I work at a consulting shop where we work on multiple site every day, most of them running ASP.NET MVC 3. We're running these sites locally during development using IIS Express, so we see something like "http://localhost:1234" for every site.
We're using forms authentication on all these sites, and we're seeing something odd when switching from one site to another. When I'm logged in to site A, and begin to browse site B, the HttpContext.Current.User property when debugging site B has the value we set it to from site A.
This only seems to happen on MVC sites. When I run a WebForms site on the same machine under IIS Express, HttpContext.Current.User is equal to a GenericPrincipal object. In other words, all Web Forms site seem to be isolated as far as authentication goes. What is different about MVC that makes these sites pick up on each other's auth information?
The name of the authentication cookie is probably the same for all sites and if they are all hosted on the same domain this cookie will be sent along each request. By default the cookie name is .ASPXAUTH. Thus if you are authenticated on Site A you will be automatically authenticated on Site B. The name of the cookie is defined in the forms section in web.config:
<forms loginUrl="~/Account/LogOn" timeout="2880" name="someCookieName" />
So try specifying different authentication cookie name for your sites.
Related
I am working on an asp.net mvc 5 project which is a sub domain based multi tenant saas application like t1.abc.com for tenant1 and t2.abc.com for tenant2.
I am trying to share the session across the sub domains for supper admins and I configured web config with root domain as
<httpCookies domain=".abc.com"/>
But it is not working, even after I login to abc.com when I go to t1.abc.com in the next tab still it prompts login page.
The session store is configured to point to the RedisSessionStateStore and the application is deployed in the azure cloud web apps.
Is there anything I am missing?
Finally I figured it out. I used owin middle ware so the solution is here in this link ASP.NET Identity Cookie across subdomains
I was deploying my asp MVC 5 web site in Azure Web Site. Everything was fine until I tried to manage my account (changging the password), it gave an error like this:
The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.
I was using Asp Identity, so all the code is built in. I have been searching the solution and found two possibilities:
1) It is because there are two #html.antiforgerytoken. One belongs to the MANAGE controller form, and the other belongs to the login partial view int he navigation bar. I tried to exclude the login partial view, but the error persisted, so I concluded that problem might not be it.
2) As the error says, maybe it is about MACHINE KEY. I tried to input setting to the web config. There are two popular ways to generate this machine key, fist is using ISS and the second is using third party. I wanted to use the ISS, but my ISS8 is not showing a modul to see the machine key which is weird that I could not find any solution for it. Then I tried the third party, and created something like this:
<machineKey validationKey="4359B782C08EF91E2AA6CA8AD46C0D63BF323E97ABAA06FBDA1535A1FA1CD2B7702B2BACDC937074ED65FC16D3ECA0F674BBAC8675910AF921D301CA22343AA1" decryptionKey="1A956B2A0405EC07AEBEFBA40DA7E61E2E17F001B868D7507EB3F3CD2AFF060E" validation="SHA1" decryption="AES" />
Then I redeployed my website but the error persisted. Can anyone please help me?
My solution is structured like this:
Web Project (Default, ASP.NET MVC)
API Project (ASP.NET MVC using WebAPI controllers)
When deployed to a server, the web project will be the root and the api project will live in root\api.
I am authenticating users in the web app using FormsAuthentication.SetAuthCookie("foo",false); and so of course within a controller of the web project I have no problem reading the cookie back (HttpContext.User.Identity.Name).
I would like to be able to do the same in my API project when an ajax request is made from a page in the web project so that I can check that the user is authenticated before remitting a service.
Is this possible?
Update
I followed this MSDN article for creating authentication across applications, and I still can not read my auth cookie in the API context. I am wondering if it is because I am running in local host while the Forms node in the web configs expect a domain name:
<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH"
protection="All"
path="/"
domain="contoso.com"
timeout="30" />
I tried setting the domain to localhost:XXXX but that didn't work either. The machine keys in both applications match.
I am going to have an ASP.net MVC web site (example.com) and a Web API site (api.example.com) running on the same domain. What is the best and most secure way to use Forms Authentication to allow a user to log in to the MVC site, and have that login accepted by the [Authorize] filter in the API site? Additionally, there is the possibility that both sites will be hosted on multiple servers (each of which might have its own subdomain), so a solution that would allow for a single sign on approach to work among all of the servers in the cluster would be preferred.
Take a look at this link http://www.codeproject.com/Articles/27576/Single-Sign-on-in-ASP-NET-and-Other-Platforms this covers the answer in detail.
You will need to ensure all machines and separate applications on the site share a common (but unique to production) machine key to allow the authentication cookies to be trusted by all the machines/applications.
If you are simply using virtual directories under the same sub domain then simply harmonising the web.conig Forms Auth settings and machine keys should get you up and running very quickly.
If you want this to work between a second level domain then you need to change the "Domain" setting on the Form's Auth cookie. See the article for details.
I have an MVC 3 website that is using Forms authentication. The user logins and navigates to a Silverlight 5 application. The Silverlight app is calling a Silverlight-Enabled WCF service on another port. Because one of my requirements is to use Https/SSL, I decided to move the WCF services into a "Services" folder in my MVC application.
To see if the service is working, I typed in the address of my service. I got an error message stating my service requires anonymous access, but the website is specified to use forms authentication. So, I removed my mexHttpBinding in my web.config for my service and added authenticationScheme="Negotiate" to my httpTransport of my binding. (I'm not to https yet).
Now, I get a 302 and am redirected to the log-in page. It seems that my service is suggesting i'm not logged in. So, I added
routes.IgnoreRoute("{resource}.svc/{*pathInfo}");
and
routes.IgnoreRoute("Services/");
but that hasn't made a difference. I think the service says i'm not authenticated, but I'm certain I am.
Can someone explain what I'm doing wrong?
All of this works when I debug on my localhost, but I can't access the service when I deploy to a server.
Edit
I may have found my answer. I turned on anonymous access for my website in IIS and changed the httpTransport's authenticationScheme to the default (Anonymous). I then added
<authorization>
<deny users="?"/>
</authorization>
along with
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
which seems to be requiring the user to be authenticated in order to access the service. I am now going to check my silverlight application to make sure it can reach the service and get/post data. This was all in a test application, so I'll have to change my real application accordingly. Then, I'll tackle ssl/https.
Does all this sound right?
EDIT 2
I had to ensure mex was enabled and aspNetCompatibilityEnabled was set to 'false' to get the conctracts to update in my silverlight app. But after updating my services, I set the aspNetCompatibilityEnabled to 'true', and everything appears to be working.
I hope I'm still headed down the right path...
I ended up setting up IIS to add the webservice as a website under the parent website. Then, I used the Location tag in the parent site's web.config to implement forms authentication on the webservice.