SessionID Shifts in IE8 Forms Authentication issue - asp.net-mvc

Recently I noticed issues with the login process of a website I maintain.
When logging into the site with IE8 the .authuser cookie set by forms authentication shifts UIDs. This does not happen in any other browser I have tested. [ie6, ie7, ie9, FF6, FF7, FF8, Chrome, Safari]
User visits site. Clean browser session.
User is given a .authuser cookie with a UID
User goes to login page and logs in
User succeeds at login and is redirected
User is given a new .authuser cookie UID value
The biggest issue that comes from this is that the login cookies set actually allow the user to return as 'partially authenticated', like on Amazon. This means that the user can do all sorts of things on the site related to session, and when they log in using IE8, all that data is lost and corrupts certain processes in the site.

Related

How to log out when a user closes the web application without logging out

I have created an ASP.NET MVC4 web application. When a user logs in, does some browsing and then closes the application from the browser without logging out, the previously logged-in user is not logged out, and when the application is restarted the previously logged-in user is still logged in.
What I want is that if a user is logged in and closes the web application, the user should be logged out instantly.
Note: I have not deployed the application on IIS yet.
So, as the web is stateless, will it work correctly in a real scenario when the application is deployed?
Currently, I am checking it on my development machine and browser.
I have seen the following samples but none of them has a clear explanation:
automatically logging users out of asp.net website on close
how to kill the session when user closed the browser without logout
So, is there any event that I can handle on dispose or some sort of shutdown, as we have in desktop applications?
Actually, I have not worked on web applications before.
Try making the "createPersistentCookie" argument false while authenticating.
For example:
' generate non-persistent cookie for the authenticated user
Dim authCookie As HttpCookie = System.Web.Security.FormsAuthentication.GetAuthCookie(_logonModel.UserName, False)

ASP.NET MVC ActiveDirectoryMembershipProvider user stays logged in even when password has changed

I am using ActiveDirectoryMembershipProvider in my web app. I authenticate users with their domain credentials like so
if (Membership.ValidateUser(m.Username, m.Password))
FormsAuthentication.SetAuthCookie(m.Username, true);
This works well.
But even when the user's password is changed in Active Directory, the user stays logged in to the web app.
How can I ensure the user does not stay logged in to the web app if their domain password changes, or their account is disabled etc?
The answer is to periodically (every 30 minutes or so) check User.IsApproved and User.LastPasswordChangedDate to make sure the users credentials are still valid.
To do this you need to manually create the FormsAuthenticationTicket and cookie, rather than using FormsAuthentication.SetAuthCookie.
Put the date you validated the user inside UserData and compare this against LastPasswordChangedDate.
I've implemented this and it works perfectly.
More information here:
Check if Active Directory password is different from cookie
I'm not 100% certain, but it sounds like you're unhappy that the user's auth ticket continues to work even though their password changes / account expires.
Once a user has logged in and has an authentication ticket (cookie), the user is not challenged for authentication again until the ticket expires (set in the web.config file). Here are 2 suggestions for dealing with this problem:
Wait for the auth ticket (cookie) to expire. Upon the next login, the user will be required to use their new password. Variations of this solution include using session-only cookies so that the user must always log in when the browser is closed (recommended for AD authentication).
Write an HTTP module that looks for a list of recently updated users and inspects the auth ticket early in the HTTP pipeline. If an auth ticket comes through and matches the list of updated users, you expire the user's cookie and redirect them to the login page. Here's a similar question that would help get you started:
How can I force a logout of all users on a web site
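One way to wire the two answers together, and the "createPersistentCookie = false" advice from the earlier question, as an added example that is not code from any of the answers (the class and method names, the 30-minute window and the Global.asax hook are assumptions): the ticket is issued by hand so UserData carries the UTC time the credentials were last checked, and a PostAuthenticateRequest handler, which sits in the pipeline where the suggested HTTP module would, re-checks the user against the membership provider once that stamp is older than the window.

```csharp
using System;
using System.Globalization;
using System.Web;
using System.Web.Security;

// Added example, not code from the answers above. Issues a forms-auth ticket whose
// UserData is a validation timestamp and re-checks the account against the
// membership provider (ActiveDirectoryMembershipProvider in the question) once
// that timestamp is older than RevalidateAfter. Names and the window are assumptions.
public static class RevalidatingFormsAuth
{
    static readonly TimeSpan RevalidateAfter = TimeSpan.FromMinutes(30);
    const string StampFormat = "o"; // round-trip ISO 8601, keeps the UTC marker

    // Call right after Membership.ValidateUser(...) returns true.
    // persistent == false yields a browser-session cookie (no Expires header),
    // which is the createPersistentCookie = false advice from the earlier answer.
    public static void IssueAuthCookie(HttpResponseBase response, string userName,
                                       bool persistent, DateTime validatedUtc)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                                              // version
            userName,
            DateTime.Now,                                   // issue date
            DateTime.Now.Add(FormsAuthentication.Timeout),  // timeout from web.config
            persistent,
            validatedUtc.ToString(StampFormat, CultureInfo.InvariantCulture),
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath,
        };
        // Only a persistent cookie gets an Expires date. A session cookie is dropped
        // when the browser closes, but the ticket inside it stays valid server-side
        // until ticket.Expiration, so a copied cookie still works until then.
        if (persistent)
        {
            cookie.Expires = ticket.Expiration;
        }
        response.Cookies.Add(cookie);
    }

    // Hook from Global.asax.cs (assumed):
    //   protected void Application_PostAuthenticateRequest()
    //   {
    //       RevalidatingFormsAuth.Revalidate(new HttpContextWrapper(Context));
    //   }
    public static void Revalidate(HttpContextBase context)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
        {
            return; // anonymous request, nothing to check
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            ticket = null; // undecryptable or tampered cookie
        }
        if (ticket == null || ticket.Expired)
        {
            return; // FormsAuthenticationModule has already refused this ticket
        }

        DateTime validatedUtc;
        bool hasStamp = DateTime.TryParseExact(ticket.UserData, StampFormat,
            CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind, out validatedUtc);
        if (hasStamp && DateTime.UtcNow - validatedUtc < RevalidateAfter)
        {
            return; // checked recently enough, skip the directory round trip
        }

        // A ticket without a stamp (e.g. one issued by SetAuthCookie) cannot be
        // compared against LastPasswordChangedDate, so it is signed out and the
        // user logs in again to get a stamped ticket.
        MembershipUser user = Membership.GetUser(ticket.Name, false /* userIsOnline */);
        bool stillValid = hasStamp
            && user != null
            && user.IsApproved
            && !user.IsLockedOut
            && user.LastPasswordChangedDate.ToUniversalTime() <= validatedUtc;

        if (!stillValid)
        {
            FormsAuthentication.SignOut();
            context.Response.Redirect(FormsAuthentication.LoginUrl, true);
            return;
        }

        // Still good: reissue with a fresh stamp so the directory lookup happens
        // at most once per window.
        IssueAuthCookie(context.Response, ticket.Name, ticket.IsPersistent, DateTime.UtcNow);
    }
}
```

The check runs on every request but only hits the directory once per window per user, because a passing check reissues the ticket with a new stamp. Note that neither a session cookie nor this check revokes a ticket the moment a password changes; the window is the longest a changed or disabled account can keep using the site.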

Chrome:cookie removed when user leaves page

I have an ASP.NET MVC1 site where the user is logged in. He is logged in because he has a cookie ".ASPXAUTH" with a token value in it.
For payments the user gets redirected to a payment provider. They are redirected back to my site when they complete the payment process.
This usually was fine, but since the 29th of June I get a lot of users who don't have a cookie when they get redirected to our site.
I can't reproduce this behaviour, but I see a pattern: most users that have lost the cookie have the recent version (20.0.1132.47) of Chrome on Windows.
Has anybody had issues like this in the last couple of days? I have no idea what the reason might be, but I suspect it to be a setting of Chrome that is changed now by lots of users, or an add-on that changes something.
EDIT
The cookie created by forms authentication is a session cookie. Maybe some browsers changed the way they detect a session. If I have a session cookie, close the browser and reopen it, I still have the cookie.

DotNetOpenAuth login without asking for credentials the second time (if less than 10 to 15 seconds)

I'm using DotNetOpenAuth. I configured my application with custom forms authentication with Gmail OpenID through DotNetOpenAuth. I can successfully log in to my app. But say, for example, I log out from the application and click login (within 10 to 15 seconds): it's not redirecting to the Gmail login. It generates the authentication token by itself without asking the user. (I suspect something is cached by OpenID.)
I used PAPE:
request.AddExtension(new PolicyRequest()
{
MaximumAuthenticationAge = TimeSpan.Zero
});
And I also tried to configure it in web.config:
<openid cacheDiscovery="false">
Is there any workaround for this?
NOTE: Once I log out I clear ALL session state and call FormsAuthentication.SignOut().
With OpenID, you as the relying party cannot force the login policy for the user at their Provider. You can request that the provider relogin the user as you have with the PAPE extension, but the Provider may still ignore that.
The cacheDiscovery setting is irrelevant to pass-through login, so I suggest you remove that entry as it will simply slow down all logins.
I think you're mistaken when you say it's not redirecting to Google. If you look at the logs, or at your browser's URL bar, you should see the redirect to google.com, but at that point Google decides the user has a login session, avoids prompting them to log in again, and redirects the user immediately back to your site.
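Since the answer's point is that the Provider may ignore the PAPE request, the relying party should check the PAPE response it gets back rather than trusting that max_auth_age was honoured. The following is an added example, not code from the question or answer; the class, the 30-second window and the controller snippet in the comment are assumptions, while PolicyRequest, PolicyResponse and IAuthenticationResponse.GetExtension are DotNetOpenAuth's own types.

```csharp
using System;
using DotNetOpenAuth.OpenId.Extensions.ProviderAuthenticationPolicy;
using DotNetOpenAuth.OpenId.RelyingParty;

// Added example, not code from the question or answer. The relying party asks
// for a fresh login (as the question already does) and then verifies, from the
// Provider's PAPE response, that the user actually re-authenticated recently.
// MaxAge and the method names are assumptions.
public static class FreshLoginCheck
{
    // Longest gap allowed between the user actively authenticating at the
    // Provider and the assertion arriving here.
    static readonly TimeSpan MaxAge = TimeSpan.FromSeconds(30);

    // Outbound: request a fresh login, exactly as in the question.
    public static IAuthenticationRequest RequestFreshLogin(IAuthenticationRequest request)
    {
        request.AddExtension(new PolicyRequest { MaximumAuthenticationAge = TimeSpan.Zero });
        return request;
    }

    // Inbound: accept the assertion only if the Provider reports an auth_time
    // inside the window. Fails closed when the Provider sent no PAPE response,
    // because then nothing says the password was re-entered.
    public static bool IsFreshAuthentication(IAuthenticationResponse response, DateTime nowUtc)
    {
        if (response == null || response.Status != AuthenticationStatus.Authenticated)
        {
            return false;
        }
        PolicyResponse pape = response.GetExtension<PolicyResponse>();
        if (pape == null || !pape.AuthenticationTimeUtc.HasValue)
        {
            return false; // Provider ignored PAPE entirely
        }
        // A slightly negative age only means clock skew between the two hosts.
        TimeSpan age = nowUtc - pape.AuthenticationTimeUtc.Value;
        return age <= MaxAge;
    }
}

// Usage in the MVC action that handles the return URL (assumed controller code):
//
//   IAuthenticationResponse response = new OpenIdRelyingParty().GetResponse();
//   if (!FreshLoginCheck.IsFreshAuthentication(response, DateTime.UtcNow))
//   {
//       // Provider reused its own session: do not issue a forms-auth ticket.
//       return View("LoginRequired");
//   }
//   FormsAuthentication.SetAuthCookie(response.ClaimedIdentifier, false);
```

This does not make Google prompt for a password; only the Provider controls that. What it does is stop the site from minting a new forms-auth ticket off an assertion that merely reused the Provider's existing session, which is the behaviour the question observed.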

How to control if a user logs in twice in Rails

Right now I am using Devise for an application and I don't want a user to log in twice; if they log in a second time, their previous session should be killed. This way the user can't log in with two browsers: for example, if they log in first with Firefox and then with Google Chrome, the Firefox session expires.
Something similar here: Can a session be shared between browsers from the same computer in rails?