Shared cookie invalid with services.AddDataProtection() (aspnetboilerplate)

I have the following scenario:
Server A: abpWeb;
Server B: abpWeb;
A and B are based on the MyCompanyName.AbpZero template, abp .NET Core version 3.1.1.
The browser accesses A:abpWeb and B:abpWeb. But after logging in, the shared cookie is invalid.
A: User.Identity?.IsAuthenticated equals true after the browser accesses A:Login;
But refresh B:/index in the browser, and B: User.Identity?.IsAuthenticated equals false;
The browser domain for A and B is the same.
I created two new ASP.NET Core 2.0 MVC apps with ASP.NET Core Identity, and using AddDataProtection for the normal shared cookie is OK.
I referred to:
https://learn.microsoft.com/en-us/aspnet/core/security/cookie-sharing?tabs=aspnetcore2x
I have been searching for a long time on the net, but to no avail. Please help or try to give some ideas on how to achieve this.
Thanks in advance.

The keys that encrypt/decrypt your cookies are probably trying to be written to an invalid folder.
By default AddDataProtection tries to write these keys to:
%LOCALAPPDATA%\ASP.NET\DataProtection-Keys
As long as there is an environment variable being used to create the keys path, you will need to set the following config file setting to true.
Please also see my other answer here:
IIS - AddDataProtection PersistKeysToFileSystem not creating
Fix: Within %WINDIR%\System32\inetsrv\config\applicationHost.config set setProfileEnvironment=true. I think you have to restart IIS as well.
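The configuration both servers need for one shared authentication cookie, as an added example that is not part of the question or the answer above: the key ring is persisted to a folder both servers can reach and both apps use the same application name and cookie name, and a startup probe turns the "keys written to an invalid folder" failure described in the answer into an explicit exception instead of a silently unshared cookie. The environment variable name SHARED_KEY_RING, the fallback UNC path, the application name and the cookie name are assumptions chosen for this example; the method names are hypothetical.

```csharp
// Added example, not code from the question, the answer, or the abp project.
// Assumed: SHARED_KEY_RING (hypothetical name) points at a folder reachable from
// both servers, and both apps use ASP.NET Core Identity (as AbpZero does).
using System;
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public static class SharedCookieSetup
{
    // Resolves the key-ring folder and fails loudly when it cannot be used.
    // An unexpanded "%...%" left in the path is the symptom of IIS running the
    // worker process without a loaded user profile (setProfileEnvironment=false),
    // which is what the answer above points at.
    public static string ResolveKeyRingPath(string configured)
    {
        string expanded = Environment.ExpandEnvironmentVariables(configured);
        if (expanded.Contains("%"))
        {
            throw new InvalidOperationException(
                $"Key ring path '{configured}' still contains an unresolved environment variable; " +
                "on IIS check setProfileEnvironment in applicationHost.config.");
        }

        // Create the folder and prove it is writable with a throw-away probe file,
        // so a permission problem surfaces at startup rather than at first login.
        Directory.CreateDirectory(expanded);
        string probe = Path.Combine(expanded, $".probe-{Guid.NewGuid():N}");
        File.WriteAllText(probe, "ok");
        File.Delete(probe);
        return expanded;
    }

    // Call this from ConfigureServices on BOTH servers with identical values.
    public static void ConfigureServices(IServiceCollection services)
    {
        string configured = Environment.GetEnvironmentVariable("SHARED_KEY_RING")
                            ?? @"\\fileserver\keyring"; // assumed fallback location
        string keyRing = ResolveKeyRingPath(configured);

        services.AddDataProtection()
            // Same key ring on both servers: A can decrypt what B encrypted and vice versa.
            .PersistKeysToFileSystem(new DirectoryInfo(keyRing))
            // Same purpose string on both servers; a different name per app isolates the keys
            // and the cookie from the other server would be rejected.
            .SetApplicationName("SharedCookieApp");

        services.ConfigureApplicationCookie(options =>
        {
            // Same cookie name on both servers so the browser presents one cookie to each.
            options.Cookie.Name = ".AspNet.SharedCookie";
        });
    }
}
```

If the probe throws on IIS, the worker process identity either has no profile loaded (the setProfileEnvironment fix from the answer) or lacks write permission on the shared folder; fixing that is what makes the keys, and therefore the cookie, usable from both servers.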

Related

WLP and OpenLiberty prevent me from using the LtpaToken2 cookie name

I am planning to implement SSO with OIDC between several identical WebSphere Liberty profile (wlp) instances with the standard LtpaToken2 cookie, but I don't see it being generated under that name. Instead, I see a random WAS_* cookie.
Even when I set it manually in a single wlp's server.xml like:
<webAppSecurity ssoCookieName="LtpaToken2" />
I see that wlp intentionally ignores it, as seen in the logs:
[AUDIT] CWWKS9112A: The web application security settings have changed.The following properties were modified: ssoCookieName=WAS_p1887216770
so it doesn't seem to be an app-related issue, or even an OIDC-related issue.
Why is wlp behaving like this? All the existing documentation doesn't mention any restriction or reservation of the LtpaToken2 name; in fact it should be the default.
Although I can set it to any other custom name, I am interested in understanding this impediment to using the default LtpaToken2 name, and the reason why it doesn't align with the documentation.
Any explanation is deeply appreciated.
Enabling either the openidConnectClient-1.0 or openidConnectServer-1.0 will cause the cookie name to be automatically generated with a server specific identifier for either one of those features. In some situations, this allows configuring multiple Relying Parties and Providers in the same host without collisions when processing their respective cookies.
For the openidConnectProvider, you have the option to use LtpaToken2 when setting the allowDefaultSsoCookieName attribute to "true" as documented in https://www.ibm.com/docs/en/was-liberty/nd?topic=configuration-openidconnectprovider. The openidConnectClient does not provide this option. We have an issue open to allow using the default cookie name for the OIDC client at https://github.com/OpenLiberty/open-liberty/issues/18803.
On the other hand, you might benefit from using jwtSso-1.0 to do SSO between identical servers after the initial authentication with the OIDC Provider. For example, please see the documentation for the allowCustomCacheKey attribute in https://www.ibm.com/docs/en/was-liberty/nd?topic=configuration-openidconnectclient.
Another alternative is to specify a value other than LtpaToken2 for the ssoCookieName attribute. This will override the auto generation of the cookie name when those features are enabled.
Regards,
Teddy

Request.ServerVariables() for Shibboleth in .NET 6

I am trying to use Shibboleth on a site that uses .NET 6. The Shibboleth documentation uses Request.ServerVariables() but when I add that, I get the error "HttpRequest does not contain a definition for 'ServerVariables'".
I instantiated an IServerVariablesFeature object and I can get the SERVER_NAME variable from there, but I can't find any Shibboleth variables like Shib-Application-ID. Is my IServerVariablesFeature the right place to look for the Shibboleth variables or do I need to get Request.ServerVariables() to work?
By visiting https://domain/Shibboleth.sso/Session I can see the session information, so I know that the authentication is working correctly, I'm just trying to access the user information from an application.
Thanks in advance for any help.
IServerVariablesFeature serverVariables = HttpContext.Features.Get<IServerVariablesFeature>(); works, as does HttpContext.GetServerVariable("VARIABLE_NAME");. What I was missing is that these variables are only available to pages that are protected by Shibboleth. I added the path for my page to the shibboleth2.xml file and I could see the variables.
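A small helper for reading the Shibboleth session variables in the way the answer above describes, as an added example that is not part of the question or the answer: it uses HttpContext.GetServerVariable, treats a missing value as "no authenticated user" (which is exactly what happens on a path not listed in shibboleth2.xml), and never builds a user from partial data. The record name, the method name and the attribute name eppn (eduPersonPrincipalName, as mapped in a typical attribute-map.xml) are assumptions for this example.

```csharp
// Added example, not code from the question or the answer above.
// Assumed: the Shibboleth SP exposes Shib-Application-ID, Shib-Session-ID and the
// mapped attribute "eppn" as IIS server variables on protected paths (attribute
// names depend on attribute-map.xml); the type and method names are hypothetical.
using System;
using Microsoft.AspNetCore.Http;

public sealed record ShibbolethUser(string ApplicationId, string SessionId, string PrincipalName);

public static class ShibbolethIdentity
{
    // Returns null when the request was not handled by Shibboleth, so callers must
    // treat the result as "not authenticated" rather than assuming a user exists.
    public static ShibbolethUser? TryRead(HttpContext context)
    {
        // These values are set by the Shibboleth module inside IIS, not taken from
        // request headers, so a client cannot inject them the way it could forge a header.
        // GetServerVariable returns null when the variable is absent, which is the case
        // on every path that shibboleth2.xml does not protect.
        string? appId = context.GetServerVariable("Shib-Application-ID");
        string? sessionId = context.GetServerVariable("Shib-Session-ID");
        string? eppn = context.GetServerVariable("eppn");

        if (string.IsNullOrEmpty(appId) || string.IsNullOrEmpty(sessionId) || string.IsNullOrEmpty(eppn))
            return null;

        return new ShibbolethUser(appId, sessionId, eppn);
    }

    // Convenience wrapper for code paths that must not run without a Shibboleth session.
    public static ShibbolethUser Require(HttpContext context) =>
        TryRead(context) ?? throw new UnauthorizedAccessException(
            "No Shibboleth session on this request; is the path listed in shibboleth2.xml?");
}
```

In a controller or Razor page, `ShibbolethIdentity.Require(HttpContext)` gives a fail-closed way to read the user: if the page was forgotten in shibboleth2.xml, the request is rejected instead of silently running with an empty identity.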

How to set the application domain in Heroku env var

Given an application URL on Heroku like app-123.herokuapp.com, how can I set this value into an environment variable?
I need to set an email template with the correct links to the app, so there is no HTTP request information available, but I want to have the links with the correct URL.
I'm using Ruby on Rails and using an environment variable, but once I create review apps with dynamic URLs I cannot rely on this.
Disclaimer: This works only for the review apps, as they are my concern when posting the question.
We can make use of the injected environment variables, as described in the documentation: https://devcenter.heroku.com/articles/github-integration-review-apps#injected-environment-variables
So, given that every application domain will be herokuapp.com, we can guess the application address by concatenation of protocol, app and domain:
"https://#{HEROKU_APP_NAME}.herokuapp.com"

Setting Projects to Private by Default

I have my SQ server running in Kubernetes (via Tectonic) and all is going well. We need to tighten the security of our SQ installation, so we have LDAP up and working. We are trying to get all of the projects to be Private by default (which we can do Via the GUI for each project).
However, trying to flip the switch in the GUI to make all new projects Private works, until you refresh the page, then it reverts back to Public.
I have been searching for a way to set this up via the sonar.properties file or sonar-project.properties file (the first is preferred). The server.properties file we use is encrypted as a secret (because the LDAP settings expose a service account password) and I would like to keep settings there.
I have combed through documentation, posts, discussions and all that, but have not been able to find out what the value=key combination is.
Has anyone seen what this is or if we can even accomplish that? Is it a setting stored in the database? I'm kind of at a loss on this one.
Thanks!
In SonarQube 7.x you can find the public/private setting when you browse to Administration - Projects - Management. This only works for new projects. For existing projects you can use the "Edit the permissions" option on the same page and switch between public and private.
You can also use the web_api to achieve the same results. You can find the documentation when you add "/web_api/api/projects" after the sonarqube URL:
Example of the POST request body: project=MyProject&visibility=private

When I copy the URL from one browser to another browser my session data are not coming in ASP.NET MVC3

When I copy the URL from one browser and paste it in another browser, my session data are not retrieved; it shows "Object reference not set to an instance of an object".
(Please note - this answer assumes you are not already using cookieless sessions)
The way sessions work in ASP.NET is that when you first access a site, a cookie-file is placed in your browsers cookie-store. The cookie contains a session ID, so the next time you access that site from that browser the ID is passed to the web-application and it knows which session-state to load.
However, each browser implements its own cookie-store, so switching browsers means the site cannot determine your session ID.
One way to get around this is to use cookieless sessions. However, these have a number of issues relating to usability and security, so think long and hard before deciding they are for you.
Another option is to tie together your authorization and session systems. However, this is not generally recommended either.
You will not be able to access session values across multiple browsers.
Also, you should check if the value exists in Session to avoid Server Error.
// Inside an MVC controller action: check for the key before dereferencing it,
// because a new browser (or an expired session) has no value stored under it.
if (Session["Key"] != null)
{
    // Session value present: safe to use it here
    var value = Session["Key"];
}
else
{
    // No session value: redirect instead of throwing a NullReferenceException
    return RedirectToAction("Login");
}
