In our project we provide users with tumblr like subdomains as well as custom domain names like "mydomain.com". So I have one and the same server and one application but different domain names.
Everything works fine with dns and routing but I've faced authentication problem. Shared authentication for main domain and subdomains can be solved by just specifying machine key and domain name in web config.
<authentication mode="Forms">
<forms domain="xxx.com" loginUrl="~/account/logon" timeout="2880" />
</authentication>
But in this case I have "Sign Out" problem, so Signing Out just don't work even after I added these lines of code (all the solutions of this problem I found):
formsAuthentication.SingOut();
Session.Abandon();
HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
cookie1.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie1);
HttpCookie cookie2 = new HttpCookie("ASP.NET_SessionId", "");
cookie2.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie2);
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();
After all I still don't know how to implement cross domain authentication for custom domain names. Is it possible somehome to share authentication data for particular server between any domains? Or maybe I can retrieve this information on server side if I know domain name and machine key?
a workaround is to set the user information in the localstorage the client set from the "main domain" then set a cookie created by subdomain, but for all your sing-in/out operations you will have to use the "main domain" you can search for how stakoverflow and all the siblings sites works because they are using SSO so solve that, anyway maybe this post helps you.
EDIT
for more information how SO solve the auto login issue
Related
I'm developing a spring-boot based backend app and an angularjs based frontend app hosted on the same domain with different subdomains.
myapp-frontend.mydomain.com //my angularjs app
myapp-backend.mydomain.com //my spring-boot app
otherapp-frontend.mydomain.com //some existing app running on same domain but unrelated
I'm trying to set the cookie which contains the jwt token generated in the backend to the browser when login api is called from the angularjs.
Cookie is set into browser with this code when I set the base domain url in spring-boot:
Cookie cookie = new Cookie("Authentication", jwt);
cookie.setPath("/");
cookie.setDomain("mydomain.com"); //this works
response.addCookie(cookie);
This set the cookie for other apps hosted on our company domain, but doesn't share user credentials with my app. Since I want the Authentication cookie header to be visible only to my frontend app, I tried to set the frontend subdomain url in the code. But this doesn't work.
...
cookie.setDomain("myapp-frontend.mydomain.com"); //not setting cookie
...
I understand that cookie cannot be set across different domains for security reasons but why is setting the subdomain url not working?
Out of curiosity, I tried putting backend subdomain in the setDomain() and cookie is set under myapp-backend.mydomain.com when I checked in chrome developer tools. Since it's working with base domain url, I believe I have already implemented the CORS correctly.
Am I missing something here? Any input would be greatly appreciated.
I have am ASP.NET Web API application that currently makes use of SQL Authentication when connecting to the database. I would like to change the connection to using Windows Authentication. In doing so, how do I specify the user that the web app, and therefore the database access, makes use of? I am using IIS v8.5.9600.16384
I can't say I agree with using integrated for the applications DB access as it makes security a bit more challenging as well as the coding issues tied to always having to deal with the possibility of different priv's for each user but obviously I don't know all the requirements of your situation.
So to answer your question:
If your connection string is set to Intergated Security the identity of the executing thread is used to provide the credentials.
By default the identity of the ASP.NET Worker Process will be the network credentials tied to the identity.
You can view the credentials like this:
IPrincipal threadPrincipal = Thread.CurrentPrincipal;
Console.WriteLine("Name: {0}\nIsAuthenticated: {1}" +
"\nAuthenticationType: {2}",
threadPrincipal.Identity.Name,
threadPrincipal.Identity.IsAuthenticated,
threadPrincipal.Identity.AuthenticationType);
You may set the identity via impersonation in the web.config or programatically.
Web.config:
<identity impersonate="true" userName="accountname" password="password" />
Code: (using the creds of the HttpContext user) this assumes that IIS is using integrated too
System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext =
((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
//User is the HttpContext.User
//Insert your code that runs under the security context of the authenticating user here.
impersonationContext.Undo();
You will have to turn off Anonymous Authentication and enable Windows Authentication via IIS Manager.
i have two web site domain1.com and domain2.com user come in domain1.com and i authenticate
it and create authenticate cookie ,is it possible to share this cookie by domain2.com,for
example when user Soto domain2.com is authenticated because it authenticated in domain1.com?
is it possible?
I'm looking for a simple way and these domains are not
a sub domains they are two separate site
notice i don't want use sql server url parameter or other ways
thanks all
Absolutely. Hopefully both sites share the same username database or it is replicated so that you can secure and access content by using the HttpContext.User.Identity.Name.
Anyways, basically you need to update your web.config <authentication> section to be exactly the same between the two sites. This means your machine key, decryption key, algorithm....everything.
Here is the MSDN article with the full directions on how to proceed to share authentication across several applications
This is possible using <authentication> and <machineKey> in your web config.
Machine Key
Contains a decrytion key and validation key. This must be the same in both web configs.
<machineKey
decryptionKey="A225194E99BCCB0F6B92BC9D82F12C2907BD07CF069BC8B4"
validationKey="6FA5B7DB89076816248243B8FD7336CCA360DAF8" />
Auhentication
This must be in both web configs but the values are specific to the application.
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH"
path="/"
loginUrl="~Membership/login"
protection="ALL"
timeout="1000" />
</authentication>
I have two MVC3 sites, both hosted on the same server that I've configured to use the same authentication cookies.
The first site is an intranet site using Windows authentication. This site has one simple Action that checks to see if the user was authenticated, if the user has been, it creates a FormsAuthentication cookie that it adds to the response. This cookie is created for a generic user that I determine from the User's AD groups. The response then redirects the user to a second site that uses Forms Authentication.
When I run this on my local machine, everything works as described above. When I deploy this to our local web server, it doesn't. I've tested to see if the user's group is correctly determined and that it creates a valid user for the cookie, and I have verified that this is correct on the web server.
Here is how I'm doing all of the above:
First, I made both sites use the same same Machine Key for encryption and decryption.
When I create the cookie in Site1, I ensure that it has the same name and Domain as the cookies created on Site2.
var cookie = FormsAuthentication.GetAuthCookie(userName, false);
cookie.Domain = FormsAuthentication.CookieDomain; //This is the Domain of my 2nd site as they are different
HttpContext.Response.Cookies.Add(cookie); //Add my cookie to the response
HttpContext.Response.RedirectPermanent(urlForSite2);
Again, when I run this on my local machine it works without a problem. But when deployed, it's either not passing the cookie in the request, or the response is ignoring it, but I'm not sure how to verify either of these cases.
Feel free to ask any question regarding more details as to how I'm doing this if it will help in getting an answer I need.
Cross domain cookies are not allowed. If you have two separate domains; one cannot access the others cookies. Two separate virtual directories/applications will work when using the same machine key. http://blogs.technet.com/b/sandy9182/archive/2007/05/07/sharing-forms-cookie-between-asp-net-web-application.aspx
If you want to share login cookies between sub-domains you need to edit the Domain property of the login cookie to the 2nd level domain "abc.com" so that "www.abc.com" and "ww2.abc.com" will have access to the cookie. http://forums.asp.net/t/1533660.aspx
String usrName = User.Identity.Name.ToString();
HttpCookie authCookie = Security.FormsAuthentication.GetAuthCookie(usrName, false);
authCookie.Domain = "abc.com";
Response.AppendCookie(authCookie);
Actually, it is possible, but isn't as simple as the domain/sub-domain cookie sharing.
http://www.codeproject.com/KB/aspnet/CrossDomainSSOModel.aspx
While the example given in this article didn't apply directly to what I was doing, I could use some of the ideas expressed there to get what I needed working. It ended up being my configuration settings in site2 web.config.
My URLs are as follows
Site1 = http://site.stage
Site2 = http://site.stage.MyCompanyName.com
Site 1 requires a host entry addressing it to a specific IP address of the hosting machine. It's also an entry in my IE Security settings - Local Intranet Sites.
I should note that these applications are both virtual directories running under the same default website.
I thought I had solved my problem but setting the Domain in the config file to and empty string, but this didn't work. I'm not sure what can be done now. This still works when I run it on my local machine, but not when I run it on my server. The only difference is the urls.
My dev machine is using the urls
Site 1: http://localhost/CompanyName.TVAP.IntranetSite
Site 2: http://localhost/TVAPDev/
I hope this adds some clarification. This Answer should really be posted as an edit to my question, but when I originally posted it, I thought I had it working.
UPDATE: I think my answer is in my URLs above. My dev machine URLS both are using the same domain name, which in this case is localhost. I think if I alter my deployed websites to use the same domain, I will be OK. I'll post an update when I get it worked out.
has anyone implemented signgle sign on in MVC? Can anyone give me any example for single sign on in MVC.
I've implemented a SSO solution between multiple ASP.NET MVC applications hosted on the same parent domain (app1.domain.com, app2.domain.com, ...) by using Forms Authentication and setting the domain property of the cookie in web.config of all applications:
<forms
name="ssoauth"
loginUrl="/login"
protection="All"
timeout="120"
requireSSL="true"
slidingExpiration="false">
domain="domain.com"
/>
When you set the domain property of the cookie, this cookie will automatically be sent by the client browser to all applications hosted on this domain and will be able to authenticated the user automatically.
If you want to implement a cross domain SSO using Forms Authentication here's what you could do:
The user navigates to foo.com and signs in. The application hosted on foo.com uses standard Forms Authentication, nothing fancy.
The user decides to go to bar.com and clicks on a link that you created. This link could contain a token parameter which will contain the encrypted username. This encryption could be done using the machine keys and look something like this: https://bar.com?token=ABC.
The application hosted on bar.com receives the request and because it uses the same machine keys as the other application it is capable of decrypting the token and fetching the username. Then it simply signs in the user by emitting an authentication cookie locally and the user is automatically signed in bar.com.
Below is an example for SSO for websites sharing same domain
http://www.codeproject.com/Articles/27576/Single-Sign-on-in-ASP-NET-and-Other-Platforms
Please see my answer here. Basically you need to set Authentication mode to windows on web.config and use HttpContext class to retrieve user identity which takes data from Active directory
https://stackoverflow.com/a/40938106/950944