Debug Mode(Padaga): Sharepoint 2010 Fedauth cookie issue

Current Behaviour ---------------------- The fedauth cookie can be used to browse the SharePoint site even if the user sign out of the SharePoint site and close the browser Expected Behaviour -------------------------- User should not be able to reuse the fedauth cookie once the SharePoint site is signed out and browse is closed. Workaround ------------------- You have customized this workaround for your environment as follows, Step1: Once employee authentication is successful, we are updating the flag/Token as Active in SQL level. Step2: Post Authentication we are checking the flag/Token whether it is active or inactive. Step3: When User Sign-out/Close the browser we are updating the same flag as Inactive. Post Authentication Technique: we have added a web part on Master Pages, that web part will check the flag/Token whether user is navigating through Authentication or without Authentication. If user is navigating without authentication that web part will redirect to Sign-out the page. //Code for First

Step 1..

try
{
status = SPClaimsUtility.AuthenticateFormsUser(Context.Request.UrlReferrer, login.UserName.Trim(), login.Password.Trim());
}
catch (Exception ex)
{
Response.Write(status);
Response.End();
}

if (status)
{

e.Authenticated = true;

if (bdays > 0 && bdays < 5)
{

string strCon = ConfigurationManager.ConnectionStrings["Fbadb_sqlConnectionString"].ToString();
// Response.Write(ConfigurationManager.ConnectionStrings["Fbadb_sqlConnectionString"].ToString()); Response.End();
SqlConnection con = new SqlConnection(strCon);
SqlCommand cmd;

string stripadd = HttpContext.Current.Request.UserHostAddress;

cmd = new SqlCommand();
con = new SqlConnection(strCon);

cmd.Connection = con;
con.Open();
cmd.CommandType = CommandType.StoredProcedure;
cmd.CommandText = "aspnet_InsertToken";
SqlParameter[] sqlparams = new SqlParameter[3];

sqlparams[0] = new SqlParameter("@userid", System.Data.SqlDbType.VarChar, 50);
sqlparams[0].Value = strLoginname;
cmd.Parameters.Add(sqlparams[0]);

sqlparams[1] = new SqlParameter("@TIn", SqlDbType.DateTime);
sqlparams[1].Value = DateTime.Now;
cmd.Parameters.Add(sqlparams[1]);

sqlparams[2] = new SqlParameter("@IPADD", System.Data.SqlDbType.VarChar, 50);
sqlparams[2].Value = stripadd;
cmd.Parameters.Add(sqlparams[2]);

cmd.ExecuteNonQuery();

if (!Context.Request.UrlReferrer.ToString().Contains("_layouts/login.aspx"))
{
Response.Redirect(Context.Request.UrlReferrer.ToString());
// Response.Redirect("http://a/Functions/ISandIT/Global Service Desk Survey Feedback Analysis/IS and TSG -Survey consolidated-2013.pdf");
// Response.Redirect("https:/ed-2013.pdf");

}
if (Context.Request.UrlReferrer.ToString().Contains("Gsk"))
{
//Response.Redirect("https:///");
Response.Redirect("http://3.pdf");
// Response.Redirect("https://dated-2013.pdf");

}
if (Context.Request.UrlReferrer.ToString().Contains("SSO Survey Sample"))
{
Response.Redirect("http://mple/NewForm.aspx");

}

if (Context.Request.UrlReferrer.ToString().Contains("Functions/Legal"))
{

Response.Redirect("/Functions/Legal/Pages/default.aspx");
//Response.Redirect("https://syntelligence.syntelinc.com/Functions/Legal/Pages/default.aspx");

}

//Added for Telebilling Main Page by Rama K. Sista CM#161134
if (Context.Request.UrlReferrer.ToString().ToLower().Contains("telebillinglmainpage.aspx"))
{

Response.Redirect("http:///_layouts/syntranet/TelebillinglMainPage.aspx");
//Response.Redirect("https://glMainPage.aspx");

}

if (Context.Request.UrlReferrer.ToString().ToLower().Contains("travmainpage.aspx"))
{

Response.Redirect("http:///_layouts/Travel/Travmainpage.aspx");

}
//Added for Travel Main Page by Sushanti

else
{
Response.Redirect("pwd1.html?bd=" + bdays);
}
}
else
{
/*************************Fed-auth******************************************/

string strCon = ConfigurationManager.ConnectionStrings["Fbadb_sqlConnectionString"].ToString();

string stripadd = HttpContext.Current.Request.UserHostAddress;

// Response.Write(ConfigurationManager.ConnectionStrings["Fbadb_sqlConnectionString"].ToString()); Response.End();
SqlConnection con = new SqlConnection(strCon);
SqlCommand cmd;

cmd = new SqlCommand();
con = new SqlConnection(strCon);

cmd.Connection = con;
con.Open();
cmd.CommandType = CommandType.StoredProcedure;
cmd.CommandText = "aspnet_InsertToken";
SqlParameter[] sqlparams = new SqlParameter[3];

sqlparams[0] = new SqlParameter("@userid", System.Data.SqlDbType.VarChar, 50);
sqlparams[0].Value = strLoginname;
cmd.Parameters.Add(sqlparams[0]);

sqlparams[1] = new SqlParameter("@TIn", SqlDbType.DateTime);
sqlparams[1].Value = DateTime.Now;
cmd.Parameters.Add(sqlparams[1]);

sqlparams[2] = new SqlParameter("@IPADD", System.Data.SqlDbType.VarChar, 50);
sqlparams[2].Value = stripadd;
cmd.Parameters.Add(sqlparams[2]);

cmd.ExecuteNonQuery();

/*************************Fed-auth*****************************************/
if (Context.Request.UrlReferrer.ToString().Contains("Global Service Desk"))
{
//Response.Redirect("https:///");
Response.Redirect("http://Functions/ISandIT/Global Service Desk Survey Feedback Analysis/IS and TSG -Survey consolidated-2013.pdf");
// Response.Redirect("https:///0consolidated-2013.pdf");

}
if (Context.Request.UrlReferrer.ToString().Contains("SSO Survey Sample"))
{
Response.Redirect("http:///Lists/SSO%20Survey%20Sample/NewForm.aspx");

}
if (Context.Request.UrlReferrer.ToString().Contains("Functions/Legal"))
{
Response.Redirect("/Functions/Legal/Pages/default.aspx");

//Response.Redirect("https://syntelligence.syntelinc.com/Functions/Legal/Pages/default.aspx");

}

if (Context.Request.UrlReferrer.ToString().ToLower().Contains("telebillinglmainpage.aspx"))
{
Response.Redirect("http:///_layouts/syntranet/TelebillinglMainPage.aspx");
//Response.Redirect("https:///_layouts/syntranet/TelebillinglMainPage.aspx");

}

else
{
Response.Redirect("/pages/default.aspx");
}
}

}

STEP2: Add a page viewer webpart on HOme master page or HOmepage of your portal and check the flag for that user.. if user Loggs tru proper channel then flag will be 1 and allow him on HOmepage otherwise redirect to Signout page

STEP 3:Add the below code on sign-out page

protected void Page_Load(object sender, EventArgs e)
{
string strUserid = "";
strUserid=SPContext.Current.Web.CurrentUser.Name.Trim();
Response.Write( IsVaiduser(strUserid));
if (IsVaiduser(strUserid) ==0)
{

//Session.Clear();
//Session.Abandon();
// Session.RemoveAll();
FormsAuthentication.SignOut();
Microsoft.IdentityModel.Web.FederatedAuthentication.SessionAuthenticationModule.SignOut();
Microsoft.IdentityModel.Web.FederatedAuthentication.SessionAuthenticationModule.CookieHandler.Delete();
Microsoft.IdentityModel.Web.FederatedAuthentication.SessionAuthenticationModule.DeleteSessionTokenCookie();
//e.Authenticated = false;

//ClientScriptManager.RegisterClientScriptBlock(this.GetType(), "RedirectScript", "window.parent.location = '/_layouts/signout.aspx'", true);
ClientScript.RegisterStartupScript(GetType(), "Load", "");
//Response.Redirect("/_layouts/signout.aspx");

}

}

int IsVaiduser(string strLoginname)
{
string strCon = ConfigurationManager.ConnectionStrings["Fbadb_sqlConnectionString"].ToString();
// Response.Write(ConfigurationManager.ConnectionStrings["Fbadb_sqlConnectionString"].ToString()); Response.End();
SqlConnection con = new SqlConnection(strCon);
SqlCommand cmd;

cmd = new SqlCommand();
con = new SqlConnection(strCon);

cmd.Connection = con;
con.Open();
cmd.CommandType = CommandType.StoredProcedure;
cmd.CommandText = "aspnet_checkToken";
SqlParameter[] sqlparams = new SqlParameter[1];

sqlparams[0] = new SqlParameter("@userid", System.Data.SqlDbType.VarChar, 50);
sqlparams[0].Value = strLoginname;
cmd.Parameters.Add(sqlparams[0]);

int _Iout = (int)cmd.ExecuteScalar();
return _Iout;
}

Search This Blog

Monday, January 28, 2013

Sharepoint 2010 Fedauth cookie issue

No comments:

Post a Comment

About Me

Blog Archive