ASP.NET login to subdomain from parent domain - asp.net-mvc

I have an ASP.Net MVC site that has a subdomain for each customer e.g. customer1.site.com, customer2.site.com, etc.
Login works fine from customer1.site.com/login and customer2.site.com/login using the standard ASP.Net FormsAuthentication.
How can I login from the parent domain (e.g. site.com/login) where the user specifies the subdomain name in a form field? I'd like the auth cookie to be stored against customer1.site.com or customer2.site.com so obviously need to redirect and repost the login form somehow.

You need to set the forms auth cookie domain to ".site.com" (note the leading .).
See here for setting the cookie domain: http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.cookiedomain(v=VS.100).aspx

I ended up solving this by splitting this into two separate pages. On the first page the user can enter the subdomain name (e.g. customer1) only in a form, on submitting the form they are redirected to the subdomain login page (e.g. customer1.site.com/login).
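The two-page approach described above builds a redirect host from user input, so the first page should accept only a bare, known subdomain label. The following is an added example, not code from the original post; the controller name, the `Choose` action and its view, and the hard-coded tenant list are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Web.Mvc;

public class TenantController : Controller
{
    // Assumption: placeholders. A real site would read the parent domain from
    // configuration and look tenants up in its own customer store.
    private const string ParentDomain = "site.com";
    private static readonly HashSet<string> KnownTenants =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "customer1", "customer2" };

    // A single DNS label: letters, digits and inner hyphens, 1 to 63 characters.
    private static readonly Regex Label =
        new Regex(@"\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z", RegexOptions.IgnoreCase);

    [HttpGet]
    public ActionResult Choose()
    {
        return View();
    }

    [HttpPost]
    public ActionResult Choose(string subdomain)
    {
        string name = (subdomain ?? string.Empty).Trim();

        // Reject anything that is not a bare label (dots, slashes, '@', whitespace)
        // or not a known tenant, so the form cannot redirect to an arbitrary host.
        if (!Label.IsMatch(name) || !KnownTenants.Contains(name))
        {
            ModelState.AddModelError("subdomain", "Unknown site name.");
            return View();
        }

        // The host is assembled from validated parts only; no credentials are
        // posted here, the user signs in on the subdomain's own /login page.
        var target = new UriBuilder(Uri.UriSchemeHttps, name.ToLowerInvariant() + "." + ParentDomain)
        {
            Path = "/login"
        };
        return Redirect(target.Uri.AbsoluteUri);
    }
}
```

Because the password is only ever entered on customer1.site.com/login, the auth cookie stays scoped to that subdomain rather than to the whole of .site.com.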

Related

Mvc4 set user as logged in when user info is found in the session

I am working on a new MVC4 site, and am using MVC4 forms authentication.
The users of the site expect to be able to log in to the company's main site and click on a link and go to this new site I am developing. The old site stores the logged-in user in a session variable. Is it possible for me to check if the session variable exists and log the user in to my forms authentication? Or will they need to log in again?
Make the same machineKey section in your web.config in system.web like this:
<system.web>
    <machineKey validationKey="SAME_KEY_GOES_HERE" ... />
    ...
You can generate machineKey here.
Then your goal is to pass all the authentication cookies from one website to another. I think you can store them in a database, and provide authenticated users with a unique link to your new website. The new website can read the key from the database, and set cookie values obtained from the existing website. After that, the user will be authenticated on your new website.
Update:
There could be an easier and a little bit less secure way of doing this. Don't keep cookie data in the database, just create a form on the first website with a post action. This form must contain all authentication cookies in hidden values. The action of the form must point to your second website. On the second website, you just need to place the submitted form values into cookies. That's it! Much easier! (yep, and you need the same machine key)
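The machineKey values that both sites must share can be generated locally and then checked for drift between the two web.config files. This is an added example, not code from the answer above; the class and method names are assumptions, and the key sizes (64-byte validation key, 24-byte decryption key) are one valid choice.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Xml.Linq;

public static class MachineKeyTool
{
    // Returns byteCount cryptographically random bytes as upper-case hex.
    public static string RandomHex(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var hex = new StringBuilder(byteCount * 2);
        foreach (byte b in bytes) hex.Append(b.ToString("X2"));
        return hex.ToString();
    }

    // 64-byte validation key and 24-byte AES decryption key (128 and 48 hex characters).
    public static string NewMachineKeyElement()
    {
        return string.Format(
            "<machineKey validationKey=\"{0}\" decryptionKey=\"{1}\" validation=\"SHA1\" decryption=\"AES\" />",
            RandomHex(64), RandomHex(24));
    }

    // True when both web.config files carry the same machineKey settings.
    // Assumes <configuration><system.web><machineKey .../> without an XML namespace.
    public static bool SameMachineKey(string pathA, string pathB)
    {
        XElement a = Find(pathA), b = Find(pathB);
        if (a == null || b == null) return false;
        foreach (string name in new[] { "validationKey", "decryptionKey", "validation", "decryption" })
            if (!string.Equals((string)a.Attribute(name), (string)b.Attribute(name),
                               StringComparison.OrdinalIgnoreCase)) return false;
        return true;
    }

    private static XElement Find(string path)
    {
        XElement web = XDocument.Load(path).Root.Element("system.web");
        return web == null ? null : web.Element("machineKey");
    }

    public static void Main(string[] args)
    {
        if (args.Length == 2) Console.WriteLine(SameMachineKey(args[0], args[1]) ? "match" : "MISMATCH");
        else Console.WriteLine(NewMachineKeyElement());
    }
}
```

Run it with no arguments to print a fresh element, or with two web.config paths to compare them without echoing the keys. The generated values are secrets: anyone who holds them can produce tickets both sites will accept, so keep them out of source control and public posts.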

Custom forms authentication using login from parent domain

I have a parent MVC site that handles logins that has the domain mysite.com. This is basically the template MVC internet application out of the box - a user logs in, and it sets an .ASPXAUTH cookie with the domain .mysite.com.
I also have another MVC site that runs on the domain child.mysite.com. I intend to use custom forms authentication to authenticate the user from the cookie set by the parent. When I browse to child.mysite.com in Firefox, I can see the cookie set by the login site in Firebug, so I know the child site can access it, but I do not seem to be able to retrieve this cookie from my code in the child site.
I am implementing FormsAuthentication_OnAuthenticate in Global.asax, and I would have expected the cookie to be visible in Request.Cookies, but there are no cookies there.
How do I access the cookie set by the parent login site in FormsAuthentication_OnAuthenticate?
I think I've found the problem. The child site was finding the cookie, but when it tried to decrypt it, it was erroring, and therefore not authenticating fully. This code on the child site would throw an error:
void FormsAuthentication_OnAuthenticate(Object sender, FormsAuthenticationEventArgs e)
{
    var cookie = FormsAuthentication.Decrypt(Request.Cookies[FormsAuthentication.FormsCookieName].Value);
}
The error is 'Padding is invalid and cannot be removed' and is due to the fact that the child site cannot decrypt the cookie set by the parent site.
The answer is to set the machine key in system.web in web.config to be the same for both sites:
<machineKey
validationKey='241FF35BE3921690EBA492A89CC03719ECF5552D019448C44F8B28B01F546FCDC4AEDCD273380EB45BE8A49AFB9C14FE60BECF0B5ECBA4901C306875FED98DEA'
decryptionKey='864559FC58AC5FFB5B9581008552B4A873ACBE86469A81CB'
validation='SHA1'/>
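Even with matching keys, the child site will still receive cookies it cannot read (missing, tampered with, or issued before a key change), so the handler should treat a failed decrypt as an anonymous request rather than let it throw. The following is an added example, not the poster's code; the `MvcApplication` class name, the empty role list and the trace logging are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class MvcApplication : HttpApplication
{
    // Picked up by name from Global.asax for the forms authentication module.
    protected void FormsAuthentication_OnAuthenticate(object sender, FormsAuthenticationEventArgs e)
    {
        HttpCookie cookie = e.Context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return; // no ticket was sent: the request stays anonymous
        }

        FormsAuthenticationTicket ticket = TryDecrypt(cookie.Value);
        if (ticket == null || ticket.Expired)
        {
            return; // unreadable or stale ticket: anonymous, not an error page
        }

        // Roles are left empty here; a real site would load them from its own store.
        e.User = new GenericPrincipal(new FormsIdentity(ticket), new string[0]);
    }

    // Returns null instead of throwing when the cookie cannot be decrypted or validated.
    private static FormsAuthenticationTicket TryDecrypt(string value)
    {
        try
        {
            return FormsAuthentication.Decrypt(value);
        }
        catch (CryptographicException ex) { return Rejected(ex); } // e.g. "Padding is invalid"
        catch (ArgumentException ex) { return Rejected(ex); }      // malformed cookie value
        catch (HttpException ex) { return Rejected(ex); }          // validation failure
    }

    private static FormsAuthenticationTicket Rejected(Exception ex)
    {
        // Record the failure type only; the cookie value itself is never logged.
        System.Diagnostics.Trace.TraceWarning("Forms ticket rejected: {0}", ex.GetType().Name);
        return null;
    }
}
```

A burst of rejected tickets in the trace output after a deployment usually means the two sites' machineKey sections have drifted apart. The key values printed in the post above are public, so a real deployment needs its own freshly generated pair.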

MVC3 mixed forms and Windows authentication

I currently have an intranet site that is accessed by external customers. I therefore set this up using Forms Authentication. However the powers that be (my bosses) want all our domain users to not have to enter their username and password to access the site.
I've done a bit of reading and everything seems to point to setting up a WinLogin.aspx page that you alter to use Windows Authentication and then redirect from there.
I have a problem with this as I don't like the idea of putting an aspx form in my mvc application.
Can anyone tell me how to achieve mixed authentication using a strictly MVC Controller/Action setup without a second application?
NOTES: running MVC 3 on an IIS 7 box.
Forms Authentication is not related to the URL or physical structure of your files. What matters is that a URL should ultimately map to a physical (or virtual) resource on the server, and be processed, and be returned back to the user.
Thus, somewhere in between for each incoming call (each HTTP request, even those for CSS and JavaScript files), you have to see if the current user has enough permission to access it or not. If not, then you might redirect him to the login page.
If you want, you can have a URL like /user/windowslogin where user is the name of the controller, and windowslogin is the name of your action method. Then you can create a custom authentication attribute (something like [WindowsAuthentication]) on your windowslogin action, and in that attribute (which is an MVC filter in essence), you can see if the current request comes from within your domain, and if so, talk to Active Directory for authentication or stuff like that, and in case of successful authentication, create an authentication cookie using the FormsAuthentication class, and the rest of the story.
However, I don't think this would be an easy task. Others might introduce better solutions.

How To Create Global Filter in asp.net mvc 3

After my login my site URL (mock URL) is http://mysubdomain.Domain.com/Dashboard. When I added http://www.mysubdomain.Domain.com/Dashboard it redirects to my login page. How can I avoid this using a Global Filter?
First of all, check that your domain has support for wildcards.
If you use forms-based authentication, then there is an issue related to the FormsAuthentication cookie domain.
That cookie has to have a domain like "*.domain.com".
In web.config:
<httpCookies domain=".domain.com"/>

Session issue when cookies are disabled in asp.net mvc

Whenever cookies are disabled in my browser and I then try to log in on the login page, it is unable to create a session and so I am unable to log in to the system. Then I change the cookie setting to
<sessionState cookieless="true" timeout="20" />
in my web.config and then try to log in. The POST action of the login function is not called; whenever I input a username and password and submit it, it calls the simple login action instead of the POST one. What is the issue?
You shouldn't confuse session with authentication. If you are using Forms Authentication a separate cookie will be used to track authenticated users. Here's a good article explaining how to enable cookieless forms authentication. You could set the cookieless attribute on the <forms> element.
Quote:
"I'm not using forms authentication; instead I have built my own login mechanism. I just want to log in the user whenever cookies are disabled in the user's browser"
End Quote
That's the problem with rolling your own login: you lose all the benefits of using Membership Providers. You should cast your "own login mechanism" into a custom membership provider so that you can benefit from what ASP.NET provides out of the box.
Writing a custom membership provider is not difficult, and there are loads of articles, samples and blogs on the subject.
4guysfromrolla.com, for example, has a series of articles dedicated to the ASP.NET membership provider.
