Configuring FormsAuthentication from code

[ringi]

I have an asp.net application that has more then one login page. Different logon pages are used depending on how the customers have configured the application. We are making use of the FormsAuthentication module to do most of our authentication.

I wish to be able to control the value of “loginUrl� from code, I know I can set in it the Web.Config file, however I do not what our customers to have to edit the setting in Web.Config whenever they change the configuration of our software.

I could have a “fake� login.aspx page that redirects to the true one, however that will slow down logging onto the system.

My ideal solution would be to configure FormsAuthentication from the Application_Start event in Global.aspx, any ideals on how to do this?

I think this is a more general problem, as a ISV, I do not like settings that effects the correctness of my application being in a file that is so easy for the user to mess up! The logic of my application should be compiled into my application.

Ian Ringrose
Ringi at bigfoot dot com

[Jim Cheshire [MSFT]]

Hi Ian,

You cannot do this. The loginUrl is set when the application domain is
loaded. If you were to change that programmatically, you would need to
reload the app domain for it to take effect, and that would cause everyone
accessing the application to lose Session variables and their
authentication. Even if you could do it, it would be a very bad practice.

I'm not quite sure what you specific situation is, but it might be worth
mentioning that the default loginUrl is default.aspx. Therefore, if you
don't set a loginUrl, default.aspx will be the loginUrl. You may be able
to simply change which page is named default.aspx based upon configuration
of your application. Once again, I'm not certain what you are doing and
what issues you are encountering, so I hope that helps.

Jim Cheshire [MSFT]
MCP+I, MCSE, MCSD, MCDBA
Microsoft Developer Support
[email]jamesche@online.microsoft.com[/email]

This post is provided "AS-IS" with no warranties and confers no rights.

--------------------

>Thread-Topic: Configuring FormsAuthentication from code
>thread-index: AcRovEAodb3ET9akQ4ivMEhYPUgAKA==
>X-WBNR-Posting-Host: 212.44.26.106
>From: "=?Utf-8?B?cmluZ2k=?=" <ringi@discussions.microsoft.com>
>Subject: Configuring FormsAuthentication from code
>Date: Tue, 13 Jul 2004 02:32:01 -0700
>Lines: 13
>Message-ID: <78353FFA-F2BB-43B8-8768-107B1A25FCB5@microsoft.com>
>MIME-Version: 1.0
>Content-Type: text/plain;
> charset="Utf-8"
>Content-Transfer-Encoding: 8bit
>X-Newsreader: Microsoft CDO for Windows 2000
>Content-Class: urn:content-classes:message
>Importance: normal
>Priority: normal
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 127.0.0.1
>Path: cpmsftngxa06.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFT NGXA03.phx.gbl
>Xref: cpmsftngxa06.phx.gbl

microsoft.public.dotnet.framework.aspnet.security: 10759

>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>
>I have an asp.net application that has more then one login page.

Different logon pages are used depending on how the customers have
configured the application. We are making use of the FormsAuthentication
module to do most of our authentication.

>
>I wish to be able to control the value of “loginUrl� from code, I

know I can set in it the Web.Config file, however I do not what our
customers to have to edit the setting in Web.Config whenever they change
the configuration of our software.

>
>I could have a “fake� login.aspx page that redirects to the true one,

however that will slow down logging onto the system.

>
>My ideal solution would be to configure FormsAuthentication from the

Application_Start event in Global.aspx, any ideals on how to do this?

>
>I think this is a more general problem, as a ISV, I do not like settings

that effects the correctness of my application being in a file that is so
easy for the user to mess up! The logic of my application should be
compiled into my application.

>
>Ian Ringrose
>Ringi at bigfoot dot com
>
>

[Ian Ringrose]

Hi Jim,

Thanks for your response,

My specific situation is that we ship a web browser based application to our
customers. Each customer installs iis on their own server. Depending how the
customer is going to use the application they put it in a different "mode"
at installation time. Different "modes" need different logon pages.

When the customer sets the 'mode' that the application will run in, they
should only have to change the configuration in ONE place, e.g. one line in
the web.config file. However due to the fact that I can find no way to
control FormsAuthentication form software, I have to tell then to ALSO
change to set-up of FormsAuthentication in web.config.

I can not just rename the logon pages, when the "mode" is change, as the
installer for the application set up each logon page differently in iis.

I do not like sealed boxes, that I can not control from my code!

Ian Ringrose

Ringi at bigfoot dot com

"Jim Cheshire [MSFT]" <jamesche@online.microsoft.com> wrote in message
news:tkthCnOaEHA.3316@cpmsftngxa06.phx.gbl...

> Hi Ian,
>
> You cannot do this. The loginUrl is set when the application domain is
> loaded. If you were to change that programmatically, you would need to
> reload the app domain for it to take effect, and that would cause everyone
> accessing the application to lose Session variables and their
> authentication. Even if you could do it, it would be a very bad practice.
>
> I'm not quite sure what you specific situation is, but it might be worth
> mentioning that the default loginUrl is default.aspx. Therefore, if you
> don't set a loginUrl, default.aspx will be the loginUrl. You may be able
> to simply change which page is named default.aspx based upon configuration
> of your application. Once again, I'm not certain what you are doing and
> what issues you are encountering, so I hope that helps.
>
> Jim Cheshire [MSFT]
> MCP+I, MCSE, MCSD, MCDBA
> Microsoft Developer Support
> [email]jamesche@online.microsoft.com[/email]
>
> This post is provided "AS-IS" with no warranties and confers no rights.
>

[Paul Mason]

I'm afraid you're stuck with it....You're going to have to change the way
that you approach this. In the logon page you have programmatic control,
but only after you've athenticated (however you do that).

You're better off routing into one "mode" or another after you've logged in.
It all depends on what exactly you're attempting to do. If you are trying
to make sure a customer only has access to certain bits of your software,
you may need to include an encrypted file or registry setting in your setup
that include flags that set the "mode"...

P

"ringi" <ringi@discussions.microsoft.com> wrote in message
news:F516F97A-1D98-4368-A6C2-BD695C7C71F5@microsoft.com...

> Hi Jim,
>
> Thanks for your response,
>
> My specific situation is that we ship a web browser based application to

our customers. Each customer installs iis on their own server. Depending
how the customer is going to use the application they put it in a different
"mode" at installation time. Different "modes" need different logon pages.

>
> When the customer sets the 'mode' that the application will run in, they

should only have to change the configuration in ONE place, e.g. one line in
the web.config file. However due to the fact that I can find no way to
control FormsAuthentication form software, I have to tell then to ALSO
change to set-up of FormsAuthentication in web.config.

>
> I can not just rename the logon pages, when the "mode" is change, as the

installer for the application set up each logon page differently in iis.

>
> I do not like sealed boxes, that I can not control from my code!
>
> Ian Ringrose
> Ringi at bigfoot dot com
>
>
> "Jim Cheshire [MSFT]" wrote:
>

> > Hi Ian,
> >
> > You cannot do this. The loginUrl is set when the application domain is
> > loaded. If you were to change that programmatically, you would need to
> > reload the app domain for it to take effect, and that would cause

everyone

> > accessing the application to lose Session variables and their
> > authentication. Even if you could do it, it would be a very bad

practice.

> >
> > I'm not quite sure what you specific situation is, but it might be worth
> > mentioning that the default loginUrl is default.aspx. Therefore, if you
> > don't set a loginUrl, default.aspx will be the loginUrl. You may be

able

> > to simply change which page is named default.aspx based upon

configuration

> > of your application. Once again, I'm not certain what you are doing and
> > what issues you are encountering, so I hope that helps.
> >
> > Jim Cheshire [MSFT]
> > MCP+I, MCSE, MCSD, MCDBA
> > Microsoft Developer Support
> > [email]jamesche@online.microsoft.com[/email]
> >
> > This post is provided "AS-IS" with no warranties and confers no rights.