ASP.NET Core MVC Session Auth cookies - asp.net-core

I have a website that's using ASP.NET Core MVC. It's hosted as an App Service in Azure. Authentication happens against Azure AD.
The authentication cookie is a session cookie.
Is there a way to force all existing session cookies to be invalid? Back in the day of .NET Web Forms I would have recycled the app pool or changed the machine key.
I don't care if the cookies still exist, I just want them to no longer be accepted by my web application.

In order to invalidate the auth cookies in an ASP.NET Core application, you need to delete the encryption keys. I am hosting my site in Azure and the encryption keys are stored at %HOME%\ASP.NET\DataProtection-API. There will be one or more XML files stored in that directory; those are the keys. Delete the XML files and restart the web application (you must restart the web application as the keys are stored in-memory).
I ran into an issue where I had scaled out my web application and both web apps started simultaneously. This caused each app to create its own key and (more importantly) be unaware of the other app's key. To help prevent this from happening, I perform the following steps:
Scale down my app service to 1 instance
Delete the XML files
Restart the web application
Request a page from the web application (ensure it has been restarted)
Scale my app service back up

Related

Cookie not recognized when switched domain between app services

I'm going to move the sso server application (ASP.NET CORE DOTNET 6) from app service APS1 located in service plan AP1 to a new app service APS2 located in a different service plan APS2 (can't use Change service plan due to the Azure restriction on regions and resource groups). I cloned the sso app from APS1 to APS2, added the certificate and switched the custom domain from APS1 to APS2. So after the change we have the same application, but located in another app service plan and another app service, under exactly the same domain. What I'm trying to understand is why a cookie issued by the app located in APS1 is not accepted by the same application, moved to APS2 under exactly the same domain which was switched from APS1. I tried to perform the same operation using the sample app from https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-6.0 but with the same results - the cookie is not being recognized after switching the domain from APS1 to APS2.
What helped was to set the same application name with:
builder.Services.AddDataProtection().SetApplicationName("appName");

SignalR failing to authenticate via cookies

I have a couple of projects:
Chat - SignalR backend (ChatHub)
Web - MVC project that hosts clientside scripts, including those that make calls to the Chat project
I'm in the process of migrating from .NET Framework to .NET Core and am moving to SignalR for Core as part of this work. Cookie authentication is working correctly on the old version, but upon migrating to SignalR for Core, I appear to be having problems.
Cookie authentication is enabled in both projects. The Web project works fine and the Auth cookie is correctly recognised and used for authentication. The Chat project, however, is not correctly authenticated against the cookie, despite the cookie being included at least in the negotiate request:
When I make a call to the ChatHub, Context.User.Identity.Name is empty. The same call returns a populated name when run on the Web project. If I decorate the ChatHub with [Authorize], the call fails with a 401.
Here's a minimalistic repro project showing the issue.
I assume the problem is related to the Authentication I have configured, or perhaps the cross-domain nature of the call?
This documentation is pretty unhelpful, and only says the following:
In a browser-based app, cookie authentication allows your existing user credentials to automatically flow to SignalR connections. When using the browser client, no additional configuration is needed. If the user is logged in to your app, the SignalR connection automatically inherits this authentication.
This appears under some very basic configuration, which basically only calls app.UseAuthentication(). Alas, that configuration does not work for me.
How do I set Cookies authentication in SignalR for Core so it works across two projects?
The issue is that by default, the Data Protection system that ASP.NET Core uses to encrypt the auth ticket isolates apps from one another.
You need to configure data protection on each project you wish to share protected payloads to use the same key ring and app identifier:
services.AddDataProtection()
    // every app that must accept the same protected payloads uses the same name
    .SetApplicationName("<appName>")
    // as well as the following calls if your projects are to be deployed on different machines:
    // a shared key ring, and protection of the keys at rest
    .PersistKeysToAzureBlobStorage(new Uri("<blobUriWithSasToken>"))
    .ProtectKeysWithAzureKeyVault(new Uri("<keyIdentifier>"), new DefaultAzureCredential());

Authorization of nested apps within an ASPNET Core 5 app

I have deployed a staging server under a subdomain and serving it on IIS on a VPS. I published an ASP.NET Core 5 (RazorPages template) app and it is using default identity, requiring login before you can go to any other page. Obviously I want to realize the staging of different applications under this domain so on IIS, I have created a virtual directory under my staging website and pointed it to the physical location where I have deployed the demo app. Physically, the staging website and the demo app are next to each other, but on IIS there is a virtual directory application called /demo under the main iis website. "demo" is also an aspnet core mvc app.
When I type in the URL staging.mysite.com/demo it loads and works fine under its own application pool. What I want to achieve is to create a custom route in the main staging website that will be recognised as /demo (as if there was a demo controller or razor page dir) and redirect back to login if the user is not logged in. Right now it loads the demo app no matter whether the user is signed in or not. Is it even possible to secure child apps from a parent app? I have read so many articles and MSDN documentation but obviously lack fundamental knowledge about IIS and the middlewares. I suspect IIS is not even forwarding the request to the aspnet middleware/kestrel when it finds an IIS application on that URL. How should I approach this problem? Any leads will be greatly appreciated.
Edit: I don't want the authentication on the main website to propagate into the child app. I just want to keep unauthorized access out of the child app. Child apps have separate logins and that is fine for now. Thanks.

How to configure .NET Core Identity to work with Kubernetes

I have a .NET Core MVC web application that is containerized and running in Azure Kubernetes Service. The application uses .NET Core Identities for user authentication.
The problem I have is that when I scale up the application to multiple instances, user authentication becomes unreliable. I believe this is because the load balancer does not guarantee that subsequent requests from the same user session go to the same instance, and as the authentication cookies created on one instance are not valid on another instance, the user is directed to the login page again.
With the .NET Framework I would set the machineKey in the web.config, and so multiple instances would be using the same key for encryption.
What is the appropriate way to manage this situation with a .NET Core application?
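The three situations on this page (a second instance sharing the key ring, the SignalR answer's point that apps are isolated by application name, and scaled-out instances that each generated their own key as in the first answer and the Kubernetes question) can be reproduced with the Data Protection API outside a web host. This is an added example, not code from any of the posts; the directory names, app names and the "auth-ticket" purpose string are assumptions, and the real cookie handler uses its own purpose chain.

```csharp
// Added example: shows when one ASP.NET Core instance accepts a payload protected
// by another. Requires the Microsoft.AspNetCore.DataProtection NuGet package.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

static class KeyRingDemo
{
    // Stand-in for the cookie handler's purpose chain (assumed value).
    const string Purpose = "auth-ticket";

    // Build a protector backed by a key directory (the "key ring") and an app name.
    static IDataProtector Protector(string keyDir, string appName) =>
        DataProtectionProvider.Create(new DirectoryInfo(keyDir),
                b => b.SetApplicationName(appName))
            .CreateProtector(Purpose);

    // Unprotect throws CryptographicException when the key is missing from the
    // ring or the application name (part of the purpose) does not match.
    static bool Accepts(IDataProtector p, string payload)
    {
        try { p.Unprotect(payload); return true; }
        catch (CryptographicException) { return false; }
    }

    static void Main()
    {
        string ringA = Path.Combine(Path.GetTempPath(), "ring-" + Guid.NewGuid());
        string ringB = Path.Combine(Path.GetTempPath(), "ring-" + Guid.NewGuid());
        Directory.CreateDirectory(ringA);
        Directory.CreateDirectory(ringB);

        // "Instance 1" issues a ticket; this also writes the first key-*.xml to ringA.
        string ticket = Protector(ringA, "MyApp").Protect("user=alice");

        // Same key ring, same app name: a second instance (or a second project
        // such as the SignalR backend) accepts the ticket.
        Console.WriteLine("shared ring, same name:  " + Accepts(Protector(ringA, "MyApp"), ticket));

        // Same key ring, different app name: apps are isolated, ticket rejected.
        Console.WriteLine("shared ring, other name: " + Accepts(Protector(ringA, "ChatApp"), ticket));

        // Different key ring, same app name: the scaled-out case where each
        // instance created its own key; deleting ringA's XML has the same effect.
        Console.WriteLine("other ring, same name:   " + Accepts(Protector(ringB, "MyApp"), ticket));
    }
}
```

Only the first case prints True; fixing the second needs the same SetApplicationName on both apps, fixing the third needs a shared key store (blob storage, a mounted volume or a database) instead of per-instance local keys.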

use session with silverlight4 application

I want to use session with my silverlight4 application to store data for a temporary period.
So how to use Session with silverlight4 Application?
Silverlight runs on the client. You don't mention whether you are simply looking at storing data on the clients or whether you want to implement server side session. If you want to store data on the client have a look at Isolated Storage. Silverlight uses Isolated Storage as a virtual file system to store data in a hidden folder on the client machine.
Is your Silverlight app calling WCF services hosted in IIS? If so, and as long as your WCF services opt in for ASP.NET compatibility mode, ASP.NET session is available to you. With ASP.NET session you get the ability to set expiration times, dependencies etc.