I have MVC application which uses Forms authentication. For some reason any session variable that I declare are not saving whenever the user is not logged in. My application needs to support both authenticated and unauthenticated users. The applications works fine when ran locally. The issue only occurs on our remote server. We're using appfabric for session state. I'm trying trouble shoot the issue but I don't know where to start. Any advice would be welcomed!
Edit-when I change the value for httpCookies domain = "future.domain.com" to httpCookies domain="" it works fine. I was told by our admins that we need this setting to not change.
Related
I'm writing an app that's supposed to run with MVC5 and using parse as a backend.
I'm using the new Identity feature of the MVC5 to login an user. I also tried to use this solution but I couldn't make it work.
What is happening is that when I login with the user A and then login with the user B in a different session (a incognito windows or a new browser) whenever I try to insert something related with a ParseUser object using the first user that was logged in I get an exception: UserCannotBeAlteredWithoutSessionError.
I'm not sure if I'm doing the implementation in a wrong way, or if it is a limitation of the Parse (I think it was designed to run using one user per device).
If you have a workaround for this situation please help me.
There is a good answer which may help: Parse Database Authorization - Security For User Objects.
So, it's a kind of Parse SDK limitation, when you can work with only one user per device (as ParseUser is cached locally). The only workaround that I can see is to perform SignOut/Login explicitly, when you need to do something from other user's context. There is no way to have two users work simultaneously from the same device.
I use two different applications in my CI installation. The first is called "admin"... obviously an admin panel. The second is "frontend" where everything else is. I use the same database for each of the apps and the same member tables, both for admin authentication and member auth. The problem is, since the CI session class doesn't use native PHP sessions, the session only works in the application that it is set in(which makes sense)... for example, if a user that is indeed an admin logs into the system through the frontend app and then clicks the link to the admin app, they are required to login again. If they have the "Remember Me" option selected across when they login to both apps, this obviously isn't a problem.
How would I fix this? Or do you guys think it's better to have them login to the admin app again, just to validate their admin status again?
Thanks for your time.
You could use the native php session instead. There's a class which you can just copy paste, and you'll not have to change any of the rest of your code.
I have a site which is built in ASP.net and C#. Let's call it webapp. it uses a Form system to log on into it, and cannot be changed easliy.
I got a request to change the log in to some kind of windows authentication. I'll explain.
Our windows login uses active directory for users to log into their windows account. their login name is sXXXXXXX. X are numbers.
in my webapp, I want to take the users numbers from their active directory login, and check if those exist in the webapp database. if it exists, they will automatically log in. If it doesn't, they will be referred to the regular login page for the webapp system which is currently in use.
I tried changing my IIS to disable anonymous login and enabling windows authentication, therefore making the user browser to send it's current logged in user name to my webapp. I changed the web config as well from "Forms" to "Windows", which made my whole webapp obsolete as the whole forms system did not work.
My question is this - is there a different way for the browser only to send the username to my webapp? I thought maybe javascript, I just don't know how to implement that, if it's even possible. I know it's not very secure, but all this platform and system is built outside the internet, it's on a private network.
<script language="javascript">
var username = '<%HttpContext.Current.User.Identity.Name %>';
</script>
The only way you could get at the user's domain credentials via javascript would be by deploying some type of ActiveX component to expose that data to the browser. I wouldn't recommend that.
I would look at implementing a Login page for forms authentication that authenticates the user on the page load using HttpContext.Current.User.
The way forms works is that if an unauthenticated user attempts to access an access-controlled page and have not logged in (no cookie), they will be redirected to a login page that gives the facility to log in (this sets a cookie on the client-side). The user is then directed to the page they initially requested. You would simply be automating the login part.
If you have a mixture of pass-through and user who need to manually login you could check their client IP address to see if it matches one on your domain or not.
The solution I found for getting the username sent to the server was:
string winlogon = Request.ServerVariables["LOGON_USER"];
After enabled Windows Authentication Mode in IIS.
I am using MVC3 along with Autofac & EF4.1 to build an secure web app deployed on two servers.
A very few users are experiencing a strange issue where user is logged into system as wrong user with different account/branch settings.
I am authentication user using form authentication(.ASPXAUTH cookie) and roles are decided from active directory contents. user being logged in is assigned an unique token which flows during all transaction.
Could this be related to Autofac or authentication cookie is cached somewhere?
Are you users using shared computers?
If so, then I suspect that the cookie is to blame.
If not, then context information somewhere else in the application is to blame.
it was actually a static image file having set-cookie inside which was causing the trouble.
I’m calling the Magento (1.3.1.1) API http://MAGENTO/api/v2_soap?wsdl . And I’m getting Access Denied Soap exceptions when I call the Login method.
I have created a webservice user called Admin and assigned them to a role that has access to ‘ALL’.
I have another instance of Magento hosted on the same server and it works fine, and I have asked a colleague to give it a try, setting up their own user and calling the webservice and they experience the same problem.
**EDIT:**I tried starting from scratch again, reapplying my changes and testing at each stage. Iv managed to pin it down to something in the database as the error occurs again when I re-import the database. So I know its nothing to do with any code or template changes I have made. Still lost though!