Security :: C# FormsAuthenticationTicket Doesn't Override Configuration Timeout
Jan 7, 2010
I have a test project and the forms timeout specified in web.config overrules the timeout which I set in FormsAuthenticationTicket. According to the documentation, the timeout (expire date) in FormsAuthenticationTicket must override the timeout in web.config.
Documentation found on:
[URL]
[Code]....
Here is my code:
Web.config:
[Code]....
Login.aspx.cs:
[Code]....
Now, when I log in, I get redirected after 1 minute of inactivity. This isn't supposed to happen, right? I have to be redirected after 2 minutes.
View 1 Replies
Similar Messages:
Dec 20, 2010
I'm implementing an authentication timeout detection mechanism per a previous question and answer of mine here. I've implemented an HTTP module that uses the AuthenticateRequest event to run code to capture whether the authentication period has expired. The code to do this is below:
public class AuthenticationModule : IHttpModule
{
#region IHttpModule Members
void IHttpModule.Dispose() { }
void IHttpModule.Init(HttpApplication application)
[Code]....
The problem is that, once the authentication period has expired (I set it to 1 min to test), there is no longer a forms cookie (see comment in code). This means that the authentication cookie will be null, and I won't make it past the null check in my code. But there's a convenient "Expired" property for a FormsAuthenticationTicket that I feel like I should be checking to see if the period is expired. But how do I get that far if the cookie is no longer there? Is it reasonable to assume the authentication period has expired if there's no longer a forms cookie?
View 1 Replies
Jul 3, 2010
In the Web.Config we have a timeout property. Ex:
<authentication mode="Forms">
<forms loginUrl="~/Login.aspx" timeout="2880"/>
</authentication>
When logging in, we can specify a ticket expiry date. Ex:
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
1, id.ToString(), DateTime.Now, expiryDate, true,
securityToken, FormsAuthentication.FormsCookiePath);
Why are there two places where I can set expiration info about forms authentication? What's the difference between them? Which has more relevance?
View 1 Replies
Mar 13, 2010
I'm trying to dynamically create a URL containing a FormsAuthenticationTicket that can then be emailed to a user who has forgotten their password. Then when the user follows the URL they will be authenticated by the ticket in the URL and be able to access the reset password page.
I have tried creating a FormsAuthenticationTicket object and encrypting it but the string it produced seems way longer than the hash in the urls produced when using cookieless authentication.
What I want to do is produce a url say
eg. http://www.mysite.com/lkdjlkj_hashcode_lkoiojiionki/reset.aspx
that will be recognised by cookieless authentication. But as I said, the hash I come up with seems way too long and just not right at all.
You can see how long and different it is here by pressing the forgot password button.
[URL]
It says in the docs for FormsAuthenticationTicket that the encrypted ticket can be stored in a URL, but I want to make it the same as those used by cookieless authentication so that it is recognised straight away.
View 3 Replies
Feb 19, 2010
I'm not using the Membership framework built into .NET but I'm using FormsAuthenticationTicket to make sure user is logged in. I have an object for my users in my application -- let's call it MyAppUser object. Can I save this in the FormsAuthenticationTicket as opposed to saving some string?
If I can't do that, I can save the object in session but I'm a little worried that session and FormsAuthenticationTicket will get out of synch.
View 1 Replies
Apr 27, 2010
I assume that any Role information is being stored in the FormsAuthenticationTicket in the UserData (delimited by some character). Second, I assume that any information in the Profile is not stored in memory / session anywhere, but when you do call the profile.VARIABLE, you are in fact doing a call to the DB (although it's simplified by the fact that it knows who you are when calling etc).
Assuming the above is correct, I'm trying to complete a custom membership provider. As part of this each user will have a single role. So using a full blown role provider seems to be overkill. I assume that I can write the single role into the UserData in the FormsAuthenticationTicket myself?
I would like to also store a number of other small bits of information in the ticket (such as a GroupId, VendorId which are separate from the user / role). If I wanted to do this, and the role is held in the UserData, how would I identify what is a role and what is some other persistent data I need on the application? I could use Session items for these, but this might cause issues with the web farm, plus the amount of data is very small (3 or 4 int32 values and maybe one string).
Finally, items such as Address, PostCode, Contact Phone number all seem sensible items to place in the profile (I'm using the table provider). Is the advantage here purely the ease of access? This isn't commonly used data, so if there is a round trip to the DB that's not an issue really in this instance.
View 4 Replies
Mar 10, 2011
[Code]....
I have an issue where my users are logged into my system but their session is null, so when they try to do something in the system after 20 minutes, I get null reference exceptions because my session is gone.
What is the best practice for handling the session? Should I kick the users out before their session ends, and when they log back in their session will return, or at least a new one will be created, right? How should I handle this?
View 2 Replies
Jan 19, 2010
I'm authenticating my users using the following code for the login event:
[Code]....
The following code runs in global.asax at Application_AuthenticateRequest:
[Code]....
Everything works great so far. Next thing that I need to do is add additional user information to the forms authentication ticket using user profile. When I try to add it right after the login code above, I end up getting an error message about anonymous profile. On the other hand, HttpContext.Profile is read only and doesn't seem to work. Is there any workaround for this?
View 2 Replies
Apr 30, 2010
I have a web application developed using VB .Net 2003, and is running ASP Net 1.1.
The application is running fine on all browsers, except for the login/authentication control that doesn't work properly on Chrome.
We have different types of users using the website, and each user type has different menu items displayed for.
The problem is, if a user logs on with let's say Admin account, and logs off and later logs on again using student account, the user still gets the Admin menu, and of course vice versa.
I'm not sure if I'm doing something wrong, or there is something I'm missing here.
One more thing: if the timeout period is reached, and the session has timed out, and the user (regardless of the type) tries to log on again, he is successful on all browsers except on Chrome again, where it keeps telling him the session was timed out, and never logs on again until clearing the cookies.
This is what I have in my application web.config:
<!-- Authentications -->
<authentication mode="Forms">
<forms loginUrl="index.aspx" name="authCookie" protection="All" timeout="60" path="/"></forms>
</authentication>
[Code]....
View 2 Replies
Oct 27, 2010
I am using forms authentication in an ASP.NET application. This is working fine in Internet Explorer. Opening the application in Firefox is also fine, but when I log in in a second instance of Firefox, the application in the first instance logs out. Following is my code for creating the ticket and cookie.
FormsAuthenticationTicket objTicket = new
FormsAuthenticationTicket(1, sUserName,
DateTime.Now,
DateTime.Now.AddMinutes(60),
false,
"");
HttpCookie objCookie = new
HttpCookie(FormsAuthentication.FormsCookieName);
objCookie.Value = FormsAuthentication.Encrypt(objTicket);
objCookie.Expires = DateTime.Now.AddHours(1);
HttpContext.Current.Response.Cookies.Add(objCookie);
View 1 Replies
Aug 19, 2010
The security is working fine when testing on a local machine, but when it gets published to the server, it seems that it can't get any Active Directory information at all.
For example, on the local computer <asp:LoginName ID="LoginName1" FormatString="(Welcome {0})" CssClass="loginname" runat="server" /> returns "Welcome DOMAIN\username" but when it's published, it doesn't return anything at all.
Using code I've added users to the correct roles and checked they are really in the roles, but security when published won't recognise the current user's name, so it all fails.
View 1 Replies
Feb 13, 2010
I'm using Forms authentication in my application but I'm not using the Membership that's built into .NET.
How do I automatically send the user to the login page when his/her FormsAuthenticationTicket expires? I just don't want a user to log in and leave a page on their computer screen long after their session has expired. I'd like to make sure that as soon as the user's FormsAuthenticationTicket has expired, I send them to the login page.
View 1 Replies
Mar 23, 2011
I'm creating a multi-tenant Asp.Net MVC 3 Web app, and using EF4.1 code first for the db model. For development I'm happy to use SqlServerCE in App_Data, and for production this will move to Sql Server 2008.
Say my context is called "MyModels", by default code-first looks for a connection string called "MyModels" in Web.config. This can be told to use a file in App_Data or changed to access a database in SQL2008. All fine so far.
But because of multi-tenancy, I'd like the SqlServerCE filename to match the unique id of the tenant (so App_Data would have "client_x.sdf", "client_y.sdf"; Sql Server 2008 would have separate databases). I can't work out how to direct to these different databases.
I've tried MyModels inheriting from DbContext and supplying a connection string (using a 'placeholder' conn string in Web.config and replacing "{clientId}" with the unique id), and I've also tried setting the connection string in the MyModels constructor:
base.Database.Connection.ConnectionString = xxx;
but this never seems to work. I always get the following error:
A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)
(it's not yet 'configured' to use SqlServerCE, and so is trying to connect to Sql Server)
Tracing the code, Database.Connection.ConnectionString hasn't been read from Web.config at this point, so I can't search and replace that, and, possibly, it's getting overwritten by the 'placeholder' conn string later in the pipeline. I reckon this must be quite straightforward and I just can't find the 'hook'.
View 2 Replies
Sep 22, 2010
I have added a new column (CustomeAuth) to aspnet_Users but I need to get the value of this column just like:
Membership.GetUser().UserName
so I can use:
Membership.GetUser().CustomeAuth
View 3 Replies
Feb 5, 2011
When a user logs in I check whether they have the minimum profile info entered. If they do not then I want to redirect them to the account maintenance page, otherwise I want to redirect them to the page where the login link was clicked. To accomplish this, I am trying to override DestinationPageUrl at the LoggedIn event. It isn't working ... the redirect is always to the page where the login link was clicked. Here's my (relevant) code:
[Code]....
View 2 Replies
Jun 29, 2010
Here's my environment: Win2003 Standard SP2, IIS 6.0, MOSS 2007, .NET 2.0.50727
IIS website uses MOSS 2007 "Team Site" template and has only IWA enabled. Web.config has Windows auth w/ Impersonation:
<authentication mode="Windows" />
<identity impersonate="true" />[code]...
I'm using the KerbS4U extension to create a new WindowsIdentity which is then used to create a WindowsPrincipal for the new/overriding user: [Code]....
These succeed and I set the new principal to HttpContext.Current.User & Thread.CurrentPrincipal without errors. I've defined both Application_AuthenticateRequest() and Application_PostAuthenticateRequest() functions in global.asax. These show the "new" Identity in the HttpContext.Current.User & Thread.CurrentPrincipal, but the "Welcome <DOMAIN\username>" in the upper-right menu of the default.aspx homepage itself still shows the name from the initial IWA!
I was able to get the "Welcome <name>" to reflect the new user only when using GenericIdentity and GenericPrincipal, but this is a problem as I need to use impersonation to backend services (which can be done using constrained delegation using KerbS4U).
View 2 Replies
Jan 27, 2011
I was hoping some of you would entertain my XmlSiteMapProvider question. I have a portal site that has multiple ASP.NET Role Providers, one for each child web application. I need to basically change the role provider on the fly. Does anyone know if this is possible? My approach is to maybe override the XmlSiteMapProvider and add an attribute indicating which Role Provider to use. Then, in the IsAccessibleToUser method, I was planning on dynamically changing the role provider somehow based off the new attribute.
Again, does this approach seem reasonable/doable or am I in the weeds here? I'm open to alternatives if anyone has one.
View 1 Replies
Jan 27, 2011
We have the timeout value set to 120 in our <form> tag within the web.config. We do not have a session timeout set, and we have various connection strings.
We are having a problem where a session variable will disappear (become NULL), but the form evidently remains 'open', or no re-login is required. So, my question(s):
1. What is the relationship between form timeout and session timeout?
2. How do I set session timeout?
View 1 Replies
Jul 19, 2010
I am trying to create my own membership system. Therefore I created my own membershipuser class and membership provider class. But I am getting the following error on Createuser method of My membership provider class; no suitable method found to override
This is how my CreateUser method looks like:
public override MyMembershipUser CreateUser(string username, string password, string email, string status, int registerd_on, out UserCreationStatus creation_status)
[code...]
View 6 Replies
Jun 25, 2010
I've been running a customer's web application using automatically generated email for some time, being hosted on our company's web server. Sending mail was done using the System.Net.Mail API using a 3rd party SMTP server. The configuration has been done in the web.config in the system.net section, something like this:
<system.net>
<mailSettings>
<smtp>
<network host="mail.jazzforum.at" userName="myUsername" password="myPassword" port="25"/>
</smtp>
</mailSettings>
</system.net>
Everything worked fine until we had to migrate to another hosting service; since then, sending mail didn't work any longer, with symptomatic "timeout" exceptions. We also tried using Gmail and changing/omitting the explicit port number specification, without any success. The server is running IIS 6 (Windows Server 2003 R2).
View 4 Replies
Aug 8, 2010
My website never times out even after I set the timeout both in authentication and in session state. What did I do wrong? Here are my settings in the web.config file:
<authentication mode="Forms">
<forms loginUrl ="/default.aspx" name=".ASPXFORMSAUTH" timeout ="1">
</forms>
</authentication >
<sessionState mode="InProc" cookieless="AutoDetect" timeout="1" />
View 1 Replies
Feb 16, 2011
How to set the application timeout in web.config or IIS?
View 9 Replies
Jan 12, 2011
We have an ASP.NET application where users will apply for jobs online. When users fill out the form the page isn't timing out the session. If a user goes back to the main page the last user's information is still available.
I have setup many websites and have never had to make any changes on IIS, under the configuration within the website. The default is 20 minutes we can change it to 8 or 10, but I think this issue should be taken care of in the code. The setting will affect the entire site instead of the pages that need to timeout.
What is the best way to do this within the code?
View 2 Replies
Apr 30, 2010
The error: "DCOM {guid} didn't register within the required timeout" seems to be a common problem when I search on the internet. I have searched through forums and Google and I believe my error is being caused by something else rather than the solution provided for this type of error. To give a brief background, I have developed an ASP.NET application that uses third-party API COM Interop assemblies (.tlb files which already existed when the 3rd party application was installed). The web application was initially hosted on IIS 5.0 in WinXP and the .exe file gets launched when I run the ASP.NET website through the IIS server.
View 2 Replies
Apr 23, 2013
I tried to insert 3 XML files into the database. But while I am trying to insert, half of the values get inserted, and after that I am getting an error like
"Timeout expired. The timeout period elapsed prior to obtaining a connection from the pool. This may have occurred because all pooled connections were in use and max pool size was reached."
How to resolve this error....
View 1 Replies