Security :: Forms Authentication Cookie Not Changing Current User Identity
Jan 21, 2010
I am having a problem with security in a web application I am building using Visual Web Developer 2008. I am using Forms Authentication:
<authentication mode="Forms">
<forms name=".MYAUTH" timeout="20" enableCrossAppRedirects="true" />
</authentication>
And a SQL Server database with ASP.NET Membership and Roles. I am using the LoginView control with the AnonymousTemplate and LoggedInTemplate to manage the user's interaction with logging in and out. The problem I am having is that I am authenticating the user against the database:
If Membership.ValidateUser(_userName, _txtLoginPass.Text)
Then returns True and:
FormsAuthentication.SetAuthCookie(_userName, False)
sets the cookie correctly:
FormsAuthentication.Decrypt(FormsAuthentication.GetAuthCookie(_userName, False).Values(0))
{System.Web.Security.FormsAuthenticationTicket} CookiePath: "/"
Expiration: #1/21/2010 1:42:27 PM#
Expired: False
IsPersistent: False
IssueDate: #1/21/2010 1:22:27 PM#
Name: "jaymo "
UserData: ""
Version: 2
but when I check
HttpContext.Current.User.Identity.IsAuthenticated it always returns False.
If done this before and it worked fine. I cannot find any mistake I might have made or where something might have changed between ASP.NET 2.0 and 3.5.
View 2 Replies
Similar Messages:
Feb 9, 2010
I am using forms authentication and have an issue with a particular browser using the remember me feature. For various reasons I want to support the opera browser that works with the nintendo dsi. I can use forms authentication with that browser just fine but when I use the remember me (cookie) feature I can get through the login but then calls to User.Identity.IsAuthenticated return false. If I do not check remember me it works fine. Initially I thought the browser didn't support cookies but it does. At least I can go to m.gmail.com and check their version of remember me and it works. I can exit the browser and come back in and m.gmail.com remembers me. Also I don't have problems with remember me on any other browser I have tried.
Is anyone aware of some specific browser issue that doesn't work with asp.net forms authentication? I am using asp.net mvc but I doubt that matters.
View 3 Replies
Apr 23, 2010
I wanted to be able, as an administrator, to create new users using the createuser wizard. When I use the wizard to add a new user, however, I end up logged in as that user, instead of as my admin account. How do I prevent from being logged in as the user I just created?
View 2 Replies
Feb 26, 2010
I'm in the middle of moving a web application from IIS6 to IIS7. I've enabled "Windows Authentication" and added <deny users="?" /> to the authorization section of my web.config file. When the app was running on IIS6 my users where able to access the web app without logging in because their windows login was automatically recognized. This does not seem to be the case in II7. I can not get a value for "Current.User.Identity.Name" in my ASP.Net code.
View 1 Replies
Sep 7, 2010
I create two pages, the first one is the login page with user name and password textboxes - (not asp login control) , when clicking login button I check the login authentication, if it is true redirect to default page. in the default page if !IsCallBack then i check httpcontext.current.user.identity.isauthenticated
if it is false i redirect the user to the login page. but my problem is that the httpcontext.current.user.identity.isauthenticated is always false.
Below the section of authentication in web config
[code]....
View 5 Replies
Jan 18, 2010
We have an SharePoint site no login (anonymous) with a search module using AJAX. Now the users complains that the module isn't working. When I check the code (not developed by me), I find that the code only runs if "HttpContext.Current.User.Identity.IsAuthenticated=true". Could that ever return true on an anonymous site?
View 1 Replies
Sep 3, 2010
What do I need to do in order to change an application from Forms Authentication to windows authentication?
View 2 Replies
Dec 13, 2010
We have had a bug recently where users are logging into an application with multiple browser tabs. They are editing a content page which means that they can be working on a page for sometime (ie with no postbacks) They finally click save and because the session has timed out it takes then to login page. I initally resolved they by adding a reminder that the session is about to expire which initally resolved the issue. It has been noted that even when they are within session time out they still got redirected to login page (and loosing the data on the form). We had real problems replicating the issue but have finally managed to do so now and I have learnt some curous features of .net Forms Authentication.
I have set up a test project which has the membership controls on etc. I have set the Timeout on the <forms> tag
<forms loginUrl="~/Account/Login.aspx" timeout="2" />Case 1I then open two browsers windows (side by side), both on the login page (and logged out)On the left window I login (and start a timer)after 40 seconds on the right window I navigate to a page (which takes me to the page as I have logged in on left window )I then wait until the full 2 minutes has elapsed (but before 2 Minutes and 40 seconds) and then try and navigate to a page on the left window.It redirects me to the login pageI would expect it to allow me to navigate to as I have kept my session open on the right window.Case 2I then open two browsers windows (side by side), both on the login page (and logged out)On the left window I login (and start a timer)after 90 seconds on the right window I navigate to a page (which takes me to the page as I have logged in on left window )I then wait until the full 2 minutes has elapsed (but before 2 Minutes and 40 seconds) and then try and navigate to a page on the left window.It Navigates to the page keeping me logged in.After a bit of reading around the subject I have found out that the slidingexpiration property only renews the cookie if it is in the last 50% of the timeout value:
Sliding expiration resets the expiration time for a valid authentication cookie if a request is made and more than half of the timeout interval has elapsed[URL]
My Question is: How can I override this bit of functionality?
Is there a property to set somewhere to "Always renew cookie"?
Is there another workaround. Unfortunately I can't increase the timeout because of a complience issue (it must be set to 15 minutes)
View 3 Replies
Jan 30, 2011
get the below error. My application was working fine until I probably modified something, but don't know what.
Server Error in '/' Application.
Method is only supported if the user name parameter matches the user name in the current Windows Identity.
Description: An unhandled exception occurred during the execution of the current web request. review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Configuration.Provider.ProviderException: Method is only supported if the user name parameter matches the user name in the current Windows Identity.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[ProviderException: Method is only supported if the user name parameter matches the user name in the current Windows Identity.]
System.Web.Security.WindowsTokenRoleProvider.GetCurrentWindowsIdentityAndCheckName(String userName) +2195661
System.Web.Security.WindowsTokenRoleProvider.GetCurrentTokenAndCheckName(String userName) +36
System.Web.Security.WindowsTokenRoleProvider.GetRolesForUser(String username) +61
System.Web.Security.RolePrincipal.IsInRole(String role) +182....
View 1 Replies
Oct 20, 2010
am writing a web service in vb.net/asp.net 2, that needs user's name. It works fine when the url request is "www.mysite.com" but if any one has logged-in using "mysite.com" without a "www" and goes to the page that calls my web service, The HttpContext.Current.User.Identity.Name gives null. How can I resolve this problem?
View 2 Replies
Jun 16, 2010
For some reason my users are logged out of the system every 10-15 minutes or so...regardless of the configuration below....am I missing something?
[code]....
View 1 Replies
Mar 1, 2011
So I'm making a asp.net login. I want the login name that people use to match an id in my SQL database. So that I can retrieve their information. But currently when I use the code below, from which I get the name of the computer I am currently on. However I would like the user Identity to be what they write in the username textbox at the login screen.
If HttpContext.Current.User.Identity.IsAuthenticated Then
Dim userName As String = HttpContext.Current.User.Identity.Name
Response.Write(userName)
End If
So I looked for it on net and I think it might have something to do with my web.config file. As I'm totally new to asp.net I wouldn't know. However here's a part of my Web.config file.
[Code]....
View 3 Replies
Jul 30, 2010
I want to know if this kind of authentication is possible.
We have an Active Directory account and that account we are using to log in to windows. I have a simple system that needs authentication using the IIS log in box (i dont know what do you call this but what I know is it only comes out when Anonymous user is unchecked in the IIS configuration.) Now, I want this box to appear before my page and the user will be authenticated and be compare to the user who logged in to the windows. If the user who have been authenticated is the same as the user who logged in to the windwos then we will let him in if not he must be denied in accessing the page.
The first problem I have in my mind is how to code it in asp.net to make an authentication when he will try to access my page.
Second is, let us say we have succeeded to show the authentication box, how can I get the username from the log in box and compare it to the user who logged on in windows. Of course we can get the user id of the logged in user from the windows using User.Identity.Name but how about the username from the log in box.
Note: I will not use log in forms even using https. Just the log in provided by the IIS according to the configuration.
View 1 Replies
May 14, 2010
I have created an ExtendedId class which extends GenericIdentity. (This stores Id as well as name)
In a httpmodule I stored this extended id in Current.User like so:
HttpContext.Current.User = new GenericPrincipal(myExtendedId, roles);
Problem is, later, how do I get at my ExtendedId type again?
If I try this:
ExtendedId eId = (ExtendedId)HttpContext.Current.User.Identity;
View 2 Replies
Jul 8, 2010
is possible to create another property like 'userid' as i can access like
HttpContext.Current.User.Identity.userid ? if yes , how? (actualy last year i did something like this but i have forgotten
View 1 Replies
Jan 29, 2010
Do we know the algorithm that asp.net uses to create the authentication cookie (when using forms authentication?)
Can we basically create our own copy implementation? if so, how?
What does it use to generate the encrypted cookie value, I know it uses whatever you pass into the SetAuthCookie call (which is usually the userID/username).
View 2 Replies
Nov 6, 2010
I have a bunch of applications that currently share the authentication cookie in v3.5.
We're in the process of upgrading to 4.0 and also upgrading the applications as a whole. I have 1 done, and would love to deploy it. However, as soon as I do, I lose my sharing of authentication cookie in that application.
In each web.config, my machine key is declared. I removed the actual keys to protect the innocent. :)
<machineKey validationKey="..." decryptionKey="..." validation="SHA1"/>
<authentication mode="Forms">
<!-- DEV Server -->
<forms enableCrossAppRedirects="true" loginUrl="Logon.aspx" name=".COOKIENAMEHERE" protection="All" path="/" slidingExpiration="true" timeout="1440"/>
</authentication>
View 1 Replies
Jul 6, 2010
My users need to stay logged in for 1 day, so I used a persistent authentication cookie with an expiration of 1 day but it still times out after 20 minutes (which is the default timeout for the session, not the cookie).
This is my code:
<authentication mode="Forms">
<forms loginUrl="Login.aspx" protection="All" path="/" />
</authentication>
FormsAuthenticationTicket ticket =
new FormsAuthenticationTicket(1, "username", DateTime.Now, DateTime.Now.AddDays(1), true, "userdata");
string encTicket = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
cookie.Expires = ticket.Expiration;
HttpContext.Current.Response.Cookies.Add(cookie);
I also have manually-generated validation and decryption keys:
<machineKey>
validationKey="......."
decryptionKey="......."
validation="SHA1"
</machineKey>
View 19 Replies
Feb 5, 2010
Once the user has authenticated, I would like to base all of the information displayed to the user based on their username. Isn't that saved in the cookie?
For instance, I would like to pull all of their client information using a GridView and have the parameter set to the appropriate authentication information.
View 4 Replies
Feb 7, 2011
In IIS 7.5 server I have a website apps.mydomain.com. Site binding for this website is:
IP: All Unassigned
Port: 80
Host name: apps.mydomain.com
In DNS there is an ip address pointing to apps.mydomain.com. Site comes up fine when browsing to this hostname.
I want to get current windows logged in username from asp.net web apps. I enabled windows authentication and disabled anonymous. Using this ASP.Net code to test:
Response.Write(Page.User.Identity.Name);
However, browsing to http://apps.mydomain.com/site/ the application pool identity shows as the Page.User.Identity.Name value and not the current windows logged in username.
If I browse to http://servername/site/ then Page.User.Identity.Name will return current windows logged in username.
Is there something else I need to configure to get the current windows logged in username when using host header?
web.config:
<?xml version="1.0"?>
<configuration>
<system.web>
<authentication mode="Windows"/>
</system.web>
</configuration>
App pool config (left out "handlers" for brevity, there's a 30000 char limit):
[Code]....
View 2 Replies
Feb 18, 2011
My requirements is when one other website call my service (httphandler) and in response i will provide one parameter which is
value of form authentication cookie
now that website call my website with that cookie value as query string , how to check from that cookie value that particular use is authenticated or not ?
View 3 Replies
Dec 6, 2010
is it possible to preserve authentication for ASP.NET Forms authentication cookie,btween Http and Https (different domains) and back?I mean haveing single signon for two domains say http://www.mydomain.com and https://members.mydomain.comI've seen on quite asp.net sites that have a 'MyAccount' section they transfer the site to https and then when you have logged into your account successfully and gone back to the majority of the site you move back to http whilst still being logged in.
View 1 Replies
Oct 31, 2010
Without reading the whole text below, since this is on the ASP.Net side ... basically I think I need to know if there is a way to reduce the size of the forms authentication cookie. When using a DotNet 2.0 website, the ASPXAUTH cookie is about 232 bytes ... when using the same source code but upgraded to DotNet 4.0. the cookie is approximately 264 bytes, setting the ticketCompatabilityMode does not reduce the size since I think the default setting is Framework20. I length of the cookie, including the its' name can not be larger than 256 bytes in order to use it with the "Client Application Services".
I only did a cursory search of the asp.net forums, but will dilligently look for an existing solution.
----- BACKGROUND AND RESEARCH -----
I have been using all three features of client application services (authentication, profiles, and roles) in my windows app (DotNet 3.5 framework) for almost two years now. Up until now, I have not had any problems. This week I hit a brick wall and am pretty stumped with two seperate but related issues.
Issues:
In development, we decided to upgrade our websites/services to DotNet 4.0. All applications upgraded successfully. However we are unable to log into our application using Client Application services. No matter what user we use, Membership.ValidateUser returns false. Since we know the username and passwords, we thought this was strange. When debugging the application, we found that Membership.ValidateUser was throwing an InvalidOperationException (see below for complete exception) stating that the ASPXAUTH property was too long, longer that the schema created in the SQL/CE database. (See below for things tried).
In production .. A user all of the sudden could no longer gain access to the application. Upon inspection, his ASPXAUTH cookie was 264 characters long (9 characters longer than the schemas nvarchar(256)). Even though the user was being authenticated on the "server side", and the JSON query returned "{"d":true}", Membership.ValidateUser returned false. Again, as in the case above, the actual error was ...
Message=@PropValue : String truncation: max=256, len=264 ...
I am assuming I am missing something very simple or that I overlooked a settings. In development, this is not a huge issue as I can release the Dotnet 4.0 websites when I am ready. But now that this has happened to a client on a production system, it is very worrisome.
[code]....
View 1 Replies
Aug 26, 2010
authentication cookie persistance to true on a aspx website,this works great.now I have made an affiliate website (HTML + iframe (same aspx)) and it does not keep my user logged in after closing browser.
View 1 Replies
Feb 18, 2011
My requirement is multiple domains (not subdomains) share cookie of form authentication
how to implement same?
View 2 Replies
