How does ASP.NET WebAPI using IIS maintain user authentication state?

I have an ASP.NET Web API 2 / Identity 2 application that requires user authentication. Authentication works, but I notice that when I restart my local development machine and try to access a method that requires authentication, I get a failure.

Since my application is unchanged from the ASP.NET sample, I think it uses cookies to store user data on the client. Where and how does the server or IIS store information about which users are authenticated? Does it do this only once or on every HTTP request? Is there any difference between token authentication and cookie authentication in how authentication and authorization are checked on the server?

+4
7 answers

I think you do not understand how authentication works with ASP.NET. As an example, let me show you some cookie data for my website that uses Identity (note that the token is actually in the cookie; these two are not mutually exclusive concepts):

Name    __RequestVerificationToken
Value   afeILhaIvRr56jXXXXXXXXXXX
Host    site.azurewebsites.net
Path    /
Expires At end of session

Please note that the default cookie expires at the end of the session. This means that when you reboot your development machine, your cookie has expired and your token is no longer valid.

In particular, I read that when authenticating with a token, there is no need for constant re-authentication every time a request is made to the server

, HTTP - . , , , , , B. . , , cookie.

, , cookie ( - ). - . :

Inproc. , . , ,

. , ASP.Net, .

SQL Server: , . , . , -.

ref: http://msdn.microsoft.com/en-us/library/vstudio/ms178586(v=vs.100).aspx

+8

, , . ( asp.net) cookie , , , cookie " " .

" " Application_AuthenticateRequest global.asax. , SQL, , . (, ), , . User.Identity. , [Authorize], , , .

cookie, . , InProc, , ( -, -) , cookie / .

EDIT: ... . , . . - . , , , , , .

+5

, , . (, ?), , , , API.

, , , , , , .

+4

IIS , ?

IIS cookie. . , . ASP.NET, cookie .ADUAUTH... cookie . cookie , reset, IIS.

HTTP?

HTTP- , , HTTP-.

Token Cookie , , ?

: , : ASP.NET Security: http://msdn.microsoft.com/en-us/library/ks310b8y.ASPX

+3

, .. , .

IIS ASP.NET, .

. : , ADFS, , -, , . ADFS , , cookie . .

. ADFS , .

, .

, 3 : 1. InProc ( ASP.NET Worker process - RAM) 2. State Server ( ASP.NET, , Azure) 3. SQL Server ( SQL)

, 1, - . 2 3 .

+3

-

. ( , ..), - (, IP-) ( ?). , , , .

Cookies . -auth -, .

+2

: , //cookie, . , cookie , . , , . , - , .

, .

There is a whole pipeline in the structure that makes all this happen (dealing with authentication, authorization, and personality), and there are a number of good articles on the Internet explaining this, but IMO they are almost all incomplete or difficult to follow. If you want a great soup-to-nuts explanation, PluralSight.com has several tutorial videos that will deconstruct and explain the entire pipeline for you. Understanding the pipeline can help you do your own authentication, and I highly recommend it.

+2

Source: https://habr.com/ru/post/1539177/
