Blog posts by Tanuj Joshi

Blog posts by Tanuj Joshi2018-02-20T18:30:02.0000000Zhttps://world.optimizely.com/blogs/tanuj-joshi/ Optimizely World Make OWIN PCI Compliant using cookie authentication timeouts (ValidateInterval vs ExpireTimeSpan]<!DOCTYPE html> <html> <head> </head> <body> Let’s talk about PCI first, In order to make login PCI compliant, session timeout needs to be set for 15 mins, I had to make two changes to my Startup.cs file. <ol> <li>Set SlidingExpiration to False. Sliding Expiration is set to true by default. [This is optional and depends on requirements.]</li> <li>****Add ExpireTimeSpan to 15 mins. ExpireTimeSpan field by default is 14 days.</li> </ol> If you are using cookie authentication in ASP.NET Identity, there are two timeout settings that may look very similar, ValidateInterval and ExpireTimespan What is ExpireTimeSpan? ExpireTimeSpan allows you to set how long the issued cookie is valid for. In the code sample below, the cookie is valid for 15 minutes from the time of creation. Once those 15 minutes are up the user will have to sign-in because the SlidingExpiration is set to false. However, let’s suppose, Sliding expiration is true [by default]. What would happen then? The cookie would be regenerated on any request within 15 mins. For example, if the user logged in and subsequently made a second request 5 minutes later the cookie would be regenerated for another 15 minutes. If the user logged in and then made a second request at 16th min or later, only then, the user would be prompted to log in. What is ValidateInterval [this can be tricky]: In order to understand ValidateInterval, let’s talk about Security stamp first. A Security stamp for a user is created/updated every time a password is created/changed or an external login is added/removed. Every time a user logs in, SecurityStampValidator.OnValidateIdentity validates the security stamp using the cookie. And now, if the user has changed a password, the cookie becomes invalid next time. The validateInterval attribute of the SecurityStampValidator.OnValidateIdentity checks the security stamp to ensure the validity of the cookie after the given interval. This is different than ExpireTimeSpan.However, the end result will be same Logged out state. <pre class="language-csharp"><code> // Use cookie authentication app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie, LoginPath = new PathString("/Login"), Provider = new CookieAuthenticationProvider { // If the "/util/login.aspx" has been used for login otherwise you don't need it you can remove OnApplyRedirect. OnApplyRedirect = cookieApplyRedirectContext => { app.CmsOnCookieApplyRedirect(cookieApplyRedirectContext, cookieApplyRedirectContext.OwinContext.Get<ApplicationSignInManager<ApplicationUser>>()); }, // Enables the application to validate the security stamp when the user logs in. // This is a security feature which is used when you change a password or add an external login to your account. OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager<ApplicationUser>, ApplicationUser>( validateInterval: TimeSpan.FromMinutes(15), regenerateIdentity: (manager, user) => manager.GenerateUserIdentityAsync(user)) }, SlidingExpiration = false, ExpireTimeSpan = TimeSpan.FromMinutes(15) });</code></pre> In above example, both timeouts are set to 15 mins. Ideally, ValidateInterval should be set less than ExpireTimeSpan. This is because, once ExpireTimeSpan is reached, the user will automatically get re-validated upon next login request. </body> </html>2018-02-20T18:30:02.0000000Z

Blog post

Extending EPiServerLog.config <!DOCTYPE html> <html> <head> </head> <body> <h3>Log custom errors or success/fail information for REST APIs, Web services etc using EPiServer Log4net namespace [EPiServer.Logging]</h3> Step 1: Add your custom Logging information to EpiserverLog.config         a. Add your Appender         Sample  File Appender: <pre class="language-csharp"><code>  <appender name="MyCustomLog" type="log4net.Appender.FileAppender">  <file value="App_Data\MyCustomLog.log" />  <appendToFile value="true" />  <encoding value="utf-8" />  <staticLogFileName value="true"/>  <threshold value="All" />  <lockingModel type="log4net.Appender.FileAppender+MinimalLock" /> <layout type="log4net.Layout.PatternLayout"> <conversionPattern value="%date %message%newline" /> </layout> </appender>  </code></pre>     b. Add Logger tag right after </root> & before </log4net>           <pre class="language-csharp"><code> <logger additivity="false" name="MyCustomLog"> <level value="All"/>  <appender-ref ref="MyCustomLog" /> </logger> </code></pre>        Step 2: Write to your log   <pre class="language-csharp"><code>EPiServer.Logging.ILogger mylog = EPiServer.Logging.LogManager.Instance.GetLogger("MyCustomLog"); // Appender name: "MyCustomLog" mylog.Info($"This is test data."); </code></pre> Preview:   <img src="/link/a0d20bd0f88a4a41a5eff7c8af7df303.aspx" alt="Image 111.bmp" />     Different Appender types available: <ol> <li>Write to File: [log4net.Appender.FileAppender] - Write to a file.</li> <li>Write To Rolling File: [log4net.Appender.RollingFileAppender] - Rolling Style used by EPiServer.</li> <li>Database log: [log4net.Appender.AdoNetAppender] - write logs to database.</li> <li>Write to Event log: [log4net.Appender.EventLogAppender] - Write events to event log.</li> </ol> More Info Here: <a href="/link/c09626448b6648d6b1a6f660d7abba65.aspx">https://world.episerver.com/documentation/developer-guides/CMS/logging/</a> </body> </html>2018-02-01T20:00:56.0000000Z

Blog post