Can somebody explain what ASPXAuth cookie does?
My website uses forms auth and I am trying to create a load balancer (hardware) rule which will keep track of sessions based on the aspxauth cookie. Is it safe assume that the value of the cookie is unique?
I have a doubt regarding secure cookie.
I have four servers 2 App Server(behind firewall) and 2 webservers and each server is accessing through Load Balancer.
App Server is a modules for Data Access layer and webserver is for Presentation layer.
My Issue is My Load Balancer has Secure certificate installed but certificate is not installed on servers and I want to make cookie as secure in site , as per my understanding " cookie should be set as secure only for SSL site other ways new session will get create every time" so should I install SSL certificate on webserver to make my cookie as secure or will it work properly even if only Load Balance has SSL.
In javascript alert(document.cookie); does not show the .ASPXAUTH Cookie although a sniffer is showing it,
I need it because I have an AJAX Request to the server, the request should not take place when the user is already logged in,
if I cannot check .ASPXAUTH for security reason, what I should do to check whether the user is already logged in.
I have a curl script that logs in to two other websites to submit forms from behind the login successfully. However, I've recently tried to use a variation of this script for a third website. It works as far as returning the first page after login but then it treats any further cURL calls as if I haven't logged in. I discovered (well I think) that it's to do with the .ASPXAUTH cookie not being set. I do have a cookiefile and cookiejar setup in my cURL code and it catches the .ASP.NET_SessionID successfully, but not the ASPXAUTH cookie.
I noticed that I can see the .ASPXAUTH cookie value in the headers when I watch "Live HTTP headers" but I can't get my cURL script to return the header with this set-cookie very easily. It seems that the cookie is set on a 302 after login and cURL is not handling this correctly. So I turned off CURLOPT_FOLLOWLOCATION and was trying to handle the redirect myself but I still can't get it right (the server returns a really strange redirect url and I don't think I'm doing this part right)
Here is my code:
[code]....
Due to a bug in Flash, I have to use the ASPXAuth cookie to log a user in on a page that a flash upload script calls after upload. See this page for more information: [URL]
I have to make the ASPXAUTH string "public" in the sense that it will be in the HTML of the page. My question is, how secure is this?
I understand that anyone that can get to the string in the HTML can probably get to it from the cookie just as easily, but let's say someone does have this ASPXAUTH string. Is it possible that they can login as another user using this cookie? Would they be able to decrypt it?
I'm using ASP authentication and the integrated webservice.
The user logins in with Forms authentication on a login page.
To log out, I call the authentication webservice from Silverlight and call logout.
Everything worked OK but now sometimes IE gets crazy and doesn't log out the user anymore.
I used Fiddler and it turns out that the authentication service returns a SetCookie to clear the ASPXAUTH cookie but on the next call IE still has the cookie set.
So off course because the cookie is there the user is authenticated and logs right back in rather than being directed to the login page.
I checked and didn't see any other description of the issue.
I can't reproduce it and my colleagues that have a misbehaving IE have it working fine on one environment and not on the other (one has the issue for DEV and another has the issue for the PreProd server).
I thought the .ASPXAUTH was for user authentication? Can anyone confirm if this cookie is indeed a security risk and/or contains session information? Is it even suppose to be used or is it some debug thing?
View 1 RepliesWithout reading the whole text below, since this is on the ASP.Net side ... basically I think I need to know if there is a way to reduce the size of the forms authentication cookie. When using a DotNet 2.0 website, the ASPXAUTH cookie is about 232 bytes ... when using the same source code but upgraded to DotNet 4.0. the cookie is approximately 264 bytes, setting the ticketCompatabilityMode does not reduce the size since I think the default setting is Framework20. I length of the cookie, including the its' name can not be larger than 256 bytes in order to use it with the "Client Application Services".
I only did a cursory search of the asp.net forums, but will dilligently look for an existing solution.
----- BACKGROUND AND RESEARCH -----
I have been using all three features of client application services (authentication, profiles, and roles) in my windows app (DotNet 3.5 framework) for almost two years now. Up until now, I have not had any problems. This week I hit a brick wall and am pretty stumped with two seperate but related issues.
Issues:
In development, we decided to upgrade our websites/services to DotNet 4.0. All applications upgraded successfully. However we are unable to log into our application using Client Application services. No matter what user we use, Membership.ValidateUser returns false. Since we know the username and passwords, we thought this was strange. When debugging the application, we found that Membership.ValidateUser was throwing an InvalidOperationException (see below for complete exception) stating that the ASPXAUTH property was too long, longer that the schema created in the SQL/CE database. (See below for things tried).
In production .. A user all of the sudden could no longer gain access to the application. Upon inspection, his ASPXAUTH cookie was 264 characters long (9 characters longer than the schemas nvarchar(256)). Even though the user was being authenticated on the "server side", and the JSON query returned "{"d":true}", Membership.ValidateUser returned false. Again, as in the case above, the actual error was ...
Message=@PropValue : String truncation: max=256, len=264 ...
I am assuming I am missing something very simple or that I overlooked a settings. In development, this is not a huge issue as I can release the Dotnet 4.0 websites when I am ready. But now that this has happened to a client on a production system, it is very worrisome.
[code]....
How would I keep track of number of current sessions on my website?
View 5 RepliesI have a couple of servers and a load balancer. I want to show a server name which is currently serving the page.
I am using HttpContext.Current.Request.ServerVariables["SERVER_NAME"] and HttpContext.Current.Request.ServerVariables["LOCAL_ADDR"] but is shows the same data for all servers (load balancer information is shown but not the information about exact server name).
How to get a relevant information?
I'm creating web application behind load balancer. To this moment I configured it to store session in database but I'm not sure how should I handle session expiration. The problem is not sessions are not removed from database but Session_End event because I have to call some web service method in it.
Assuming Session_End is called when expires the thing I'm afraid of is situation when session is created on one server but finished on another. In this case I'm afraid Session_End on first server will be executed prematurely and I will call web service too early. What would you suggest in this situation?
Edit:
I remember some time ago reading about Sql Agent reacting to session end event and then performing custom code. Can anybody confirm that this solution is possible?
We are using Two servers for our application managed by a load balancer. One of which server contains Windows server 2003 & other one contains Windows server 2008. When a request is served by windows 2003 server and its subsequent goes to the other one (2008 server). Users gets log out. Are we need same Operating systems on both systems because( when request served by 2008, and subsequent on 2003 is served without any issue).
View 1 RepliesI have published a website and installed it on my local machine and it works fine, but when i install it on the both servers who controlled from the load balancer i got an error like the WebResource.axd not found. how can i resolve this problem? i have checked the IIS for axd mapping, the "Check that file exists" is unchecked for both servers.
View 2 RepliesWe host a SaaS application on 4 windows 2008 servers loadbalancer via a LVS. We use infragistics and Ajax Control Toolkit on several pages, one page represents a list of people using a Web Datagrid, each time a person is clicked in the list, an Ultra Web Tab component is updated at the botom of the page with detailed information on that person. After a certain amount of clics on different people (number of clics can be between 1 and 5) Scriptresource.axd craches with the following error :
[Code]....
I don't get this error when I run my application on one server using the server's private IP adress. I tried to synchronize the dates of the dlls System.Web and System.Web.Extensions on each server, I still get the same error.
I haven't deployed behind a load balancer before. My customer has a WCF service built and tested on servers using a service model configuration that is relatively straightforward. It provides a service to return an image of a map for another application. To get the map, it calls other services.
The service was built in Visual Studio 2010 targeting the 3.5 framework. The customer is using IIS 7.5 and an F5 load balancer. When moving to the production server, the Web.config was changed to add the load balancer behavior and specify the endpoint to show the physical and logical address of the service:
[Code].....
There was a problem when the service was deployed to a server behind the load balancer. When I try to call the service from WCFStorm or WebServiceStudio I get the message "The provided URI scheme 'https' is invalid; expected 'http'.
The endpoints for the service itself look right to me. However in the development and testing versions of the config, the client section uses http instead of http, while on the production servers it uses the load balancer's https address. This seems like it should be obvious, but we're missing it.
Our server operations team has asked the web development team (ASP.NET) to provide a URL in our application, which the load balancer can ping to perform health checks.
What should be executed on this page? I think we should attempt a database connection to ensure connectivity between the web and database.
One issue with ASP.NET apps is that they periodically reload themselves, causing a long delay and possibly timeout for users who hit the site during that time.
This may not be a problem for small websites, but it can represent significant downtime for high-traffic sites, if users happen to get routed to node in the web farm that is restarting.
Can load balancers somehow "know" if an ASP.NET application domain on a specific server is restarting? Then, they can route traffic around this server until the application has completed restarting.
Currently, I have my load balancer ping a simple .aspx page on the site. If there is a delay or the page fails to load, the host is taken out of rotation. Is it possible to do a more targeted health check, perhaps at the IIS level rather than ASP.NET level?
we have an web site access on PRODTEST Environment . We are facing an issue site works fine when we try to access the site using the Individual Server names (with Ip address).
View 2 RepliesI have the following web farm setup in production server. Browser --> HTTPS --> Load Balancer --> HTTP --> webserver node F5 Load balancer handles off box SSL termination. It implies that SSL resides on F5 load balancer. Problem Statement: Ajax calls do not go through unless "Access data sources across domains" option is enabled in IE security settings.
I have the similar setup in staging server except F5 Load balancer. The ASP.Net application makes perfect AJAX calls on both HTTP and HTTPS. However, the staging server web farm use windows NLB and SSL resides on individual web server nodes
I have 3 servers where 1 of them serves as a load balancing server. In my ASPX page, I want to add a HTML comment to show the IP address or even host name of the server selected by the load balancer. I tried looking through IIS Server variables and tried using SERVER_NAME but that just returns the domain URL.
View 2 RepliesLet me explain my Previous look of a Viewer before i used Telerik. this is a Custom built interface , built with normal asp.net and a lot of css at runtime. I am changing to Telerik Scheduler and its doing nice things for me.
I am trying to customize the Viewer. My Previous Viewer was like this
as you can see the above viewer it has 2 Slots that i defined like this in the Database
By the Look at the Old Viewer it combined the DayView and the Month View. Now i am using Telerik Schedular that looks like this when all appointments are binded
Now as you can see this one too, it different views, but the Currently displayed is a Month-view. When a user Clicks on the more it brings it in a Day View. Now i want to implement the Slot style as depicted in the Oldviewer Screenshot. I want to have Sessions and Days at the Top as depicted in the following Screenshot
As you can see the 2nd Period. if an activity of subject takes double period it should be displayed as that and the time should be removed there, there should be Sessions. if i put it in simple english. On sunday 7 i have Seminar as period 1 and Labour Law as period 2 and Period 3 because it is a double period and on the 4th Period i have Advanced Constitutional Law.
I'm making a small portal in ASP.net (with C#.net4) where users can login and add, edit their personal information (PI). But I don't get how to load information (stored in a SQL server DB) in the page when a specific user is logged in.
For example: If Sam is logged in, he can view his PI. When Vicky is logged in, she can view her PI.
How to Track the Vehicles using Virtual earth control based on longitude and latitude.Every 5 seconds longitude and latitude values are coming from the database.based on these values vehicle position has to be changed. How to do it. Please give me complete code for this.
View 1 RepliesI would like to count the number of page views. I am able to use the global.asax file and a label to obtain this. However, this gives me the total count of the page. That is great, however I like to count the number of users accessing the page when the user clicks on a particular gridview row value from the previous page.
I have a gridview in the gridview a value that links to a new page. This new page contains the row values. I would like to count the number of users who have accessed this new page based on the gridview row value. As such the page count will be different based on each row.
Rencently, I create a page in ASP.NET MVC. This page contain a form. When user submitte it, I will save a cookie. And I will load the cookie if the user browse it again.But, the page cannot get the cookie each time, after I save the cookie. I'm sure the cookie file is saved in client ( I have found the file).hen,I copy the same code to a WebForm page. Everything is right (same as a anonymouse user). So, I wonder is there some differences bettween them.
[Code]....