User from the first website is logged to another website issue - security

I created two websites in ASP .NET MVC4. Both are having different names.
I registered a new "userA" for the website #1 and signed in.
When I start the website #2 I see that the "userA" is already logged in.
How is it possible?
What do I have to do so website #2 is not going to work like that?
What exactly I have to change to get rid of that? web.config, cookies or what and how?
Thanks!

Try changing the name of the Forms Authentication Ticket, by default it is set to .ASPXAUTH which can cause issues if you're running multiple apps locally. This caught me up a few weeks back.
<forms
name=".myappauth"
loginUrl="~/Account/Login"
protection="All"
timeout="30">
<credentials>...</credentials>
</forms>
MSDN Documentation
http://msdn.microsoft.com/en-us/library/1d3t3c61%28v=vs.85%29.aspx

Related

Oauth and excel links

We have a web app that used to be authenticated through forms and we changed it to use oauth with azure ad. Some users save links to different pages in the app in excel files. The problem is that since we changed the authentication we get an error when an excel link is clicked : "Microsoft.IdentityModel.Protocols.OpenIdConnectProtocolInvalidNonceException
IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null. A nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'."
I tried adding the OPTIONS and PROPFIND verb to requestFiltering but no luck...
Installing the fix from this page :Microsoft support
fixed the problem. We are also looking into changing the SSO cookie policy because we don't want to have every user installing the fix if is not necessary.
Updated 2018.01.18
We updated the OS in the company to windows 10 and the issues reappeared. Implementing this code seems to fix the problem: https://github.com/aspnet/AspNetKatana/issues/78

Using 'Facebook login' with C# SDK , plus ASPNET Membership Integration

I followed the tutorial page on doing the basic Facebook authentication and login, but it seems to create a redirection loop.
The parent page sets up a listener which, on authResponseChange, redirects to a handler.
The handler then gets the token and redirects back to the parent page
Which then sets up a listener, logs in, triggers authResponseChange and redirects to the handler. Etcetera...
Have I misunderstood something, or is this a bug or expected behaviour? I need to find a way to NOT have this happening.
Secondly, the documentation for 'Using Facebook & ASP.NET Membership for Authentication' is obviously not ready, but I would appreciate some pointers on how to do you would advise doing it.
EDIT: I presume that both of these issues would be fixed with the same solution, ie - getting the handler to redirect to a new page which creates a new ASPNET Membership user based on the facebook credentials - however I am unsure how to do this as the documentation for this section just says TODO. Any pointers? Would you need to just extend the Profile system to store the access token and facebook ID ? Or am I on totally the wrong track?
On another demo here some folks said it was a problem with ie9/chrome and cookies on localhost. Pointing to 127.0.0.1 and run it on iis it fixed the issue for me.

Sharepoint problem: switching user correctly but internaly maintains "old" user

I'm facing an extrange behavior in my Sharepoint 2077 farm:
We have configured windows integrated authentication with NTLM, and all clients authenticates correctly to the portal.
When they proceeds to "login as" diferent user, it seems to be all fine (appears user name in top of page) , but internally the page user is the old user. I know this because I have a customized web page that reads page user name and print it to the page.
after some refresh or waiting some time, the current user is applied "internally" too.
Do you know is there is any configuration option for avoid this delay?
Many thanks in advance,
any help would be appreciated.
solved there:
http://support.microsoft.com/default.aspx/kb/970814

Why does HttpContext.Current.User.Identity.Name return the wrong username when used in a webpart?

In a Sharepoint web page I am having a problem identifying the logged in user!
The Masterpage contains a normal ootb control that displays the username
<%# Register TagPrefix="wssuc" TagName="Welcome" Src="~/_controltemplates/Welcome.ascx" %>
.....
.....
<wssuc:Welcome id="explitLogout" runat="server" />
This always displayed the correct logged on user.
However if I call
HttpContext.Current.User.Identity.Name
from within a webpart then In 1 or 2 % of cases I will get the incorrect name returned.
This gives me a page that will have the correct username at the top, and the incorrect one in the webpart. Other methods of getting the name in the webpart return the same incorrect name. If the name checker webpart is on the same page multiple times then very rarely the second copy of the webpart will have the correct name or a third incorrect identity!
The identities are stored in Active Directory, and the users authenticate against and ISA server, users are not on the same domain as the SharePoint infrastructure. The sharepoint farm is rather complex with the ISA servers, four web front ends, an apps server and finally a database server.
Has anyone had this happen before? or have any clue as to the direction I should take to investigate the problem!
The servers are running IIS6 on server 2003. Sharepoint is at SP2 but without the latest bunch of patches.
Additional:
Output Cache is enabled. Authenticated Cache Profile is "Intranet"
The settings for that profile are as follows
Title Intranet (Collaboration Site)
Display Name (BLANK)
Display Description Optimized for collaboration sites where authoring, web part cusomization, and minor version are enabled.
Perform ACL Check Yes
Enabled Yes
Duration 180
Check for Changes Yes
Vary by Custom Parameter (BLANK)
Vary by HTTP Header Browser
Vary by Query String Parameters (BLANK)
Vary by User Rights Yes
Cacheability ServerAndPrivate
Safe for Authenticated Use Yes
Allow writers to view cached content (BLANK)
SharePoint runs under the application pool account. You need to use
SPContext.Current.Web.CurrentUser.LoginName
to get the current user.
This was a while ago and I am sorry for not reporting back our solution... and now I don't remember clearly what it was! Something to do with Donut Caching that we had misunderstood.
http://blogs.catapultsystems.com/tlingenfelder/archive/2011/03/24/sharepoint-caching-techniques.aspx

Cannot login to WSS 3.0 site using forms authentication

A changed Windows authentication to Forms authentication. Using the following example.
I added a user with Web Site Administration Tool. Finally I added this user as Site Collection Administrators and the user is recognized by SharePoint. Happy with that is started my WSS site in the browser but when I try to Sign in using this sign in form it is not working. Returns to this form after the submit (//spvm:100/_layouts/login.aspx?ReturnUrl=%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252f&Source=%2f)
I have been scanning my Eventviewer but no succes for any comment what tells me what I am doing wrong. Maybe some of you guys can help me out?
Once you are redirected to this page, try navigating to http://spvm:100. Sometime I get this kind of case where I move make to the root, then it works. I really didnt know the reason why sometime it behaves like that.
I had the same issue. I found that something was wrong with my browser's settings. I tried to log in with another browser (Firefox) and that worked for me.
I don't know yet what was wrong with my IE7's settings, on another machine I could log in to a forms auth site without any problem.

Resources