I have an MVC web app and want to setup the security in a fashion that is NOT persisted. The problem is that if a user logs in and closes the browser (all instances) and open a new browser, goes to the site heshe is logged in automatically. I want the "session" to expire if you close the browser but I cannot seem to get the answer.
I have authentication mode="Forms" in the web.config and all my usernamepasswords are kept in a custom SQL DB. I can see that on login, Asp.net drop a cookie called ".ASPXAUTH" that expires in 30 minutes. I changed it to expire "At end of session" but if I close the tab I can see that that cookie is still active.
What do I need to do to get the browser to force a login if the user closes the tab or browser?
I'm having trouble setting up a custom NEW User Screen. Here is my situation, I have a Request for Access Screen that uses the CreateNewUser Wizard Control. I want to leave the Question and Answer for this, however I also want a custom NEW User Setup which I build myself to allow the system administrators to setup users, but for this setup I don't want the administrators to have to pick the question and answer for the NEW user, so I would like to bypass this for this setup. However, my Membership.CreateUser keeps asking for it. How can I accomplish this? I've included a copy of my current web.config file. You will notice a AspNetAdminMemberhip which I use to allow the System Administrators to reset passwords.
I am creating an application hosted on GoDaddy.com. The base files are kept in a folder called /sky while the Admin files and User files are kept in /sky/Admin and /sky/User respectively. I'm having difficulty configuring the security so that when a user tries to access Admin or User files they should be redirected to the login.aspx file in the /sky folder. I keep getting an error that its trying to access sky/sky/login.aspx instead of just sky/login.aspx.
Here are the relevant sections of my web.config file.
I have just added the following to the very last page of my application.
[Code]....
And then i have this on each of the pages before the last, within my Page_load:
[Code]....
I have different sessions thruout the application process, but this one session is only set at the beginning of the process and once i kill it on the last page, any attempt to hit Back or trying to access any page directly without first starting, i need to force them to the beginning, what am i missing or doing wrong?
sessID is set on page 1 and is available until you get to the last page. Where i added the Session.Abandon(); Now if i get to the last page and hit back before the refresh occurs, im able to go back, but the page comes up with null reference for other sessions that are obvisously cleared / killed with the abandon. So i should have to check for each session should i? I mean if the abandon killed them all, then checking for the main session should be enough right?
I have the following connectionStrings in my web.config file: ... <add name="myApp1_dev" connectionString="Server=localhost;user id=root;password=;persist security info=True;Database=dbOne" providerName="MySql.Data.MySqlClient" /> <add name="myApp2_dev" connectionString="Server=localhost;user id=root;password=;persist security info=True;Database=dbTwo" providerName="MySql.Data.MySqlClient" /> ...
I dont know if this was the best way (somewhat new to vb.net), but in my Login.aspx page, I set global session variable to one of the two connection strings. If the user logs into App1, it uses connectionString myApp1_dev; if user selects App2, it uses myApp2_dev. My question / problem is: Each of the two databases have their own MySQL membership and role tables. If the user logs into App1, I would like to the dbOne database tables. If user selects App2, select dbTwo tables. Can I support Roles from multiple databases?
Where can I find a good tutorial on setting up roles and authorizing them? I'm using Windows Authentication for an intra-net based app and need to figure out how to grant the users access to the various pages.
We are using membership and roles.. is there anyway to setup a user that cannot be deleted? We need to setup a default admin account and dont want it displayed in list of user to modify, or if it has to be displayed, it cant be deleted or edited thru the pages that is, if they need to, they can do it thru the website admin section to manage it.
How do I set up an automatic password recovery feature? (This is an internet application using forms authentication.)
I am trying to set up the common senario where when a user who has forgotten his password, clicks a button to request I send him a new password. I then open his browser's default email client (that is no problem, that part I already have coded and it is working fine.) The user then clicks a button to send me his email. Now comes the problem. How do I detect that he has done that?
Am I approaching this problem correctly? Should I be requiring the user to send me an email in order to have his password reset? Or should I just have him fill in textboxes giving me his username & password? Wouldn't this allow a malicious user to abuse the system?
I am trying to setup a notification bar that shows errors when trying to login. I am using MySql as a backend.
Here is the aspx:
[Code]....
Here is the code behind:
[Code]....
I am not sure if I am over thinking what I am trying to do or what. I was able to get it to show the notification bar but it wouldn't show correctly and then somehow it wouldn't let me login.
The above code is what I came up with after reading some articles, which doesn't work. When stepping through the code, I get an "Input string was not in the correct format" error. I think the reason I get that error is because the password format is "Encrypted".
Either way I try it I can't get the bar to show up with the error, or actually login (I am sure I can remove everything that I 'tried' and it would work.
I created a user control for my web application that checks for Session Timeout. If the criteria are met for Timeout, I use Response.Redirect to send the user back to the login page. I include this user control in my Master page, and run the SessionTimeoutcode in the user control's Page_Init event. That all works great. However, once the user logs in again after time-out (and I have verified that the OnLoggedIn event does fire) the user is redirected to the DestinationPageUrl. That page runs the Session Timeout check when it loads (as it should) and the Session Timeout code "says" that the session is still timed-out.
I would like to check if someone tries to access the application with the same username from a different browser/pc/etc. All usernames and passwords are stored in a MSSQL db.
What I am doing at the moment is: In the global.asax-file in Application_start(..) I initialize [Code]....
Now with every user that logs in I can check whether he is allready in ( in that case, he won't be able to log in, he'll be redirected to the login page ). Let's say it's the same user who wants to login but for some reason he wants to start the application from a different pc, maybe in a different building. Unless he hasn't forget to logout, he won't be able to login on this different computer. So he would has to go back and logout or wait for the timeout.
Now wouldn't it be more convenient to abandon the first session and let the same user login to the pc where he is right now?
The question is, is it possible to end the first session without beeing in it? Or is there any other solution for that problem? Since I have the SessionID stored in Application["UserList"] is there any possibility to end that specific session?
I'm hoping this is a simple configuration setting that I have incorrectly defined. I have an application that has a secure (members) area. If a customer tries to browse directly to the secured page (http://www.mysite/members/memberpage.aspx) asp.net loads up my login.aspx page. When the user successfully authenticates from the login.aspx page in they are taken to the secured page they originally requested (so far so good!).The problem I have is that I run some SQL using the User.Identity.Name on the secured page as a reference to who the logged in user is. This way I can show some customer specific information. When I take the login route outlined above, the SQL doesn't seem to run (or the Session Variables aren't loaded yet?)... my page loads up with no customer information in it. If I browse to another page and then back the customer information shows up and all is well.
I have a web setup package project alongside an old .asmx web service. When I build it I only get 'MyService.msi' and not the 'Setup.exe' in the 'Release' folder after build. Normally the .msi suffices for installation, but on Windows Server 2008 R2 I am getting denied from installing the .msi pacakge. I can only install .exe packages after right clicking and stating "Install as Administrator".
The server admin is still new to 2008 R2 and not sure why I can't install an .msi because I am an admin, so for now if I knew how to get that web setup package to generate the Setup.exe file as well I see my other VS.NET setup packages create.
I got this login system where I need to set a session for when a user log's on, eacth user have 2 id's, and I need to get one of them to get the right content from my DB... So how do I get my users id's from my session's?
I am doing web based projects in dotnet. Currently I am implementing security using session variables. I keep current user id and user type in session and authenticate user from these session variables (say Session["UserId"],Session["UserName"] and Session["UserType"]).
I've heard that such security can be broken and applications can be hacked very easily, like it is possible to get session id and directly connect to that session id etc.
I recently read an article on making ASP.NET sessions more secure here and at first it seems really useful.
Previously I had been storing the user's IP address in the session, then making sure in every subsequent request that the requesting IP was equal to the stored IP.
The code in the article also protects the session by checking the IP address, except it stores a hashed message authentication code containing the user's IP as part of the session cookie. It creates a hashed MAC twice every request, which I imagine would slow things down a little.
I can already see a potential flaw in their code: if you were to somehow get a hold of the key used to generate the MAC, you could then generate a valid MAC with your own IP - you wouldn't even have to fake the IP the session was started on.
It seems like an overly-complex solution to a simple problem which not only incurs a larger overhead but also is more susceptible to attack than the trivial method - unless I'm completely missing the point.
So, why would this approach be any more secure than the more simple approach that I had been using?
As a slight aside, the author also states that you shouldn't use the whole IP address in the comparison, as some user's IPs change every request if they are behind a proxy. Is this still the case if you check X_FORWARDED_FOR?
using the Login control, which I just dragged and dropped from the toolbox, when the user successfully enters his or her username and password, I want the username text to be set as a session.
I don't believe the built-in membership saves username in session, does it? If I'm not mistaken it's saved in a cookie.I've implemented the ImageManager add-on for tinyMCE and trying to set the default folder for images based on authenticated user's username. Looks like out of the box, ImageManager allows this by getting the username from session.
I would like to insert a GUID into my table, then pass that variable to another page where I will use it in an email validation. Is this how you create a GUID?
Is there any way that I can create a session variable AFTER authentication? It needs to be populated from the users record in a sql database. Basically I tried using Application_AuthenticateRequest in global.asax with an application variable but this made it available to all users. Using session_start is not working as when this runs my user is not currently logged in, so the variable is always empty when I try and grab it's value.
I have a web site that streams on demand video content. The video content is stored and delivered from a seperate SMD platform. My website submits a url request to the media server in order to get the media to display. My user session data is held in a sql server database on another seperate server.
I think the best way for me to do this is to create a web service that can validate a session id. So when I create the url on my web site I include the encrypted session id. The media server then sends this encrypted token to my web service which in turns decrypts the token and validates the session id against my database and then returns whether valid or not which is used to check if the content can be displayed.
I expected this would set 30 minutes as timeout for inactive sessions, but they seem to be timing out much sooner.
Is there some other way to specify time for session timeout ?
I know I am using an unsupported AccessMembershipProvider which I was forced to do because my host service does not support SQL Server Database (so I am using an Access Database).
However, this AccessDB provider seems to work fine in all other respects. I'm suspecting that the early timeout is because of some other obscure setting.
