ASP.NET MVC Forms Authentication Remember Me - asp.net-mvc

I have an ASP.NET MVC2 application, and I'm using FormsAuthentication to manage the auth cookie. When the cookie expires and the page is accessed, I need to display the username in the field and have Remember Me checked. How can I do this once the cookie has expired and I don't have access to it?

You don't by default. An expired cookie means the client is a completely new user to the system.
Possible solution: you might want to set a cookie with an expiration date in 2099 or something, and store the username in there after logging in. When a 'blank' user hits your authentication page, you can check whether the cookie exists, and prefill the username and the Remember Me checkbox.
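One way to do that in an MVC2 controller, as an added example that is not part of the original answer: the long-lived cookie carries only the username (never the password or anything that grants access), and it is cleared again when Remember Me is unticked. It assumes a LoginModel view model with Username, Password and RememberMe properties and the default Membership provider for the credential check.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example, not the answerer's code. Assumes a LoginModel view model with
// Username, Password and RememberMe properties, and the default Membership
// provider for credential checks.
public class AccountController : Controller
{
    // Long-lived cookie carrying only the username: it prefills the form but
    // grants no access by itself, so it is safe to keep around after the
    // forms-auth ticket has expired.
    private const string RememberUserCookie = "RememberUsername";

    [HttpGet]
    public ActionResult Login()
    {
        var model = new LoginModel();
        var remembered = Request.Cookies[RememberUserCookie];
        if (remembered != null && !string.IsNullOrEmpty(remembered.Value))
        {
            // The auth ticket may already have expired; this cookie survives it.
            model.Username = remembered.Value;
            model.RememberMe = true;
        }
        return View(model);
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model)
    {
        if (!ModelState.IsValid || !Membership.ValidateUser(model.Username, model.Password))
        {
            ModelState.AddModelError("", "Invalid username or password.");
            return View(model);
        }
        FormsAuthentication.SetAuthCookie(model.Username, model.RememberMe);

        // Set the far-future cookie when Remember Me is ticked, otherwise expire it.
        var remembered = new HttpCookie(RememberUserCookie)
        {
            Value = model.RememberMe ? model.Username : string.Empty,
            HttpOnly = true,                          // not readable from page script
            Secure = FormsAuthentication.RequireSSL,  // HTTPS-only when forms auth is
            Expires = model.RememberMe ? DateTime.Now.AddYears(10) : DateTime.Now.AddDays(-1)
        };
        Response.Cookies.Add(remembered);
        return RedirectToAction("Index", "Home");
    }
}
```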

Related

MVC login if cookie exist

I don't know much about web authorization, but there is one page which, after logging into it, gives the user a cookie named AUTH_WEBSITE, and this website redirects to my website, which is MVC. Now I would like to only check if this user has that auth cookie and, if they have, then I would like to authorize them in my website as well.
Now, I assume that checking cookies this way and giving admin rights based on a cookie is NOT safe because another user can create this cookie for himself, right? So what would be better?
And what is the best place in MVC to check if the user is already authorized or has this cookie, to avoid forcing the user to click the login button?
To solve this issue you can use 2 ways:
When you create your custom cookie, use encryption methods. Encrypt the user's role, password, even id, etc., so other people cannot decrypt them to create another legitimate cookie.
For security, the best way is to check whether the user exists in the system at the start of every action. In your Authorize attribute, take the values from the cookie and check the user; if it exists, continue, else alert that the cookie values are wrong.

MVC OWIN: Always require users to input credentials

I'm doing an MVC application which includes a form.
The form consists of a variable list of users (participants on a team).
For each user I would like them to fill out some information. If they are already registered they can choose to log in through FB or Google+ and the system will retrieve information about them automatically.
When the user logs in through e.g. Google, a cookie is saved on their computer. As long as the cookie is still active it will prevent any further credentials from being entered, as Google will just accept the cookie and not prompt for credentials. This will prevent other users (team members) from using this service.
Is it possible to force external login providers to ALWAYS require credentials (or perhaps a parameter which sets the expiry of the cookie)?
Thanks in advance.
Frederik

ActiveDirectoryMembershipProvider.ValidateUser with hashed password

I have an ASP.NET MVC web app which requires the user to login with their domain username and password by validating against ActiveDirectoryMembershipProvider.
On login I use ValidateUser(username, password) to validate the user's credentials, and I then set the forms auth cookie so that in future requests the user is not asked to enter their username and password again:
    FormsAuthentication.SetAuthCookie(m.Username, true);
This is fine, but I need to periodically re-validate the user to make sure their domain password has not changed, and I don't want them to have to enter their credentials again.
One way of doing this would just be to store the user's password in plain text in the session object, or perhaps encrypting it then later decrypting it. Then I could call ValidateUser once more, and log the user out if necessary.
In other web apps where I've rolled my own auth I would simply store a hash of the user's password and compare that to the hash stored in the database.
There doesn't appear to be a single method on ActiveDirectoryMembershipProvider which would let me do that.
What is the logical thing to do here?
The answer is to periodically (every 30 minutes or so) check User.IsApproved and User.LastPasswordChangedDate to make sure the user's credentials are still valid.
To do this you need to manually create the FormsAuthenticationTicket and cookie, rather than using FormsAuthentication.SetAuthCookie.
Put the date you validated the user inside UserData and compare this against LastPasswordChangedDate.
I've implemented this and it works perfectly.
More information here: Check if Active Directory password is different from cookie
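The ticket-plus-recheck pattern described in this answer, and the "verify the user at the start of every action from inside the Authorize attribute" advice from the AUTH_WEBSITE answer above, as one added example that is not the answerer's code. It assumes ActiveDirectoryMembershipProvider is the configured default Membership provider, so Membership.GetUser() returns the domain account; the 30-minute interval and the TicketMinutes constant are illustrative values.

```csharp
using System;
using System.Globalization;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example (not the answerer's code); assumes ActiveDirectoryMembershipProvider is the default provider.
public static class AdTicket
{
    private const int TicketMinutes = 30;   // keep in step with the forms timeout in web.config

    // Build the ticket by hand so UserData can carry the validation time (UTC, round-trip format).
    public static void Issue(HttpResponseBase response, string username, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(1, username, DateTime.Now,
            DateTime.Now.AddMinutes(TicketMinutes), persistent,
            DateTime.UtcNow.ToString("o"), FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true, Secure = FormsAuthentication.RequireSSL, Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }
}

public class RevalidateAdUserAttribute : AuthorizeAttribute
{
    private static readonly TimeSpan Recheck = TimeSpan.FromMinutes(30);

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false;
        var identity = httpContext.User.Identity as FormsIdentity;
        if (identity == null) return false;

        DateTime validatedAt;
        bool parsed = DateTime.TryParseExact(identity.Ticket.UserData, "o", CultureInfo.InvariantCulture,
                                             DateTimeStyles.RoundtripKind, out validatedAt);
        if (parsed && DateTime.UtcNow - validatedAt < Recheck) return true;   // checked recently enough

        // Stale or unreadable stamp: ask AD again. A password change after validatedAt,
        // a disabled account or a lockout ends the session.
        var user = parsed ? Membership.GetUser(identity.Name) : null;
        if (user == null || !user.IsApproved || user.IsLockedOut
            || user.LastPasswordChangedDate.ToUniversalTime() > validatedAt)
        { FormsAuthentication.SignOut(); return false; }

        AdTicket.Issue(httpContext.Response, identity.Name, identity.Ticket.IsPersistent);  // restart the clock
        return true;
    }
}
```

Call AdTicket.Issue() after ValidateUser() succeeds instead of SetAuthCookie(), and decorate controllers with [RevalidateAdUser] in place of [Authorize].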

Storing user state in session

Excuse the extremely newbie question...
Once I have verified the user's login credentials, where should I store the state for whether a user is logged in or not?
Once you have validated that your user is OK according to the backend, you can make ASP.NET set an authentication cookie for the user in the response by doing a FormsAuthentication.SetAuthCookie(username, persistent).
From then on, ASP.NET will decrypt that cookie in requests and extract the username from it, giving you access to it via HttpContext.Current.User.
To me, it sounds like this is what you're looking for.
You don't normally need to store this state yourself. If you are using one of ASP.NET's built-in authentication mechanisms (e.g. Forms Auth) you can simply check Request.IsAuthenticated.

How to implement [save password] in the login page with spring security 3

How to store the login form's values in cookies with Spring Security 3.
Customer requirement:
If you check the [save password] checkbox on the login page, next time the password will be filled in automatically.
I think I must store the checkbox value when authorization succeeds.
And at the next login, if the cookie's flag is true, I will fill in the password.
But I don't know how to code it. Please help me, thank you very much.
Another question: I didn't add a remember-me element in the XML file.
Why does it still remember me?
I think you should talk to the customer. A save-password option is a bad idea from a web security perspective.
Spring Security supports remember-me authentication, which allows a user to visit a protected website if he has logged in earlier and has not logged out. It does this by using a cookie, but not one containing the password.
Spring Security is not going to help you here. The remember-me functionality in Spring Security is for automatically logging the user in and will not work to prefill the password value in the login form. You can customize a filter or loginSuccessHandler to add your own cookie. Please also see How should I store a user's LDAP password in a cookie? and similar posts on this site that recommend other ways to implement this instead of directly exposing the password (even an encrypted one) in a cookie.