Security :: Forms Authentication Resetting On Every Postback?
Feb 3, 2010
I have a web site that works fine on the server. I purchased a new domain and set that up on my web server and set the home directory on to the server to the same location as the site that works.
However, my forms authentication ticket is being recreated on every page post back. Is there some setting in IIS that I'm missing under the new domain(IP)? If I access the site under one domain the ticket is saved and tracked fine. When I access it from the second domain (same home directory as first domain) the ticket is lost on postback.
View 1 Replies
Similar Messages:
Nov 18, 2010
Probably a simple fix to this I am not sure. Basically, I have a MasterPage that contains a Dropdownlist. This DDL controls what is displayed in ContentPlaceHolder. However, when postbacks are caused within the Contact Pages the DDL is resetting itself. How can I keep the selected value for the DDL between postbacks?
View 3 Replies
Jan 13, 2010
I'm trying to set the where clause on a LinqDataSource object bound to a GridView programmatically on a button click, but when the GridView rebinds data (for instance, when the user sorts) the Where clause resets back to the empty string. Is there a way to prevent this, or is there a better way to filter my results?
View 1 Replies
Nov 23, 2010
Pinging back to a webservice in ajax from the client keeps the user's session alive, I don't want this to happen. More extensive summary For a website we're developing, we need the client to ping back (in js) to a webservice (ASMX) on the server (IIS7.5). This happens to let the server know that the user is still on the site, and hasn't browsed away to another site. This is as our customer wants to let users lock records, but if they browse away to other sites, then let other people take over those locked records. Perhaps the distinction between the client being on the site but inactive and on another site seems unimportant, but that's kinda irrelevant, I don't get to write the UI spec, I just have to make it work.
My problem is this, the ping stops the user from being timed out on the server through the standard forms authentication timeout mechanism. Not surprising as there is that 30 second ping in the background keeping the session alive. Even though we want to know if the user is still on the site, we want the normal forms authentication timeout mechanism to be honoured. I thought I might be able to fix this by removing the ASP.NET_SessionId and .ASPXAUTH cookies in the XMLHttpRequest that is the server ping, but I can't figure out how to do this. This is how my web service & method are defined:
[WebService(Namespace = "http://tempuri.org/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
[ScriptService]
public class PingWS : WebService
{
[WebMethod]
public void SessionActive(string sessionID)
{
// does stuff here
}
This is how I'm calling it in js (request is over HTTPS, :
$.ajax({
type: "POST",
url: "PingWS.asmx/SessionActive",
data: 'sessionID=' + aspSessionID + '}',
beforeSend: function (xhr) {
xhr.setRequestHeader('Cookie', '');
xhr.setRequestHeader('Cookie', 'ASP.NET_SessionId=aaa; .ASPXAUTH=bbb;');
},
dataType: "json"
});
I was trying with the setRequestHeader, but that just appends to the header rather than overwrites the header, and IIS is happy to ignore that junk I added. I'm thinking maybe I should be trying to do this at the server end, someone take PingWS.asmx out of the loop so that it doesn't keep the session active, but I'm not sure how to do this. Although the title of the question is focused on clearing the cookie in the header, I'd be super happy if anyone points out that I'm being really stupid and there is actually a much better way of trying to do what I'm doing.
I'm thinking at this stage maybe I need to add something to the webmethod that says how long this particular page has been inactive, and use that knowledge to timeout manually. That actually sounds pretty easy, so I think I'll do that for now. I'm still convinced that there must be an easy way to do what I originally wanted to do though. Update I'm thinking I'm pretty screwed in terms of cookie manipulation here as both the .ASPXAUTH and ASP.NETSessionId cookie are HttpOnly, which means the browser takes them out of your hands, you can't access them via the document.cookies object. So I would say that leaves me with:
Updating my SessionAlive webmethod to track each request so I can tell how long the user has been sitting idle on a page and timeout if needs be Marking the .asmx page somehow on the server end so that it's taken out of the normal authentication/session tracking flow I know how to do 1. so I'll start there but 2. seems much cleaner to me.
View 3 Replies
Sep 13, 2010
I've got a routine that tries to import files from an import directory, spitting them out to an Error directory if the import fails. The Error directory is shared and users have access permissions to delete files in there, so they can try to fix the problems and then move the files off to the import directory again. I use File.Move to move the files to the Error directory and this is working fine, apart from the permissions - it seems to revert to a default set of permissions, rather than the directory's one, and so the users can't remove the files - how can I reset the permissions on the file to those of their containing directory? I've tried poking around with SetAccessControl and SetAccessRuleProtection but I don't seem to be having any luck?
View 1 Replies
Sep 10, 2010
I've got a routine that tries to import files from an import directory, spitting them out to an Error directory if the import fails. The Error dicretory is shared and users have access permissions to delete files in there, so they can try to fix the problems and then move the files off to the import directory again. I use File.Move to move the files to the Error directory and this is working fine, apart from the permissions - it seems to revert to a defaul set of permissions and so the users can't remove the files - how can I reset the permissions on the file to those of the parent directory? I've tried poking around with SetAccessControl and SetAccessRuleProtection but I don't seem to be having any luck?
View 7 Replies
Sep 3, 2010
What do I need to do in order to change an application from Forms Authentication to windows authentication?
View 2 Replies
Jun 3, 2010
I have developed the authenticated rss feed using the basic http authentication for my site.I also have the admin module for the site which uses the Asp.net Forms Authentication .Both are in the same project.When i turn on the forms authentication module to None in my web.config.My rss feed authentication works fine(the browser pop up the dialog box for the username and password) and upon entering the username and password the rss feed gets displayed.But with forms authentication turn on when i click the rss feed link i am getting redirected to the administrator login page.
If i set my authentication mode to none than the feed works like dream but the admin module do not work as it uses forms authentication.
How can i resolve the conflict for that one.I am using the asp.net mvc filter on my feed contoller to pop up the dialog box for the username and password.
[Code]....
View 1 Replies
Feb 16, 2011
I'm developing an internal booking sytem. Users log in to the sytem and can view existing bookings and search for bookings. They can also create new or edit existing bookings. When completing such actions I need a confirmation prior to completing the booking or updating the recorded. The confirmation is based on a reauthentication of the user.... in otherwords he needs to enter his passord again.
How can I achieve this? The system is internam and I'm using Forms Authentication. I an also using roles as som of the admin forms can only be viewed by administrators.
View 1 Replies
Jul 14, 2010
This could be very straight forward for some of you, but I got caught up. I am doing very simple test - browsing from IIS Manager to see the default page or "under Construction", however I am being challenged to provide my login credential . When I provide my login credential, I am able to see the default page. I wanted to see the default page without providing my credential since Enable anoymous access + basic authentication I am simply wanted to see the default page asit is working on other servers except this one. I have included screen print to make sure may question is clear.
View 3 Replies
Jan 4, 2011
What's the difference between Basic Authentication and Integrated Windows Authentication in IIS?
View 3 Replies
Mar 10, 2010
I set authentication mode to Windows in the web.config and I enable Windows Authentication and disable the Anonymous Authentication in IIS 7 on win 7, but HttpContext.Current.User is always null.It works fine when I host the web app in IIS 6.0.
View 1 Replies
Aug 9, 2010
I have a web farm web project, and want to make sure windows authentication is working well without any problem in web farm, can any one give me some web sites or information about that?
View 1 Replies
Feb 8, 2010
Am going to develop authentication part in the web site. I want my authentication module should not be hacked by any one and also want in secure side.
View 1 Replies
Sep 2, 2010
I needed information regarding the capabilities & integration of AzMan tool with Asp.net.Currently, I got a Sharepoint 2007 website along with ASP.NET 2008 where I am using Form Based Authenication.Now, the requirement is any user within a domain registered in AD should be able to login in website through intranet.
Can I acheive this using AzMan, or I need to create two websites one with FBA for internet users and the other one for the intranet users with AD authenication. Also my intenet website is deployed and in use where usermapping and roles are already created, so using this tool what will be the impact on existing webiste.
View 2 Replies
Dec 15, 2010
I have to invoke SSIS packages from web service in the most secure way. I think that windows authentication will be secure but i am not sure. I do not have much knowledge about how to achieve this and the information on the internet is very distributed.
View 1 Replies
Apr 6, 2010
We use Sharepoint to control our websites. We build the sites, then load them into the sharepoint server. My question is if I use windows authentication, how can I get my role security in my web config file to coencide with the asp.net controls that use the Forms authentication. Is there a differenence? Our security uses a session variable for security but there is no where to set up their permissions except in active directory. I hope this makes sense because I would like to implement the LoginView with Role groups but how can I give them the role="administrator"? Do I have to go into active directory and give them these permissions(would take awhile due to the size of the company)? Or do I have to set up priveladges in the web.config file for each user(difficult I think)?
View 5 Replies
Aug 18, 2010
I'm writing a simple Intranet application using windows authentication. I want to restrict access to Safe/UCantSeeMe.aspx. I am aware of the AuthorizeAttribute, but this only works on methods. I also found a good post on doing this with the MVC pattern, but I'm not using MVC. This can be done with roles in forms based security. I read on MSDN that using windows based security means roles are based on groups, but it doesn't go into any detail. how can I restrict access to Safe/UCantSeeMe.aspx?
View 1 Replies
Mar 17, 2011
We are using membership provider for LDAP authentication. It is working as it should.
But what all configuration settings I have to do so that
all the future requests to this application run under the security context of the Logged in user account not through the some default user set in IIS.
We need to have this working because all the permissions on the database are based on the logged in user.
We are using form authentication for LDAP authentication. And having impersonation = true in web.config.
View 1 Replies
Sep 21, 2010
I have an application that has a user Login Control (provided by ASP). I am just now working with the integration of a dataBase created in MS visual studio 2010, to a developed website created in MS visual web developer 2010. My main goal is to create an authentication ticket that enables a user to be able to see a dataBase information only after that user has been successfully authenticated.
Up to now I'm able to see the dataBase when i run the website even if I'm not log-in, how i can create a home page that tells the user to log-in and once that user has successfully log-in it redirects the user to another page where the user can see the database and how I can add information to that dataBase only to specific members
View 4 Replies
Mar 15, 2010
I have the same exact problem here [URL] I have a multi-project solution with role based security. I login with admin and hit logout. Then, I can login with a user that has a different role and access an admin page by typing the address. Once I try to do something on that admin page that postbacks then I get kicked out and redirected to the login page. If I don't write in redirect to login page in logout page, I have to hit logout twice for logout to work properly. Also, it works fine if I close the browser and run a new browser.
Web.config:
<authentication mode="Forms">
<forms name="AppAuth" path="/" loginUrl="login.aspx" protection="All"
timeout="5" slidingExpiration="true" defaultUrl="default.aspx"></forms>
</authentication>
[Code]....
Something else I am wondering is if there is a way to redirect a logged in user to default page instead of login page when they try to access a page they don't have a permission for access.
View 2 Replies
Feb 2, 2010
I understand that we can easily secure the menu pages by enabling SecurityTrimming and putting role information in web.sitemap.
But my problem is that we have to use a 3rd party authentication piece. The ASP.NET application gets the UserId and roles from the authentication module.
I need to show/hide ASP.NET pages based on the incoming user's roles.
Is it possible somehow to use web.sitemap with these roles?
Or should I come up with my own way to map a web page to role/s?
View 1 Replies
Aug 5, 2010
I am developing a small website in vs-2005.
Here I am using forms authentication and I have used an access database. I have put the db in App_Data folder and declared the connectionstring in web.config. The problem I am facing is that when I request any page without logging in the browser displays the requested page. At the bottom of the page there is a script error when I check the details it says Sys is not defined. Has this something to do with this issue??
In web.config file I have added the following lines in the <system.web></system.web> section.
<authentication mode="Forms">
<forms name=".ASPXFORMSDEMO" loginUrl="Default.aspx" protection="All" path="~/" timeout="30"/>
</authentication>
<authorization>
<deny users="?"/>
<!--<allow users="*" />-->
</authorization>
On login button click after comparing userid & password I am using the foll stmts:-
If code = 0 Then ' code 0 means match for userid and pwd
FormsAuthentication.RedirectFromLoginPage(txtuserid.Text, False)
Else
Response.Redirect("~/Default.aspx")
End If
View 3 Replies
Feb 2, 2010
I am using ASP.Net's forms authentication, but do not want the default behavior of redirecting to a login page when a restricted area is accessed. Instead I would like to invoke a javascript JQuery dialog for the login on the current page, preventing the content behind from loading.My only issue is that by default the forms authentication wants to redirect. Is there a handler that I can hook into, or some other option to prevent the redirect?
View 3 Replies
May 18, 2010
I'm using Forms authentication in ASP.NET MVC website and I store user account login name in AuthCookie like this: FormsAuthentication.SetAuthCookie(account.Login, false); I want to ask if there is a possibility that user on client side will somehow manage to change his login name in AuthCookie and thus he will be for example impersonated as someone with higher privileges and authorized to do more actions than he is normally supposed to have. Also is it better to save in this cookie user account login name or user account ID number?
View 3 Replies