asp.net mvc membership - caches login info and shows on different applications - asp.net-mvc

I've asked similar question here because I thought the problem was in my custom membership provider.
Then I tried this:
I created two NEW asp.net MVC applications. In first one, I registered as new user using default membership provider. I closed this application, opened second one and ran it. In this application I was also logged in as user I created in first application. Logging in as user from other application doesn't work, but caching is remembered on this site. Why is it so? Is it a bug?

I think this can be expected behaviour:
If you open localhost/app1 and localhost/app2 you are on the same domain. So its valid that the same cookie is sent. I am not shure if localhost:5050 localhost:5060 are considered as the same domain. But I guess thats the case.
If the same cookie is sent the Memebershipsystem will evaluate this as the same user. Thats expected behaviour.
If you want to have these 2 webs use different pools of users you have to create a new application in the Mebershipsystem and configure it in web.config.
This will not affect the behaviour of a production system, because the 2 web will be on a different domain. each domain is only allowed to access its own cookies.

Related

ASP.NET User.IsInRole() with trusted-domain memberships

I have a .NET Framework 4.7.2 MVC 5 site that is using Windows Authentication to authorise access to actions based on AD group membership. This works fine for a single domain, but we have domain trusts in place and ASP does not seem to resolve memberships from other domains.
e.g.
Two domains: Parent and Leaf
The site runs in the Parent domain, which has local security groups setup: SiteAccess-L.
SiteAccess-L contains a single member Leaf\SiteAccess-G, which in turn has our user Leaf\User.
When I dump the contents of HttpContext.User.Identity.Groups (casting through WindowsIdentity), I can see all the Leaf domain groups that the user is a member of, but not any of the Parent domain groups. This only happens for remote users, if I access the site locally, it seems to work.
Running a simple C# app on the desktop of the web server with the same user account and calling WindowsIdentity.GetCurrent() will bring me back both domain group membership.
Does anybody know what gives here, and how I access the full cross-domain group memberships in MVC? If I use GetCurrent() in MVC, I get the service-account that the application pool is running under.
Thanks.
I finally got a resolution to this, but I don't fully understand why.
The issue it seemed to be with an SPN. When accessing the web page through a URL such as http://mysite.parent/ and a SPN was in place for this host, the issue described would occur.
Removing the SPN resolved the issue and all groups were viewable by the site. This is clearly Keberos related, but my understanding isn't deep enough to categorically say for sure.
In the end, the SPN wasn't needed so it could be removed to resolve the issue. Reference: https://www.aligrant.com/web/blog/2020-09-28_iis__do_i_need_to_use_a_spn

Umbraco AD integration for an intranet

Im wanting to build an intranet that will use Domain (AD) authentication and let the user not have to login. So Ive been looking at the AD package here and digging into the details a bit, it seems you have to configure a user & password in the web.config. Then I seen this example, which is seems to simply be using the AD membership provider and isnt putting any hard-coded username and password in the config file. Are those two approaches even talking about the same thing?
I just need simple pass-through authentication based on the identity of the user passed in from the browser. The question also comes up as to under which context will requests be made when the user uploads a file, edits content etc. Will it be Network Service or the passed in identity?
Since you have specified umbraco 7 in your question, I think you are much better of pursuing the option in your second link.
The first link was written for Umbraco 4.11, and an awful lot has changed since then. Can't tell you if the second link will simply work out-of-the-box, but imo, you have a better chance of being successful.

ASP.NET MVC membership login for different domain

I am using one membership database for different domain. When I login in one domain, I want to automatically also perform a login for different domain in same browser.
Answer is no. Due to JavaScript Security, one cannot reads cookie set by others.
For example, www.mycompany.com cannot read cookie set by www.yoursite.com.
However, if those two websites are in different sub-domains, you can configure them to share the same cookie.
For example,
one.mycompany.com
two.mycompany.com
Note: ASP.Net offers Token Based Authentication, but you cannot use it with ASP.Net Membership.

Implementing single-sign on in ASP.Net Webforms and MVC

I have an existing WebForms application and we're now creating a new MVC application. They both authenticate using our own custom provider, using the same database.
I can successfully log in in each application separately using the same credentials, but what I now want is to implement a single-sign on (ie: if the user is already logged in in app1, app2 would automatically detect the user's settings and identify him as being logged in).
I have done my homework and read the references here, here and here, amongst others.
So far I have done the following:
Set the same machineKey on both sites:
Set the same forms auth on both sites:
Despite all of this, I haven't managed to get SSO working. I have managed 'Single-sign off', whereby when the user signs off one site, he's signed off from the other.
Is there anything I'm missing?
I would like a configuration-only solution, that does not require me to do any coding.
I am answering my own question just for closure's sake.
The reason why my my SSO was not working is because the main, existing website has its own cookie and session manager, and does not play by the rules of Forms authentication. It calls
FormsAuthentication.SignOut();
Shortly after login has completed.
I tried the configurations mentioned above with 3 different websites, a mixture of MVC and WebForms, different pipelines (integrated vs classic), with our custom membership provider, and it all worked marvellously.
So the steps defined above should work as long as your application does not do funny things with forms authentication.

ASP.NET MVC and role caching?

I am developing an ASP.NET MVC app with custom membership and role providers.
My custom role provider uses LinqToEntities to query the user/role mapping table and retrieve if a user is in a role or not.
When running on debug, local machine, everything is fine. When deploying on IIS7 however, I have this strange behavior:
When I change roles to a user, and then login with that user, it retains the old roles, instead of the new ones. It's like they are cached somewhere, but I already set the cacheRolesInCookie="false" option in the Web.config
Reading on the web, I saw that the option I mentioned is just a directive for the provider, meaning if I don't implement its usage, it will be ignored, is that right?
This leaves me puzzled. My provider should perform a fresh query every time a method is called. It works locally, but not on the deploy machine with IIS7.
Anyone knows if there's any hidden setting in IIS7 to make things work right?
Thanks.
After a long time I found the solution.
The problem was residing on the EF context I was using to read the users/roles.
I fixed it resintantiating the context every time a role is checked, instead of keeping the same context until application restarted.

Resources