Security :: Are Cookies Required In Order To Use MembershipProvider And RoleProvider
Dec 25, 2010
Does Forms Authentication require that cookies be enabled to use MembershipProvider and RoleProvider? If so, can anyone tell me the minimum security level I need to tell clients to use.
I'm trying to understand how a server farm would use MembershipProvider / RoleProvider. If I have a million users, I do not want to have multiple copies of the MembershipProvider / RoleProvider database. I would like to have one set of machines used for login but then redirect users to other machines in the server farm depending on which applications the users decide to use. However, once they are redirected to the new machine, I do not want the user to have to log in again. I want the credentials and role information to be available.
Does anyone know how MembershipProvider / RoleProvider is configured for this type of architecture?
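Cross-machine login in a farm rests on every node validating the same forms-authentication ticket, which needs an identical <machineKey> on all nodes, a cookie-borne ticket, and every node pointing at the same provider database with the same applicationName. The start-up guard below is an added example (not from this post); it assumes FarmConfigGuard.Check() is called from Application_Start and refuses to start when the configuration would break cross-node login or expose the ticket.

```csharp
using System;
using System.Configuration;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;

// Added example: refuse to start when the forms-authentication configuration
// cannot work across a web farm. Assumption: FarmConfigGuard.Check() is called
// from Application_Start in Global.asax.
public static class FarmConfigGuard
{
    public static void Check()
    {
        var mk = (MachineKeySection)WebConfigurationManager.GetSection("system.web/machineKey");
        if (mk == null)
            throw new ConfigurationErrorsException("<machineKey> section is missing.");

        // AutoGenerate keys differ per machine (and per application with IsolateApps),
        // so a ticket issued by the login node fails validation on every other node.
        if (IsAutoGenerated(mk.ValidationKey) || IsAutoGenerated(mk.DecryptionKey))
            throw new ConfigurationErrorsException(
                "Set explicit validationKey and decryptionKey, identical on every farm node.");

        // The ticket must travel in a cookie. cookieless="UseUri" puts it in the URL,
        // where it leaks through logs, Referer headers and bookmarks.
        if (FormsAuthentication.CookieMode != HttpCookieMode.UseCookies)
            throw new ConfigurationErrorsException("<forms cookieless=\"UseCookies\"> is required.");

        // The ticket cookie should only ever be sent over TLS.
        if (!FormsAuthentication.RequireSSL)
            throw new ConfigurationErrorsException("<forms requireSSL=\"true\"> is required.");
    }

    private static bool IsAutoGenerated(string key)
    {
        return string.IsNullOrEmpty(key) ||
               key.StartsWith("AutoGenerate", StringComparison.OrdinalIgnoreCase);
    }
}
```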
I have created a custom MembershipProvider and RoleProvider which communicates with some existing business logic. The issue I have is that the user login in my business logic requires 3 arguments (group id, user id, and password) and the MembershipProvider and RoleProvider I implemented just use 1 or 2 arguments (username, password). Right now I append my group id and user id together and pass it as the username then parse it in the implemented methods. Is there a better way to do this?
Note, I can handle the login fine because I can call my own ValidateUser method. The main issue is when the implemented methods are called from other things like the RoleProvider.GetRolesForUser(username) method when I use the AuthorizeAttribute.
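One way to keep the composite-username approach safe is to put the composing and parsing in a single place that both providers delegate to, and to reject any name that does not split cleanly. This is an added example, not the poster's code; IGroupLogin is a hypothetical stand-in for the existing three-argument business logic.

```csharp
using System;

// Added example, not the poster's code. IGroupLogin is a hypothetical stand-in for
// the existing three-argument business logic (group id, user id, password).
public interface IGroupLogin
{
    bool Validate(string groupId, string userId, string password);
    string[] RolesFor(string groupId, string userId);
}

// One parser for the composite "username" that ASP.NET stores in the forms ticket
// and later hands to GetRolesForUser, so every provider splits it the same way.
public static class CompositeUserName
{
    // Must be a character that neither group ids nor user ids may contain.
    public const char Separator = '|';

    public static string Make(string groupId, string userId)
    {
        if (string.IsNullOrEmpty(groupId) || string.IsNullOrEmpty(userId)
            || groupId.IndexOf(Separator) >= 0 || userId.IndexOf(Separator) >= 0)
            throw new ArgumentException("group id and user id must be non-empty and separator-free");
        return groupId + Separator + userId;
    }

    public static bool TryParse(string userName, out string groupId, out string userId)
    {
        groupId = userId = null;
        if (string.IsNullOrEmpty(userName)) return false;
        string[] parts = userName.Split(Separator);
        // Exactly two non-empty parts; "a|b|c" or "|b" never reaches the business logic.
        if (parts.Length != 2 || parts[0].Length == 0 || parts[1].Length == 0) return false;
        groupId = parts[0];
        userId = parts[1];
        return true;
    }
}

// Both providers forward to this adapter, so the parsing lives in one place:
//   MembershipProvider.ValidateUser(u, p)  => adapter.ValidateUser(u, p)
//   RoleProvider.GetRolesForUser(u)        => adapter.GetRolesForUser(u)
// The login page builds the name once with CompositeUserName.Make and passes that
// same string to Membership.ValidateUser and FormsAuthentication.SetAuthCookie.
public class GroupLoginAdapter
{
    private readonly IGroupLogin _backend;

    public GroupLoginAdapter(IGroupLogin backend) { _backend = backend; }

    public bool ValidateUser(string compositeName, string password)
    {
        string groupId, userId;
        if (!CompositeUserName.TryParse(compositeName, out groupId, out userId)) return false;
        return _backend.Validate(groupId, userId, password);
    }

    public string[] GetRolesForUser(string compositeName)
    {
        string groupId, userId;
        // A malformed name yields no roles rather than an exception, so AuthorizeAttribute
        // and UrlAuthorizationModule simply deny access.
        if (!CompositeUserName.TryParse(compositeName, out groupId, out userId)) return new string[0];
        return _backend.RolesFor(groupId, userId) ?? new string[0];
    }
}
```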
Say for my ASP.NET application, I have implemented my custom RoleProvider by using my existing Users table on my Oracle 11g database. Then, for my Membership Provider, can I still use the AspNetSqlMembershipProvider that comes with the .NET framework and uses SQL Server?
I have written an assembly (DLL) containing two classes, MyMembershipProvider and MyRoleProvider, which are derived from MembershipProvider and RoleProvider, respectively. I have implemented most but not all of the abstract methods; the remaining ones all throw a NotImplementedException. I have signed the assembly and added a reference to it in my web-site project, where the relevant web.config sections look like this:
[Code]....
When I fire up the site, however, I get the following error:
Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: Exception has been thrown by the target of an invocation.
The error message points to the <add /> tag in the <roleManager /> section: if I take that out, however (enabled="false"), it comes back again as soon as I try to log in to the site (this time pointing to the membership section). I have verified that it is recognising the classes by changing the name in the "type" attribute (to something that doesn't exist), at which point it throws a different error. Therefore I'm presuming there's a problem with my assembly code somewhere; but how can I find out where? I have debug=true in the web.config and also compiled the assembly with Debug options, but no clues.
I'm working on adding a new webapp to an existing website. I've been directed to write the webapp in ASP.NET. The existing website is written in ColdFusion. For the most part, the ASP.NET webapp is completely stand-alone, but it needs to interact with the ColdFusion code in one important way - if somebody logs in to the ColdFusion site, we don't want them to have to log in again when visiting an ASP.NET page.
When someone logs in to the ColdFusion site, their username is stored in a cookie, along with a login token that can be looked up in our database. My .NET is a little rusty, so I'm having trouble visualizing how the ASP.NET code should use this data. I've already written a simple MembershipProvider that can be used to log in/out of the ASP.NET app using the data in our existing database tables, which are shared with the ColdFusion code.
What I'd like to know is - how can I make sure the ASP.NET app detects the cookies set by the ColdFusion app (I imagine they'd be sent to the ASP.NET pages, since everything is hosted on one domain), and automatically logs the user in using the MembershipProvider and Forms Authentication, using the credentials supplied in the cookie? I'm thinking that putting some kind of cookie check and log in function in the Global.asax file, set to run every page load for every page... but that seems kind of clunky. Also, do people still use the Global.asax file anyway? I had thought there was a more modern method.... Also, how can I manually log someone in using Forms Authentication and a custom membership provider? Currently my code allows the user to log in using the provided login control, but I'm not sure how to log the user in without them having to do anything. Looking over the MembershipProvider tutorials and the MSDN documentation it seems to me like the answer should be staring me in the face, but for some reason I just can't see it. Maybe not enough coffee....
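The per-request check described above fits naturally in an IHttpModule rather than Global.asax, and the security-relevant part is that the username cookie must never be trusted on its own: only the database-backed login token proves who is logged in. The module below is an added example, not the poster's code; it assumes the ColdFusion cookies are named CFUSER and CFTOKEN, that the shared database stores a SHA-256 hash of the current token reachable through a hypothetical ITokenStore, and that the module is registered in web.config after the role manager.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Security;

// Added example, not the poster's code. Assumptions: the ColdFusion site sets the
// cookies CFUSER (username) and CFTOKEN (random login token), and the shared
// database exposes the hash of a user's current token through ITokenStore.
public interface ITokenStore
{
    byte[] GetCurrentTokenHash(string userName);   // null when the user has no active login
}

public class ColdFusionSsoModule : IHttpModule
{
    public static ITokenStore Store { get; set; }   // assumption: assigned in Application_Start

    public void Init(HttpApplication app)
    {
        // After FormsAuthenticationModule has run, so an existing .NET ticket wins.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    public void Dispose() { }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.User != null && ctx.User.Identity.IsAuthenticated) return;

        HttpCookie user = ctx.Request.Cookies["CFUSER"];
        HttpCookie token = ctx.Request.Cookies["CFTOKEN"];
        if (user == null || token == null || string.IsNullOrEmpty(user.Value)) return;

        // The name cookie is untrusted input; only the token proves who is logged in,
        // and the user must also exist in our membership provider.
        if (!TokenMatches(user.Value, token.Value)) return;
        if (Membership.GetUser(user.Value, false) == null) return;

        // Issue a forms ticket for later requests and build the principal for this one
        // (RolePrincipal asks the role provider lazily, as it would after a normal login).
        FormsAuthentication.SetAuthCookie(user.Value, false);
        IIdentity id = new GenericIdentity(user.Value, "Forms");
        ctx.User = Roles.Enabled ? (IPrincipal)new RolePrincipal(id)
                                 : new GenericPrincipal(id, new string[0]);
    }

    private static bool TokenMatches(string userName, string presentedToken)
    {
        byte[] stored = Store.GetCurrentTokenHash(userName);
        if (stored == null || string.IsNullOrEmpty(presentedToken)) return false;
        byte[] presented;
        using (var sha = SHA256.Create())
            presented = sha.ComputeHash(Encoding.UTF8.GetBytes(presentedToken));
        return FixedTimeEquals(stored, presented);
    }

    // Compare every byte regardless of mismatches so timing does not leak a prefix.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Register the class under <httpModules> (IIS 6) or <system.webServer><modules> (IIS 7) so it runs on every request; it exits immediately once a forms ticket exists.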
I am obviously missing something here and it is driving me batty. I am trying to implement a custom role provider so that I can add some of my own custom code to it. I have created my CustomRoleProvider class, I have inherited the RoleProvider base class and implemented its members. I have made the required changes to my web.config so that my CustomRoleProvider is used. This is all working great.
All of this is wrapped up in a wrapper class as provided by the MVC Membership Starter Kit that I am using and wish to extend.
Now I want to add my own custom functionality.
When I add a function to my CustomRoleProvider I cannot see it or access it.
How do I add functionality to my CustomRoleProvider so that I can use it?
I had a post here [URL] that I need to expand on now. I have a few web pages that need to check for a certain role on each page request. I have a custom Membership Provider and a custom Role Provider (called CustomRoleProvider - very original - I know) that I am using to do this. When a user logs in, the CustomRoleProvider.GetRolesForUser() method is called automatically (by the UrlAuthorizationModule). When this method gets called, I am currently adding a role to the roles string array that allows the user to view the web pages of concern based on certain qualifications that are determined elsewhere in the code (i.e. the database is queried to see if the user has rights to visit certain pages).
This approach only gets me halfway because the user's roles are only checked once at login. When I wrote my previous post, I thought the CustomRoleProvider was broken because it wasn't calling the IsUserInRole() method on each page request. According to Microsoft, "The IsUserInRole method is called by the IsUserInRole method of the Roles class to determine whether the current logged-on user is associated with a role from the data source for the configured ApplicationName." (that information comes from this page: [URL])
Reading that description I thought it was being called automatically on each page request. This is not correct. What I need to know how to do is to get a method in the CustomRoleProvider that returns a boolean to be called automatically on each page request so I can update the user's roles if they change while the user is logged into the web site. For example, if the user has rights to visit page A and then five minutes later his rights are revoked, he can't visit page A again unless he contacts an admin to reset his rights.
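A per-request check that goes straight to the role provider, bypassing any roles cached in the role cookie, is one way to make a revocation take effect on the very next request. The module below is an added example, not the poster's code; the page-to-role table in it is constructed for illustration, and it assumes roleManager is enabled.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

// Added example, not the poster's code. Re-evaluates the required role on every
// request for a protected page by asking the role provider directly, so rights
// revoked after login stop working on the next request. The page-to-role table is
// constructed for illustration.
public class RoleRecheckModule : IHttpModule
{
    private static readonly Dictionary<string, string> RequiredRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "~/PageA.aspx", "PageAViewers" },
            { "~/PageB.aspx", "PageBViewers" },
        };

    public void Init(HttpApplication app)
    {
        // AuthorizeRequest fires after authentication and role loading, before the page runs.
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    public void Dispose() { }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        string role;
        if (!RequiredRole.TryGetValue(ctx.Request.AppRelativeCurrentExecutionFilePath, out role))
            return;                                          // not a protected page

        bool authenticated = ctx.User != null && ctx.User.Identity.IsAuthenticated;
        if (authenticated && HasRoleNow(ctx.User.Identity.Name, role)) return;

        // Drop a cached role cookie so stale rights cannot be reused on the next hit.
        if (Roles.Enabled && Roles.CacheRolesInCookie) Roles.DeleteCookie();
        ctx.Response.StatusCode = authenticated ? 403 : 401;   // 401 lets forms auth redirect to login
        app.CompleteRequest();
    }

    // Ask the provider, not ctx.User.IsInRole: with cacheRolesInCookie="true" the
    // RolePrincipal answers from the cookie until that cookie expires.
    public static bool HasRoleNow(string userName, string role)
    {
        return Roles.Enabled && Roles.Provider.IsUserInRole(userName, role);
    }
}
```

Keeping <roleManager cacheRolesInCookie="false"> (the default) means the provider is consulted once per request even without this module; the module adds the explicit per-page decision the post asks for.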
I have a web page which contains 3 drop down boxes followed by 3 textboxes. I am implementing Required field validators for all of them. But when I hit submit, the page first checks for empty textboxes before checking for any value in the drop down boxes, but I want the drop down boxes to be validated first before the textboxes. How can it be achieved?
I'm working with the default ASP.NET MembershipProvider. Now, by default, that requires that all members registered have unique email addresses. However, I'd like to override that because, in the code behind of a certain webpage, I do not need emails to be unique.
I'm using various ASP.NET controls out of the box such as the CreateUserWizard control, Login control etc... For custom controls, I have sanitized my inputs by making sure they conform to expected values. However, is this required for the controls such as the CreateUserWizard control, or is that handled internally? Do I need to provide any extra server side validation to these controls and, if so, would it be best to do it in the "CreateUserWizardControl_CreatingUser" event?
I have a web page where the administrator can reset other users' passwords. I am not using any membership controls here. I found that I can use the Membership.Provider.ResetPassword() function. But I want to send the new password to the user through the mail, just like in the password recovery control, reusing the mail configuration in the web.config file (which membership uses with the password recovery control). Do I need to explicitly do the coding for sending the mail, using the SMTP client and mail message class? Or is there any built-in functionality inside membership for this, just like in password recovery?
It's Microsoft SQL Server 2005 and Microsoft Visual Studio 2005. Is IIS required on my machine in order for BIDS to be installed? I just manually uninstalled SQL Server 2005 and reinstalled and still cannot see BIDS in Visual Studio. Is there anything I should check, or what components are needed to install BIDS?
I am getting an error with my custom RoleProvider (based on System.Web.Security.RoleProvider) initializing in my ASP.NET application. The error is: "Description: An error occurred during the processing of a configuration file required to service this request." I see the error below happening on a Windows 2003 server with .NET 3.5 SP1. I have not seen it on Windows 2008 servers, and have not seen the error when the ASP.NET application was built under .NET 2.0 (running on this same server). Any thoughts on the nature of the error?
Server Error in '/Assist' Application.
Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Line 122:             <clear />
Line 123:             <add
Line 124:                 type="Grb.Security.FrameworkRoleProvider"
Line 125:                 applicationName="MyApplication1" />
Line 126:         </providers>
Source File: D:\inetpub\Assist\web.config    Line: 124
Version Information: Microsoft .NET Framework Version:2.0.50727.3603; ASP.NET Version:2.0.50727.3082
Here's the initializing function for the role provider:

Public Overloads Overrides Sub Initialize(ByVal name As String, ByVal config As System.Collections.Specialized.NameValueCollection)
    Try
        If config Is Nothing Then
            Throw New ArgumentNullException("config")
        End If
        If String.IsNullOrEmpty(name) Then
            name = Me.GetType().BaseType.Name
        End If
        If String.IsNullOrEmpty(config(DescriptionKey)) Then
            config.Remove(DescriptionKey)
            config.Add(DescriptionKey, SR.GetString(SR.RoleSqlProvider_description))
        End If
        MyBase.Initialize(name, config)

        ' Get the configuration settings
        Dim configurationSettings1 As Grb.Framework.Business.ConfigurationSettings = Grb.Framework.Business.FrameworkConfiguration.GetConfiguration()

        ' Load the DomainManager
        Dim dataManager1 As New Grb.Framework.Data.Main(Nothing, configurationSettings1.FrameworkSchema, configurationSettings1.AssistSchema, _
            configurationSettings1.ConnectionString, configurationSettings1.ProviderInvariantName, _
            configurationSettings1.EnablePerformanceLogging, System.Web.HttpContext.Current.Request.PhysicalApplicationPath)

        ' Load the DomainManager
        Dim frameworkDomainManager As Grb.Framework.Business.DomainManager = New Grb.Framework.Business.DomainManager(dataManager1, -1, -1)
        m_ProductDomainManager = New Grb.PlugIn.Assist.Business.DomainManager(dataManager1, frameworkDomainManager)

        m_ApplicationName = config(ApplicationNameKey)
        If String.IsNullOrEmpty(m_ApplicationName) Then
            m_ApplicationName = SecUtility.GetDefaultAppName()
        End If
        If m_ApplicationName.Length > 256 Then
            Throw New System.Configuration.Provider.ProviderException(SR.GetString(SR.Provider_application_name_too_long))
        End If
        config.Remove(ApplicationNameKey)

        If config.Count > 0 Then
            Dim attribUnrecognized As String = config.GetKey(0)
            If Not String.IsNullOrEmpty(attribUnrecognized) Then
                Throw New System.Configuration.Provider.ProviderException(SR.GetString(SR.Provider_unrecognized_attribute, attribUnrecognized))
            End If
        End If
    Catch ex As Exception
        Throw New Grb.Framework.Core.Exceptions.FrameworkBusinessException( _
            Resources.ExceptionMessages.FrameworkRoleProvider_Initialize, ex)
    End Try
End Sub
Set compilation debug="true" to insert debugging symbols into the compiled page. Because this affects performance, set this value to true only during development.
-->
<compilation defaultLanguage="vb" debug="false">
  <assemblies>
  </assemblies>
</compilation>
<httpHandlers>
  <remove verb="*" path="*.asmx"/>
  <add verb="*" path="*.asmx" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
  <add verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" validate="false" />
  <add verb="*" path="*_AppService.axd" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
</httpHandlers>
<httpModules>
  <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
</httpModules>
<!-- 1 GB maxRequestLength -->
<httpRuntime maxRequestLength="1048576" />
<sessionState mode="InProc" timeout="60" />
<!-- note: Set authentication timeout >= session timeout (session timeout will clear authentication timeout upon session_start) -->
<!-- note: <forms name="xxxx" value must be unique for each "forms authenticated" web application run on an IIS web server -->
<!-- note: For a more secure system, set requiresSSL="true" (and install/setup an SSL key on the web site) -->
<authentication mode="Forms">
  <forms loginUrl="TimedOut.aspx" slidingExpiration="false" requireSSL="false" timeout="60"/>
</authentication>
<authorization>
  <deny users="?"/>
  <allow users="*"/>
</authorization>
<membership defaultProvider="FrameworkMembershipProvider1" userIsOnlineTimeWindow="15">
  <providers>
    <clear />
    <add name="FrameworkMembershipProvider1"
         type="Grb.Security.FrameworkMembershipProvider"
         applicationName="Product1"
         passwordRetrieval="false"
         passwordReset="true"
         requiresQuestionAndAnswer="false"
         requiresUniqueEmail="true"
         passwordFormat="Hashed"
         minRequiredNonalphanumericCharacters="0"
         minRequiredPasswordLength="4"
         passwordStrengthRegularExpression="^[a-zA-Z0-9]+$"
         passwordStrengthFailedMessage="The password must be only alpha-numeric characters."
         frameworkDomainName="Master"
         maximumInvalidPasswordAttempts="3"
         maximumInvalidPasswordAttemptLockoutMinutes="30"/>
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="FrameworkRoleProvider1">
  <providers>
    <clear />
    <add name="FrameworkRoleProvider1" type="Grb.Security.FrameworkRoleProvider" applicationName="MyApplication1" />
  </providers>
</roleManager>
</system.web>
<system.web.extensions>
  <scripting>
    <webServices>
      <!-- Uncomment this line to customize maxJsonLength and add a custom converter -->
      <!--
      <jsonSerialization maxJsonLength="500">
        <converters>
          <add name="ConvertMe" type="Acme.SubAcme.ConvertMeTypeConverter"/>
        </converters>
      </jsonSerialization>
      -->
      <!-- Uncomment this line to enable the authentication service. Include requireSSL="true" if appropriate. -->
      <!-- <authenticationService enabled="true" requireSSL = "true|false"/> -->
      <!-- Uncomment these lines to enable the profile service. To allow profile properties to be retrieved and modified in ASP.NET AJAX applications, you need to add each property name to the readAccessProperties and writeAccessProperties attributes. -->
      <!-- <profileService enabled="true" readAccessProperties="propertyname1,propertyname2" writeAccessProperties="propertyname1,propertyname2" /> -->
    </webServices>
    <!-- <scriptResourceHandler enableCompression="true" enableCaching="true" /> -->
  </scripting>
</system.web.extensions>
<system.webServer>
  <validation validateIntegratedModeConfiguration="false"/>
  <modules>
    <remove name="ScriptModule" />
    <add name="ScriptModule" preCondition="managedHandler" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
  </modules>
  <handlers>
    <remove name="WebServiceHandlerFactory-Integrated" />
    <remove name="ScriptHandlerFactory" />
    <remove name="ScriptHandlerFactoryAppServices" />
    <remove name="ScriptResource" />
    <remove name="WebServiceHandlerFactory-ISAPI-2.0"/>
    <add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
    <add name="ScriptHandlerFactoryAppServices" verb="*" path="*_AppService.axd" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
    <add name="ScriptResource" preCondition="integratedMode" verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
  </handlers>
</system.webServer>
<location path="Default.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
<location path="Portal.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<location path="Login.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<location path="PasswordChange.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<location path="PasswordForgot.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<location path="PasswordEntry.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<!-- Give ControlLoader.aspx full access and let it check session/authentication validation.
     The rationale is that if a user is "timed-out" and presses a button to load a control into ControlLoader, the ControlLoader validation will catch this condition and tell the parent page to reload (so the Login page doesn't appear in the modal-dialog).
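ASP.NET instantiates providers by reflection, so what reaches the configuration error page is the TargetInvocationException ("Exception has been thrown by the target of an invocation"); the real failure sits in its InnerException chain, and a wrapper that keeps the original attached is what makes it findable. The class below is an added example written in C# (not the poster's VB.NET code); it shows an Initialize that validates the same attributes as the post's, avoids HttpContext.Current (a request need not exist while the application is starting) by using HostingEnvironment, and preserves the inner exception. OpenBackend is a hypothetical stand-in for the data-layer setup.

```csharp
using System;
using System.Collections.Specialized;
using System.Configuration.Provider;
using System.Web.Hosting;
using System.Web.Security;

// Added example in C#, not the poster's VB.NET. OpenBackend stands in for the
// data-layer setup the post performs inside Initialize.
public class SafeRoleProvider : RoleProvider
{
    private string _applicationName;

    public override void Initialize(string name, NameValueCollection config)
    {
        if (config == null) throw new ArgumentNullException("config");
        if (string.IsNullOrEmpty(name)) name = "SafeRoleProvider";
        base.Initialize(name, config);   // consumes "description", rejects double initialization

        _applicationName = config["applicationName"];
        if (string.IsNullOrEmpty(_applicationName))
            _applicationName = HostingEnvironment.ApplicationVirtualPath;
        if (_applicationName.Length > 256)
            throw new ProviderException("applicationName must be 256 characters or fewer");
        config.Remove("applicationName");

        // Anything left over is almost always a typo in web.config; say which attribute.
        if (config.Count > 0)
            throw new ProviderException("Unrecognized attribute: " + config.GetKey(0));

        try
        {
            // HostingEnvironment answers during application start-up;
            // HttpContext.Current.Request may not exist yet at that point.
            OpenBackend(HostingEnvironment.ApplicationPhysicalPath);
        }
        catch (Exception ex)
        {
            // Keep ex as InnerException: the error page and Application_Error can
            // then walk the chain down to the statement that actually failed.
            throw new ProviderException("Role provider initialization failed: " + ex.Message, ex);
        }
    }

    // Hypothetical stand-in for the expensive back-end setup.
    private static void OpenBackend(string appPath) { }

    public override string ApplicationName
    {
        get { return _applicationName; }
        set { _applicationName = value; }
    }

    // Role queries are unchanged from any other provider and left out here.
    public override string[] GetRolesForUser(string username) { throw new NotImplementedException(); }
    public override bool IsUserInRole(string username, string roleName) { throw new NotImplementedException(); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotImplementedException(); }
    public override void CreateRole(string roleName) { throw new NotImplementedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotImplementedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotImplementedException(); }
    public override string[] GetAllRoles() { throw new NotImplementedException(); }
    public override string[] GetUsersInRole(string roleName) { throw new NotImplementedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotImplementedException(); }
    public override bool RoleExists(string roleName) { throw new NotImplementedException(); }
}
```

In Application_Error, loop over Server.GetLastError().InnerException until it is null and log that innermost exception; with the wrapper above it names the failing call rather than the reflection invocation.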
used the built-in Membership framework and has implemented his own provider by creating a class that inherits from MembershipProvider (found in System.Web.Security). I actually went ahead and created a custom provider which inherits from MembershipProvider. The problem is that there are several methods I do not really need. Also, the schema is totally different. Plus, most methods return a MembershipUser which means my User class has to inherit from it as well. So really, what benefits does the MembershipProvider and the whole Membership framework add to my system? Do these benefits justify the fact that I won't be using most of the methods on the class?
I'm facing a very odd problem with my application. I've been developing my own custom membership provider (derived from MembershipProvider, of course) and everything was working smoothly, until something odd happened. In my config file, I register my provider with such code:
[Code]....
When I deploy my site, I get this error message:
Configuration Error
Description:
An error occurred during the processing of a configuration file required to service this request. review the specific error details below and modify your configuration file appropriately.
Parser Error Message: Input string was not in a correct format.
Source Error:
Line 62:             <clear/>
Line 63:             <add name="CustomSqlMembershipProvider"
Line 64:                  type="My_Membership.CustomSqlMembershipProvider"
Line 65:                  applicationName="My Application"
Line 66:                  enablePasswordRetrieval="false"
I have an intranet site that is used to pull several other intranet applications/tools and database info to one place. One of the most popular features uses iFrames and jQuery tabs to give a broad overview of activities, signal etc. in a network node. Chrome and Firefox eat it up with no problems; IE will work if you override the cookie policies that restrict 3rd party cookies without a valid P3P (what a worthless standard). IE also works if you already authenticated yourself on the individual sites and the session cookies are still valid.
I would like to set up the login so that it automatically logs the user in when he returns to the site, if the user hasn't logged off the site, and if he enters the site again he'll be logged in already.
read a cookie of a site with a different domain? I am currently trying to avoid an extra of step of logging into a website that I am currently developing.
I am having this weird problem only when I deploy my site [locally everything works fine]: when you try logging in from IE 8, the page simply refreshes and no authentication takes place. After a lot of research, I found out that Internet Explorer 8 denies session cookies, and to confirm this, I unchecked Enable protected mode (which can be found in Internet Options, Security) and then tried logging in; it worked perfectly fine, just like it did in other browsers [Firefox and Google Chrome]. I have found one solution, which is to lower the security level, but I can't tell every visitor on my site to do that since it's not practical.
I'm writing an ASP.net application that uses Windows Identity Foundation. My ASP.net application uses claims-based authentication with passive redirection to a security token service. This means that when a user accesses the application, they are automatically redirected to the Security Token Service where they receive a security token which identifies them to the application.
In ASP.net, security tokens are stored as cookies.
I want to have something the user can click on in my application that will delete the cookie and redirect them to the Security Token Service to get a new token. In short, make it easy to log out and log in as another user. I try to delete the token-containing cookie in code, but it persists somehow.
How do I remove the token so that the user can log in again and get a new token?
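A clean switch-user flow has two halves: end the local WIF session through the session module (the cookie handler may chunk the token across FedAuth, FedAuth1, ... cookies and the module keeps the parsed token in its context, so expiring one cookie by hand is not enough), then tell the STS to end its session too, otherwise the next passive redirect silently gets a token for the old user. The page below is an added example, not the poster's code; it assumes the .NET 4.5 namespace System.IdentityModel.Services (WIF 1.0 exposes the same types under Microsoft.IdentityModel.Web) and a fixed, application-owned landing URL.

```csharp
using System;
using System.IdentityModel.Services;
using System.Web.UI;

// Added example, not the poster's code. Assumes System.IdentityModel.Services
// (.NET 4.5); WIF 1.0 has the same types in Microsoft.IdentityModel.Web.
public partial class SignOutPage : Page
{
    // Fixed rather than read from the query string, so the sign-out link cannot
    // be turned into an open redirect through the STS's wreply round trip.
    private const string LandingUrl = "~/Default.aspx";

    protected void Page_Load(object sender, EventArgs e)
    {
        var sam = FederatedAuthentication.SessionAuthenticationModule;
        var fam = FederatedAuthentication.WSFederationAuthenticationModule;

        // 1. End the local session via the module: clears every FedAuth cookie chunk
        //    and the session token the module holds for this request.
        sam.SignOut();

        // 2. Redirect to the STS with a WS-Federation sign-out request (wa=wsignout1.0)
        //    and ask it to send the browser back to our landing page. The next visit to a
        //    protected page then triggers a fresh passive sign-in as whichever user logs in.
        var reply = new Uri(Request.Url, ResolveUrl(LandingUrl));
        WSFederationAuthenticationModule.FederatedSignOut(new Uri(fam.Issuer), reply);
    }
}
```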