How to make ASP.NET Membership Redirect Unauthenticated Access to Custom Page instead of Login Page - asp.net-membership

I have an ASP.NET web site which uses ASP.NET membership to authenticate and authorize users. When a user is not authenticated and types the URL of some page on the web site, the user is redirected to login.aspx with ReturnUrl initialized to the page that was requested. Because of a requirement, I got rid of my login page. It still exists on the web site, but users would log on from a different site. As a result, I don't want unauthenticated access to a page to redirect to the login.aspx page. I want to redirect users to some custom page I want. How can I achieve this?

The authentication node in the Web.config should be able to specify this. For example, in Forms authentication, one might have something like this:
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/MyCustomPage.aspx" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>

Related

Unable to access using windows authentication on Telerik Sitefinity 4.1

I've to enable SSO authentication on a Sitefinity application that before was using Form Authentication with a custom provider.
I've enabled it in the web.config
<authentication mode="Windows">
<!--<forms slidingExpiration="true" name="xxx.ASPXAUTH" cookieless="UseCookies" requireSSL="false" ticketCompatibilityMode="Framework20" timeout="180" />-->
</authentication>
<authorization>
<deny users="*" />
</authorization>
And when I try to access a page, the domain popup appears. I enter my credentials but I get the domain popup again.
I've cross-checked everything and everything seems OK... what can be the reason I can't log on, and why does it fall back as if I had entered a wrong password?

Login Page not showing for unauthenticated user (MVC)

I'm trying to redirect users to my login page if they aren't logged in. Using areas in MVC, I have an Admin area which holds the login view.
In the root web config I set the authentication mode to forms and the URL to point to the login.cshtml in the Admin area. The browser shows the default unauthorised page, instead of redirecting to the login page.
Root Web Config
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Areas/Admin/Views/Account/Login" />
</authentication>
</system.web>

ASP.NET WebAPI how to keep a state variable when user is authenticated

I have an ASP.NET WebAPI project that serves JSON data to my mobile application.
On each mobile request to my API I send HTTP headers with the user sessionid so I can validate that request on the server side.
So if my mobile application requests 10 JSON data catalogs, each request will have to validate whether the sessionid is valid in order to return the data.
My question is whether it's possible to save the state on the server (like a traditional HTTP session) so I can save round trips to my DB each time to validate the user sessionid.
I used to have <authentication mode="None"> in my web.config file and had a filter on each controller's method that validates the user sessionId. Inside my filter I used to have:
....
if (Thread.CurrentPrincipal.Identity.IsAuthenticated) return;
....
And that did the trick, but now I was forced to add a Razor website in my WebAPI project so I had to change my authentication mode to:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" defaultUrl="~/Home/Index" name=".ASPXFORMSAUTH" protection="All" timeout="30" slidingExpiration="true" />
</authentication>

Using ASP.NET Identity 2.0 in web forms project

I'm upgrading user management pages of my old web forms project to use new Identity 2.0. This means introducing MVC pages within web forms solution but so far it does not seem to be a big issue. Most of the functionality works fine except when I'm trying to add external auth provider (Google, FCBK) to already signed in user. I'm working off Identity 2.0 sample app and my problem happens in equivalent of /manage/linklogin action within Identity 2.0 sample app.
In here, external auth provider (let's say Google) should be challenged by setting HTTP 401 into current response, resulting in a browser redirect:
Location: https://www.google.com/accounts/o8/ud?openid.ns=[edited out...]
However, what happens to me is that I only get redirected to a local login page:
Location: /Account/Login?ReturnUrl=%2fManageAccount%2fLinkLogin
Please note that the very same code is called when I try to register (i.e. user is not logged in, not authenticated) using Google account - so it is not an issue that I'd have app.UseGoogleAuthentication() set wrongly in Startup.Auth.cs.
I suspect "something" in the response pipeline catches StatusCode 401 set by Microsoft.Owin.Security.AuthenticationManager.Challenge() method before Owin.Security.Google auth middleware kicks in and set the proper redirect location, though I cannot find what that "something" is.
Anyone successfully imported Identity 2.0 into web forms project already?
More info on my issue can be found here: Identity2.0 Codeplex discussion
Please refer to this sample for ASP.NET Web Forms which shows the Identity 2.0 features https://aspnet.codeplex.com/SourceControl/latest#Samples/Identity/Webforms.Samples/
You should also make sure the order of registering the middlewares is correct. E.g., Cookies should come before Google.
Yeah, this was a challenge. You are correct in your observation of its behavior. The config info below resolved this issue for me. The very bottom config tag that excludes the callback path caused it to start functioning as expected for me.
<system.webServer>
<modules>
<remove name="FormsAuthentication"/>
</modules>
</system.webServer>
<system.web>
<authentication mode="None"/>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<!-- the callback path has to be open to anonymous so that OWIN can do its redirect magic -->
<location path="signin-google">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

can we share site authentication cookie?

I have two web sites, domain1.com and domain2.com. A user comes to domain1.com, I authenticate them and create an authentication cookie. Is it possible to share this cookie with domain2.com, so that, for example, when the user goes to domain2.com they are authenticated because they authenticated at domain1.com? Is it possible?
I'm looking for a simple way, and these domains are not subdomains; they are two separate sites.
Note that I don't want to use SQL Server, URL parameters or other ways.
Thanks all.
Absolutely. Hopefully both sites share the same username database or it is replicated so that you can secure and access content by using the HttpContext.User.Identity.Name.
Anyways, basically you need to update your web.config <authentication> section to be exactly the same between the two sites. This means your machine key, decryption key, algorithm....everything.
Here is the MSDN article with the full directions on how to proceed to share authentication across several applications
This is possible using <authentication> and <machineKey> in your web config.
Machine Key
Contains a decryption key and validation key. This must be the same in both web configs.
<machineKey
decryptionKey="A225194E99BCCB0F6B92BC9D82F12C2907BD07CF069BC8B4"
validationKey="6FA5B7DB89076816248243B8FD7336CCA360DAF8" />
Authentication
This must be in both web configs but the values are specific to the application.
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH"
path="/"
loginUrl="~/Membership/login"
protection="All"
timeout="1000" />
</authentication>
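
A parity check for the settings the two answers above name, as an added example that is not from the original posts: it parses two web.config files and reports where the `<machineKey>` and `<forms>` values differ or fall back to auto-generated keys. The sample configs are constructed, the key values are placeholders, and `ticket_settings` and `compare` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; the key values are placeholders, not real keys.
SITE_A = """<configuration><system.web>
  <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
              decryptionKey="PLACEHOLDER_DECRYPTION_KEY" validation="SHA1" />
  <authentication mode="Forms">
    <forms name=".ASPXFORMSAUTH" path="/" protection="All" timeout="30" />
  </authentication>
</system.web></configuration>"""
SITE_B = (SITE_A.replace('name=".ASPXFORMSAUTH"', 'name=".SITEB"')
                .replace('protection="All"', 'protection="Validation"'))

# Attributes that both sites must set identically to read each other's ticket.
SHARED = {
    "machineKey": ("validationKey", "decryptionKey", "validation", "decryption"),
    "authentication": ("mode",),
    "authentication/forms": ("name", "path", "protection"),
}

def ticket_settings(config_xml):
    """Map (element path, attribute) to its value, or None when it is unset."""
    web = ET.fromstring(config_xml).find("system.web")
    found = {}
    for path, attrs in SHARED.items():
        node = web.find(path) if web is not None else None
        for attr in attrs:
            found[(path, attr)] = None if node is None else node.get(attr)
    return found

def compare(config_a, config_b):
    """Return findings; key material is never echoed into the messages."""
    a, b = ticket_settings(config_a), ticket_settings(config_b)
    findings = [f"{path} {attr} differs" for (path, attr) in a
                if a[(path, attr)] != b[(path, attr)]]
    for label, site in (("A", a), ("B", b)):
        for attr in ("validationKey", "decryptionKey"):
            # An unset key defaults to AutoGenerate, created locally per server.
            if (site[("machineKey", attr)] or "AutoGenerate").startswith("AutoGenerate"):
                findings.append(f"site {label}: {attr} is auto-generated")
        if site[("authentication/forms", "protection")] not in (None, "All"):
            findings.append(f"site {label}: protection is not All")
    return findings

if __name__ == "__main__":
    for finding in compare(SITE_A, SITE_B):
        print(finding)
```

Matching settings only let each application decrypt and validate the other's ticket; the browser still returns the cookie only to the domain that set it.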
