NET MVC app with Forms Authentication. I don't seem to be able to share cookies/authentication from the base domain (say people.com) to a subdomain (abc.people.com).
What I mean is that when I debug through the code, the Request.Cookies object doesn't have any and User.Identity.IsAuthenticated is false.
What's even weirder is it seems to work fine for Internet Explorer (weird huh .. ?) But for Chrome and Firefox.
But when I check the browser for cookies, I can see that the cookie exists for the domain people.com.
Am I missing something very obvious?
Edit: I'm using OAuthWebSecurity to log in. The code that logs in is this:
OAuthWebSecurity.Login(result.Provider, result.ProviderUserId, createPersistentCookie: true);
And the web.config value is
<authentication mode="Forms">
<forms loginUrl="~/Account" timeout="2880" />
</authentication>
Adding the domain attribute to the forms field, with the base domain value, seems to have fixed the problem.
<authentication mode="Forms">
  <forms loginUrl="~/Account"
         timeout="2880"
         domain="people.com"
  />
</authentication>
Related
I use Forms Authentication in my MVC application, but it does not work as I expect. I have added this to my web.config file:
<authentication mode="Forms">
<forms loginUrl="~/login/Login" timeout="30" defaultUrl="~/login/Login" />
</authentication>
But if I go directly to a page other than the login page, I still can view that page even if I have not logged on to the site. What am I missing here?
I downloaded NopCommerce open source e-commerce project.
It's ASP.NET MVC based and uses Forms Authentication.
When I log in, it always sends me to the login page.
I debugged it and found a problem: httpContext.Request.IsAuthenticated always returns false (the httpContext variable is of type HttpContextBase).
I checked the forms authentication cookie: the cookie is successfully created, and httpContext.Request has found the cookie.
Someone recommended adding a machine key to web.config; I added it, but it doesn't resolve the problem.
I don't understand what the problem is.
Check that you have set the authentication mode in your web.config:
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Login" timeout="2880" />
</authentication>
</system.web>
When my MVC4 web site (mywebsite.com) is deployed (to Amazon Web Services) and a non-authenticated user clicks on a link requiring authentication (e.g. Search), they are redirected to
www.mywebsite.com/Web.UI_deploy/Account/Login?ReturnUrl=%2fSearch
instead of
www.mywebsite.com/Account/Login?ReturnUrl=%2fSearch
(Web.UI_deploy is the web root on the web server). This issue only occurs with deployment, not on localhost.
What is the cleanest method of resolving this?
A minor change in the web.config solves the issue.
Before
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
I removed the tilde ~ and it solved the problem.
After
<authentication mode="Forms">
<forms loginUrl="/Account/Login" timeout="2880" />
</authentication>
I got this idea from Issue with return URL Authorize issue MVC4
I'm using the ASP.NET MVC SimpleMembership provider.
There isn't any problem for a while after I log in. I check if the user is Boss, and this works.
if (User.IsInRole("Boss")) {
//do something
}
But after a few minutes, when I refresh the page, User.IsInRole("Boss") always returns false.
I debugged and checked if the user is still logged in; yes, the user is still there, nothing changed, but IsInRole keeps returning false.
When I log out and log in again, it starts working.
I think the problem is about Sessions but I couldn't find any solution.
This is what I have in Web.config
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
UPDATE:
I realized that happens when I rebuild my project.
You could be losing your cookie. Try adding:
<forms loginUrl="~/Account/Login" cookieless="UseCookies" timeout="2880" />
This solved quite a few problems in our MVC app.
I am working on an ASP.NET MVC4 project using SimpleMembership, which generates an ASPXAUTH cookie when you are logged in. It seems to be working just fine, but then today I opened up another MVC4 project, only to notice that I was already logged in.
This was extremely odd, because the new project literally does not have any users defined in the database. Even more disconcerting is when I hit "log out" on the new project, it logged me out of the original site.
Both sites are running on different ports, though both on localhost. When examining the Request to see why it is returning "IsAuthenticated == true", I noticed that the ASPXAUTH cookie is being sent to both sites, and the "domain" parameter of the cookie in the debugger is "null". This made me think that perhaps the cookie is being generated as a "domain-less" cookie (I have no idea if such a thing is even possible, to be honest!), and looked at the web.config setting to specify a domain:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" domain="http://localhost:56626" />
</authentication>
Unfortunately setting the "domain" parameter has made the cookie cease working. I've tried all permutations (with http, without http, with port, without port, etc) and every time I specify a domain, the browser receives the cookie with the properly specified domain name (I examined it in Chrome developer tools), but then fails to ever send it back to the server of subsequent requests.
So, I'm pretty confused about what is happening here. Is this a security leak that I've caused by not setting something up properly somewhere? Or is it perfectly normal behavior that an ASPXAUTH cookie will authorize a user on two totally different web apps on two different ports on the same domain? I would test this on a web host but unfortunately I don't have access to any that run MVC4 at the moment.
Thanks in advance.
ASPXAUTH is the default name given to the cookie but by changing this name for each project in the Web.Config you can make it apply only to that project.
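<authentication mode="Forms">
  <!-- domain attribute left out: the URL value from the question is not a valid cookie domain and stops the cookie being sent back -->
  <forms loginUrl="~/Account/Login" timeout="2880" name=".PROJ1AUTH" />
</authentication>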
Add a Name attribute to the forms element. It will name the authcookie after the name you provide making it unique between other projects.
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" name="A_UNIQUE_NAME" />
</authentication>
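
The people.com / abc.people.com question and the two-sites-on-localhost question above both come down to how a browser scopes a cookie, sketched here as an added example (not code from any of the posts): a simplified RFC 6265 domain match with no public-suffix or IP-address handling. The function names and port 50001 are constructed for illustration.

```javascript
// Added example: simplified RFC 6265 cookie scoping.
// Hosts come from the questions above; port 50001 is a constructed second dev site.

// RFC 6265 5.1.3: a host matches a domain if identical or a dot-separated suffix of it.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// What the browser stores when `setterHost` sends a cookie with the given
// Domain attribute (null = attribute absent). Returns null if it is rejected.
function storeCookie(setterHost, domainAttr) {
  if (domainAttr === null || domainAttr === "") {
    return { domain: setterHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, ""); // a leading dot is ignored
  // The setting host must itself match the attribute, otherwise the cookie
  // is dropped. A URL such as "http://localhost:56626" can never match.
  if (!domainMatch(setterHost, domain)) return null;
  return { domain: domain.toLowerCase(), hostOnly: false };
}

// Would the stored cookie be attached to a request for `requestUrl`?
// Only the hostname is consulted: the port plays no part in cookie scope.
function isSent(cookie, requestUrl) {
  if (cookie === null) return false;
  const host = new URL(requestUrl).hostname;
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

function scenarios() {
  const hostOnly = storeCookie("people.com", null);        // <forms> without domain
  const shared = storeCookie("people.com", "people.com");  // <forms domain="people.com">
  const local = storeCookie("localhost", null);            // dev site on :56626
  const badDomain = storeCookie("localhost", "http://localhost:56626");
  return {
    hostOnlyToSubdomain: isSent(hostOnly, "http://abc.people.com/"),
    sharedToSubdomain: isSent(shared, "http://abc.people.com/"),
    localToOtherPort: isSent(local, "http://localhost:50001/"),
    badDomainStored: badDomain !== null,
  };
}

console.log(scenarios());
```

Internet Explorer historically did not apply the host-only rule and sent cookies set without a Domain attribute to subdomains as well, which is consistent with the browser difference the first question reports. With domain="people.com" the authentication ticket goes to every host under people.com, so each of those hosts has to be trusted with it.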