ASP.Net 5/MVC 6 how to retrieve SessionID - asp.net-core-mvc

My solution directory has ASP.Net 4 web-forms project, that at present has all the development of my website.
The plan is to migrate some of the existing front-end to an ASP.Net5/MVC6 web application. And for that to happen, I have added an ASP.NET 5 empty web application to the existing solution directory. The reason I have decided to use the blank template is so that I can add all the required capabilities myself, and understand the flow better.
Capabilities like MVC, Session, Caching, Logging etc.
I have added MVC capabilities. And to add Session related capabilities I have followed the steps given in the below documentation,
https://docs.asp.net/en/latest/fundamentals/app-state.html#installing-and-configuring-session
After this, I am able to access the Session in my controller class. I can put some values in the session and can access them in the view to verify the Session is operating fine.
Both of my web applications (ASP.Net 4 and ASP.Net 5) would be running side by side, and I want to enable the user to navigate back and forth with a single sign on. That effectively means they have to share the same session.
And hence, I am looking for a way to access SessionID from the Session, so that I can check whether the value is same for both the websites, however there is no method that gives me SessionID...
Can someone explain why it is so and how to retrieve unique session identity?

Related

MVC can not log on online

I'm learning how to write simple websites with MVC 3. I have a little problem with logging on to my website. I created an account via the ASP.Net Configuration site and there is no problem logging in unless I try to do this not on localhost. When I use the login form on my published online site, it takes a while and redirects me to /shared/error. What did I do wrong? Maybe I forgot about some libraries? I use the default Account system, just the one which is created in a new Web App project.
What are you using for persistence on the server? The ASP.Net Configuration is creating a user account in a database. If you don't explicitly specify a database, one is created for development purposes for you, but it is not copied to the server.
Also, there are some tables inserted into the database for you by the ASP.Net Configuration site for supporting users, roles, etc. These tables would need to be created on your server. See Creating the Membership Schema in SQL Server
If possible, you should consider MVC 4 instead of MVC 3, since the pre-built templates for it use Simple Membership instead of the full featured ASP.net Membership providers. Simple Membership uses only a few tables, and the views and stored procedures have been removed.

Session identifier in Portal Application

I'm building several Portlets to deploy on a WebSphere Portal Server, and each Portlet is deployed in its own WAR. Now, I'm needing to track every Portlet a user visits while they are logged on to the Portal. I was trying to get the Session Identifier from a Portlet using this:
HttpServletRequest servletRequest = PortletUtils.getHttpServletRequest(request);
String sessionId = servletRequest.getSession().getId();
But after I logged in, I'm getting different sessionId values from every Portlet/WAR I visited. I guess that makes sense since there's one Session Scope per WAR.
So, how do I get an identifier for the Portal Session (not the Portlet one)? I'm seeing that JSESSIONID cookie is the same in every HTTP Request, but I'm not sure if that's exposed through Servlet or Portlet API.
Users that are not logged into the portal don't have a session like that. You can have Portal keep track of session information for anonymous users by enabling public sessions.
http://www-10.lotus.com/ldd/portalwiki.nsf/xpDocViewer.xsp?lookupName=IBM+WebSphere+Portal+7+Product+Documentation#action=openDocument&res_title=Portal_configuration_services_wp7&content=pdcontent
Look under navigator service for the property to change.
Also, I think this might be more easily accomplished in the theme or a portlet filter. You should still be able to get access to the Portal session in either of these places but you won't need to include code in every portlet.
Here's a link for creating a global portlet filter.
http://wpcertification.blogspot.com/2010/11/applying-global-filter-to-all-portlets.html
UPDATE: Like any big framework there are lots of options. I'll offer a brain dump of what I can think of / find. You may have to experiment and see which method you prefer.
The JSESSIONID cookie should be the same for a user throughout the whole session. If the session expires they'll get a new JSESSIONID cookie. Using this you'll be able to track a user through a single session but possibly not across multiple sessions.
You could consider using getUserPrincipal() or getRemoteUser() off of the PortletRequest object. I haven't used those methods in a while so you'll have to see what info comes out of them.
There is also request.getAttribute(PortletRequest.USER_INFO). You'll have to do some config in the portlet.xml to make certain attributes available in the Map that returns. There is an example here. We're using ibm-primaryEmail instead of the first and last name like the example on my current project.
Lastly you could look into using the PUMA API that's built into Portal. It will be a bit heavier on the coding and is obviously more container specific but should be able to do just about any job you need related to users.
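
The portlet-filter approach suggested in the answer above, as an added example (not code from the original answer or from WebSphere Portal). It assumes the JSR 286 portlet API; the class name PortletVisitAuditFilter, the logger name and the fingerprint helper are hypothetical, and it assumes the session ID the client sent is the value to correlate on. The raw session ID is never written to the log, only a short hash of it.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.logging.Logger;
import javax.portlet.PortletException;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;
import javax.portlet.filter.FilterChain;
import javax.portlet.filter.FilterConfig;
import javax.portlet.filter.RenderFilter;

// Hypothetical audit filter: records which portlet application each user renders.
public class PortletVisitAuditFilter implements RenderFilter {
    private static final Logger LOG = Logger.getLogger("portlet.audit");

    @Override public void init(FilterConfig config) throws PortletException { }

    @Override
    public void doFilter(RenderRequest request, RenderResponse response, FilterChain chain)
            throws IOException, PortletException {
        // Login name of the authenticated user; null for anonymous requests.
        String user = request.getRemoteUser();
        // Session ID sent by the client, reduced to a fingerprint before logging.
        String sessionRef = fingerprint(request.getRequestedSessionId());
        // The context path identifies the WAR without creating a portlet session.
        LOG.info(String.format("user=%s app=%s window=%s sessionRef=%s",
                user == null ? "anonymous" : user,
                request.getContextPath(), request.getWindowID(), sessionRef));
        chain.doFilter(request, response);
    }

    @Override public void destroy() { }

    // Short SHA-256 prefix: enough to correlate log lines, useless as a session token.
    static String fingerprint(String sessionId) {
        if (sessionId == null) return "none";
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(sessionId.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < 6; i++) sb.append(String.format("%02x", d[i]));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The filter has to be declared with filter and filter-mapping elements in portlet.xml, or registered globally as the linked article describes.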

Cannot access a cookie from a Virtual Directory configured as application

Setup:
1. The main application is a classic ASP application running on app-pool v2.0.
2. A Reporting application was added later on, written in the .Net 2.0 framework, using the classic form model with aspx pages. The application was configured as an application under the main website (from 1).
3. The Reporting application is now to be rewritten using MVC 3, and will be deployed similarly on IIS as an Application under the classic ASP website.
Problem,
The login page on the Classic ASP website stores the session ID on a cookie. This cookie is read every time Authentication is required. The MVC application needs to read this cookie but the System.Web.HttpContext.Current.Response.Cookies collection doesn't have it. The application (from 2) which needs to be replaced can however easily read it.
Things I have tried,
Made sure that the cookie exists by looking at the cookie collection for the main application (from IE8>Tools>Developer Tools> Cache> View Cookie Information).
Removed the IsolateApps setting from the machine key.
Made sure the new application is using the same app pool, don't think if that will really cause an issue here.
Appreciate any help with this, Many thanks in advance.
Surya
You are probably not using the same cookie to fetch values in MVC, check the below link
http://www.codeproject.com/Articles/30723/Handle-session-variable-problems-between-classic-A

Is this how the WIF Extensions for SAML2 are supposed to work?

I downloaded the WIF Extensions for SAML2 a few days ago and have been experimenting with them. The samples in the download use a WebForms application, and I am trying to figure out how to use them in MVC3.
I am currently able to auth against the sample Identity Provider that comes with the download, using this:
Saml2AuthenticationModule.Current.SignIn(
"~/sign-on/saml2/success", "urn:samples:identityprovider");
I have an action method at the "sign-on/saml2/success" route / URL, and when the application flow reaches it, the Thread.CurrentPrincipal.Identity is indeed an instance of IClaimsIdentity. Although the Identity.IsAuthenticated equals true, the Identity.Name is an empty string. (This will be problematic in our app, which so far has used FormsAuthentication, and relies on Identity.Name to resolve to a user account in the db.)
I also see that there are 4 new cookies at this point:
FedId
FedAuth
FedAuth1
[fourth cookie name is a GUID, changes for each SSO]
My inclination at this point is to delete these 4 cookies and use the claims NameIdentifier to create a new account in our app (unless one already exists), and then use FormsAuthentication to write a .ASPXAUTH cookie for the user.
The first affiliate IdP we will be integrating with uses Shibboleth, and they do not yet implement SingleLogOut. So my assumption is that the following would have no effect when we begin testing this integration:
Saml2AuthenticationModule.Current.SignOut("~/sign-off/saml2/success");
So, manually deleting the 4 cookies is the only way we would be able to get the Identity.IsAuthenticated back to a false value.
Am I going about this in an incorrect fashion? Are there any implications of trashing the IClaimsIdentity after it has been consumed and transferred to FormsAuthentication, that I am not considering?

How to store additional user info?

Here's the issue at hand: I have developed an ASP.NET MVC3 application using Razor. I have also implemented a custom membership provider and overridden the ValidateUser() method. Within, I query my db and get a lot of user information in addition to the password auth.
At the moment, I am pushing this information, i.e. companyId, to static properties of a class. This works and I can display/use this information throughout my app. The problem arises when a user closes their browser tab. Upon re-opening the app, the user is authenticated via a cookie, so they don't need to re-login; however, those static variables are blown away.
So guys and girls, how would/do you conquer this issue? Should I append the extra info to the session cookie? Or perhaps a better solution?
Use the ProfileProvider in ASP.NET.
For application level variables, they are going to be subject to application pool recycles and similar "simulated" restarts related to users starting all over. These variables should be completely independent of user usage and should be able to be recreated easily. If you have variables that are user dependent or that can't be restored easily without some sort of outside intervention then you will definitely need a different method of storage.
If the data is user specific, storing it in the session cookie is probably the best idea. If the data is user-related but branches multiple users it should be stored in a database or a flat file somewhere. If the data has nothing to do with users specifically then it should just be in a database or configuration file.
