13

I've been hitting this one for hours and I'm stumped. I'm making an ajax post request to an MVC 5 controller in an attempt to auto-login a specific pre-defined "super" user. In the controller method, I'm trying to programmatically set the HttpContext.Current.User and authenticate, so the super user can skip the process of manually logging in. The consensus on this seems to be here, which I implemented:

setting HttpContext.Current.User

This seems to work until I try to view any other controller methods with a custom AuthorizeAttribute.

Controller method:

[HttpPost]
[AllowAnonymous]
public ActionResult Login(string username)
{
    string password = ConfigurationManager.AppSettings["Pass"];

    User user = service.Login(username, password);

    var name = FormsAuthentication.FormsCookieName;
    var cookie = Response.Cookies[name]; 
    if (cookie != null)
    {   
        var ticket = FormsAuthentication.Decrypt(cookie.Value);
        if (ticket != null && !ticket.Expired)
        {
            string[] roles = (ticket.UserData as string ?? "").Split(',');
            System.Web.HttpContext.Current.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
        }
    }

    //...processing result

    return Json(result);
}

The service.Login method above creates the cookie:

FormsAuthentication.SetAuthCookie(cookieValue, false);

Though I'm setting the User, which has an Identity and IsAuthenticated is true, the filterContext.HttpContext.User below is not the same user. It's essentially empty as if it was never assigned, and is not authenticated.

public override void OnAuthorization(AuthorizationContext filterContext) 
{
    string[] userDetails = filterContext.HttpContext.User.Identity.Name.Split(char.Parse("|"));
}

The closest post I could find is here: IsAuthenticated works on browser - but not with Air client!

However, the fix for that was already in place for me:

<authentication mode="Forms">
  <forms cookieless="UseCookies" timeout="60" loginUrl="~/Account/Login" />
</authentication>

What am I missing to make the AuthorizationContext.User match the HttpContext.Current.User that I'm authenticating in the controller?

UPDATE:

I realize I need a redirect to set the cookie properly, I'm just not able to make that work remotely, via an ajax call. Here's what the script in site A looks like, when executing the controller method on site B. This redirect doesn't set the session. It still isn't present when authenticating the user on the next controller method. It just redirects me back to the login view.

function remoteLogin(id) {
    $.ajax({
        url: "/MyController/RemoteLogin",
        type: "POST",
        dataType: "json",
        data: { "id": id }
    }).done(function (data) {
        if (data) {
            if (data.user) {
                var user = data.user;
                $.ajax({
                    url: "http://siteB.xyz/Account/Login",
                    type: "POST",
                    dataType: "json",
                    data: { "username": user.username, "password": user.password }
                }).done(function (data) {
                    if (data) {
                        window.location.href = "http://siteB.xyz/Next"
                    } else {
                        alert("Fail.");
                    }
                }).fail(function (data) {
                    alert("Fail.");
                });
            } else {
                alert("Fail.");
            }
        }
    }).fail(function (data) {
        alert("Fail.");
    });
}
Community
  • 1
  • 1
Tsar Bomba
  • 1,047
  • 6
  • 29
  • 52

2 Answers2

3

The problem you have is at this point you're only setting the authentication cookie, the IPrincipal that gets created inside the forms authentication module will not happen until there is a new request - so at that point the HttpContext.User is in a weird state. Once the redirect happens then, because it's a new request from the browser the cookie will get read before your page is reached and the correct user object created.

Cookies are only set on the browser after a request is completed.

yazan_ati
  • 263
  • 3
  • 3
  • That's what I've found myself, looking around - what I'm looking for is a way to do this in the context of what I'm attempting - a remote login. For example, setting the "location.href" on success, in my script, doesn't make any difference. I need a way to do what your'e describing, remotely, through an ajax call. – Tsar Bomba Dec 10 '15 at 14:38
  • Confirmed! What I did (and it's questionably-secure), is write a cookie with the username/password on App A side, then open a new window from the script, on success of the ajax call. In App B, I read and destroy the temp cookie, perform the login, then redirect to the authenticated view. It all seems to work. Will update my OP with details, later. – Tsar Bomba Dec 17 '15 at 15:18
2

The issue has to do with where your action code is running relative to the request processing pipeline. Your code is running in the ProcessRequest step (see below).

The HttpContext.Current.User is expected to be set by the AuthenticateRequest event handler. FormsAuthenticationModule takes care of this, turning the Request.Cookies' FormsAuthenticationCookie back into a FormsAuthenticationTicket and then into an IPrincipal. That Principal gets set as Request.CurrentUser and I believe Thread.CurrentPrincipal

This needs to be done at the AuthenticateRequest step because the request cache can vary by user (ResolveRequestCache) and session state always does (AcquireRequestState). Also, the AuthorizeRequest step makes decisions about whether the user principal set in the AuthenticateRequest step has the permission required to pass through the AuthorizeRequest step without getting a 401 or 300-level redirect to a login page (and I believe MVC and WebAPI's Authorization mechanisms work as part of ProcessRequest)

  • BeginRequest
  • AuthenticateRequest (FormsAuthenticationModule)
  • AuthorizeRequest (e.g., UrlAuthorizationModule)
  • ResolveRequestCache
  • MapRequestHandler
  • AcquireRequestState
  • PreRequestHandlerExecute
  • ProcessRequest (HttpHandler, Web Forms, MVC controller actions live here)

You can try to force this by setting HttpContext.Current.User and Thread.CurrentPrincipal to your IPrincipal, but it will only apply to code running after that point in the ProcessRequest phase... important decisions about session state, cache, and authorization have already been made.

In theory, you could implement something similar to what you're trying to do by writing an HttpModule and implementing it in/before AuthenticateRequest (or global.asax), but you wouldn't yet have access to higher level MVC controller concepts, Session state, etc. You'd be able to inspect HttpContext.Request.QueryString, HttpContext.Request.Form, and HttpContext.Request.Cookies, but not much else. You'd have to grab the username from your AJAX call out of the HTTP request, and either call FormsAuthentication.SetAuthCookie() or create a FormsAuthenticationTicket and FormsAuthenticationCookie yourself and stuff the cookie in the Request.Cookies and Response.Cookies. By the time your controller logic runs, I'm pretty sure the request would appear authenticated.

scottt732
  • 3,877
  • 2
  • 21
  • 23
  • @scott732 - Really appreciate the in-depth response. Sounds like a more complicated approach than I what I finally went with. This is all good to know though, thanks. – Tsar Bomba Dec 17 '15 at 15:14