Custom forms authentication using login from parent domain - asp.net-mvc

I have a parent MVC site that handles logins that has the domain mysite.com. This is basically the template MVC internet application out of the box - a user logs in, and it sets an .ASPXAUTH cookie with the domain .mysite.com.
I also have another MVC site that runs on the domain child.mysite.com. I intend to use custom forms authentication to authenticate the user from the cookie set by the parent. When I browse to child.mysite.com in Firefox, I can see the cookie set by the login site in Firebug, so I know the child site can access it, but I do not seem to be able to retrieve this cookie from my code in the child site.
I am implementing FormsAuthentication_OnAuthenticate in Global.asax, and I would have expected the cookie to be visible in Request.Cookies, but there are no cookies there.
How do I access the cookie set by the parent login site in FormsAuthentication_OnAuthenticate?

I think I've found the problem. The child site was finding the cookie, but when it tried to decrypt it, it was erroring, and therefore not authenticating fully. This code on the child site would throw an error:
```csharp
void FormsAuthentication_OnAuthenticate(Object sender, FormsAuthenticationEventArgs e)
{
    // Throws when the cookie was protected with a different machineKey than this site's
    var cookie = FormsAuthentication.Decrypt(Request.Cookies[FormsAuthentication.FormsCookieName].Value);
}
```
The error is 'Padding is invalid and cannot be removed' and is due to the fact that the child site cannot decrypt the cookie set by the parent site.
The answer is to set the machine key in system.web in web.config to be the same for both sites:
```xml
<machineKey
    validationKey='241FF35BE3921690EBA492A89CC03719ECF5552D019448C44F8B28B01F546FCDC4AEDCD273380EB45BE8A49AFB9C14FE60BECF0B5ECBA4901C306875FED98DEA'
    decryptionKey='864559FC58AC5FFB5B9581008552B4A873ACBE86469A81CB'
    validation='SHA1'/>
```
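As an added example (not code from the original answer), this is how the child site's handler can consume the parent's ticket once both sites share a machineKey. It assumes a `<forms domain=".mysite.com">` setting on both sites so the cookie name and domain line up, and treats a cookie that fails to decrypt as "not logged in" instead of letting the request fail with the padding error. Two caveats a practitioner should keep in mind: a cookie scoped to `.mysite.com` is sent to every host under that domain, and any application holding the shared keys can mint tickets that the parent will accept, so only applications at the same trust level should share the key; and `validation='SHA1'` still works but HMACSHA256 is available on .NET 4 and is the better choice for a new deployment.

```csharp
// Added example: child site's Global.asax handler that reads the parent's forms cookie.
// Assumes both sites share <machineKey> and use <forms domain=".mysite.com" requireSSL="true">.
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public partial class MvcApplication : HttpApplication
{
    // Auto-wired by name for the FormsAuthenticationModule's Authenticate event.
    protected void FormsAuthentication_OnAuthenticate(object sender, FormsAuthenticationEventArgs e)
    {
        HttpCookie cookie = e.Context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return; // no ticket: leave e.User null, the request continues anonymously

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (CryptographicException)
        {
            // "Padding is invalid and cannot be removed": the cookie was protected with
            // keys this site does not have. Treat as unauthenticated, do not crash.
            return;
        }
        catch (HttpException)
        {
            // Older framework builds report a bad MAC as "Unable to validate data".
            return;
        }
        catch (ArgumentException)
        {
            return; // not even valid hex; a tampered or foreign cookie
        }

        if (ticket == null || ticket.Expired)
            return;

        // Supplying e.User tells the module to use this principal and skip its own
        // cookie processing (so sliding-expiration renewal is not performed here).
        var identity = new FormsIdentity(ticket);
        e.User = new GenericPrincipal(identity, new string[0]);
    }
}
```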

Related

Mvc4 set user as logged in when user info is found in the session

I am working on a new MVC4 site, and am using MVC4 forms authentication.
The users of the site expect to be able to login to the company's main site and click on a link and go to this new site I am developing. The old site stores the logged in user in a session variable. Is it possible for me to check if the session variable exists and log the user in to my forms authentication? Or will they need to login again?
Make the same machineKey section in your web.config in system.web like this:
```xml
<system.web>
    <machineKey validationKey="SAME_KEY_GOES_HERE" ... />
    ...
```
You can generate machineKey here.
Then your goal is to pass all the authentication cookies from one website to another. I think you can store them in a database, and provide authenticated users with a unique link to your new website. The new website can read the key from the database, and set cookie values obtained from the existing website. After that, the user will be authenticated on your new website.
Update:
There could be an easier and a little bit less secure way of doing this. Don't keep cookie data in a database, just create a form on the first website with a post action. This form must contain all authentication cookies in hidden values. The action of the form must point to your second website. On the second website, you just need to place the submitted form values into cookies. That's it! Much easier! (yep, and you need the same machine key)
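The answer above relies on the shared machineKey to make a ticket minted by one site readable by the other. As an added example that is not part of the original answer, the same shared key can carry a purpose-built handoff token instead of the user's live cookie: the old site, which knows the user from its session variable, encrypts a ticket that expires in 60 seconds and carries a random nonce; the new site decrypts it, rejects expired or replayed tokens, and only then issues its own cookie with `SetAuthCookie`. The `Session["UserName"]` key, the `HandoffController` names and the target URL are assumptions for the example. The token travels in a POST body rather than a query string so it stays out of server logs and Referer headers, and the receiving action is deliberately cross-site, which is why the nonce and short expiry, not an anti-forgery token, are its protection.

```csharp
// Added example: session-to-forms-auth handoff using a short-lived ticket.
// Assumes both applications share <machineKey>; names and URLs are placeholders.
using System;
using System.Runtime.Caching;       // reference System.Runtime.Caching.dll
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

namespace OldSite
{
    public class HandoffController : Controller
    {
        private const string NewSiteAccept = "https://new.example.com/Handoff/Accept"; // assumed

        // Linked from the old site's menu; the user is already logged in there.
        public ActionResult ToNewSite()
        {
            var userName = Session["UserName"] as string;   // the old site's convention
            if (string.IsNullOrEmpty(userName))
                return new HttpUnauthorizedResult();

            // 60-second ticket; userData carries a nonce so the receiver can block replays.
            string nonce = Guid.NewGuid().ToString("N");
            var ticket = new FormsAuthenticationTicket(
                1, userName, DateTime.Now, DateTime.Now.AddSeconds(60),
                isPersistent: false, userData: "handoff:" + nonce);
            string token = FormsAuthentication.Encrypt(ticket);

            // Auto-submitting POST form; the token never appears in a URL.
            string html =
                "<form method='post' action='" + HttpUtility.HtmlAttributeEncode(NewSiteAccept) + "'>" +
                "<input type='hidden' name='token' value='" + HttpUtility.HtmlAttributeEncode(token) + "'/>" +
                "<noscript><button type='submit'>Continue</button></noscript></form>" +
                "<script>document.forms[0].submit();</script>";
            return Content(html, "text/html");
        }
    }
}

namespace NewSite
{
    public class HandoffController : Controller
    {
        // Replay cache; in a web farm use a shared store instead of process memory.
        private static readonly MemoryCache UsedNonces = MemoryCache.Default;

        [HttpPost]
        [AllowAnonymous]
        public ActionResult Accept(string token)
        {
            if (string.IsNullOrEmpty(token))
                return new HttpUnauthorizedResult();

            FormsAuthenticationTicket ticket;
            try
            {
                ticket = FormsAuthentication.Decrypt(token);
            }
            catch (CryptographicException) { return new HttpUnauthorizedResult(); } // wrong key / tampered
            catch (HttpException)          { return new HttpUnauthorizedResult(); } // "Unable to validate data"
            catch (ArgumentException)      { return new HttpUnauthorizedResult(); } // not hex at all

            if (ticket == null || ticket.Expired || !ticket.UserData.StartsWith("handoff:", StringComparison.Ordinal))
                return new HttpUnauthorizedResult();

            // One-time use: Add() returns false if the nonce was already recorded.
            if (!UsedNonces.Add(ticket.UserData, true, DateTimeOffset.Now.AddMinutes(2)))
                return new HttpUnauthorizedResult();

            // Issue this site's own cookie; the handoff ticket itself is never stored as a cookie.
            FormsAuthentication.SetAuthCookie(ticket.Name, createPersistentCookie: false);
            return RedirectToAction("Index", "Home");
        }
    }
}
```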

ASP.net MVC - authentication cookie and redirects

I am looking for a bit of a point in the right direction...
We have an MVC site, with a variety of virtual directories that all point at the same code, e.g.
https://www.x.com/dir1
https://www.x.com/dir2
The different virtual directories are used partly for business reasons due to the URL 'content' and partly to control how the site is skinned.
The sites are locked down for access using forms authentication, and I am trying to track down a slightly elusive issue.
A user logs into the site using the url 'dir1', authenticates fine, SetAuthCookie is called.
We have code that runs on OnActionExecuting throughout the site - it takes the logged in user and determines which virtual directory they should be accessing (one per user) and if they are in the wrong URL, will redirect them, e.g. (simplified code):
```csharp
protected override void OnActionExecuting(ActionExecutingContext filterContext)
{
    if (Authenticated && UserIsNotInCorrectDirectory())
    {
        filterContext.Result = new RedirectResult("https://www.x.com/dir2");
    }
}
```
The problem I am having is this - if I start a fresh browser (using Firefox at the minute, to view the cookies) and do the following:
1. Log into the site using the 'dir1' url.
2. I get authenticated fine - I can see the Set-Cookie HTTP header containing our auth cookie. This response will also redirect me to 'dir2'.
3. On the subsequent page, when I view the cookies, the auth cookie is not there - this is the problem.
To add to my confusion, if I then bring up the login page again (same browser, session not closed), and try this again, it works. Anybody got a clue?
My bet is that your OnActionExecuting filter is getting in the way of your login form and your session cookie is getting lost when you overwrite the result. In case this code resides in an attribute, I would try removing the attribute from your Login action and see if that works.
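Following the answer's suggestion, here is an added example (not code from the question or the answer) of the directory-enforcement filter written so that it never runs on the login or logout actions. Setting `filterContext.Result` in `OnActionExecuting` short-circuits the action method entirely, so a filter that fires on the Login POST replaces whatever that action would have done. The `DirectoryFor` lookup, the `Account` controller name and the directory table are assumptions; the redirect target is built from that fixed table, never from request data, so the filter cannot be turned into an open redirect.

```csharp
// Added example: redirect users to their own virtual directory, but stay out of
// the login/logout flow. Assumes an "Account" controller and a user -> directory lookup.
using System;
using System.Collections.Generic;
using System.Web.Mvc;

public class EnforceDirectoryAttribute : ActionFilterAttribute
{
    // Placeholder for the real per-user lookup (database/config in practice).
    private static readonly Dictionary<string, string> DirectoryByUser =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", "/dir1" },
            { "bob",   "/dir2" },
        };

    private static string DirectoryFor(string userName)
    {
        string dir;
        return DirectoryByUser.TryGetValue(userName ?? "", out dir) ? dir : null;
    }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var http = filterContext.HttpContext;
        string controller = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;

        // Never interfere with Login/LogOff: those actions set or clear the auth cookie.
        if (string.Equals(controller, "Account", StringComparison.OrdinalIgnoreCase))
            return;
        if (!http.Request.IsAuthenticated)
            return;

        string current = http.Request.ApplicationPath;              // e.g. "/dir1"
        string expected = DirectoryFor(http.User.Identity.Name);    // e.g. "/dir2"
        if (expected == null || string.Equals(current, expected, StringComparison.OrdinalIgnoreCase))
            return; // unknown mapping or already in the right place: do nothing

        // Redirect to the same host under the correct directory. Host and scheme come
        // from the current request's URL object, the path from our own table.
        var target = new UriBuilder(http.Request.Url) { Path = expected + "/", Query = "" };
        filterContext.Result = new RedirectResult(target.Uri.AbsoluteUri);
    }
}
```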

MVC's ActionExecutingContext HttpContext.User.Identity.IsAuthenticated Returns False When Signing in on Multiple Browser Tabs

During a custom ActionFilterAttribute's OnActionExecuting method, we ensure that the user is still logged in before performing some actions. We do this by doing something similar to this pseudo code:
```csharp
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
    if (filterContext.HttpContext.User.Identity.IsAuthenticated)
    {
        // Do something...
    }
}
```
I have multiple sites for multiple clients that run under the same domain with only difference being the virtual directory names. Each virtual directory actually points to same folder/code base and the URL/virdir name indicate to code which 'client configuration file' to use from a nested /Clients directory. Not sure if that much detail in site/code/IIS config is needed, but supplying in case any of that is culprit for problem.
If I try to sign on to multiple sites using multiple instances of a browser, everything works fine. The IsAuthenticated check returns true when I attempt to navigate around the site.
However, if I try to sign on to multiple sites using a single browser with multiple tabs, I keep getting logged out back and forth. If I sign in to site A, I can navigate around, but as soon as I sign into site B, if I try to navigate anywhere in site A, IsAuthenticated returns false.
Is this expected behavior? Is there a workaround to this?
UPDATE: I'm now only able to reproduce this behavior in IE. In Firefox and Chrome, I get booted to login screen whether I'm on same browser/multi tabs or multi browsers. Is there a difference in the way IE handles cookies? Or aren't cookies the culprit?
Without knowing your setup in any more detail, this is what I expect is happening.
Assumptions:
- You state that you have multiple virtual directories pointing to one code base.
- Each of these virtual directories is most likely set as an application in IIS.
- You do not have a machine key defined in your web.config and as a result, each virtual directory auto-generated its own encryption/decryption keys.
What is probably happening:
When you sign in from different browsers, each browser is given an authentication cookie. Since you are using different browsers, there is no issue.
When using the same browser, you login to site A and are given an encrypted cookie that was encrypted with the siteA autogenerated key.
When you attempt to go to another virtual directory that has a different autogenerated machine key, the site cannot read the authentication ticket (cannot decrypt it) and thus returns logged-in = false.
Once you login to siteB, the authentication cookie is replaced with an authentication ticket from siteB. At this point, siteA can no longer decrypt the authentication ticket and returns logged-in =false.
Try setting the machine key configuration section of your web.config with the appropriate options (MSDN on machineKey element). Here is some more information on the forms authentication ticket and process as well
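As an added example (not part of the original answer), this small console program generates an explicit `<machineKey>` element that can be pasted into the web.config shared by all of the virtual directories, so every application protects the forms ticket with the same keys. It uses a 64-byte validation key for HMACSHA256 and a 32-byte decryption key for AES, which are the lengths those algorithms expect. Two practical notes: if the applications target different framework versions, the `compatibilityMode` attribute of machineKey must also agree or the ticket formats differ; and because the key is the credential that lets an application forge tickets for every other application sharing it, keep it out of source control (for example by encrypting the section with `aspnet_regiis -pe "system.web/machineKey"`) and only share it among applications at the same trust level.

```csharp
// Added example: generate a shared <machineKey> element with fresh random keys.
// Run once, paste the output into <system.web> of each application (or the parent web.config).
using System;
using System.Security.Cryptography;
using System.Text;

static class MachineKeyGen
{
    // Returns byteCount cryptographically random bytes as upper-case hex,
    // which is the encoding the machineKey attributes expect.
    static string RandomHex(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(bytes);

        var sb = new StringBuilder(byteCount * 2);
        foreach (byte b in bytes)
            sb.Append(b.ToString("X2"));
        return sb.ToString();
    }

    static void Main()
    {
        // 64 bytes for HMACSHA256 validation, 32 bytes for AES-256 decryption.
        string validationKey = RandomHex(64);
        string decryptionKey = RandomHex(32);

        Console.WriteLine("<machineKey");
        Console.WriteLine("    validationKey=\"" + validationKey + "\"");
        Console.WriteLine("    decryptionKey=\"" + decryptionKey + "\"");
        Console.WriteLine("    validation=\"HMACSHA256\"");
        Console.WriteLine("    decryption=\"AES\" />");
    }
}
```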

Spring Security 3 with a login form for some URLs and an error page for others

I'm using Spring Security 3 to protect access to a Spring-based Java Web application. The security mechanism is all configured through a standard Spring Security bean definition file, using the "security" schema. By default the user can access any URL and those that require a login are listed in the “http” element of the Spring configuration file. The system is configured so that a user who has not performed a login will be redirected to a login form before they can access such a URL.
The problem that I have is that certain URLs in the system are intended for programmatic access and return XML rather than HTML. For such URLs I need to be able to return a “user not logged in” XML instead of forcing a redirect to a login form. How can I reconfigure my “http” element (and its associated elements in the configuration file) to allow me to have one set of controlled URLs that will redirect to a login form when the user isn't logged in and another set that will return an error?
Cheers, Adam.
Maybe an authentication filter helps you. Inside the doFilter() method of Spring's AbstractAuthenticationProcessingFilter you could check whether an XML file is requested. If yes, you interrupt the chain and return an error XML file if there's no active user session. See here for more details:
http://mark.koli.ch/2010/07/spring-3-and-spring-security-setting-your-own-custom-j-spring-security-check-filter-processes-url.html

ASP.NET login to subdomain from parent domain

I have an ASP.Net MVC site that has a subdomain for each customer e.g. customer1.site.com, customer2.site.com, etc.
Login works fine from customer1.site.com/login and customer2.site.com/login using the standard ASP.Net FormsAuthentication.
How can I login from the parent domain (e.g. site.com/login) where the user specifies the subdomain name in a form field? I'd like the auth cookie to be stored against customer1.site.com or customer2.site.com so obviously need to redirect and repost the login form somehow.
you need to set the forms auth cookie domain to ".site.com" (note the leading .)
see here for setting the cookie domain: http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.cookiedomain(v=VS.100).aspx
I ended up solving this by splitting this into two separate pages. On the first page the user can enter the subdomain name (e.g. customer1) only in a form, on submitting the form they are redirected to the subdomain login page (e.g. customer1.site.com/login).
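As an added example (not code from the question or either answer), this is the "enter your subdomain" page from the solution above, with the check a practitioner would want before redirecting: the value typed into the form is validated as a single DNS label and matched against the list of known customers, and the redirect URL is then assembled from a fixed scheme and parent domain. Without that, a form that turns user input into a redirect target is an open redirect. The `LoginRouterController` name and the `KnownCustomers` list are assumptions; in a real deployment the list comes from the tenant directory. Note that the earlier suggestion of `<forms domain=".site.com">` makes one cookie valid across every customer subdomain, which is the opposite of the per-subdomain cookies the question asks for, so the redirect approach keeps each customer's cookie scoped to its own host.

```csharp
// Added example: parent-domain page that sends the user to customerN.site.com/login
// after validating the subdomain they typed. Names are placeholders.
using System;
using System.Text.RegularExpressions;
using System.Web.Mvc;

public class LoginRouterController : Controller
{
    // One DNS label: 1-63 chars of letters, digits or hyphens, not starting or ending with a hyphen.
    private static readonly Regex Label =
        new Regex(@"^(?!-)[a-z0-9-]{1,63}(?<!-)$", RegexOptions.IgnoreCase);

    // Assumed known-tenant list; look this up from the customer table in practice.
    private static readonly string[] KnownCustomers = { "customer1", "customer2" };

    private const string ParentDomain = "site.com";

    [HttpGet]
    public ActionResult ChooseCustomer()
    {
        return View(); // form with a single "subdomain" text field and an anti-forgery token
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChooseCustomer(string subdomain)
    {
        string name = (subdomain ?? "").Trim().ToLowerInvariant();

        // Reject anything that is not a plain label (no dots, slashes, '@', etc.)
        // and anything that is not an actual customer.
        if (!Label.IsMatch(name) || Array.IndexOf(KnownCustomers, name) < 0)
        {
            ModelState.AddModelError("subdomain", "Unknown customer.");
            return View();
        }

        // Scheme and parent domain are constants; only the validated label varies.
        var target = new UriBuilder("https", name + "." + ParentDomain) { Path = "/login" };
        return Redirect(target.Uri.AbsoluteUri);   // e.g. https://customer1.site.com/login
    }
}
```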
