Simplemembership ASPXAUTH cookie validating on two separate web projects - asp.net-mvc

I am working on an ASP.NET MVC4 project using SimpleMembership, which generates an ASPXAUTH cookie when you are logged in. It seems to be working just fine, but then today I opened up another MVC4 project, only to notice that I was already logged in.
This was extremely odd, because the new project literally does not have any users defined in the database. Even more disconcerting is when I hit "log out" on the new project, it logged me out of the original site.
Both sites are running on different ports, though both on localhost. When examining the Request to see why it is returning "IsAuthenticated == true", I noticed that the ASPXAUTH cookie is being sent to both sites, and the "domain" parameter of the cookie in the debugger is "null". This made me think that perhaps the cookie is being generated as a "domain-less" cookie (I have no idea if such a thing is even possible, to be honest!), and looked at the web.config setting to specify a domain:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" domain="http://localhost:56626" />
</authentication>
Unfortunately, setting the "domain" parameter has made the cookie cease working. I've tried all permutations (with http, without http, with port, without port, etc.) and every time I specify a domain, the browser receives the cookie with the properly specified domain name (I examined it in Chrome developer tools), but then fails to ever send it back to the server on subsequent requests.
So, I'm pretty confused about what is happening here. Is this a security leak that I've caused by not setting something up properly somewhere? Or is it perfectly normal behavior that an ASPXAUTH cookie will authorize a user on two totally different web apps on two different ports on the same domain? I would test this on a web host but unfortunately I don't have access to any that run MVC4 at the moment.
Thanks in advance.

ASPXAUTH is the default name given to the cookie but by changing this name for each project in the Web.Config you can make it apply only to that project.
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" name=".PROJ1AUTH"/>
</authentication>

Add a Name attribute to the forms element. It will name the authcookie after the name you provide making it unique between other projects.
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" name="A_UNIQUE_NAME" />
</authentication>

Related

Can't Login To Two Asp.Net MVC 5 Application on the same browser

I have two ASP.NET MVC 5 applications running on the same server. When I log in to the first one, I am automatically logged out of the second one, and when I create a user on both with the same username, if I log in to one I am automatically logged in to the other one. I don't know what I am doing wrong.
I use the Microsoft Visual Studio 2013 default ASP.NET MVC 5 project template.
Check to see if both apps are using the same application pool. Otherwise ensure they are not using the same back-end data tables, i.e. the same Identity tables. If they overlap, that could be your issue.
This might be caused by cookie name collision, if both applications are served from the same domain (domain.com/app1 and domain.com/app2) or from subdomain of one of them (domain.com and app.domain.com) - your two applications may have a default authentication cookie name of .ASPXAUTH.
You can change the authentication cookie name in web.config:
<system.web>
<authentication mode="Forms">
<forms name=".MYAPPASPXAUTH" loginUrl="~/Account/Login" timeout="2880" />
</authentication>
</system.web>
Picking a unique name for each of your applications fixes the issue.

How to avoid idle automatic logout inside my web.config

I am working on an ASP.NET MVC web application that uses forms authentication, which talks directly to our Active Directory through LDAP. On the staging server the user will stay logged in unless he manually logs out. The problem is that when I deploy the application on the live server using IIS 7, the user will be logged out after around 30 minutes if he did not work on the application. I thought the problem was related to the IIS idle timeout, but when I checked the settings on the staging IIS I found the following:
but on staging no automatic logout will occur, so it seems the Idle timeout setting is meaningless in my situation. I want to be able to override any undesired setting inside the IIS that might be different on different servers. So my question is how can I specify inside my web.config to not logout the user?
Bearing in mind that on both the live and staging server I have the following setting inside the web.config:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>

asp.net mvc my web application is auto logout

I have created an asp.net mvc web application, it's working fine on localhost but when I upload it, users will get logged out automatically while they are working.
I used:
FormsAuthentication.SetAuthCookie(dbuser.FName, false /* createPersistentCookie */);
and in Web.config:
<authentication mode="Forms">
<forms loginUrl="~/home/login" timeout="2880" />
</authentication>
I tried a lot of things but didn't find a solution. How can I prevent the auto logout from happening?
Ensure that wherever you are hosting it is hosting it as a single instance or handling the session state in an instance-independent manner - ASP.NET does not automatically handle session transfers in web gardens or farms. The moment your client hits the other server, they will be logged out.
If you are hosting it on AppHarbor with two web workers for example, you will need to handle the state setup yourself.
Have you tried setting:
Session Timeout Value
<system.web>
<sessionState mode="InProc" timeout="20"/>
</system.web>
At last I have to change my whole coding, converting it into a cookie-based user module.

Unable to share cookie into subdomain for Chrome and Firefox

I've built a small ASP.NET MVC app with Forms Authentication. I don't seem to be able to share cookies/authentication from the base domain (say people.com) to a subdomain (abc.people.com).
What I mean is that when I debug through the code, the Request.Cookies object doesn't have any and User.Identity.IsAuthenticated is false.
What's even weirder is that it seems to work fine for Internet Explorer (weird, huh?), but not for Chrome and Firefox.
But when I check the browser for cookies, I can see that the cookie exists for the domain people.com.
Am I missing something very obvious?
Edit: I'm using OAuthWebSecurity to log in. The code that logs in is this:
OAuthWebSecurity.Login(result.Provider, result.ProviderUserId, createPersistentCookie: true);
And the web.config value is
<authentication mode="Forms">
<forms loginUrl="~/Account" timeout="2880" />
</authentication>
Adding the domain attribute to the forms field, with the base domain value, seems to have fixed the problem.
<authentication mode="Forms">
<forms loginUrl="~/Account"
timeout="2880"
domain="people.com"
/>
</authentication>
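Added example, not part of any post on this page: a simplified RFC 6265 cookie jar showing why two apps on localhost that differ only by port share and overwrite the default .ASPXAUTH cookie (the first two questions), why a domain value containing a scheme and port is dropped, and why domain="people.com" reaches abc.people.com (the subdomain question). The class and function names, port 50001 and the ticket values are constructed for illustration, and Path=/ is assumed throughout.

```javascript
// Added example: simplified RFC 6265 cookie jar. Class and function names are
// hypothetical; every cookie is assumed to have Path=/ and no expiry.

// RFC 6265 domain-match: identical, or host is a subdomain of `domain`.
function domainMatches(host, domain) {
  if (host === domain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Process a Set-Cookie from `url`; returns false when the cookie is dropped.
  store(url, name, value, domainAttr = "") {
    const host = new URL(url).hostname.toLowerCase(); // port is discarded here
    const attr = domainAttr.toLowerCase().replace(/^\./, "");
    // A Domain attribute the responding host does not match is rejected.
    if (attr && !domainMatches(host, attr)) return false;
    const domain = attr || host;
    // Same name + domain replaces the earlier cookie, whichever app set it.
    this.cookies = this.cookies.filter(c => !(c.name === name && c.domain === domain));
    this.cookies.push({ name, value, domain, hostOnly: !attr });
    return true;
  }

  // Cookie header value attached to a request for `url`.
  header(url) {
    const host = new URL(url).hostname.toLowerCase();
    return this.cookies
      .filter(c => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
      .map(c => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Constructed scenario: two apps on localhost that differ only by port.
function demo() {
  const jar = new CookieJar();
  jar.store("http://localhost:56626/Account/Login", ".ASPXAUTH", "ticketA");
  const leaked = jar.header("http://localhost:50001/"); // second app receives it
  jar.store("http://localhost:50001/Account/Login", ".ASPXAUTH", "ticketB");
  const clobbered = jar.header("http://localhost:56626/"); // first ticket replaced
  const badDomain = jar.store("http://localhost:56626/", ".ASPXAUTH", "t", "http://localhost:56626");
  jar.store("http://people.com/Account", ".ASPXAUTH", "ticketP", "people.com");
  const subdomain = jar.header("http://abc.people.com/");
  return { leaked, clobbered, badDomain, subdomain };
}
console.log(demo());
```

Giving each app its own cookie name, as the answers suggest, stops the overwrite, but in this model the browser still sends both cookies to both ports; only the name each app looks for differs.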

ASP.NET MVC Error in deployed project - Lost authentication and redirect to login instead of logon

It's a very strange error for me:
on my local machine everything works fine; in the deployed version
I can log in correctly, but after a few (variable) minutes it de-authenticates me
and redirects to account\login, which is the bad address because the right one is account\logon
(correctly configured in web.config).
This is the configuration of my web.config:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="9999" />
</authentication>
<sessionState timeout="9999" />
EDIT
I can understand that it is a sum of two problems:
a bug in the WebMatrix data DLL that changes the login path (I don't really need this DLL)
With Glimpse I see that the process ID of w3wp.exe changes every minute; is this the cause of the continuous logout?
