
JacobB.54005 (Customer) asked a question.
I've got a .NET 4.5 Web Forms app with Okta authentication on top. The authentication setup seems to be working fine; I can log in and log out and get my Okta user info/claims from the context variable.
What I'd like to do is detect on page load whether a user already has an active Okta session in their browser and then log them into the application. Or if they don't have a session do nothing and stay on the application page.
Making a challenge call to the authentication manager
```
HttpContext.Current.GetOwinContext().Authentication.Challenge(
    new AuthenticationProperties { RedirectUri = "/Login.aspx" },
    OpenIdConnectAuthenticationDefaults.AuthenticationType);
```
almost does what I want. If the user has an active session it'll do some redirects and log them in. But if they're not logged in they get sent to, and left on, the Okta login page, which is not what I want.
I thought I would be able to access some cookies that Okta sets when a user logs in via an Okta page, but when checking through the browser debugger and checking `Request.Cookies` they don't seem to be available at that stage. And the context doesn't have access to the user info either. I've looked through the APIs and didn't notice anything that I thought would help, but maybe I missed something.

First, the session token can only be used once. Then it's worthless.
That said, have you tried something like this yet? For this to work, the response mode must be "form_post". I believe this behavior comes from setting AuthenticationMode to Passive in your Owin startup. Hope this helps.
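```
// Requires: System.Web, System.Web.Mvc, Microsoft.Owin.Security,
//           Microsoft.Owin.Security.OpenIdConnect
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Login(FormCollection form)
{
    // SessionKeys.ReturnUrl is an application-defined session key.
    var returnUrl = Session[SessionKeys.ReturnUrl] as string;

    if (!HttpContext.User.Identity.IsAuthenticated)
    {
        // Carry the one-time sessionToken into the OpenID Connect challenge.
        var properties = new AuthenticationProperties();
        properties.Dictionary.Add("sessionToken", form.Get("sessionToken"));
        properties.RedirectUri = returnUrl ?? "/Home";

        // Inside a controller, HttpContext is the HttpContextBase property,
        // so GetOwinContext() is called on it directly (no ".Current").
        HttpContext.GetOwinContext().Authentication.Challenge(
            properties, OpenIdConnectAuthenticationDefaults.AuthenticationType);
        return new HttpUnauthorizedResult();
    }

    if (returnUrl != null)
    {
        return Redirect(returnUrl);
    }

    return RedirectToAction("Index", "Home");
}
```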
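
For the `sessionToken` that the `Login` action above places in `AuthenticationProperties` to reach Okta, the OpenID Connect middleware has to copy it onto the outgoing authorization request. The OWIN startup configuration below is an added example, not part of the original answer; the authority, client ID and redirect URI are placeholders, and the response type and scope are assumptions.

```csharp
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            // Placeholders: substitute the values for your own Okta org and app.
            Authority = "https://{yourOktaDomain}/oauth2/default",
            ClientId = "{clientId}",
            RedirectUri = "https://localhost:44300/authorization-code/callback",
            ResponseType = "id_token",   // assumption for this example
            Scope = "openid profile",    // assumption for this example

            // Passive: the middleware only acts when a challenge explicitly
            // names its authentication type, as the Login action does.
            AuthenticationMode = AuthenticationMode.Passive,

            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = n =>
                {
                    // The challenge is null on sign-out requests, so this
                    // branch only runs for authentication requests.
                    var challenge = n.OwinContext.Authentication.AuthenticationResponseChallenge;
                    string sessionToken;
                    if (challenge != null
                        && challenge.Properties.Dictionary.TryGetValue("sessionToken", out sessionToken)
                        && !string.IsNullOrEmpty(sessionToken))
                    {
                        // Send the one-time token to the authorize endpoint
                        // and ask for the response as a form POST.
                        n.ProtocolMessage.ResponseMode = "form_post";
                        n.ProtocolMessage.SetParameter("sessionToken", sessionToken);
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```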