What Will Happen To Membership If The Client Browser Is Not Accepting Cookies
Apr 3, 2011
This thing just came to my head and I want to share it. Note: I could easily test it, but I am being lazy here to see if anybody has ever experienced something like this before. Let's assume that I have a web site on which the built-in membership structure of ASP.NET has been implemented. What will happen to ASP.NET membership if the client browser blocks cookies? Does the framework throw an exception when a user tries to log in or do something else?
In my website I'm using third-party cookies, i.e. when I log in I'm accepting cookies from a third party through JavaScript.
Now all works well in Firefox and other browsers except IE. After doing some R&D I found that the default settings in IE don't allow accepting third-party cookies. So after setting "Allow All Cookies" the problem is solved. But now my concern is: is there any way that the end user does not have to change settings manually in IE?
I am using ASP.NET with C#. My issue is that I am setting cookies to check whether the same user is returning or not, but users are returning from the same machine with a different browser. Is there any alternate way I could know that a user from the same machine had visited my site?
I have a web application (SnapshotServer) which uses a WebBrowser control to take snapshot images of a web page.
I use a WebBrowser control within SnapshotServer to navigate to an entry page of a secure web application (ImageHost), which then redirects me to my required page. The ImageHost application is protected by FormsAuthentication, which uses cookies. The entry page I navigate to takes care of logging me in, which will create an Auth cookie.
Once a response is generated from the ImageHost, I convert the result within the WebBrowser control to an image.
Issue:
When I run SnapshotServer on my PC (Windows 7, IE8), using IIS7, and navigate to ImageHost on my development server (Windows 2008 R2, IE8), the result is as required - I'm logged into ImageHost and redirected to the page I want an image of. When I run SnapshotServer on any Windows 2008 R2 server, using IIS7, and navigate to ImageHost on my development server (Windows 2008 R2, IE8), the result is not as required - ImageHost fails to log in - so my image is of the login page. The reason it fails to log in is that it isn't creating an Auth cookie.
So I'd like to know if anyone can tell me why the WebBrowser control, when run from a Windows 2008 server, cannot create cookies.
The Request.Browser.Cookies property (of type bool) stores information on whether the client's browser supports cookies and whether or not they are enabled. How reliable is the property Request.Browser.Cookies? Is it guaranteed to be correct? Or should I rather implement the redirection technique suggested by Software Monkey in this question? Please note: this is not a question "are cookies reliable?" This is a question: "Is the information whether the user's browser accepts cookies reliable?"
I want to create a custom attribute to check if the browser has cookies and JavaScript enabled. I'm guessing I would create an ActionFilterAttribute that would redirect to a controller action to load a page to check cookies and JavaScript on the client side. If they are enabled then it would redirect to the desired action, otherwise display an error message. Is this a correct approach, or is there a better way to do this?
As we know, closing a browser will delete a cookie if the cookie does not set an expiry date. However, I want to set an expiry date on all of my cookies and also delete them when the browser is closed.
Background: From a desktop application, users will navigate to an SSL-encrypted web portal where they will have to enter a username / password if it's their first time logging in. I want to be able to securely persist their user session. I was thinking of using encrypted cookies, storing their username and a unique session token / key, but was wondering what benefits client certificates offered in terms of security.
The way I understand it currently:
Encrypted cookies:
Saved on the user's machine just like any other cookie
Since the entire site is SSL, the contents of the cookie cannot be tampered with
Easily implementable
When a user logs in again, invalidate the token / key and issue a new one
Problems:
Anyone attempting to access the web portal on the computer with a saved session will be able to, but this is a problem with any persisted session, right?
How do I know that computer A is computer A and not just computer B that copied computer A's cookie?
Client Certificates:
A pain in the ass to install
Will uniquely identify that person's computer (or can it be restricted to the user account?) to the web portal
If the client certificate is stolen, then the account is compromised
Question: For persisting user sessions with the utmost security, would encrypted cookies be sufficient or would I need to install client certificates? How do they differ?
I'm calling the new popup window from a gridview like
[Code]....
In AddTargetPopUP.aspx, I have a button called "ADD". When I click the add button it'll insert data into the database. I want to reload the parent gridview after inserting into the database and want to close the popup.
I've written a custom membership provider for my ASP.NET website.
I'm using the default FormsAuthentication redirect where you simply pass true to the method to tell it to "Remember me" for the current user.
I presume that this function simply writes a cookie to the local machine containing some login credential of the user.
What does ASP.Net put in this cookie? Is it possible if the format of my usernames was known (e.g. sequential numbering) someone could easily copy this cookie and by putting it on their own machine be able to access the site as another user?
Additionally I need to be able to intercept the authentication of the user who has the cookie. Since the last time they logged in, their account may have been cancelled, they may need to change their password, etc., so I need the option to intercept the authentication and, if everything is still ok, allow them to continue, or else redirect them to the proper login page.
I am finishing up my ASP.NET web application targeting .NET 4.0. I am using VS2010.
I have deployed my application to a host server and now I am testing with multiple different browsers.
The first issue I ran into comes down to the following code:
[Code]....
If I use IE, log in and click something that causes the above code to execute, then currentUser is NOT null. However, doing the exact same steps in Firefox, currentUser is null, even though I know I am logged in as my name and other indications on the webpage confirm I am.
------------------------
Update
----------------------
Since originally posting this thread I have done more testing.
I placed a test button on a random page and the button click will update a label on that page indicating if the currentUser is null or not. This button works both in IE and in FireFox. Also both running locally and running on the host server.
----------------------
So now I am looking at what is different about the one place it appears not to work so let me try to make this clear.
I use a component called Uploadify to upload images into a database. That component calls a page/request called ImageUploader.ashx which inherits from IHttpHandler. Here is all the pertinent code from that file. [Code]....
The problem is when calling from FireFox, imgProvider.Status = null. This is a problem because the ImageProvider will try to insert a record into my database and the column for Status cannot be null so that causes it to crash. I made the change to detect if Status = null and return the user id if so as an error message to help me debug. To understand how Status is set you only have to look at a little code in the ImageProvider class:
[Code]....
You will notice that when the ImageProvider is created it calls ClearFields(). Inside ClearFields() is where it gets the currentUser and, if not null, it sets the UserID property, in which case the setter for UserID must set Status to either Approved or Pending. What's happening is ONLY in Firefox, and after more testing, ONLY on the host server, does currentUser = null even when I am logged in. But in other areas of code I can get currentUser and it works; this also works fine with IE, and it also works fine with Firefox running locally. So I have isolated it down to this specific piece of code, when using Firefox, when running on the host server.
I am developing an MVC2 application and am using the built-in Membership provider. I am just asking myself if the authentication is on the server or the client?
In our application, we have a need for a user to "impersonate" a different user. Think of it as a hierarchy -- Bob is above Frank in a hierarchy. Bob is logged in, and he needs to do things in the system for a short time as Frank. So, we have given Bob a list of users that report to him, and an impersonate link. He clicks on this link, and, behind the scenes, I log Bob out, and log in as Frank. I also set a session variable that tells me that really Bob is the guy who is the user. Also, Bob (acting as Frank now) has a nice little link at the top of every page that says "Stop Impersonation."
In addition, when Bob is impersonating Frank, Bob is restricted from doing some things, like changing Frank's password.
This was working great, until we encountered a situation where, if the session (I think -- getting confused here) gets destroyed (such as when I copy up new code and dlls to the live site), then when Bob clicks on "Stop Impersonation" he gets redirected to the default page, and is still logged in as Frank, but without the Impersonation session variable. So, now Bob really is logged in as Frank, and can change Frank's password (among other things).
How is it that a session variable (Impersonation) gets destroyed, but I guess the session is still hanging around, because it doesn't make the user log in again?
This is a somewhat serious bug for how our system works (bug in our code, I'm sure, not in .Net). We are using ASP.Net c#, aspnet membership services, .net 3.5, forms auth...not sure what else you need to know.
EDIT: Updated information. Looks like when "something" happens, for instance, when I recompile some dlls and copy them to the webserver, the session gets dumped. Or, rather, the variables in the session get dumped. The session id stays the same. I do get to check for Session.IsNewSession and it returns true, even though the id is the same as it was before.
Just like Utaal mentioned, Membership Services is separate from Session, so its forms auth token is still hanging around in the browser, but my session variable telling me that that isn't really the user who is controlling the browser isn't there anymore.
EDIT: Sky, here is what I'm doing to authenticate a user. I can't figure out where I would insert a ticket into this flow:
if (Membership.ValidateUser(txtUserName.Text, txtPassword.Text)) FormsAuthentication.SetAuthCookie(txtUserName.Text, false);
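An added example (C#, not code from any of the posts above) for two of the questions here: what the forms-auth cookie actually holds, and how to carry the impersonation state in something that outlives Session. The impersonator is stored in the UserData field of the encrypted forms ticket, so it survives the recycle that wipes session variables; the "impersonator=" convention and the method names are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
// Added example; the "impersonator=" UserData convention and these method
// names are assumptions, not anything from the posts above.
public static class ImpersonationAuth
{
    const string Prefix = "impersonator=";
    // Sign in as effectiveUser, recording the real user (if any) inside the
    // encrypted ticket rather than in Session, so it survives an app-domain recycle.
    public static void SignIn(HttpResponse response, string effectiveUser, string impersonator)
    {
        string userData = string.IsNullOrEmpty(impersonator) ? "" : Prefix + impersonator;
        var ticket = new FormsAuthenticationTicket(
            1, effectiveUser, DateTime.Now, DateTime.Now.AddMinutes(30),
            false,                           // never a persistent "remember me" cookie
            userData, FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;              // keep page script away from the ticket
        cookie.Secure = FormsAuthentication.RequireSSL;
        response.Cookies.Add(cookie);
    }

    // Who is really driving the browser, or null for an ordinary login.
    // Check this to refuse password changes etc. while impersonating.
    public static string ImpersonatorOf(HttpContext context)
    {
        FormsIdentity id = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (id == null) return null;
        string data = id.Ticket.UserData ?? "";
        return data.StartsWith(Prefix, StringComparison.Ordinal) ? data.Substring(Prefix.Length) : null;
    }

    // "Stop Impersonation": go back to the real user, or sign out entirely.
    public static void StopImpersonation(HttpContext context)
    {
        string real = ImpersonatorOf(context);
        if (real == null) { FormsAuthentication.SignOut(); return; }
        SignIn(context.Response, real, null);
    }

    // What the cookie holds: an encrypted, MAC-checked ticket (name, issue and expiry
    // times, persistent flag, UserData). Knowing a username is not enough to forge it,
    // but a copied cookie value still works until the ticket expires.
    public static string Describe(string cookieValue)
    {
        FormsAuthenticationTicket t = FormsAuthentication.Decrypt(cookieValue);
        return t.Name + " expires " + t.Expiration + " persistent=" + t.IsPersistent + " data=" + t.UserData;
    }
}
```

Call ImpersonatorOf in Application_AuthenticateRequest or in the pages that need it; because it reads the ticket and not Session, a recycled app domain no longer turns Bob into an unrestricted Frank.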
I have created a web service that authenticates with username and password, works fine. Basically this one, http://msdn.microsoft.com/en-us/library/ff649647.aspx
Now I also want to connect to this web service using client certificates, works fine http://msdn.microsoft.com/en-us/library/cc948997.aspx
But I would like to when authenticated via client certificates, connect that certificate to a user in the membership database. So that I can use Roles.IsUserInRole(...) and such.
I thought that, well if I implement a Custom certificate Validator http://msdn.microsoft.com/en-us/library/ms733806.aspx then I could check for example subject and map that against a created username in the membership database.
But in the class X509CertificateValidator public override void Validate(X509Certificate2 certificate) I don't have the same ability as when the user is authenticated like
app.Context.User = new GenericPrincipal(new GenericIdentity(username, "Membership Provider"),roles); within public override void Validate(X509Certificate2 certificate)
And if that is not possible, can this be solved differently? Bottom line: how do I connect a client certificate to a user account in the membership database? Is there an MSDN article on how to do this?
I have a simple web page as below named eventviewer.aspx. I host it in a server under the default website and when I browse it from INETMGR it opens and displays the events.
But when I try to open it from another machine, by requesting the page, it just shows the heading and not the grid. Can you provide some inputs?
I'm implementing my version of "ShareThis" on my webpage. How can I get the client's browser displayed address with ASP.NET? I am a little confused with this one since the URL to share... 1) is created with URL rewriting 2) contains Greek characters.
I'm handling cookies using JavaScript to store some values in my ASP.NET web application. I use document.cookie to save some values (converted into a lengthy string). But I want that value to be accessible across all the pages in my application. When I try to get that value from a different page, I get the values pertaining to the document in the current URL.
In short i save the value in the cookie in http://myapp/doc1.aspx and want to retrieve it in http://myapp/doc2.aspx
So is document.cookie pertaining to a single document scope? How can I save/read cookies across the site?
Update. This is how I get and set cookies:
function getCookie(c_name) { try{ [code]...
But i'm getting different values for the cookies in different pages.
Is it possible to get the proxy settings right across several browsers, such as IE, Firefox or Safari, from ASP.NET? According to someone it is impossible because ASP.NET runs on the server, and therefore has very limited access to the client's settings.
But having said that, HttpBrowserCapabilities is able to retrieve plenty of information from a client machine, so I thought there must be a way to also retrieve the proxy settings of the client's browser(s).
Is there a way to get the precise client operating system, because the HttpBrowserCapabilities.Platform property doesn't give me the precise client operating system?
I need to get client stats for browser (not the full long description but short names, generally firefox, ie6, ie7, ie8, safari, chrome, opera and mozilla), client resolution and OS, i.e. Windows Vista, Ubuntu.