Forms Authentication

Thanks a lot guys for helping me to clear the concepts above

"Jim Cheshire (MS)" <jamesche@online.microsoft.com> wrote in message
news:YtIAMGhVDHA.1800@cpmsftngxa06.phx.gbl...

> Boris,
>
> That's a client-side event (onunload of the <body>) that you would

capture,

> and since HTTP is connectionless, you won't be able to run your code. You
> can do it by having a client-side event take you to an ASPX page that runs
> code to sign the user out, but you wouldn't want to do that because it
> would run when the user navigates away from the page as well.
>
> You're not going to be able to do this. You cannot rely on the

Session_End

> firing when the user closes the browser. In fact, it won't. It will only
> fire when the session expires or if you call Session.Abandon.
>
> Jim Cheshire
> Developer Support
> ASP.NET
> jamesche@online.microsoft.com
>
> This post is provided as-is with no warranties and confers no rights.
>
> --------------------

> >Reply-To: "Boris Condarco" <bcondarco@sbef.gov.bo>
> >From: "Boris Condarco" <bcondarco@sbef.gov.bo>
> >Subject: Forms Authentication
> >Date: Tue, 29 Jul 2003 15:00:05 -0400
> >Lines: 23
> >X-Priority: 3
> >X-MSMail-Priority: Normal
> >X-Newsreader: Microsoft Outlook Express 6.00.2720.3000
> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> >Message-ID: <uSHgqcgVDHA.532@TK2MSFTNGP09.phx.gbl>
> >Newsgroups: microsoft.public.dotnet.framework.aspnet
> >NNTP-Posting-Host: 166.114.44.250
> >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP09.phx.gbl
> >Xref: cpmsftngxa06.phx.gbl

microsoft.public.dotnet.framework.aspnet:163109

> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
> >
> >Hi,
> >
> >I am working with forms authentication, so when the user leaves the
> >application pushing the exit option the program execute the following
> >instrucctions:
> >
> >FormsAuthentication.SignOut()
> >Response.Redirect("login.aspx")
> >
> >but, when the user leaves the application pushing the close button of the
> >navigator (placed at the right top of the screen) the instrucctions won't

> be

> >executed.
> >
> >Is there any way to catch this event in order to make the execution of

the

> >above instructions ??
> >
> >I would really appreciate your helping me...!
> >
> >Thanks in advance....!
> >
> >Boris
> >
> >
> >

>

I'm beggining to migrate one of my asp apps to asp.net but i'm stuck at
some security issues.
My asp application has a custom made auth method (roles, permissions, ip
deny, etc) and I'm thinking to mantain the same base on .net, but I
don't know why, i'm not feeling safe with the FORMS Authentication.

My question is:

Is it fully secure for me to build my entire application based on this
Authentication?

PS. Windows and passport do not combine with the hosting server.

hi,

two people can login to yahoo on the same computer on seperate browser
windows. first one logins using a browser window and then the other
one opens another explorer window and logins. two windows can be open
simultaniously. maybe this is not secure but the two can be very good
friends or a couple :))

my problem is, can we do this with forms authentication in asp.net.
whenever i do this, all user identities turns to the one that lastly
logged in.
how can i solve this.

i know that yahoo uses some kind of forms authentication.

KaaN
kaan.oezturk@spdata.de
www.spdata.de

I have set up forms authentication for my web application.
I have several subdirectories inside a main directory and
I have forms authentication for each of my sub directories.

In the logon page when the user is authenticated, I have

FormsAuthentication.RedirectFromLoginPage(txtLogon id.Text,
False)

And in the web.config files of my subdirectory, I have
<authentication mode="Forms">
<forms name=".ASPXAUTH"
loginUrl="../Default.aspx" timeout="20"/>
</authentication>
<authorization>
<deny users="?" />
</authorization>

-------------------------

This works absolutely fine without any problems. When I
deployed my entire app to a new server, I started getting
problems. When I click a link to the subdirectory, it
redirects me to a logon page, which means I'm not
authorized.

Does this mean that my Authentication ticket has not been
created or what? I do not understand. The same copy of the
application still works fine in my old server. Do I have
to change any settings in my new server?

Any help is appreciated.

Thanks,
Sudhir.

Hi DotNet Beginner
I don't have a solution on your problem but I still want
to answer because it's a problem that no one want to
answer. I have had almost the same problem since this
summer and I've written 3 messages about the problem here
and no answer. I have a good working website with
framework 1.0. When I update to version 1.1 I get the
same problem as you. If i degrade to 1.0 it works again.
The big problem came when I started to use Visual Studio
2003. No I'm unable to work on my projects because I must
have framework ver 1.1.I don't know if you have ver 1.1
on your new server but that can be the problem!

I hope someone read our messages and come to our help.
/Arne

>-----Original Message-----
>I have set up forms authentication for my web

application.

>I have several subdirectories inside a main directory

and

>I have forms authentication for each of my sub

directories.

>
>In the logon page when the user is authenticated, I have
>
>FormsAuthentication.RedirectFromLoginPage

(txtLogonid.Text,

>False)
>
>And in the web.config files of my subdirectory, I have
> <authentication mode="Forms">
> <forms name=".ASPXAUTH"
>loginUrl="../Default.aspx" timeout="20"/>
> </authentication>
> <authorization>
> <deny users="?" />
> </authorization>
>
>-------------------------
>
>This works absolutely fine without any problems. When I
>deployed my entire app to a new server, I started

getting

>problems. When I click a link to the subdirectory, it
>redirects me to a logon page, which means I'm not
>authorized.
>
>Does this mean that my Authentication ticket has not

been

>created or what? I do not understand. The same copy of

the

>application still works fine in my old server. Do I have
>to change any settings in my new server?
>
>Any help is appreciated.
>
>Thanks,
>Sudhir.
>
>
>.
>

Hello everyone,

I have found a problem with form authentication method that I can't
solve. The problem is:

I want to use a form authentication in my application, so i set :
<authentication mode="Forms">
,and
<forms name="LoginForm" loginUrl="SM_LoginPage.aspx" protection="All">

but the structure of my application folders is following:

root
|
+CommonPages
| + loginPage.aspx
|
+SysPages
| + Sys1Pages
| | +Page1.aspx
| + Sys2Pages
| +Page2.aspx
+ OtherPages
+ Page3.asp

Because of this structure the relative path of LoginPage.aspx is
diffrent for Page1.aspx(../../CommonPages/loginPage.aspx) and Page for
page3.aspx(../CommonPages/loginPage.aspx). I have to set this path in
web.config and I want to use relative path (not http://.....). Is there
any way to do this?? (sth like {root}//CommonPages/loginPage.aspx)??
Thanks for any help

Best Regards
Slawek






*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!

I wonder if anyone can help.

We have web application using Forms Authentication that works
perfectly ok in all environments, but in the production environment
the forms authentication isn't timing out and returning the user to a
login screen. Instead it tries to load the requested page and falls
over on a multiple control id. Remember these errors don't happen in
the Development and Testing environments.

Another interesting point is, if I set the persistence of the cookie
to true it doesn't write the cookie. The application continues to
work, but obviously doesn't remember the user on a return (as the
cookie isn't there). This happens in all environments.

Event logs show no indication of the worker process being recycled and
everthing seems to be ok.

Any ideas or suggestions?

Regarding your second issue, the one with the persist that doesn't work. I
stumbled into the same issue working my way through this example:
http://msdn.microsoft.com/library/de...SecNetHT04.asp

The example itself does not offer persisance of the logon cookie, so I tried
to extend it. The only way to set any kind of persistance is by setting it
inside the Global.asax.cs "Application_AuthnenticateRequest" event handler.

In the Logon-button click-event handler, I create a xml document which I
store inside the FormsAuthenticationTicket. The xml document contains a
value indicating wether to persist the cookie or not. If true, I set the
"Expiration" of the cookie to 365 days from now, and then replace updated
values into the cookie:

//Reset the expiration of the cookie
if(persist) {
authCookie.Expires = DateTime.Now.AddDays(365); }
//Replace updated cookie into Response
Context.Response.Cookies.Set(authCookie);

You may download the complete code from here:
http://www.geocities.com/gaupen/NETStuff.htm
The example is called "GenericPrincipalApp".

Your first problem is trickier, and I'm sorry to say I can't offer you much
help from the description you have given. What do you mean by "a multiple
control id"? Do you have the exact error message? Could you perhaps show
some code samples?

Perhaps you could check for a valid authentication cookie in
Application_AuthnenticateRequest, and do a "FormsAuthentication.Logout()" if
there isn't one.

Sincerely
Svein Terje Gaup

"Tony" <questions@resolutionsnet.co.uk> wrote in message
news:bbbbb773.0405290212.71bb6f74@posting.google.c om...

> I wonder if anyone can help.
>
> We have web application using Forms Authentication that works
> perfectly ok in all environments, but in the production environment
> the forms authentication isn't timing out and returning the user to a
> login screen. Instead it tries to load the requested page and falls
> over on a multiple control id. Remember these errors don't happen in
> the Development and Testing environments.
>
> Another interesting point is, if I set the persistence of the cookie
> to true it doesn't write the cookie. The application continues to
> work, but obviously doesn't remember the user on a return (as the
> cookie isn't there). This happens in all environments.
>
> Event logs show no indication of the worker process being recycled and
> everthing seems to be ok.
>
> Any ideas or suggestions?