Can some hacker steal a web browser cookie from a user and login with that name on a web site?

Is it possible to steal a cookie and authenticate as an administrator? Yes, it is possible. If the Forms Auth cookie is not encrypted, someone could hack their cookie to give them elevated privileges, or if SSL is not required, copy another person’s cookie. However, there are steps you can take to mitigate these … Read more
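As an added illustration (not part of the answer above), the web.config settings that address the two weaknesses the answer names, a ticket that can be edited and a cookie that travels over plain HTTP, for an ASP.NET Forms Authentication application. The cookie name, login URL and timeout are assumptions.

```xml
<configuration>
  <system.web>
    <!-- protection="All" encrypts the ticket AND appends a MAC, so a user who edits
         the ticket (for example its userData or name) gets an invalid cookie instead of
         elevated privileges. requireSSL="true" marks the cookie Secure, so the browser
         never sends it over plain HTTP where it could be sniffed and replayed. -->
    <authentication mode="Forms">
      <forms name=".AUTH"
             loginUrl="~/Account/LogOn"
             protection="All"
             requireSSL="true"
             slidingExpiration="false"
             timeout="20"
             cookieless="UseCookies" />
    </authentication>
    <!-- httpOnlyCookies keeps the auth cookie out of reach of page script (XSS);
         requireSSL here applies the Secure flag to every cookie the app sets. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

On a single server the auto-generated machine key is enough for the MAC; on a web farm every node must validate the same MAC, so an explicit `<machineKey>` element with generated keys is required as well. A fixed `timeout` with `slidingExpiration="false"` bounds how long a copied cookie stays usable.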

Prevent IIS from serving static files through ASP.NET pipeline

I’m taking a guess here and suspect that you have the following setting configured in your web.config file: <modules runAllManagedModulesForAllRequests="true"> This means that every request, including those for static content, is hitting the pipeline. Change this setting to: <modules runAllManagedModulesForAllRequests="false"> This is assuming your application is running under ASP.NET 4.0 and MVC3. For this to … Read more

MVC Forms LoginUrl is incorrect

This is a known issue. I had the same problem with my custom authorize attribute. I found the solution somewhere on the net, can’t remember where. Just add this to appSettings in your web.config <add key="loginUrl" value="~/Account/LogOn" /> Note: This works with MVC 3, I didn’t try it with previous versions. EDIT: Found it mentioned … Read more

Forms Authentication Ignoring Default Document

This was my solution: In Global.asax, method: Application_BeginRequest, place the following: if (Request.AppRelativeCurrentExecutionFilePath == "~/") HttpContext.Current.RewritePath("HomePage.aspx"); Nice and simple, and you have a chance to build logic around what home page you want to use if your website uses multiple home pages based on configuration variables. Dmitry.Alk

How to allow an anonymous user access to some given page in MVC?

In MVC you normally use the [Authorize] attribute to manage authorization. Controllers or individual actions that are dressed with that attribute will require that the user is authorized in order to access them – all other actions will be available to anonymous users. In other words, a black-list approach, where actions that require authorization are … Read more
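The opposite, white-list approach as an added example (not code from the answer above): `AuthorizeAttribute` is registered as a global filter so every action denies anonymous users by default, and only the actions that must stay public opt out with `[AllowAnonymous]`. This assumes ASP.NET MVC 4 or later (where `[AllowAnonymous]` ships) and the default `Membership` provider; the controller and action names are illustrative.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Register in Global.asax Application_Start:
//   FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AuthorizeAttribute());   // deny by default for every action
    }
}

public class HomeController : Controller
{
    // No attribute needed: the global filter already requires authentication.
    public ActionResult Index() { return View(); }
}

public class AccountController : Controller
{
    // The login page itself must be reachable anonymously, otherwise the redirect
    // to loginUrl would bounce back to the login page forever.
    [AllowAnonymous]
    public ActionResult LogOn(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [AllowAnonymous]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOn(string userName, string password, string returnUrl)
    {
        if (!Membership.ValidateUser(userName, password))
        {
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
            return View();
        }

        // createPersistentCookie: false -> session cookie, not written to disk.
        FormsAuthentication.SetAuthCookie(userName, false);

        // Only follow returnUrl when it is local; an absolute URL here is an open redirect.
        if (Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }

    // Sign-out is a state change, so it is POST-only and CSRF-protected.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("LogOn");
    }
}
```

With this arrangement a newly added controller is protected without anyone remembering to decorate it, which is the practical advantage of the white-list over the black-list approach.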

Asp.Net Core – simplest possible forms authentication

It is not that simple 🙂 In the Startup.cs, configure method. app.UseCookieAuthentication(options => { options.AutomaticAuthenticate = true; options.AutomaticChallenge = true; options.LoginPath = "/Home/Login"; }); Add Authorize attribute to protect the resources you want to secure. [Authorize] public IActionResult Index() { return View(); } In the Home Controller, Login Post action method, write the following method. … Read more
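The answer above targets an early ASP.NET Core API. As an added example (not the answer's code), the same minimal cookie login written against the `AddAuthentication().AddCookie()` API of ASP.NET Core 2.0 and later, including the Login POST action the snippet cuts off at. The `CredentialsAreValid` check is a hard-coded placeholder for whatever user store the application has; everything else uses the framework's own types.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.LoginPath = "/Home/Login";           // where [Authorize] challenges redirect
                options.Cookie.HttpOnly = true;              // not readable from script
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // HTTPS only
                options.Cookie.SameSite = SameSiteMode.Lax;  // limits cross-site replay
                options.SlidingExpiration = false;
                options.ExpireTimeSpan = TimeSpan.FromMinutes(20);
            });
        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}

public class HomeController : Controller
{
    [Authorize]
    public IActionResult Index() => View();

    [HttpGet]
    public IActionResult Login(string returnUrl = null)
    {
        ViewData["ReturnUrl"] = returnUrl;
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string userName, string password, string returnUrl = null)
    {
        if (!CredentialsAreValid(userName, password))
        {
            ModelState.AddModelError(string.Empty, "Invalid user name or password.");
            return View();
        }

        // The cookie carries an encrypted, MAC-protected serialization of these claims,
        // so a client cannot edit its own role by editing the cookie.
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, userName),
            new Claim(ClaimTypes.Role, "User"),
        };
        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                                      new ClaimsPrincipal(identity));

        // Only follow returnUrl when it is local; an absolute URL here is an open redirect.
        return Url.IsLocalUrl(returnUrl) ? Redirect(returnUrl) : RedirectToAction(nameof(Index));
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        return RedirectToAction(nameof(Login));
    }

    // Placeholder (assumption): a real application verifies a salted password hash
    // from its user store and never compares plaintext.
    private static bool CredentialsAreValid(string userName, string password) =>
        userName == "demo" && password == "demo-password";
}
```

The data-protection keys that encrypt and sign the cookie are generated per machine by default; on more than one server the Data Protection key ring must be shared, otherwise a cookie issued by one node is rejected by the next.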

What is a very simple authentication scheme for Sinatra/Rack

Here is a very simple authentication scheme for Sinatra. I’ll explain how it works below. class App < Sinatra::Base set :sessions => true register do def auth (type) condition do redirect "/login" unless send("is_#{type}?") end end end helpers do def is_user? @user != nil end end before do @user = User.get(session[:user_id]) end get "/" do … Read more