i have 2 websites, website1 has window.open link to the website2, authentication is forms (and windows but in web.config is set to forms) for both websites, when i click on the link and debug Request.IsAuthenticated should be true or false? both applications are running on the same machine
View 2 RepliesHow to set Request.IsAuthenticated to true when not using FormsAuthentication.RedirectFromLoginPage?
View 3 RepliesWhen I want to cache I View or an Action like this :
<%@ Page title="" language="C#" masterpagefile="~/Views/Shared/MemberHome.Master" inherits="System.Web.Mvc.ViewPage<IndexViewData>" %>
<%@ OutputCache duration="400" varybyparam="divId;regionId;page" %>
I know that it cache all data in my page ... But in my page I have a condition like this :
<% if(Request.IsAuthenticated) { %>
<a href="/fr/Advertiser/Search"><img src="/content/images/v_2/bot.jpg" alt="Entreprises liées à vos passions" title="Entreprises liées à vos passions" /></a>
<% } else { %>
<a href="/fr/Advertiser/OpenSearch"><img src="/content/images/v_2/bot.jpg" alt="Entreprises liées à vos passions" title="Entreprises liées à vos passions" /></a>
<% } %>
I dont want to cache this variable : Request.IsAuthenticated ... because some result depend of this condition ... I try the donut caching by scottgu's but it return (I think) just some text not a bool ...
http://weblogs.asp.net/scottgu/archive/2006/11/28/tip-trick-implement-donut-caching-with-the-asp-net-2-0-output-cache-substitution-feature.aspx
Now I'm tired to try anything that come to my mind .
Request.IsAuthenticated condition failed on server after I deploy the code. It is working for me when I ran from local server.
FormsAuthentication.RedirectFromLoginPage("user", True)
Session("user") = mUser
Response.Redirect("~Clients.aspx")
I am checking
Request.IsAuthenticated
in Clients.aspx page load. There it is failing.
How can I work it on server also ?.
I am using Form Authentication and sending an Aajx request to the server for authentication. Based on the json result, the client decides where to go and what to do. That is the reason I am not using FormsAuthentication.RedirectFromLoginPage to not interfere the ajax/json response.In this case Request.IsAuthenticated returns false, even after validating the user with Membership.ValidateUser. Then I set the cookie using FormsAuthentication.SetAuthCookie(username, false)
View 2 RepliesI create two pages, the first one is the login page with user name and password textboxes - (not asp login control) , when clicking login button I check the login authentication, if it is true redirect to default page. in the default page if !IsCallBack then i check httpcontext.current.user.identity.isauthenticated
if it is false i redirect the user to the login page. but my problem is that the httpcontext.current.user.identity.isauthenticated is always false.
Below the section of authentication in web config
[code]....
We have an SharePoint site no login (anonymous) with a search module using AJAX. Now the users complains that the module isn't working. When I check the code (not developed by me), I find that the code only runs if "HttpContext.Current.User.Identity.IsAuthenticated=true". Could that ever return true on an anonymous site?
View 1 RepliesI have a page where, when the user has successfully logged in, I store some values in the session.
I then use these values to load an application list page. This page is automatically refreshed after 20.1 minutes, with the sessionstate timeout and forms timeout in web.config set to 20 minutes (with sliding expiration). This means, if the user does not use any page for more than 20 minutes, he is timed out.
My problem is that the User.Identity.IsAuthenticated sometimes returns true, when the session has expired.
Why is this happening, and how can I fix it?
I need an app pool recycle to be completely transparent to the users of my web app. I use ASP.NET 3.5 MVC 1.
Currently, upon an IIS 7 App Pool recycle all users logged into my web app are kicked out and are required to log back in (Context.User.Identity.IsAuthenticated is set to false). I employ SQL State Server, I use forms authentication and both are configured to use cookies. I was under the impression that .NET and/or IIS handles authentication of cookies.
However, every time the app pool is recycled Context.User.Identity.IsAuthenticated is set to false my users are kicked out and are required to log back in. I can see that the session id remains the same throughout logins, I can also view this session information in the database/state server.
Logon method:
[Code]....
Custom Controller Attribute:
[Code]....
WebConfig:
[Code]....
How do you compare the security of websites built in ASP.NET with other websites bulit in other technologies such as Ruby on Rails, PHP..?
View 3 RepliesI have 2 web sites both located physically on the same web server, I'll call them siteA and siteB. These sites are accessed by internal users on our intranet as well as external users on the internet.
SiteA is is setup on IIS6 using basic authentication which we connect to an active directory. The web config is set to use Windows authentication mode. The url to site a is etoolbox.xxx.yyy
SiteB is the same setup. The url to siteB is rdow.xxx.yyy
What I want is once the user is authenticated against the active directory when the login to SITEA for them to be able to click the url in siteA which opens SiteB in a separate browser window and automatically takes them to the welcome page without being prompted for credentials again.
Currently when clicking on the url to go to siteB I am being prompted again for my credentials.
Is there any way for both external and internal users to only be prompted once for their active directory credentials and then be able to go to whatever site they want to without be prompted for credentials again? Is this something I have to code for or is it handled automatically by IIS?
I have created an xml file. and I want only some websites that I have chosen to reach this file and view the datas of this xml file on their sites.
How can I do that? How can I give permission to some sites for and xml file?
the account we use to copy/publish websites to our web server is not allowing us access to push websites. I've added this account to the permissions in the links listed in the below link, but i don't have success when trying to push remotely. When the account is in the local admins account, everything works flawlessly, but we are not allowed to have it in there. http://social.msdn.microsoft.com/Forums/en-US/vssetup/thread/31be047e-4716-4974-b8a1-be0111b50199 I've googled and searched a lot for this particular error, but am not finding an answer that helps. We get this error, 'Unable to create the Web 'http://edea01/test/planning'. You are not authorized to perform the current operation', and the above link is the scenario that matches mine the most. I don't do develompment work, but am asked to figure out this connection problem.
View 3 RepliesI have a scenario with three applications:
1) Portal: where user executes login
2) Site1: after login at "Portal" user is able to use Site1
3) Site2: after login at "Portal" user is able to use Site2
I just need to execute a validation in Site1 and Site2, to validate if they (users) did login at Portal1.
Something like (in site1 main page page_load).
{
if (notFromPortal)
{
//redirect to Denied.apx
}
}
How can I do this in a simple way? With cookies? Does somebody have a url with sample?
My security requirements are almost zero. I just wanna prevent that user put a url from Site2 in browser and see a Site2 page.
We have two different websites that run two seperate web sites (a backend and a front end) for our peice of software. The way we do our authentication is to put the user id into the session when the user logs in, all the pages on the site inherit from one base page if this base page cannot find this value in session it kicks the user out to the login screen.
What we want to be able to do is have a link on the front end after the user logs in and when they click on it it takes them(redirects them) to the back end. However I cannot think about how to do this in a secure and sensible way. I did think of putting the users username and password dynamically generated into the hyperlink that takes them from the front end to the back end. Would this be advisable. It will be clear text but then again we done use ssl in any case just plain forms authentication. I mean I will hash the values anyway but still be sending them. I suppose is there a way to share a session across two app domain without too much dificulty?
I created a mixed mode authentication mechanism based on a few of the articles that I have read on this topic. It's similar to something like this: [URL]
Basically, there are two web applications. One accepts the Windows Auth and one accepts Forms Auth. The Windows Auth then creates a forms auth ticket and passes control to the Forms auth application. This solution works fine when both applications are housed within the same IIS web site.
Now, order to control the security of this solution we set up multiple IIS web sites on the same machine. Web Site 1 serves external traffic (forms auth) and Web Site 2 serves internal traffic (windows auth).
So the design is that an internal user can hit the site using Windows auth via a internal name (myserver) while the external users use Forms Auth hitting [URL].
All that said, the solution works when the two applications are in the same site. Doesn't work when they are in different sites.
I am using Itext sharp to create a pdf. I am adding an image and I keep getting this error
Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, ersion=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
it is this bit of code that is causing this
[Code]....
If i comment this out, the PDF builds and no errors are thrown (there is just no image)
I don't understand cause I am am trying to do is read a file.
I got the error
System.Security.SecurityException: Request failed.
when i use project dll in my code.
Encrypt request.querystring and Descrpt request.querystring
View 1 RepliesWebApp1: on IIS and configured with Windows authentication. Get User account from AD.
WebAPP2: a java web app on another windows box in same domain with authentication from AD
On web app1, I have a http handler like
public class MyHandler : IHttpHandler
{
public void ProcessRequest(HttpContext context)
{
string url = "http://WebApp2/Test";
HttpWebRequest myReq = (HttpWebRequest)WebRequest.Create(url);
CredentialCache myCache = new CredentialCache();
NetworkCredential netCredential = new NetworkCredential("myname", "mypassword", "");
myCache.Add(new Uri(url), "Basic", netCredential);
//...
myReq.Credentials = myCache;
//....
}
}
in above way, I can set authentication in code and pass it WebApp2.
But I don't want to put name and password in code. User info already available on WebApp1: in context.User I can find out the user info who already logined into WebApp1, so I want to pass this credential to WebApp2. I have tried to do following:
myReq.Credentials = CredentialCache.DefaultCredentials;
but I am failed becuast there is no data in CredentialCache.DefaultCredentials.
I am trying to implement the Ajax HtmlEditor into my application. I currently am using a regular TextBox to load and save some data to some EMail template files and had to do some work-arounds to get it to accept the HTML Input. I am trying to upgrade it to use the Editor, but as soon as I insert the Editor and do a PostBack, I receive the Security Exception below. There is absolutely no change to the code-behind, so I don't understand the issue. There is so little on Google for the Version 3.5 Editor that I'm stumped. I have Debugging enabled, but it won't give me the Soruce Error either.
Security Exception Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file. Exception Details: System.Security.SecurityException: Request failed. Source Error:
[Code]....
:: REMOVED FOR SIMPLICITY :: Stack Trace:
[Code]....
Here is my code
[Code]....
"fileUpload" is the FileUpload ASP.NET control. The SaveAs method writes the user uploaded file to a specified location on the server. IT WORKS. That tells me that the ASP.NET process has the proper write permission to write to the file.The next line uses an assembly called PdfSharp which you can use to open PDF files and manipulate them. In this case, the line simply opens up the user uploaded file. That is where the error occurs. WTH?
It works on my production machine. It does not work on my local machine. It USED TO. It was never a problem before.So why would it be fine to WRITE to the server, but trying to open a file give an error? Makes no sense. Googling yields a suggestion to put <trust level="Full" originUrl="" /> under <system.web> in web.config. It does not work.
I'm using the UrlRewriting module on my site and I can't seem to get HttpContext.Current.Request.IsAuthenticated to return "true" on any rewritten pages.
If I go to my home page (http://localhost/default.aspx) I get "true", but if I go to something like (http://localhost/contactus) I am always getting "false".
also, for a direct example, I have an edit bar that is supposed to appear to anyone who is authenticated. The if statement fires in the Page_Load method
If HttpContext.Current.Request.IsAuthenticated Then _
Me.FindControl("EditBar").Visible = True
I have also tried putting this in the page load event
Response.Write(HttpContext.Current.Request.IsAuthenticated.ToString)
Every page that is rewritten says "False" where pages that are not rewritten say "True".
I am trying to create a httphandler which will intercept a sample pdf file which we have in our website. The httphandler works fine from within my development machine and even my locally published website that if I just try to connect to the test url: [URL] I will get sent to the invalid access page. So pushing it to our IIS6 machine when I try to go to the URL it serves up the PDF document. context.User.Identity.IsAuthenticated is always showing as true. I'm using forms authentication. below is the code I am using as the handler.
public void ProcessRequest(HttpContext context)
{
if (context.User.Identity.IsAuthenticated)
{
string SampleURL = context.Request.AppRelativeCurrentExecutionFilePath;
context.Response.Buffer = true;
context.Response.Clear();
using (FileStream fs = new FileStream(HttpContext.Current.Server.MapPath(SampleURL),FileMode.Open))
{
int length = (int)fs.Length;
byte[] buffer;
using (BinaryReader br = new BinaryReader(fs))
{
buffer = br.ReadBytes(length);
}
context.Response.Clear();
context.Response.Buffer = true;
context.Response.ContentType = "application/pdf";
context.Response.BinaryWrite(buffer);
context.Response.End();
}
}
else
{
context.Response.Redirect(
"~/Error/invalid_access.aspx");
}}
in web.config I have the following for form authentication:
<authentication mode="Forms">
<forms name="Sample.Web" loginUrl="~/Security/" defaultUrl="~/default.aspx" protection="All" timeout="60" path="/" requireSSL="false" slidingExpiration="true" enableCrossAppRedirects="false" cookieless="UseDeviceProfile" domain="">
</forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
Environment is IIS 7 integrated pipeline, ASP.NET 4.0. I have a .aspx page configured without anonymous authentication and with windows authentication:
<location path="auth/windows">
<system.webServer>
<security>
[code]...
When I request the page, a normal Windows auth (NTLM/Negotiate) challenge response happens, and ultimately the page is returned.I have an HttpModule in which I handle the PostAuthorize event. As expected, this event is only raised once the challenge-response authentication has succeeded and access to the page has been authorized.However, the Request.IsAuthenticated property is false; and HttpContext.Current.User.Identity reflects an unauthenticated user (.Name returns the empty string). Interestingly, Request.ServerVariables["LOGON_USER"] does return the value of the authenticated Windows user.I'd have thought that once the user was authenticated (and authorized, for that matter), the request would reflect being authenticated; and the User / Identity for the request would have been properly set.