Alex Nitulescu #1
Some simple questions, I assume, on security (Forms authentication)
Hi. I just began reading on security (Forms authentication). I have the
following two questions:
1. Is there a way to specify the expiration date for a cookie set with
FormsAuthentication.RedirectFromLoginPage ? In "C:\Documents and
Settings\Administrator\Local Settings\Temporary Internet Files" I see that
Administrator@localhost is set to expire exactly 50 years from now !
2. In Web.config I have the following:
    <authentication mode="Forms">
        <forms
            name=".MyCookie"
            loginUrl="Login.aspx"
            protection="All"
            timeout="1"
            path="/"
        />
    </authentication>
Before I go any further (XML/db saving), I hardcoded my users as so:
    ' Hardcoded test users, to be replaced by XML/db storage later
    If IsValid Then
        If txtUserName.Text.ToLower = "alex" And txtPassword.Text.ToLower = "pass" Then
            FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, chkRemember.Checked)
        ElseIf txtUserName.Text.ToLower = "dana" And txtPassword.Text.ToLower = "pass" Then
            FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, chkRemember.Checked)
        Else
            lblResults.Text = "Bad username and/or password"
        End If
    End If
So I do the following test: I run the project from within vsnet, I enter
Alex/Pass and I select "Remember Me" = True. I look in "C:\Documents and
Settings\Administrator\Local Settings\Temporary Internet Files" and I see
Administrator@localhost being created. I open it and I see "MyCookie". Good.
Now I can go to http://localhost/aspnetprojects/vsnet/FormAuth/Default.aspx,
my "main" page.
Next, I open a separate instance of IE (planning to login as "dana"), I
type in http://localhost/aspnetprojects/vsnet/FormAuth/Default.aspx - I
expected NOT to see it, but to be redirected to Login instead. However, I go
directly to Default.aspx - as if, if a single user is logged in correctly,
everybody else can go and see the "Default" page.
Now if the "first user" (the one which created the cookie, Alex) logs out
(FormsAuthentication.SignOut), then the cookie is deleted. If at this point
in IE (where for some obscure reason the second user, "Dana", was already IN
"Default.aspx") I hit F5, "Dana" is sent to the LOGIN page - now that's
correct - it was to be expected.
So... I am really confused. Why does this happen ? What am I missing here ?
Thanks a lot for spending time reading my post.
Alex.
Alex Nitulescu Guest
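On question 1 in the post above: one way to control the expiry is to issue the forms-authentication ticket yourself instead of calling RedirectFromLoginPage, so the ticket and the cookie carry an explicit lifetime. This is an added example, not code from the thread; the helper name SignInWithExpiry and the 8-hour "remember me" lifetime are assumptions.

```vbnet
Imports System
Imports System.Web
Imports System.Web.Security

' Added example, not code from the thread. The module name, the helper
' name and the 8-hour lifetime are assumptions chosen for illustration.
Public Module AuthCookieHelper

    ' Assumed policy: a "remember me" login stays valid for 8 hours.
    Private ReadOnly PersistentLifetime As TimeSpan = TimeSpan.FromHours(8)
    ' Other logins follow the timeout="1" (minutes) value from the Web.config above.
    Private ReadOnly SessionLifetime As TimeSpan = TimeSpan.FromMinutes(1)

    Public Sub SignInWithExpiry(ByVal context As HttpContext, _
                                ByVal userName As String, _
                                ByVal remember As Boolean)
        Dim issued As DateTime = DateTime.Now
        Dim expires As DateTime = issued.Add(SessionLifetime)
        If remember Then
            expires = issued.Add(PersistentLifetime)
        End If

        ' The expiry is stored inside the encrypted ticket, so the server
        ' rejects it after this time even if the browser keeps the cookie.
        Dim ticket As New FormsAuthenticationTicket(1, userName, issued, expires, _
            remember, String.Empty, FormsAuthentication.FormsCookiePath)

        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
                                     FormsAuthentication.Encrypt(ticket))
        cookie.Path = FormsAuthentication.FormsCookiePath
        cookie.HttpOnly = True                          ' not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL  ' follow the <forms> setting

        ' Only a "remember me" login is written to disk. Without Expires the
        ' cookie lives in browser memory and is gone when the browser closes.
        If remember Then
            cookie.Expires = expires
        End If

        context.Response.Cookies.Add(cookie)
        context.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, remember))
    End Sub

End Module
```

In the login handler this replaces the RedirectFromLoginPage call, for example SignInWithExpiry(Context, txtUserName.Text, chkRemember.Checked).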
Alex Nitulescu #2
Re: Some simple questions, I assume, on security (Forms authentication)
Me again !
Sorry, I must have been sleeping - the second question was indeed stupid. Of
course it happens this way !
Mea Culpa, Alex.
Alex Nitulescu Guest


