asp.net mvc authentication cookie issue - asp.net-mvc

I'm trying to implement a "remember me" feature using ASP.NET MVC. It uses a customized authentication process as defined below.
Web.config:
<authentication mode="Forms">
<forms loginUrl="/Account/Login" defaultUrl="/Home/MyAccount" timeout="43200"/>
</authentication>
Code to persist cookie:
public void SignIn(string userName, bool createPersistentCookie) {
int timeout = createPersistentCookie ? 525600 : 120; // Timeout in minutes, 525600 = 365 days.
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(userName, createPersistentCookie, timeout);
string encrypted = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
cookie.Expires = System.DateTime.Now.AddMinutes(timeout);
HttpContext.Current.Response.Cookies.Add(cookie);
FormsAuthentication.SetAuthCookie(userName, createPersistentCookie);
}
Code to retrieve cookie:
if (System.Web.HttpContext.Current.Request.Cookies.AllKeys.Contains(FormsAuthentication.FormsCookieName)) {
cookie = System.Web.HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
}
The current code checks for Session for authentication. I'd like to add the ability to get the userName from cookie as well. I have 2 questions:
What do I need to do in order to retrieve the cookie?
How do I decrypt the cookie to obtain the userName?

To get the cookie:
HttpCookie cookie = HttpContext.Current.Request.Cookies.Get(FormsAuthentication.FormsCookieName);
Decrypt it with:
FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
var userName = ticket.UserData

Related

asp.net mvc form authenticate lose cookie session

asp.net mvc project when publish, it always lose session after 15-20 minutes.
my global.asax
enter code protected void Application_Start()
{
AreaRegistration.RegisterAllAreas();
ModelBinders.Binders.Add(typeof(decimal), new DecimalModelBinder());
RouteConfig.RegisterRoutes(RouteTable.Routes);
BundleConfig.RegisterBundles(BundleTable.Bundles);
FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
}
protected void Application_PostAuthenticateRequest(Object sender, EventArgs e)
{
var authCookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
if (authCookie != null)
{
FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);
if (authTicket != null && !authTicket.Expired)
{
var roles = authTicket.UserData.Split(',');
HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(new FormsIdentity(authTicket), roles);
}
}
}
Login Method :
//clear any other tickets that are already in the response
Response.Cookies.Clear();
//set the new expiry date - to thirty days from now
DateTime expiryDate = DateTime.Now.AddDays(30);
//create a new forms auth ticket
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(2, login.EmailID, DateTime.Now, expiryDate, true, "Kullanici Bilgisi");
//encrypt the ticket
string encryptedTicket = FormsAuthentication.Encrypt(ticket);
//create a new authentication cookie - and set its expiration date
HttpCookie authenticationCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
authenticationCookie.Expires = ticket.Expiration;
authenticationCookie.HttpOnly = true;
//add the cookie to the response.
Response.Cookies.Add(authenticationCookie);
Please help me. Im control on google developer tools. I see timeout 2018 but session is always losing redirect to login page.
Web Config:
<authentication mode="Forms">
<forms cookieless="UseCookies" loginUrl="~/user/login" slidingExpiration="true"></forms>
</authentication>

Logging out of Webforms Authentication dos not remove the authentication on the server

I use the out of the box webforms authentication.
After a request to "Logout" and using:
FormsAuthentication.SignOut();
The user is logged out by removing the cookie ".aspxauth" from the client browser.
This works as expected.
Our site got security audited and the auditor claimed that the authentication token does not get deleted from the server when the user logs out.
I can reproduce this behaviour using Fiddler.
I log in to the site and copy the cookie ".aspxauth"
I log out: the cookie is deleted on the client and I dont have access to secured pages anymore
I send a request to the site using fiddler composer using the prevously copied cookie "aspxauth". I can access secured pages with that cookie.
The expected result would be that if I log out I can not access secured pages by providing the old aspxauth cookie.
Is there a way to invalidate the old aspxauth cookie on the server?
I solved this by storing a salt value in the Auth-cookie that gets also saved in the Database for the user when he loggs in.
On each request there is a check if the salt in the auth cookie is the same as the one from the database. If not the user gets logged out.
If the User loggs out the salt gets deleted from the Database and the old auth - cookie cant be used anymore.
Store Salt when logging in
// Generate a new 6 -character password with 2 non-alphanumeric character.
string formsAuthSalt = Membership.GeneratePassword(6, 2);
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
orderAuthToken.EMail,
DateTime.Now,
DateTime.Now.AddMinutes(20),
ApplicationConfiguration.CreatePersistentCookie,
formsAuthSalt,
FormsAuthentication.FormsCookiePath);
// Encrypt the ticket.
string encTicket = FormsAuthentication.Encrypt(ticket);
Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));
UserInfo user = UserService.GetUser(orderAuthToken.EMail);
user.FormsAuthenticationCookieSalt = formsAuthSalt;
UserService.UpdateUser(user);
Check the salt in a filter you decoryte alle actions with
public class CheckFormsAuthenticationCookieSalt : ActionFilterAttribute
{
private readonly IUserService UserService = ObjectFactory.GetInstance<IUserService>();
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
if ( filterContext.HttpContext.Request.IsAuthenticated)
{
// Encrypt the ticket.
if (HttpContext.Current.Request.Cookies.AllKeys.Contains(FormsAuthentication.FormsCookieName))
{
var cookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
if (cookie != null)
{
FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
if (ticket != null)
{
string salt = ticket.UserData;
int userID = UserService.GetUniqueID(filterContext.HttpContext.User.Identity.Name, true, false, "MyAppName");
UserInfo user = UserService.GetUser(userID);
//for deployment: dont logg out existing users with no cookie
if (user.FormsAuthenticationCookieSalt != salt && user.FormsAuthenticationCookieSalt != "seed")
{
FormsAuthentication.SignOut();
filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary { { "action", "Index" }, { "controller", "Home" } );
}
}
}
}
}
base.OnActionExecuting(filterContext);
}
}

MVC external authentication with the [Authorize] attribute

A site authorizes through a separate system. Once the user is authorized, I want to store some additional information with their Auth cookie. I am able to do this using the code below.
var settings = new JsonSerializerSettings { ContractResolver = new CamelCasePropertyNamesContractResolver() };
var serialized = JsonConvert.SerializeObject(accountNumber, Formatting.None, settings);
var authTicket = new FormsAuthenticationTicket(1, "MyAuthTicket", DateTime.Now, DateTime.Now.AddMinutes(15),
false, serialized);
var encTicket = FormsAuthentication.Encrypt(authTicket);
var faCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket)
{
HttpOnly = true,
};
Response.Cookies.Add(faCookie);
However, when I try to hit a WebAPI method marked with [Authorize], I get a 401 Unauthorized error. What am I missing?
The following needs added to web.config:
<system.web>
<authentication mode="Forms">
</authentication>
<!-- other stuff -->
<system.web>

How to get forms authentication ticket to respecting cookie expiration date

I am having an issue where users of my website login sessions are expiring way before it should.
Here is my login method”
public ActionResult Login(LoginModel model, string returnUrl)
{
var mcookie = new MyCompanyCookie();
if (ModelState.IsValid)
{
using (var myRepo = new MyCompanyRepositry())
{
var passwordHash = MyCompany.Web.Portal.Helpers.Security.CreatePasswordHash(model.Password);
var userAccount = myRepo.GetMyCompanyUser(model.UserName,model.PartnerAccessCode);
if(userAccount != null && userAccount.Password == passwordHash && userAccount.PartnerAccessCode == model.PartnerAccessCode.ToUpper())
{
mcookie.GetMMformsauthentication(userAccount, model.RememberMe);
return RedirectToLocal(returnUrl);
}
else
{
ModelState.AddModelError("", "The user name,access code or password provided is incorrect.");
}
}
And forms authentication ticket:
public void GetMMformsauthentication(UserAccount useraccount, bool createPersistentCookie)
{
const string UnknownUsername = "anonymous";
// Composing UserData to be stored in the auth cookie
var userCookieData = new MarvMentUserCookieData()
{
UserId = useraccount.UserID,
Password = useraccount.Password,
PartnerAccessCode = useraccount.PartnerAccessCode
};
var ticket = new FormsAuthenticationTicket(1, string.IsNullOrEmpty(useraccount.UserID) ? UnknownUsername : useraccount.UserID, DateTime.Now,
DateTime.Now.AddDays(100), createPersistentCookie, userCookieData.ToString(), FormsAuthentication.FormsCookiePath);
var hashedCookie = FormsAuthentication.Encrypt(ticket);
HttpContext.Current.Response.Cookies.Remove(FormsAuthentication.FormsCookieName);
var authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, hashedCookie); // Hashed ticket
authCookie.HttpOnly = true;
authCookie.Expires = ticket.Expiration;
authCookie.Path = ticket.CookiePath;
authCookie.Secure = false;
HttpContext.Current.Response.SetCookie(authCookie);
}
}
And expiration settings inmy Web.config
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
Here you can see that the forms expiration settings is set 2880 minutes however users are beign logged out after around 5-10 minutes.
The cookie is set to expire in 100 days
Does anyone have and idea what may be causing this issue?
It looks issue is not with session in authentication tag. Just check what happens if cookies stuff is commented... If Session retained for more time, then focus on cookie stuff.

Asp.net mvc FormsAuthentication from a service

I'm looking at the nerddinner code and in their AuthenticationController, they have the following code:
if (String.IsNullOrEmpty(alias)) throw new ArgumentException("Value cannot be null or empty.", "alias");
FormsAuthenticationTicket authTicket = new
FormsAuthenticationTicket(1, //version
userdId.ToString(), // user name
DateTime.Now, //creation
DateTime.Now.AddMinutes(30), //Expiration
createPersistentCookie, //Persistent
alias); //since Classic logins don't have a "Friendly Name"
string encTicket = FormsAuthentication.Encrypt(authTicket);
this.Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));
My problem is that I want to move this code into a class that does not inherits from the Controller type. The problem with this is the last line of code where it sets the cookie; Response, which is specific to Controller.
How do I set encTicket to a cookie without having access to the controller? Is there a way to use FormsAuthentication class itself to d this?
You could have a method in your separate class which returns the cookie so that the only thing the controller has to do is add the cookie to the response. IMO cookie management (adding/deleting) is the responsibility of the controller:
var cookie = authService.CreateAuthCookie(userId, alias);
Response.AppendCookie(cookie);
This is how to add the encrypted ticket to the browser cookie without using a controller.
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket)
{
Expires = authTicket.Expiration,
Path = FormsAuthentication.FormsCookiePath
};
if (HttpContext.Current != null)
{
HttpContext.Current.Response.Cookies.Add(cookie);
}

Resources