Security :: Losing Persistence Using Forms Authentication?
Feb 13, 2011
I have had a website on a shared web hosting plan for over a year with no issues with keeping persistence. It's been prettys stable, and the only drawback of the host I am using is that it's very slow on occasion...sometimes taking 5-10 seconds to load a page.
So over the last few weeks, I went searching for another web host and and testing one out now.So while my existing website is still running the old web host, I copied the code and data and pushed it on the new web host. It's up and running, but I noticed that shortly after I log in (Forms Authentication), I am logged off within 20-30 seconds.I decided to add the machineKey to the web.config, and it seems to have fixed it.
My question is why would this have fixed it? I asked if the host's servers were in a web farm.
View 5 Replies
Similar Messages:
Dec 29, 2010
This has been a nagging issue for some time, but very sporadic and difficult to isolate.
From time to time, browsers that have authenticated on a web application, have been open for a while, have logged in and out of the same web application multiple times, have multiple tabs, are pretty much any browser (Chrome, IE, Firefox, Safari), and seemingly at random, lose their ability to retain an AuthCookie after being set and followed by a redirect. Closing the browser and starting a new session resolves the issue, as does opening up a different browser and attempting to authenticate.
Our team uses forms authentication for all of our websites and web application. This is a pretty typical setup where a login form is displayed, the user enters credentials and a cookie is set on the click event of the postback, then a redirect occurs to the same page where the cookie is then referenced and used to complete authentication.
In this situation
FormsAuthentication.FormsCookieName = ".WebAuth"
Within Event:
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, Username, DateTime.Now, DateTime.Now.AddMinutes(SessionTimeout), false, Username); HttpCookie faCookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket));
Response.Cookies.Add(faCookie);
Response.Redirect(Request.RawUrl, true);
After the redirect, on PreInit:
HttpCookie authCookie = Request.Cookies[cookieName];
At this point, the authCookie variable is typically not null, but in these isolated circumstances that I've outlined above, the cookie comes back null after the redirect.
This happens very randomly, sometimes weeks before affecting one of our developers. As I said, restarting the browser resolves the issue.
Today I had it happen on our dev server while using Chrome. I had logged into the application, allowed the application to session timeout, and then attempted to login again. The attempted login then failed to set the cookie. I remotely attached Visual Studio to the process on the server to begin debugging. The entire time I could step through my code, even deploy new code versions to the server with updates, restart the app, restart IIS on the server, attach and reattach to the project, and the issue persisted in Chrome. In Firefox, I was able to authenticate without issue.
From Chrome, the login would validate, attempt to set a Response Cookie as outlined above. Prior to redirect, I could see the properly set Response Cookie, as well as its counterpart in the Request Cookies. However, on each redirect after a seemingly successful login, the Response and Request Cookie are gone.
I enabled Trace on the application to view the cookie collection:
There is a .WebAuth in the Request Cookies Collection, as well as ASP.NET_SessionId and several ASPSESSIONIDxxxxxxxx, but when the page loads, only the ASP.NET_SessionId and ASPSESSIONIDxxxxxxxx cookies are available in the Request.Cookies scope, no sign of the .WebAuth. However, in the page's Trace information after render, there multiple .WebAuth cookies listed, it is just that the page seems to have no access to them.
Primarily, on a working version after authentication there is both a .WebAuth Response and Request Cookie in the page's Trace info. But on a non functioning browser window, the Response Cookie is absent.
Has anyone else had any experience with this? It is such a nagging issue, and so sporadic, but I would love to be able to resolve it. My concern is that it may be affecting users and we would have no knowledge since the description of the issue is so convoluted.
View 1 Replies
Sep 3, 2010
What do I need to do in order to change an application from Forms Authentication to windows authentication?
View 2 Replies
Jun 3, 2010
I have developed the authenticated rss feed using the basic http authentication for my site.I also have the admin module for the site which uses the Asp.net Forms Authentication .Both are in the same project.When i turn on the forms authentication module to None in my web.config.My rss feed authentication works fine(the browser pop up the dialog box for the username and password) and upon entering the username and password the rss feed gets displayed.But with forms authentication turn on when i click the rss feed link i am getting redirected to the administrator login page.
If i set my authentication mode to none than the feed works like dream but the admin module do not work as it uses forms authentication.
How can i resolve the conflict for that one.I am using the asp.net mvc filter on my feed contoller to pop up the dialog box for the username and password.
[Code]....
View 1 Replies
Feb 16, 2011
I'm developing an internal booking sytem. Users log in to the sytem and can view existing bookings and search for bookings. They can also create new or edit existing bookings. When completing such actions I need a confirmation prior to completing the booking or updating the recorded. The confirmation is based on a reauthentication of the user.... in otherwords he needs to enter his passord again.
How can I achieve this? The system is internam and I'm using Forms Authentication. I an also using roles as som of the admin forms can only be viewed by administrators.
View 1 Replies
Jan 28, 2010
I am using partially secured pages ( SSL). Now the problem is when I am switching between HTTPS and HTTP, I am losing my session. I tried storing session in Sql Server Database, its still not working. I am using just ONE web server and all pages are in single application.I am using Sql server 2008 ,IIS 7.0, C#.Net 3.5 I created a self signed test certificate to test my application.
I understand that I am losing my session because my urls are changing with https and http but there has to be someway to overcome this problem. I dont want to put unnecessary load on pages which do not have sensitive data by using https.
View 1 Replies
Jan 4, 2010
I have created a Web User Control (e.g, uc.ascx) which has a few HTML checkboxes in it (using Input Checkbox).
As uc.ascx is dynamically created in my webform page (e.g. page1.aspx), I discovered that the HTML checkboxes did not persist their "Checked" status. how I can make these HTML checkboxes persist?
View 1 Replies
Jul 14, 2010
This could be very straight forward for some of you, but I got caught up. I am doing very simple test - browsing from IIS Manager to see the default page or "under Construction", however I am being challenged to provide my login credential . When I provide my login credential, I am able to see the default page. I wanted to see the default page without providing my credential since Enable anoymous access + basic authentication I am simply wanted to see the default page asit is working on other servers except this one. I have included screen print to make sure may question is clear.
View 3 Replies
Jan 4, 2011
What's the difference between Basic Authentication and Integrated Windows Authentication in IIS?
View 3 Replies
Mar 10, 2010
I set authentication mode to Windows in the web.config and I enable Windows Authentication and disable the Anonymous Authentication in IIS 7 on win 7, but HttpContext.Current.User is always null.It works fine when I host the web app in IIS 6.0.
View 1 Replies
Mar 26, 2010
where I can find a good generic tutorial on persistence data access layers?
View 2 Replies
Feb 23, 2011
Been scratching my head on this one today quite a bit. Time to ask the guru's.Implementing your basic Forms Auth for a 2.0 web app in conjunction with SQL Membership Provider and Role Provider. Web.Config from virtual directory root
[Code]....
All other subdirectories do not contain web.config files but rather wanted them to just work off inheritence from the root web.config. Upon publishing of this setup - I am having one hell of a time maintaining the user 'authenticated' state. (Not sure if that's the best explanation of what is going on.. but)
View 4 Replies
Aug 9, 2010
I have a web farm web project, and want to make sure windows authentication is working well without any problem in web farm, can any one give me some web sites or information about that?
View 1 Replies
Feb 8, 2010
Am going to develop authentication part in the web site. I want my authentication module should not be hacked by any one and also want in secure side.
View 1 Replies
Sep 2, 2010
I needed information regarding the capabilities & integration of AzMan tool with Asp.net.Currently, I got a Sharepoint 2007 website along with ASP.NET 2008 where I am using Form Based Authenication.Now, the requirement is any user within a domain registered in AD should be able to login in website through intranet.
Can I acheive this using AzMan, or I need to create two websites one with FBA for internet users and the other one for the intranet users with AD authenication. Also my intenet website is deployed and in use where usermapping and roles are already created, so using this tool what will be the impact on existing webiste.
View 2 Replies
Apr 2, 2010
I am writing a site with six pages that use the same 12 pieces of data for x number of people. The user always goes to a fixed page where I do all of the DB related work to get the 12 pieces of data for x number of people. However, I don't want to do the DB related work again as it is overhead intensive. So after the initial page I end up with something like this:
Person1, Data1, Data2,Data3,.......Data12
Person2, Data1, Data2, Data3........Data12
[code]...
I have been trying to figure out the best way to store the data so that I can use the data set throughout the remaining 5 pages. I thought of setting up an array within a class but I keep getting a null value when I try to access that class values (maybe I have it set up wrong). I thought using a session variable to store the array, but because it is multi dimensional I am having issues (again, most likely due to a lack of knowledge). I thought perhaps storing the array into a temp SQL table would be efficient, because then it would be a single read out to SQL to get the datatable containing the data back into the page, but that seems like a lot of work for something that should be easier.
View 5 Replies
Nov 29, 2010
I have to create a very simple database driven website ( for a project ) with basic features like a login system, etc. I have completed most of the basic tasks required, but there is one section that is asking me to 'Use persistence to maintain state/relationship'.
I have read a few articles and videos about persistence but I don't understand its benefits and why and how it should be used. Can anyone point me towards a site that explains how to implement state persistence in a simple way. I don't need anything advanced just a very simple way of integrating this into a very simple site to say its been done.
View 1 Replies
Jan 24, 2011
I touched on this last year sometime, but I was frustrated at the time and might not have made much sense. I'd like to try again to see if I can get some constructive advice. I am having an issue in choosing a persistence engine. My first choice is FluentNHibernate / NHibernate. However, I am having severe difficulties with their criterion and projection mechanisms. Searching for examples is difficult and when I do find something, I really don't understand what I'm looking at. After a year of trying to bring this together, it still eludes me. I know I could just ask here for help with certain things, but you guys have more things to do than sit and teach me nhibernate criterion. My second choice is Entity Framework 4. I am leaving the CTP 5 off the list for now as there is a major bug in how self-referencing tables are handled at the moment. Now, I have two sub-choices here. The first involves using code first by turning off code generation in the designer and place my enities and edmx in separate libraries (.Domain and .Persistence.Mapping) but this involves a bit of extra work. Then again, for simplicities sake, I could just dump the edmx designer right in the domain library. But this means having the mapping info in the domain library. Not ideal, but it'd work. I still retain the ability to map collections, references and properties as protected or private, and add logic-checking accessors to the entities, as well as setting a protected and public constructor. The entities would still be strong, valid business entities. With these points in mind, what direction should I head?
View 11 Replies
Sep 1, 2010
I am loading a series of controls in the Page_Load event. However, I have to recreate those controls each page load, which means storing their data elsewhere. This is cumbersome.
protected void Page_Load(object sender, EventArgs e)
{
MyControl control = (MyControl)LoadControl(...);
control.Initialize(GlobalClass.controlData);
//^gives the control the data it had previously.
//Or use ViewState["controlData"] if serializable.
Controls.Add(control);
}
I feel like I should be using if (!IsPostBack) {}, but I don't know how, or why. In contrast, if I place the controls into the markup, then the controls seem to stay persistent. For example, a button in mark-up will remember any changes to its Text property (I think?).
<asp:Button ID="buttonText" runat="server"
Text="Text Segment" onclick="buttonText_Click" />
How do I maintain some sort of persistence with dynamically added controls, like controls added via mark-up? This would save me much work and frustration.
(I've coded for a small eternity, but the more I do ASP.NET, the more confused I become. Which is exactly the opposite of what how I understood learning to work :-P.)
View 2 Replies
Dec 15, 2010
I have to invoke SSIS packages from web service in the most secure way. I think that windows authentication will be secure but i am not sure. I do not have much knowledge about how to achieve this and the information on the internet is very distributed.
View 1 Replies
Apr 6, 2010
We use Sharepoint to control our websites. We build the sites, then load them into the sharepoint server. My question is if I use windows authentication, how can I get my role security in my web config file to coencide with the asp.net controls that use the Forms authentication. Is there a differenence? Our security uses a session variable for security but there is no where to set up their permissions except in active directory. I hope this makes sense because I would like to implement the LoginView with Role groups but how can I give them the role="administrator"? Do I have to go into active directory and give them these permissions(would take awhile due to the size of the company)? Or do I have to set up priveladges in the web.config file for each user(difficult I think)?
View 5 Replies
Aug 18, 2010
I'm writing a simple Intranet application using windows authentication. I want to restrict access to Safe/UCantSeeMe.aspx. I am aware of the AuthorizeAttribute, but this only works on methods. I also found a good post on doing this with the MVC pattern, but I'm not using MVC. This can be done with roles in forms based security. I read on MSDN that using windows based security means roles are based on groups, but it doesn't go into any detail. how can I restrict access to Safe/UCantSeeMe.aspx?
View 1 Replies
Mar 17, 2011
We are using membership provider for LDAP authentication. It is working as it should.
But what all configuration settings I have to do so that
all the future requests to this application run under the security context of the Logged in user account not through the some default user set in IIS.
We need to have this working because all the permissions on the database are based on the logged in user.
We are using form authentication for LDAP authentication. And having impersonation = true in web.config.
View 1 Replies
Sep 21, 2010
I have an application that has a user Login Control (provided by ASP). I am just now working with the integration of a dataBase created in MS visual studio 2010, to a developed website created in MS visual web developer 2010. My main goal is to create an authentication ticket that enables a user to be able to see a dataBase information only after that user has been successfully authenticated.
Up to now I'm able to see the dataBase when i run the website even if I'm not log-in, how i can create a home page that tells the user to log-in and once that user has successfully log-in it redirects the user to another page where the user can see the database and how I can add information to that dataBase only to specific members
View 4 Replies
Mar 15, 2010
I have the same exact problem here [URL] I have a multi-project solution with role based security. I login with admin and hit logout. Then, I can login with a user that has a different role and access an admin page by typing the address. Once I try to do something on that admin page that postbacks then I get kicked out and redirected to the login page. If I don't write in redirect to login page in logout page, I have to hit logout twice for logout to work properly. Also, it works fine if I close the browser and run a new browser.
Web.config:
<authentication mode="Forms">
<forms name="AppAuth" path="/" loginUrl="login.aspx" protection="All"
timeout="5" slidingExpiration="true" defaultUrl="default.aspx"></forms>
</authentication>
[Code]....
Something else I am wondering is if there is a way to redirect a logged in user to default page instead of login page when they try to access a page they don't have a permission for access.
View 2 Replies
