C# - FormsAuthentication AuthCookie Is Null Only For Some Users?
Jan 14, 2010
I am experiencing a strange problem with asp.net forms authentication. This problem only occurs for 3 users out of 30+ users that have successfully logged in. I am using very basic auth code that I have used many times and have never seen this problem. After the users successfully authenticates and the auth cookie is created, cookie added, and response.redirect to FormsAuthentication.GetRedirect(userid, false) is called. The Application_AuthenticateRequest method in Global.asax is hit.
// Extract the forms authentication cookie
tring cookieName = FormsAuthentication.FormsCookieName;
HttpCookie authCookie = Context.Request.Cookies[cookieName];
if (null == authCookie)
{
// There is no authentication cookie.
return;
}
So immediately after a "good" cookie is saved and the redirect occurs the cookie is null. I have run the code through the debugger and the cookie is only null on these 3 users. But the cookie looks the same as the cookie for the many users that login successfully.
I'm trying to encrypt some userData to create my own custom IPrincipal and IIdentity objects using Forms authentication - I've serialized an object representing my logged in user to Json and created my FormsAuthentication ticket like so:
string user_item = GetJsonOfLoggedinUser();/*get JSON representation of my logged in user*/
When i log in, i am creating a cookie like this. when i check if it is secure the answer is yes.
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, // version UserName.Text, // user name DateTime.Now, // creation DateTime.Now.AddMinutes(60),// Expiration
[Code]....
here i get the cookieName as ".ASPXAUTH" and authCookie.Secure value as False. Why is this happening i want the authCookie.Secure value to be true here.
We've got a fairly large, complex web application that uses Forms Authentication to authenticate users. Throughout the application we store and retrieve information about users in the Session object, and in some cases in cookies. In a couple places we check for the existence of the context, and if it's null we send the user back to the login page to re-establish the session. Just a quick run-down of this web app: C#, .NET 3.5, IIS 6, ASP.NET State Service to manage sessionAs for the session timer, we use our own home-grown timer, which is basically a client-side timer, which is backed up by a check to the SQL database to see when their last activity was. This seems to work well for us. It's not perfect, but it allows us to notify the user before the session times out, and allows us to be certain we're not logging a user out before their 60 minutes of inactivity is up.What's happening is that certain users are being logged out after just a few minutes. We've eliminated the timer as a cause and believe what's happening is the HttpContext.Current is null, so the user is logged out. We do not know why the HttpContext.Current is null, and I understand there are many reasons that may occur. What I'm trying to figure out is, is there any way to re-establish the context once it is null? If not, is there anything I can do at this point other than have the user login again? We're also trying to figure out a better way of managing user information (preferences, roles, flags, history, etc), but everything needs context to use, right? Cookies, sessions, cache, etc. all require a response or request, correct? hope this makes sense, because I really need help with this. I've searched the forums here, and found many posts about HttpContext.Current going null, but not a lot of solutions for this...
URL.... When I wrote this code in other page with different SP It didn't worked correctly I change SP in new SP I used INSERT code instead of UPDATE now when users didn't select Item from ddl3 it insert 'please select' in table these are my code
Is this a security issue or by design?string UID = "randomusername" // does not exists in aspnet_Users table FormsAuthentication.RedirectFromLoginPage(UID, false);Authenticates users, redirects to login page.Profile Page is set to chech User.Identity.IsAuthenticated etc...when they update the profile, it ads the user to the aspnet_users table automatically, which is not what I want.
is it possible to set the FormsAuthentication.FormsCookieName in Codebehind(f.e. in Global.asax)? All properties that i have seen that lead to this config-parameter are readonly.
When i tried to implement form authentication in various subfolders i am getting an error as follows:it is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
I have both the wcf and asp.net project together in the same project. (I'm running on Azure, so this is more convenient).I have this set in the web.config:
<system.serviceModel> <serviceHostingEnvironment aspNetCompatibilityEnabled="true" /> </system.serviceModel> y wcf service is decorated with: [code]...
I have a login page that is set to the loginUrl property in the authentication section of my web.config file. I am trying to reference a CSS stylesheet, but it doesn't seem to be doing anything. Here is my markup:
[Code]....
I am able to do this just fine on my other page. One thing I noticed was when I click on "View Source" and try to click the link to the stylesheet, it doesn't take me there, and instead changes the "action" property of the form element to this:
After browsing the MVC section on CodePlex I noticed that the [Authorize] attribute in MVC returns a HttpUnauthorizedResult() when authorization fails (codeplex AuthorizeAttribute class). In the source of HttpUnauthorizedResult() from CodePlex is the code (I'm not allowed to enter another URL as my rep isn't high enough, but replace the numbers on the URL above with 22929#266476):
// 401 is the HTTP status code for unauthorized access - setting this // will cause the active authentication module to execute its default // unauthorized handler context.HttpContext.Response.StatusCode = 401;
In particular, the comment describes the authentication module's default unauthorized handler. I can't seem to find any information on this default unauthorized handler. In particular, I'm not using ormsAuthentication and when authorization fails I get an ugly IIS 401 error page. Does anyone know about this default unauthorized handler, and in particular how FormsAuthentication hooks itself in to override it? I'm writing a really simple app for my football team who confirm or deny whether they can play a particular match. If I enable FormsAuthentication in the web.config the redirect works, but I'm not using FormsAuthentication and I'd like to know if there's a workaround.
Just a quick question i've been asked to look at enhancing security but encrypting passwords we store in a db table, essentially the data thats linked to the user account isnt sensitive however its more to stop someone reading passwords out of the table directly etc
I've read multiple ways of implimenting hashing etc i've started using FormsAuthentication.HashPasswordForStoringInConfigFile //create new salt and update the password Hashtable newInfo = new Hashtable(); newInfo["salt"] = GenerateFriendlyPassword(5); string tmppass = FormsAuthentication.HashPasswordForStoringInConfigFile(txtNewPass1.Text.ToString() + newInfo["salt"].ToString(), "SHA1"); newInfo["passwordHash"] = tmppass;
Generate friendly password returns a 5 char string based on a random position in a valid char array containing a - z and 0 - 9At present the functionality is at page level in the code behind, re this is the forms authentication HashPasswordForStoringInConfigFile function thread safe? Or do i need to look at implimenting this in a different wayCheers appreciate your response as im always jubious about multi threading etc,
I reach my login page with the parameter "returnUrl" set to the URL I was on. Then, I login via OpenID (DotNetOpenAuth), and call FormsAuthentication.RedirectFromLoginPage(). The login is successful, however I am not returned to the original page I was on.
I'm having the same problem on logout - when I log out I don't remain on the same page, even though the logout link contains the correct "returnUrl" parameter.
What am I doing wrong?
Here is the code snippet. I am returning EmptyResult() after the call to RedirectFromLoginPage, because I don't really know what to do (see this related question)
using (var relayingParty = new OpenIdRelyingParty()) { var response = relayingParty.GetResponse();[code]....
Is it OK to call FormsAuthentication.RedirectFromLoginPage many times?
On login page we test if user is already logged in, and if it is we just redirect him to default page with FormsAuthentication.RedirectFromLoginPage...
Question is if user sets a script that loads login page 10'000 times, would calling the FormsAuthentication.RedirectFromLoginPage that many times make problems?
Now, I login to my web application, but with a user that does NOT have roleA. When I visit SomePage.aspx I get redirected to Login.aspx, the url specified in loginUrl of the forms element. So, my question is shouldn't I be able be specify an authorization denied message or url? If the user is authenticated, but not authorized why would I want to redirect to the login page. It's confusing as hell to the user.
I am having some trouble with active directory authentication using FormsAuthentication in ASP.NET MVC 2 (VS 2010).
As I understand it I should be able to step into/through the Microsoft source code for FormsAuthentication.Authenticate if I check 'Enable source server support' and 'Enable .Net Framework source stepping' in Options->Debug->General and specify 'Microsoft Symbol Servers' in Options->Debug->Symbols.
I have done this and can step into a whole bunch of MS source code, but not FormsAuthentication.Authenticate. The debugger simple steps over it.
If I could step into FormsAuthentication.Authenticate it would make my life a whole lot easier.
I have an ASP.NET MVC app and am using Forms auth. When going to a page that requires authentication, meaning there is an [Authorize] attribute on the controller action, it redirects the user to the login page with a return url like http://localhost/Login?ReturnUrl=/MyAuthorizedUrl.
We have a windows 2003 webserver which hosts .NET applications. Since last Microsoft security updates formsauthentication on all websites works only on non IE browsers? Before the update we experienced no problems.
