Let me try to explain this in english :).
I'm having trouble with the authentication in Mvc. I use my layout page to login and to show the other partial views with content.
I decorated the login methods with <AllowAnonymous()> _ to let people login into the page and in my webConfig i have the following entry:
<authentication mode="Forms">
<forms loginUrl="~/" timeout="2880" />
</authentication>
What's happening is when the session expires, the partial view renders the entire page again and i get the entire page twice (one inside the content).
Any help?
You may checkout the following article from Phil Haack which illustrates a nice technique allowing you to prevent the forms authentication module to automatically redirect to the LogOn page but return 401 status code. This could be done conditionally only for AJAX requests. And since the server now returns 401 status code you could detect it on your client side AJAX call and act accordingly.
Thks for the answer, but i solved my problem with the following post :
C# MVC: How to override configured authentication redirect?
Related
Application is accessed under https:// url.
In MVC application we have added ##Html.AntiForgeryToken() on cshtml razor engine and ValidateAntiForgeryToken on controller.
It all worked fine for after login pages, but with login page it goes to application error as there was no cookie seen on browser before logging into the system.
Went through several forums, articles and even added the following piece of code in global.asax.
AntiForgeryConfig.CookieName = "CSRF";
AntiForgeryConfig.SuppressIdentityHeuristicChecks = true;
//AntiForgeryConfig.RequireSsl = true; -- only for https.
Even wrote a simple SetCookie in get method of login page, that cookie doesn't show up on browser. What could be the problem.
Why i was able to see the below in cshtml but controller doesn't accept the post with antiforgeryvalidation before login.
.
Any help would be greatly appreciated
when we decorate any action with Authorize attribute then how MVC redirect to login form because my login controller name could be different and also view name also could be different. login view also could be stored in different folder instead of shared folder.
so tell me how MVC engine understand that it need to load login form when face Authorize attribute ?
how MVC engine would know where login form template is stored because it location could be different instead of shared folder?
how MVC engine would know what is login controller name if my login controller name is different ?
please discuss 3 points i asked here in details. thanks
The AuthorizeAttribute is a filter, which means that it can execute before the associated controller action. The AuthorizeAttribute performs its main work in the OnAuthorization method. If the user fails authentication, an HttpUnauthorizedResult action result is returned which produced an HTTP 401 status code. In previous versions of ASP.NET MVC the user redirected to the application login page defined in the application's web.config:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
In ASP.NET MVC 5, the redirection process is handled by OWIN middleware components. It redirects unauthenticated requests to a LoginPath value, which
defaults to "/Account/Login":
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType =
DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login")
});
I have an mvc 4 application and I want to redirect to the login screen when the session times out.
Any idea how to do this?
Thanks
Add in web.config file
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="1" defaultUrl="~/" />
</authentication>
I think it will help too.
Did you try with creating your ActionFilterAttribute ?? Action filters allow you to overide OnActionExecuting and it calls before an action method and this can be applied to any of your controller and then write code in there to check for the expiration of a session. Try this I think it can help.
Had to do the following to fix this
Change the web config for the session worked
I was overriding the cookie on the Application_PostAuthenticateRequest event and had to update the expiry date.
set the form authentication to
httpOnlyCookies="true"
added javascript setInterval to pop up after 4 mins and call the logout script. abandon the session and log the user off
Seems to be working now.
I'm using Forms Authentication for an internal company website. I authenticate users against the local Active Directory server.
I have my Web.config file set up as follows:
<authentication mode="Forms">
<forms name=".ADAuthCookie" loginUrl="~/Login" timeout="30" slidingExpiration="true" protection="All" defaultUrl="/" />
</authentication>
This works fine as long as a user moves to a new page, or refreshes the page they're on. However, much of my UI is based on javascript templating and AJAX, so it's quite possible for a user to be working on a page for longer than 30 minutes.
So, how do I query and/or extend how much time they have remaining in their session via an AJAX call? I don't need help with the AJAX call, just what I'd put in a controller (such as /user/keepalive)
I've set basic spring authentication. When user comes to page and enters secured URL, login form is rendered, but I want to show error 403 page (or any other page i choose).
If I understand correctly I can't use access-denied-handler because user is not authenticated at all.
How do I show any other page than login form page to non-authenticated user, when he accesses secured URL?
When you are using form-login the default AuthenticationEntryPoint redirects to the login page.
You can override this by injecting a custom entry point using the entry-point-ref attribute.
You can use the code for Http403ForbiddenEntryPoint as a guideline (or use that directly if all you want is a response code sent to the client).
Add the below tag in your security context file.
access-denied-page="<name of the page>"
add this in http tag like below:
<http auto-config="true" access-denied-page="/authenticationfailed.jsp">