WIF Security Token Service Not Staying Logged In

Aug 27, 2010

I'm using the Windows Identity Foundation (WIF) Security Token Service (STS) to handle authentication for my application which is working all well and good. However I can't seem to get any long running login with the STS. From my understanding I shouldn't care about the client tokens at the application level since they can expire all they want to and it should redirect me to the STS and as long as they're still logged in on the STS it should refresh their application token. Yet it doesn't seem to want to keep them signed in.

Here's what occurs in my login.aspx on the STS:
var cookie = FormsAuthentication.GetAuthCookie(userName, persistTicket);
if (persistTicket) cookie.Expires = DateTime.Now.AddDays(14);
Response.Cookies.Add(cookie);
var returnUrl = Request.QueryString["ReturnUrl"];
Response.Redirect(returnUrl ?? "default.aspx");

Which was taken almost directly from an existing application using normal Forms Auth.
From my web.config:
<authentication mode="Forms">
  <forms loginUrl="Login.aspx" protection="All" timeout="2880"
         name=".STS" path="/" requireSSL="false" slidingExpiration="true"
         defaultUrl="default.aspx" cookieless="UseDeviceProfile"
         enableCrossAppRedirects="false" />
</authentication>

Looking at the cookie after I sign in I can see the expires time on the cookie is set for 14 days in the future and that the cookie is NOT a session cookie. When I'm required to log back into the STS I can see that my original cookie is still there. Is there some kind of time stamp functionality that the STS embeds into the cookie that is invalidating my cookie even though as far as I know it should still be valid?

View 2 Replies


Similar Messages:

Security :: User Is Staying Logged In After Session Ends

May 12, 2010

My web application uses forms authentication. One of my users who uses IE8 says that she always stays logged into the website on her computer. This is even after she closes the browser window and restarts the computer. This only happens on her computer, if she switches computers the same thing won't happen.

I'm baffled by this. Is there a setting in IE that could save her login information and automatically sign her in every time she accesses the website? Is there anything else to look into?

View 5 Replies

Security :: Not Staying Logged In when Moving From Page To Page?

Oct 1, 2010

Recently upgraded my site to 4.0 and now having major log in issues

1) not staying logged in when moving from page to page

2) not logging in at all, just refreshing the page when log in button is clicked

3) not staying logged in after browser is closed

<authentication mode="Forms">
  <forms timeout="120160" cookieless="UseCookies"></forms>
</authentication>

nothing fancy there, and it worked perfectly before the upgrade.

View 4 Replies

Security :: How To Security Token Transfer To J2EE Web Application

Mar 6, 2010

Here are 2 web applications: one is ASP.NET, the other is a J2EE-based web application. Both of them use the same AD (e.g. DomainTest) as the authentication source. Question: 1. The user logs in to the ASP.NET application (form-based login to DomainTest, not the IE authentication prompt dialog); on the left navigation there is a link to the J2EE web application, and just clicking this link should SSO into the J2EE application. I think I should transfer an identity token from ASP.NET to J2EE, but I don't know how, and for the JSP, how do I modify it to use the token transferred from ASP.NET?

View 3 Replies

Security :: Use Token Based Authentication?

Mar 2, 2010

How to create a unique token with properties like expiration time?

Is there any standard method provided by Microsoft?

View 2 Replies

Security :: Storing A Token In Browser Or In Querystring?

Feb 17, 2010

We have developed a system to allow users to access another one of our web applications by placing a token in the db and then, when they redirect, passing this token in the browser to the new app and using that as an authentication method. However, I am thinking that it might be better to simply place this token in the browser cookie, as then the user doesn't have to physically click a link; they can simply go straight to it because the token won't be in the query string anymore....

Will it add much overhead doing it via cookies? Are there any disadvantages?

View 4 Replies

Security :: Add An Expiration Token To A Existing Querystring?

Jul 2, 2010

I don't know if the following is possible or not but in brief, here is what I'm trying to achieve:

1. When a user requests to view a document, they click on a link (could be other) which contains an encrypted query string containing data required to retrieve the relevant document, i.e. [URL]

2. I want to ensure that if after x minutes the user goes back to their history and selects the link again or re-types the same url as above, it will not request the document and will redirect them to a page letting them know that the requested document "link" is no longer valid.

I don't want to rely on cookies or sessions, so thought that maybe there would be a way to add a datetime token at the end of the existing url but this needs to be done at run-time as the url is already predefined when the link is created, so I'm not sure how can I do this?

Ideally, I'd like something like this [URL] where the token would contain the date & time when the link was clicked.

Once re-requested, I would decrypt the token and validate it against the server time, and if it was over the x minutes defined, it would redirect me to the "link is no longer valid" page.

View 2 Replies

Security :: Token Login Don't Keep Session With Two Applications?

Jun 15, 2010

I have two ASP.NET applications (one is Mojo Portal). I can navigate from one to the other using a URL token id.

This way, by token, I create a new session and save the relative auth cookie.

But, sometimes, the ASP web application doesn't keep the session and puts me down. When this happens I can't log in until the session cookie is deleted.

Both applications are behind a reverse proxy.

View 3 Replies

Cookies - Windows Identity Foundation - How To Get New Security Token

Feb 1, 2010

I'm writing an ASP.net application that uses Windows Identity Foundation. My ASP.net application uses claims-based authentication with passive redirection to a security token service. This means that when a user accesses the application, they are automatically redirected to the Security Token Service where they receive a security token which identifies them to the application.

In ASP.net, security tokens are stored as cookies.

I want to have something the user can click on in my application that will delete the cookie and redirect them to the Security Token Service to get a new token. In short, make it easy to log out and log in as another user. I try to delete the token-containing cookie in code, but it persists somehow.

How do I remove the token so that the user can log in again and get a new token?

View 2 Replies

Security - Securing Forms Authentication Token On Client Side?

Jul 16, 2010

In my website, I am not using any authentication or authorization. I've created a login page to capture the user credentials and check them against the database. If the user successfully authenticates, it's storing the user data in session and navigating to other pages. Now I'm thinking of implementing Forms Authentication, but my concern is how to secure the authentication token in the client browser for security reasons. Does anyone have any ideas how to secure the authentication token?

View 1 Replies

Security :: Running Application Under The Security Context Of The Logged In User (LDAP Authentication)

Mar 17, 2011

We are using membership provider for LDAP authentication. It is working as it should.

But what configuration settings do I have to make so that all future requests to this application run under the security context of the logged-in user account, not through some default user set in IIS?

We need to have this working because all the permissions on the database are based on the logged in user.

We are using form authentication for LDAP authentication. And having impersonation = true in web.config.

View 1 Replies

Security :: Used Security In Login Page Which Restricts All Users Who Have Not Logged In To All Pages?

Jun 23, 2010

I used security in the login page which restricts all users who have not logged in from all pages. I need to restrict specific users to specific pages. I'm not using the AspSqlService provider, so I cannot create roles and restrict automatically. And the pictures I use in the login page are not visible at runtime.

View 1 Replies

Web Service And Membership - Get UserID Of User When Not Logged In

Jul 21, 2011

I am creating a few web services for use with a mobile application. My current site uses asp .net membership and one of the web services will validate username and password.

In the web service I get passed uname and pword and just use

Code:
If Membership.ValidateUser(username, password) = True Then
    Return "True"
Else
    Return "false"
End If

Is there a similar way to get the userid without logging the user on or do I need to create a Stored procedure?

View 2 Replies

Security :: Seeing Who Is Logged On?

Feb 14, 2011

Is it possible to see who is currently logged on?

View 5 Replies

Security :: How To Prevent From Getting Logged Out

Mar 24, 2010

I've set up a page where I create logins with createuserwizard. I can log in with the created account but I get logged out after like 20min if I don't do anything (reload etc). How can I remove this timeframe? I don't want a timeframe at all, I want to stay logged in until I close the browser.

View 3 Replies

Security :: Log Out User When Logged In Somewhere Else?

Sep 1, 2010

Our users are only allowed to log into our site from one location at a time. If they attempt to log in from a second location, how do I log them out of the first location?

View 1 Replies

Security :: Set A Visitor As Logged In?

Mar 27, 2011

I created my own register system with my own register form together with the asp.net login control.

The user registers and the data is sent to my custom table, and I used a method that checks if the user exists in my table, and the asp.net login control displays the correct result "if exists or not".

Everything appears to work correctly but I cannot access pages that deny anonymous users with the configuration file.

View 3 Replies

Security :: Set Logged In Time In Web.config?

Jan 26, 2010

I need to set my logged in time in web.config but I do not know how. I get logged out after a while if I do not do anything in the website but I wanna be logged in for 120 minutes.

View 3 Replies

Security :: Best Way To Identify All Users Currently Logged In?

Feb 10, 2011

I know how to identify the current user during a specific browsing session and can thus control the data, etc, made visible to that individual user. I also know how to find out how many users logged in within the recent past, using:

Membership.GetNumberOfUsersOnline()
.... which I believe calculates the number of users who have logged in within the past 15 minutes. However, I would like to know if there is any way to identify all the users who are logged in at a point in time. Is this possible?

View 9 Replies

Security :: Getting A Unique ID For Logged In Users?

Mar 8, 2011

I am using ASP.Net Forms based security with the login control. On my site a user will make a number of selections that will be written to a database. Is there a unique user id that I can get from the AspNetSqlProvider that I can use to id users in my database? When a user logs back in after being away I want to be able to retrieve the user's information using this id.

View 7 Replies

Security :: User Being Logged Out Straight Away?

Jun 9, 2010

I have been creating a website using the SQLMembershipProvider. I have been using an administration account to create the back-end system for generating the users fine for about 2 weeks. I now have more users created and I can log in fine. However, when I log in as the newly created users, they can get to the page they are after, but if they refresh the page or redirect to another page, they get redirected to the login page. I have checked permissions, iis recycler, session state and security setting in my web.config (posted below) but nothing has fixed it. It cannot be IIS because it does it on my development machine as well as on the actual webserver and it works fine for the admin user.

Ttype="System.Web.Configuration.ScriptingSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
<section name="scriptResourceHandler" type="System.Web.Configuration.ScriptingScriptResourceHandlerSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/>
[code]...

View 4 Replies

Security :: How To Get The Current Logged In UserId Value

Aug 20, 2010

I'm trying to get the current logged in UserId Value, using this code

[code]...

But I'm getting an error (NullReferenceException). I did set a url authorization on the page where I try to get the logged in user information, which is info.aspx, and I made the login.aspx control redirect to info.aspx after the login process, but info.aspx only shows me (access in denied). How can I make this page know that I am already logged in?

View 3 Replies

Security :: How To Sign In As Another User While Already Logged In

May 30, 2010

I have used membership provider to implement my system. The system administrator can list the users. What I want to do is, administrator should be able to sign-in as the selected user. I can sign out administrator by FormsAuthentication.Signout but how can I sign in as the selected user? Passwords are hashed so I can not retrieve the passwords.

View 3 Replies

Security :: How Does Each Page Get The User That Is Logged In

May 21, 2010

I've successfully made a custom membership provider that connects, queries, and updates my custom Oracle database. I found a good sample on MSDN. I also found documentation on the provider itself. However, I cannot find anywhere example calls you have to make for the different actions within the web pages themselves. Where can I find that?

For example:

How do I check if a user is already logged in? What do I do when a user hits the login button? How does each page get the user that is logged in? etc. I am not using the asp login control. I have a custom form, custom data, and custom graphics.

View 3 Replies

Security :: Getting Logged In Domain User

Apr 5, 2010

All I'm trying to do is pull the current user's login name from Active Directory. I've tried User.Identity.Name.ToString, which returned nothing at all. I tried Environment.UserName.ToString, which returned "NETWORK SERVICE", which is not the firstname.lastname username that I was expecting.

View 3 Replies







Copyrights 2005-15 www.BigResource.com, All rights reserved