Session issue when cookies are disabled in asp.net mvc - asp.net-mvc

Whenever cookies are disabled in my browser and I then try to log in on the login page, it is unable to create a session, and so I am unable to log in to the system. I then changed the cookie setting to
<sessionState cookieless="true" timeout="20" />
in my web.config and tried to log in again. Now the Post action of the login function is not called: whenever I enter a username and password and submit, it calls the simple Login action instead of the Post one. What is the issue?

You shouldn't confuse session with authentication. If you are using Forms Authentication a separate cookie will be used to track authenticated users. Here's a good article explaining how to enable cookieless forms authentication. You could set the cookieless attribute on the <forms> element.

Quote:
"I'm not using forms authentication; instead I have built my own login mechanism. I just want to log the user in whenever cookies are disabled in the user's browser"
End Quote
That's the problem with rolling your own login: you lose all the benefits of using Membership Providers. You should cast your "own login mechanism" into a custom membership provider so that you can benefit from what ASP.NET provides out of the box.
Writing a custom membership provider is not difficult, and there are loads of articles, samples and blogs on the subject.
4guysfromrolla.com, for example, has a series of articles dedicated to the ASP.NET membership provider.

Related

IdentityServer3: Can it be used "side by side" with existing users/authentication?

I'm new to SSO, so hopefully what I'm asking makes sense. So my current setup is a .NET MVC website using OWIN/cookies (app.UseCookieAuthentication()) and a custom user table (not ASP.NET Identity users).
So I'm wondering if I could add IdentityServer3 only for external providers, but leave all my existing user/authentication stuff as is for "local users". So I see that you can implement a custom IUserService to lookup users against your local database, and I think I got that working, but I'd like to even avoid that. And I'd like to avoid themeing the IdentityServer login screen. So something like this:
User hits up page with [Authorize] attribute.
User is redirected to my existing login page (not IdentityServer stuff)
Then my login page would have the external provider button(s) to login with external providers.
Is that possible? Or do you have to run your local users through IdentityServer3 also? I noticed I get an error if you don't provide an IUserService and don't use UseInMemoryUsers() either.
So from following various guides, I have this in my Startup.cs: app.UseIdentityServer(), app.UseCookieAuthentication(), and app.UseOpenIdConnectAuthentication() with Authority set to my IdentityServer endpoint.
Hopefully that made sense, Thanks!
Gonna answer my own question if it helps anyone else. The important piece here is AuthenticationMode in OpenIdConnectAuthenticationOptions. AuthenticationMode.Active is what will redirect the user to your OIDC provider anytime they hit an action with [Authorize]. AuthenticationMode.Passive will allow you to use your OIDC provider as an additional authentication method. You want to follow the examples with ExternalLogin() and ExternalLoginCallback() controller actions that issue challenges to the provider and then match the authenticated user with your local user.
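The wiring the answer above describes, written out as an added example (not code from the question or the answerer): two cookie middlewares, the OIDC middleware in Passive mode, and the ExternalLogin/ExternalLoginCallback pair. The authentication type names ("ApplicationCookie", "ExternalCookie", "oidc"), the IdentityServer URL, client id, and the LocalUsers lookup are assumptions; the in-memory link table stands in for the site's custom user table.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    public const string AppCookie = "ApplicationCookie";   // the site's existing local-user cookie (assumed name)
    public const string ExternalCookie = "ExternalCookie"; // temporary cookie carrying the OIDC identity (assumed name)
    public const string Oidc = "oidc";                     // name used when issuing the challenge (assumed)

    public void Configuration(IAppBuilder app)
    {
        // Active: an unauthenticated request to an [Authorize] action goes to the site's own login page.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = AppCookie,
            AuthenticationMode = AuthenticationMode.Active,
            LoginPath = new PathString("/Account/Login"),
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always
        });

        // Passive: only written when the OIDC middleware signs in; it never redirects on its own.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = ExternalCookie,
            AuthenticationMode = AuthenticationMode.Passive,
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always
        });

        // Passive: IdentityServer3 is contacted only when a controller issues an explicit Challenge.
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            AuthenticationType = Oidc,
            AuthenticationMode = AuthenticationMode.Passive,
            Authority = "https://idsrv.example.com/identity", // assumed IdentityServer3 endpoint
            ClientId = "mvc-client",                          // assumed client registration
            RedirectUri = "https://app.example.com/",         // assumed
            ResponseType = "id_token",
            Scope = "openid profile",
            SignInAsAuthenticationType = ExternalCookie
        });
    }
}

public class AccountController : Controller
{
    // The existing local login page carries a "Log in with ..." button that posts here.
    [HttpPost, ValidateAntiForgeryToken, AllowAnonymous]
    public ActionResult ExternalLogin(string returnUrl)
    {
        var props = new AuthenticationProperties
        {
            RedirectUri = Url.Action("ExternalLoginCallback", "Account", new { returnUrl })
        };
        HttpContext.GetOwinContext().Authentication.Challenge(props, Startup.Oidc);
        return new HttpUnauthorizedResult(); // the 401 is what the passive OIDC middleware acts on
    }

    [AllowAnonymous]
    public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
    {
        var auth = HttpContext.GetOwinContext().Authentication;
        var external = await auth.AuthenticateAsync(Startup.ExternalCookie);
        if (external == null || external.Identity == null) return RedirectToAction("Login");

        // Match on the provider's stable subject id (the JWT handler maps "sub" to NameIdentifier
        // by default), never on email or display name, which the user can change at the provider.
        var sub = external.Identity.FindFirst(ClaimTypes.NameIdentifier)
                  ?? external.Identity.FindFirst("sub");
        var user = sub == null ? null : LocalUsers.FindByExternalId(sub.Issuer, sub.Value);
        if (user == null) return RedirectToAction("Login"); // or send to an account-linking page

        auth.SignOut(Startup.ExternalCookie); // the temporary cookie has done its job
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),
            new Claim(ClaimTypes.Name, user.UserName)
        }, Startup.AppCookie);
        auth.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);

        // Only follow local return URLs; accepting an absolute returnUrl here is an open redirect.
        return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }
}

public class LocalUser { public int Id; public string UserName; }

public static class LocalUsers
{
    // Constructed sample link table (issuer|subject -> local user); a real site queries its user table.
    private static readonly Dictionary<string, LocalUser> Links = new Dictionary<string, LocalUser>
    {
        { "https://idsrv.example.com/identity|818727", new LocalUser { Id = 42, UserName = "alice" } }
    };

    public static LocalUser FindByExternalId(string issuer, string subject)
    {
        LocalUser u;
        return Links.TryGetValue(issuer + "|" + subject, out u) ? u : null;
    }
}
```

The point of the two Passive registrations is that nothing in the pipeline redirects to IdentityServer unless ExternalLogin asks for it, so local-user logins keep hitting the existing Login page untouched.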

Basic authentication in project using Cookie Authentication

I have an MVC project using Cookie Authentication, but I want a single action to use basic authentication.
My problem is, that if the basic authentication fails, the user is redirected to the login page, specified in the cookie setup, instead of being issued a challenge.
My basic authentication code is from this page: http://www.ryadel.com/en/http-basic-authentication-asp-net-mvc-using-custom-actionfilter/
How do I prevent this redirect?
Adding the line:
filterContext.HttpContext.Request.Headers.Add("X-Requested-With", "XMLHttpRequest");
to the authentication attribute, will prevent the server from returning the login page.
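The X-Requested-With trick works only because the OWIN cookie middleware's default redirect logic skips requests that look like AJAX. As an added example (not the code from the linked page or the answer), here is an authentication filter that returns a genuine 401 with a WWW-Authenticate challenge, and the two ways to keep it from being turned into a 302: SuppressFormsAuthenticationRedirect for FormsAuthenticationModule, and an OnApplyRedirect hook for the OWIN cookie middleware. The realm, the credentials, and the "/api/basic" path are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web.Mvc;
using System.Web.Mvc.Filters;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;

// Put on the one action that must use HTTP Basic. A failed check yields a real 401 plus a
// WWW-Authenticate header instead of a redirect to the cookie login page.
public class BasicAuthOnlyAttribute : FilterAttribute, IAuthenticationFilter
{
    private const string Realm = "api"; // assumed realm
    // Constructed credentials for the example; a real site loads these from configuration.
    private const string ExpectedUser = "svc-user";
    private const string ExpectedPassword = "correct horse battery staple";

    public void OnAuthentication(AuthenticationContext ctx)
    {
        string user;
        if (TryParse(ctx.HttpContext.Request.Headers["Authorization"], out user))
        {
            ctx.Principal = new GenericPrincipal(new GenericIdentity(user, "Basic"), new string[0]);
            return;
        }
        ctx.Result = new HttpUnauthorizedResult(); // short-circuits: the action never runs
    }

    public void OnAuthenticationChallenge(AuthenticationChallengeContext ctx)
    {
        if (!(ctx.Result is HttpUnauthorizedResult)) return;
        var response = ctx.HttpContext.Response;
        response.AppendHeader("WWW-Authenticate", "Basic realm=\"" + Realm + "\"");
        // FormsAuthenticationModule (ASP.NET 4.5+) would otherwise rewrite this 401 into a 302 to loginUrl.
        response.SuppressFormsAuthenticationRedirect = true;
    }

    // Parses "Basic base64(user:pass)" and checks both parts in constant time.
    private static bool TryParse(string header, out string user)
    {
        user = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.Ordinal)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; }
        int colon = decoded.IndexOf(':');
        if (colon <= 0) return false;
        string u = decoded.Substring(0, colon), p = decoded.Substring(colon + 1);
        bool ok = FixedTimeEquals(u, ExpectedUser) & FixedTimeEquals(p, ExpectedPassword); // non-short-circuit on purpose
        if (ok) user = u;
        return ok;
    }

    // Hash both sides so the comparison time depends neither on length nor on the first mismatch.
    private static bool FixedTimeEquals(string a, string b)
    {
        using (var sha = SHA256.Create())
        {
            byte[] x = sha.ComputeHash(Encoding.UTF8.GetBytes(a));
            byte[] y = sha.ComputeHash(Encoding.UTF8.GetBytes(b));
            int diff = 0;
            for (int i = 0; i < x.Length; i++) diff |= x[i] ^ y[i];
            return diff == 0;
        }
    }
}

// If the project uses app.UseCookieAuthentication, the 401 -> 302 conversion happens in OWIN,
// outside MVC, so exempt the Basic-only path there instead of faking an AJAX request.
public static class CookieSetup
{
    public static CookieAuthenticationOptions Options()
    {
        return new CookieAuthenticationOptions
        {
            AuthenticationType = "ApplicationCookie",          // assumed name
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                OnApplyRedirect = c =>
                {
                    if (!c.Request.Path.StartsWithSegments(new PathString("/api/basic"))) // assumed path
                        c.Response.Redirect(c.RedirectUri);
                }
            }
        };
    }
}
```

Decorate the action with [BasicAuthOnly] and, for the OWIN case, register the cookie middleware with app.UseCookieAuthentication(CookieSetup.Options()). Only use this over HTTPS; Basic sends the credentials base64-encoded, not encrypted.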

Mvc4 set user as logged in when user info is found in the session

I am working on a new MVC4 site, and am using MVC4 forms authentication.
The users of the site expect to be able to log in to the company's main site and click on a link to go to this new site I am developing. The old site stores the logged-in user in a session variable. Is it possible for me to check if the session variable exists and log the user in to my forms authentication? Or will they need to log in again?
Make the same machineKey section in your web.config in system.web like this:
<system.web>
<machineKey validationKey="SAME_KEY_GOES_HERE" ... />
...
You can generate machineKey here.
Then your goal is to pass all the authentication cookies from one website to another. I think you can store them in a database, and provide authenticated users with a unique link to your new website. The new website can read the key from the database, and set cookie values obtained from the existing website. After that, the user will be authenticated on your new website.
Update:
There could be an easier and a little less secure way of doing this. Don't keep cookie data in the database; just create a form on the first website with a post action. This form must contain all authentication cookies in hidden values. The action of the form must point to your second website. On the second website, you just need to place the submitted form values into cookies. That's it! Much easier! (Yep, and you need the same machine key.)
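The shared-machineKey handoff the answer above sketches, as an added example (not the answerer's code): the old site mints a short-lived forms ticket and posts it in a hidden field, the new site decrypts it under the same machineKey and only then issues its own cookie. Because FormsAuthentication.Encrypt both encrypts and MACs the ticket, the browser that carries the value through the form can neither read nor alter it. The 30-second lifetime, the "handoff-v1" marker and the Handoff/Accept route are assumptions.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Security;

// Both sites must carry the same <machineKey validationKey/decryptionKey> in web.config.
public static class Handoff
{
    public const int LifetimeSeconds = 30;      // enough for one redirect, short enough to limit replay
    private const string Marker = "handoff-v1"; // assumed: keeps an ordinary login ticket from being accepted here

    // Old site: call only for a user who is already logged in there, and put the result in the hidden field.
    public static string Issue(string userName)
    {
        var now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(1, userName, now, now.AddSeconds(LifetimeSeconds), false, Marker);
        return FormsAuthentication.Encrypt(ticket);
    }

    // New site: validate what was posted. Anything not produced under the same key fails to decrypt.
    public static bool TryAccept(string encrypted, out string userName)
    {
        userName = null;
        if (string.IsNullOrEmpty(encrypted)) return false;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(encrypted); }
        catch (Exception) { return false; } // bad MAC, wrong key or garbage: all treated alike
        if (ticket == null || ticket.Expired || ticket.UserData != Marker) return false;
        userName = ticket.Name;
        return true;
    }
}

public class HandoffController : Controller
{
    // Old site's form (assumed markup):
    //   <form method="post" action="https://new.example.com/Handoff/Accept">
    //     <input type="hidden" name="token" value="@Handoff.Issue(User.Identity.Name)" />
    //     <input type="hidden" name="returnUrl" value="/" />
    //     <button type="submit">Go to the new site</button>
    //   </form>
    [HttpPost, RequireHttps]
    public ActionResult Accept(string token, string returnUrl)
    {
        string user;
        if (!Handoff.TryAccept(token, out user)) return new HttpUnauthorizedResult();

        // Issue this site's own auth cookie for the verified name; never copy the posted value into a cookie.
        FormsAuthentication.SetAuthCookie(user, false);
        return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }
}
```

The Accept action is a cross-site POST by design, so the encrypted ticket is the only thing authorising it; keep the lifetime short, require HTTPS on both ends, and note that the ticket can be replayed within its window unless the new site also records the ones it has already consumed.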

MVC: logged in, but no session vars?

I use chrome as debugging browser.
When I start my MVC (Razor) website, click the stop button and the website keeps running in Chrome while I can make changes in VS ... perfect.
But sometimes (due to I don't know what changes), when I refresh a page, I'm still logged in, but I lose all my session vars.
How can I catch it if the session vars are cleared, so I can take my users back to the login page? (I need a kind of global.asax page_request method.)
I do have the .. <forms loginUrl="~/Account/LogOn" timeout="2880" /> ... but I'm not logged out - only the session vars are cleared.
It's because your login state is persisted in a client cookie. The session state is persisted on the server in memory (or whatever). When your app restarts the session is cleared but the user still has a valid forms authentication token (assuming forms authentication here) on their machine. Forms authentication doesn't use session in any way by default.
So, at the beginning of the request, you can either reload the user session from the database when it's null (I think this is the preferred approach if possible) or redirect the user to the login screen with a message saying "ooops, sorry we've lost your session" (which is not good!)
If you use the built-in Authorization functionality, you can just add the [Authorize] attribute. There's some info on using custom authentication here:
ASP.NET MVC Authorization
Lee Gunn explained it well. One solution would be to create a custom filter attribute similar to Authorize that verifies the session has the values you're expecting and decorate the appropriate controllers/actions.
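The filter the last two answers suggest, as an added example (not code from either answerer): it runs before every decorated action, and when the forms cookie is still valid but the session entry is gone it first tries to rebuild the entry, and signs the user out only when that fails. The session key, the UserProfile shape and the in-memory Store (standing in for the database) are assumptions.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;
using System.Web.Routing;
using System.Web.Security;

public class UserProfile { public int Id; public string DisplayName; }

// Ensures the server-side state the site relies on is present for an authenticated user,
// rebuilding it after an app restart or session timeout, or ending the login when it cannot.
public class RequireSessionProfileAttribute : ActionFilterAttribute
{
    public const string SessionKey = "UserProfile"; // assumed key

    // Constructed stand-in for the user store; a real site queries its database here.
    private static readonly Dictionary<string, UserProfile> Store = new Dictionary<string, UserProfile>
    {
        { "alice", new UserProfile { Id = 42, DisplayName = "Alice" } }
    };

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var http = filterContext.HttpContext;
        if (!http.User.Identity.IsAuthenticated) return; // [Authorize] deals with anonymous users
        if (http.Session[SessionKey] != null) return;    // normal case: nothing to do

        // Forms cookie is valid but session state is gone (app restart, pool recycle, session timeout).
        UserProfile profile;
        if (Store.TryGetValue(http.User.Identity.Name, out profile))
        {
            http.Session[SessionKey] = profile;          // preferred: rebuild silently from the database
            return;
        }

        // Cannot rebuild (user removed, data out of sync): end the login as well, so the cookie
        // and the missing session never disagree about who is logged in.
        FormsAuthentication.SignOut();
        http.Session.Abandon();
        filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
        {
            { "controller", "Account" }, { "action", "LogOn" }, { "returnUrl", http.Request.RawUrl }
        });
    }
}
```

Register it once with GlobalFilters.Filters.Add(new RequireSessionProfileAttribute()) in Global.asax, or decorate individual controllers; the LogOn action should still check the returnUrl it receives with Url.IsLocalUrl before following it.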

Session vs Cookie vs Custom IPrincipal

I'm working on a project where certain logged-in users have a dedicated page whose URL they can choose. When a user logs in I would like to display a link "View my page". I was just wondering what is the best way to store this, bearing in mind it needs to be accessible for as long as the user is logged in (the site has a remember-me feature as well). Would a session variable suffice? Or a cookie? Or a custom IPrincipal?
Many thanks
Matt
UPDATE:
What do you guys think of using the UserData string you can store with the authentication cookie? It seems to satisfy my requirements, but I can't say I know a lot about it.
Forms authentication (based on cookie) should be enough. Here you can read about using FormsAuthentication with custom IPrincipal:
ASP.NET 2.0 Forms authentication - Keeping it customized yet simple
This page is about how forms authentication works:
Explained: Forms Authentication in ASP.NET 2.0
When you use forms authentication, you have Authorize attribute to limit access to controllers and action. It works pretty well. Your own IPrincipal is not necessary. I wouldn't use Session, because it can be easily lost.
Thanks guys, however I have ended up using the UserData string that you can store along with the authentication cookie. This way I know the data will always be available while the user is authenticated. And since I only need to remember simple data (the users url), this seems like a good solution.
Anybody with the same problem can find more info here:
http://www.asp.net/learn/security/tutorial-03-cs.aspx (See step 4)
If what you mean is that you want to display a different custom URL for each user and you simply want to cache that URL then there's a few things to consider:
If you use a session value or a cookie then you need code for the possibility of the value not being present. Both the server session or the browser session could expire and the user could still be logged in.
If you use a cookie you could consider setting the cookie expiry to the same as the authentication cookie expiry but this still doesn't guarantee availability.
A cookie value will not be secure, it could be modified. A session value will be secure.
If you're using custom forms authentication then you could store the URL in the authentication cookie itself and then load it into a custom IPrincipal. I would advise against that as I don't feel it's the right place.
If you're just trying to cache the URL then as long as your code re-fetches the data when the value is not present then a session value or a cookie will be fine depending on the level of security required.
If I have read that wrong and you just want to show/hide a link depending on whether a user is authorized or not, you can simply use
<% if (User.Identity.IsAuthenticated) { %>
view my page
<% } %>
And have your MyPage action in your controller render the dedicated page for the user.
