I managed to user to perform multiple log on from other IE window session in my web application if the same log on is currently being used.Unfortunately I have problem to control multiple log on if the user is logging in using tab browsing in the same session. I know this is due to the same session Id but is there any way to trace down to the tab level within the same session?
View 2 RepliesI am trying to force to show to the Logon popup when the session is timeout in Integrated Windows Authentication Enabled website. The session_timeout is firing during the session timeout, but the User.Identity.IsAuthenticated is true. How force to use the Windows Logon Screen when the session is timeout.
View 4 RepliesI have ASP.net application that is basically a data entry screen for a physical inspection process. The users want to be able to have multiple browser windows open and enter data from multiple inspections concurrently. At first I was using cookie based sessions, and obviously this blew up.I switched to using cookie-less sessions, which stores the session in the URL and in testing this seemed to resolve the problem. Each browser window/tab had a different session ID, and data entered in one did not clobber data entered in the other.
However my users are more efficient at breaking things than I expected and it seems that they're still managing to get the same session between browsers sometimes. I think that they're copying/pasting the address from one tab to the other in order to open the application, but I haven't been able to verify this yet (they're at another location so I can't easily ask them).Other than telling them don't copy and paste, or convince them to only enter one at a time, how can I prevent this situation from occurring?
Preventing user to open duplicate web application,while it is running .....
View 1 RepliesHacker's attack the session ID in asp.net application. How can we protect the session identifier from hackers.
View 1 RepliesLet suppose, I am building an asp.net website which has login scenario in it. I want to provide a certain functionality to the website that if the user is already login on computer 1 and now try to login on computer 2, so he will be allowed to remain login on computer 2, while automatically logout him from computer 1. I also know that http is a stateless medium, so whenever user interact with computer 1 and try to interact with the page, it will get noticed at that time.
View 2 Replieshow to prevent multiple login using vb.net? I'm using visual studio.net 2008
View 6 RepliesMy application is windows authenticated. The application pulls JUST the userName from the current windows account. Then I provide site access to this user depending on his account privileges. If his userName belongs to the admins list he is directed to admin screens. If his username belongs to users list he is directed to users screens. I handle this security in C# and some SQL tables(No membership provider and no Active directory security in the app).
I need to be able to prevent multiple concurrent logins for the same userName.
I'm building an application using MVC3 RC and I'm trying to add a session variable as soon as anyone logs on. The variable is an int which is retrieved from a database using User.Identity.Name to retrieve the relevant database record.
I'm using the MS AccountController and tried adding the session variable immediately after the line:
FormsService.SignIn(model.UserName, model.RememberMe);
Although this is the point at which the logon is validated the User.Identity.Name is still showing as null when I try to get it immediately after.
Does anyone know when User.Identity.Name is actually populated in the session and how I can intervene to grab it at that point?
I have an app that uses impersonation to gain access to a database (on server separate from IIS). The app connects to the database using a trusted connection and seems to be working just fine. However, we get these logon failure events in the security event viewer:
[Code]....
It must have something to do with impersonation because the login failure is for the domain account which my app is impersonating under. But again, the app is working fine so I'm having a hard time figuring out how to stop these logon failures.
I get about 5 minutes of inactivity before a logon box appears for a site I manage. Once logged in, our users must be able to stay logged on all day with no annoying logon popups. This started happening after a change i made to IIS6. We formerly had digest authentication and windows integrated authentication checked and everything worked fine but our users complained because they had to put creds in as <domainuserid>. We want to get rid of the domain requirement. To do this i unchecked windows integrated authentication and added the domain to the "Realm" text box. I can log in now without the domain, and everything works as before but I only get a few minutes before I have to relogon. I tried increasing the connection timout to 36000 and have keep alives checked on the web site property page. I also tried setting the web servers registry setting: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesInetInfoParametersDigestContextCacheTTL to 36000 (ten hours). these changes had no effect that I can see.Our setup:we use SSL and have a test certificate that is expired We are hitting the site on our intranet with IE7 or IE8. The production version of this site is on the internet though.IIS6 on a 2003 serverkeep alives is checkedanonymous authentication is uncheckeddigest authentication is checkedwindows integrated authentication is uncheckedIISRESET was run after each change.
View 7 RepliesWe will put the active directory logon when the user access the website, the user needs to fill in his user name and password.
How do we store/get the details of the logon user once the user is logged in?
How to enforce logon hours validation
View 10 RepliesI have created an intranet site in win 2008 server. Enabled Windows Authentication and disabled Anonymous. I want to get AD logon username(current win logon user).I used HttpContext.Current.User.Identity.Name and also tried User.Identity.NameI am accessing the site from client machine. I am not getting the client's logon user instead getting the server's logon user. But I want client's logon user only.I just want to get username. I dont need any login screens or bla blaWhen I run in my development system(XP), its working fine.
When I deploy to windows 2008 server, I am getting problem(Getting only the server's logon user instead of getting the client's logon user).So, problem in the server settings. So, any settings I need to set to get this worked?I enabled Windows Authentication for my site in IIS management window. Disabled Anonymous authentication.
I have created an Intranet site using windows authentication based on role membership. It is working great. My Web.config is shown below.
<authentication mode="Windows" />
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
<authorization>
<allow roles="D820Developers, D820IT, D820Staff, D820Providers, D820Supervisors, D820Directors, D820Interns" />
<deny users="?"/>
</authorization>
Now my user wants the capability of being able to login to the intranet site as another user. For example, IT guy needs to login on a user's system to set some data.
I have created a standard MS Login Page. However when I try to login on the page I get the message
Your login attempt was not successful. Please try again
I do not have a database (aspnetdb.mdf) storing user information but login against the active directory. Can you use the login form with windows authentication without a database?
I'm using forms authentication in my application but i want to get the active directory domain anme and user name of the logon user. is that possible. The IIS Directory security settings are Anonymous Access allowed and Integrated windows authentication ticked. I tried the following but to no avail
Request.LogonUserIdentity.Name (this is returning the machine name and user name used for anonymous access)
System.Security.Principal.WindowsIdentity.GetCurrent().Name -> returning NT AUTHORITYNETWORK SERVICE
Ok so I've created a login page that accesses my Active Directory and challenges against it. What I would like, is if a user is logged onto the computer within the intranet with Active Directory Credentials for them to bypass the login to the web page.
However if they are outside of the building on a random computer, they should be presented with a login box just like they are now.
I'm running IIS 6.0 on a Windows 2003 server and running an ASP.NET 4 application which connects to an SQL Server 2005 database on another server. I have my Default.aspx page set to Windows authentication with anonymous access disabled.
When I load up the page it asks for a username and password (as expected), I enter my credentials and it comes up with the following error:Login failed for user ''. The user is not associated with a trusted SQL Server connection.
If I add the following to my web.config file: <identity impersonate="true"/> then I get the following error:
Login failed for user 'NT AUTHORITYANONYMOUS LOGON'.
And if I add the <identity impersonate> tag set to true and with my username and password included it connects successfully.
I can't leave this in there as I want each user to connect as themselves, so why is the server not using the credentials that I enter when prompted to connect to the database ?
I built a small ASP.NET application. It has a global.asax and sets some session variables on Session_Start(...).What could prevent (all) session variables from not being set? Would a session time out do it? What if JavaScript turned off? What else can do it?
View 2 RepliesI am using microsoft visual web developer 2010 to build and publish my website, I am facing a security problem. My website has authentication service for my clients, each one he has his own user name and password. After I introduced a new member, my database collapsed, may be this last member is a hacker. Is their a way to improve security vulnerabilities to prevent future attacks. May be through web.config, could be encrypted.
View 11 RepliesDoes somebody now a good way to make session not transferable, so an user can't move/copy the session token ID from one machine to another?
View 2 RepliesOur intranet has a custom membership system (not asp membership) which puts values in the session information to identify users. As the intranet is constantly evolving, I often have to publish changes to the live server several times every day. Each time I do, the users who are logged in's sessions end and they have to log in again. This causes various issues which I won't bore anybody with here.
My question - is there anyway to prevent this, or do I just have to live with it? Have spent the last 3 hours Goggling and can find no solution.
I have a .Net 3.5 website which uses windows authentication and expires the session using a meta tag on the prerender of my base masterpage class.
protected override void OnPreRender(EventArgs e)
{
base.OnPreRender(e);
if (Response.ContentType == "text/html")
this.Page.Header.Controls.Add(new LiteralControl(
String.Format("<meta http-equiv='refresh' content='{0};url={1}'>",
SessionLengthMinutes * 60, SessionExpireDestinationUrl)));
}
This works well for pages that do full post backs. However there are a few pages in my application where the user does a lot of work that is inside of an update panel. My company's policy is a timeout of 15 minutes. Which means, after 15 minutes of working inside of an update panel page, the user gets redirected to the application splash page.
Is there a way to reset or extend the meta tag on an async postback? Or perhaps a better way to accomplish this entirely?
i'm using session variables for send variables between aspx page and it works fine ...but after some time of inctivity(user) in the page the sessions is los...how can i resolve this issue ? this is my code below how to send session :
protected void Lst_Interv(object sender, EventArgs e)
{
Session["Id"] = gdMedical.SelectedRow.Cells[0].Text.Trim();
Session["Service"] = gdMedical.SelectedRow.Cells[6].Text.Trim();
Session["Nom"] = gdMedical.SelectedRow.Cells[2].Text.Trim();
string pageurl = "LstIntervention.aspx";
Response.Write("<script> window.open('" + pageurl + "','_blank'); </script>");
}
I want to get username and machine name of local computer logon to domain. So, how can I get it?My site has annonymous access checked in IIS. cause this application is for the Internet not our company's Intranet.for example, I logon to domain (test.com) in the local computer name is PC1, with the account and pass is: client1 and 1234567.I visit my website, now I want to get user and computer name to show up on asp.net.
View 1 Replies