I have an MVC3 project for running on the iPad in web-app mode. I use FormsAuthentication to implement login/logout functionality, which calls FormsAuthentication.SetAuthCookie(model.Username, true) to store the login information in a cookie. In all major browsers, including mobile Safari, the cookie is saved persistently across sessions. Only in web-app mode is the cookie sometimes cleared while browsing the web app, and it is definitely deleted after closing the web app. Is there any possibility to save the login information across sessions in web-app mode, too?
I know that the HTML5 local storage feature could be used, but I've no idea how to implement FormsAuthentication.SetAuthCookie(model.Username, true) manually by using the new local storage. And besides that, I'm not sure whether the local storage is safe enough to store such critical data.
I found the answer after a lot of research: You have to force the usage of cookies in the authentication node of web.config through cookieless="UseCookies":
<authentication mode="Forms">
<forms cookieless="UseCookies" loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
Related
I seem to have a problem with timeouts and forms authentication loops in my application. The application is MVC3 based and is AJAX heavy. I find that even when a user is continuously working on the application and not being idle, sometimes they get kicked out and then forms authentication goes into a redirect loop with a 302 error.
The application is hosted with a provider who tells me they have increased the session timeouts to 60 minutes. My web.config setting for the application is as follows.
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" cookieless="UseCookies" slidingExpiration="true"/>
</authentication>
Why would I be getting the session timeouts? Is there any setting I can check up/change to stop this happening?
Thank you,
I finally figured out what was happening. Firstly, I had a Session filter on my base controller, that was catching session timeouts and redirecting it to Account/LogOn. Removing this took out the redirect loops.
I also changed my code to NOT use Session variables, to get around the issue of frequent session timeouts. And this has now been resolved. I hope this helps anybody else out there struggling with similar issues. Do remember and check for any kind of custom attribute filters you may be using in your code.
I have two websites, domain1.com and domain2.com. A user comes to domain1.com, and I authenticate them and create an authentication cookie. Is it possible to share this cookie with domain2.com, so that, for example, when the user goes to domain2.com they are authenticated because they authenticated on domain1.com? Is it possible?
I'm looking for a simple way, and these domains are not subdomains; they are two separate sites.
Note that I don't want to use SQL Server, URL parameters or other ways.
Thanks all
Absolutely. Hopefully both sites share the same username database or it is replicated so that you can secure and access content by using the HttpContext.User.Identity.Name.
Anyways, basically you need to update your web.config <authentication> section to be exactly the same between the two sites. This means your machine key, decryption key, algorithm....everything.
Here is the MSDN article with the full directions on how to proceed to share authentication across several applications
This is possible using <authentication> and <machineKey> in your web config.
Machine Key
Contains a decryption key and validation key. This must be the same in both web configs.
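<!-- Sample values from this answer: generate your own random keys and keep them out of public posts and source control -->
<machineKey
    decryptionKey="A225194E99BCCB0F6B92BC9D82F12C2907BD07CF069BC8B4"
    validationKey="6FA5B7DB89076816248243B8FD7336CCA360DAF8" />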
Authentication
This must be in both web configs but the values are specific to the application.
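<authentication mode="Forms">
    <!-- protection values are case-sensitive ("All"), and an app-relative loginUrl starts with "~/" -->
    <forms name=".ASPXFORMSAUTH"
        path="/"
        loginUrl="~/Membership/login"
        protection="All"
        timeout="1000" />
</authentication>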
I have a jQuery Mobile page that works ok in Safari on iPhone (iOS 5+). And when clicking at this link...
@Html.ActionLink("Click to download", "Download", "Home")
...I am taken to myapp.com/Home/Download
When clicking the same link in Chrome on iPhone I'm taken to myapp.com/(F(LzXF8gDEEPPgR7F_UZ0wf2uWg1e-aK1mgwtvzxCTIgflM43gYVEY06XIIq91OLlyjnRXo78AXHQLoXMUXRjOLKQltEhrsYgmTnSNsHzBfl01))/Home/Download
Does anyone have any idea why the URL gets so messed up? (From that url no subsequent link works..)
Your user agent (browser) doesn't support cookies or has cookies disabled. In this case ASP.NET falls to a compatibility mode in which it tracks user Sessions by appending the session id in the url. So now all your urls will have this id. It's perfectly normal behavior.
The same will happen not only with ASP.NET Session but with Forms Authentication cookies. You could disable this behavior for ASP.NET Session in web.config by forcing to always use cookies:
<sessionState cookieless="UseCookies" />
Obviously if the user disables cookies, your application will simply crash as it won't be able to track users. And absolutely the same goes for the forms authentication cookies:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" cookieless="UseCookies" />
</authentication>
I had the same problem and,
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" cookieless="UseCookies" />
</authentication>
solved my problem..
I think you have to force the browser to use cookies, because when I checked my settings on my iPad, Chrome was already allowing them.
Thanks again..
I realize this is an older post, but..
I believe this is a bug with the newest release of chrome iOS v 30.0.1599
As Daren stated, this is the .net framework using the URL to hold the authentication data that otherwise would be in the auth cookie. This is called cookieless session.
.net should not be interpreting the user agent as one that does not support cookies.
I added a test of Request.Browser.Cookies to my login page and am seeing this version of Chrome showing as false. This is certainly a bug in the Chrome release. This seems to only happen after some postbacks and will not resolve itself even with clearing the cookies and data and cache in the content settings.
The only way to solve is uninstalling chrome and using Safari. I am using ios7.
I would love to know how to resolve this, but currently we are advising our clients who use iOS Chrome to not update or use Safari and uninstall....
Mark
I have a solution that has two applications. Is it possible to make the user sign in only once?
For example, in the main application I do authentication like this:
FormsAuthentication.SetAuthCookie(ContactFound.ContaLogin, model.RememberMe);
And I put this code in the web.config file:
<authentication mode="Forms">
<forms
loginUrl="~/Account/LogIn"
defaultUrl="~/Account/LogOn"
timeout="15"
/>
</authentication>
What should I add so that, when the user is logged in to the main application, we don't ask him to log in again when he connects to the second application?
Since you are going to host both applications at the same address, it should be easily possible by setting the <machineKey> (web.config) to the same value for both applications. After that, you should automatically be logged in to one application after logging in to the other.
Further reading:
Single Sign On (SSO) for cross-domain ASP.NET applications (see How authentication works in multiple ASP.NET sites under the same domain)
machineKey Element (ASP.NET Settings Schema)
Single Sign On with Forms Authentication
I have the following in my web.config
<sessionState mode="InProc"
timeout="2"
cookieless="UseCookies"/>
<authentication mode="Forms">
<forms
loginUrl="~/Account/LogOn"
timeout="1"
cookieless="UseCookies" />
</authentication>
As far as I understand in MVC3 (or in Asp.Net) sessionState controls when the user's session on the server times out and the forms authentication timeout controls when the user will be forced to log in to the website again.
This doesn't seem to be exactly true: If I remove the sessionState section from my web.config the timeout in the authentication section is completely ignored - it seems to just timeout after some default length of time.
In fact the session state timeout seems to be required to control when authentication times out. This doesn't make any sense at all.
Can anyone tell me what I am missing here?
This is related to this question that I asked, but I didn't get to the bottom of why this is the case.
Session timeout is independent of forms authentication timeout.
You didn't elaborate on how you created your ticket, so here are the most common quirks which may affect your observations:
If you instantiated the auth ticket yourself, then the timeout setting in the config file has no effect.
Sliding timeout is a little funky, the ticket will not be extended unless you visit again in the last half of the window.
You might want to check out this article for an overview:
http://support.microsoft.com/kb/910443
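The two quirks listed in the answer above, shown as an added C# example (not code from any of the posters): a hand-built ticket that reads the configured `<forms timeout>` explicitly, and the half-window rule that decides whether a sliding ticket is reissued. The class and method names `AuthTicketExample`, `SignIn` and `WouldRenew` are hypothetical; the `FormsAuthentication` members are the framework's own (.NET 4).

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper class for illustration only.
public static class AuthTicketExample
{
    // Issues a manually created ticket that still honours <forms timeout="..."> from web.config.
    public static void SignIn(HttpResponseBase response, string userName, bool persistent)
    {
        DateTime issued = DateTime.Now;
        // A ticket built by hand ignores the config timeout unless it is read explicitly.
        DateTime expires = issued.Add(FormsAuthentication.Timeout);

        var ticket = new FormsAuthenticationTicket(
            1, userName, issued, expires, persistent,
            string.Empty, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // follows <forms requireSSL="...">
            Path = FormsAuthentication.FormsCookiePath
        };
        // Without Expires the browser treats it as a session cookie.
        if (persistent)
        {
            cookie.Expires = expires;
        }
        response.Cookies.Add(cookie);
    }

    // Mirrors the sliding-expiration rule: the ticket is reissued only once
    // at least half of its lifetime has elapsed.
    public static bool WouldRenew(FormsAuthenticationTicket ticket, DateTime now)
    {
        TimeSpan elapsed = now - ticket.IssueDate;
        TimeSpan remaining = ticket.Expiration - now;
        return remaining <= elapsed;
    }
}
```

With `timeout="1"` as in the question, a request 20 seconds after login leaves the ticket untouched, so it still expires 60 seconds after it was issued; a request at 40 seconds gets a fresh ticket.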