Security :: FormsAuthentication.SetAuthCookie(Session["UserSession"].ToString(), False)?
Jul 22, 2010What is the use of FormsAuthentication.SetAuthCookie(Session["UserSession"].ToString(), false);
View 1 RepliesWhat is the use of FormsAuthentication.SetAuthCookie(Session["UserSession"].ToString(), false);
View 1 RepliesWhat is the difference between:
FormsAuthentication.RedirectFromLoginPage
AND
FormsAuthentication.SetAuthCookie(Text_txtUserName.Text, true);
HttpContext.Current.Response.Redirect(RedirectFromLoginAddress);
In my account controller I am calling FormsAuthentication.SetAuthCookie( emailAddress, rememberMe ).
Response.Cookies has my cookie. However, after the redirect the cookie is gone and the request is not authenticated.
i have created a custom principal class, and a custom Identity.
named SystemIdentity and SystemPrincipal.
SystemIdentity class has some additional properties ( UserID, UserName, Age, ...)
in my Global.asax file I changed PostAuthenticateRequest event as bottom
[code]....
i wonder theese questions answer now:
1. where i can assign the additional properties of SystemIdentity ( UserID, UserName, Age, ...)
2. which Identity is Authenticated by FormsAuthentication.SetAuthCookie? is my custom Identity, or GenericIdentity?
I Need to Authenticate a User by using FormsAuthentication.SetAuthCookie and Check User is Authenticated in Another page Load How to Do this anyone?
Login Page
if (txtuname.Text == "mike")
{
FormsAuthentication.SetAuthCookie("mike", true);
Response.Redirect(FormsAuthentication.DefaultUrl);
}
Welcome Page
PageLoad()
{
}
Problem: I am using FormsAuthentication.SetAuthCookie(UserId, False)[Snip]Response.Redirect("~/login_pages/home2.aspx") ' Force round trip so that logon works OK to logon a user. It all works fine with other browsers, and IE7 provided that IE7's PRIVACY (originally I had written "Security") setting is Low. However it doesn't work when the PRIVACY setting is Medium (the default).
How do I solve this problem? I would have expected that FormsAuthentication.Authenticate(Userid, password) was the solution, but this doesn't seem to work at all.
the question is how can i delete a coockie that is created with FormsAuthentication.SetAuthCookie?and how can i set the coockie to have more duration?
View 39 RepliesI have configured Forms Authentication in my web config file as below.
Following is my code
[Code]....
The issue is that FormsAuthentication.Authenticate never returns true. This is a very simple website with only two pages and no other code(The code too was copied from MSDN).
[Code]....
I am using DotNetOpenAuth in my ASP.Net Website. I have modified it to work with Facebook Connect as well, using the same methods and database structures. Now I have come across a problem.
I have added a Facebook Connect button to a login page. From that HTML button, I have to somehow pull information from the Facebook Connect connection and pass it into a method to authenticate the user. The way I am currently doing this is by:
Calling a Javascript Function on the onlogin function of the FBML/HTML Facebook Connect button. The javascript function calls a Web service to login, which it does correctly. The web service calls my data access layer to login. And here is the problem: FormsAuthentication.SetAuthCookie is set at the data access layer. The Cookie is beyond the scope of the user's page and therefore is not set in the browser. This means that the user is authenticated, but the user's browser is never notified. So, I need to figure out if this is a bad way of doing what I need or if there is a better way to accomplish what I need. I am just not sure and have been trying to find answers for hours.
I have a littel problem.
In my asp.net application iam using Form FormsAuthentication.... and also use a session var to save a userID..
The problem is that ´when my session espire, the Form cooki is not expired.
I want form cooki to expire, when session expires....how?
Do i have to do it in Session_end event..
How do the code look like?
When I run the following debugging code it writes out credits:0
Dim MembershipUser As MembershipUser = Membership.GetUser()
Dim UID As String = MembershipUser.ProviderUserKey.ToString
SQL = "SELECT SUM(Credits) As Credits FROM Credits WHERE " & _
"DateDiff(m, [DateTime], GETDATE()) < 6 AND [UserID]=@UserID;"
cmd = New SqlCommand(SQL, Conn)
cmd.Parameters.Add(New SqlParameter("@UserID", UID))
DataReader = cmd.ExecuteReader()
If DataReader.HasRows Then
Do While DataReader.Read
[Code]....
I have created an asp.net site with anonymous access turned off. Its for an internal (intranet) system which uses User.Identity.Name.ToString() to get the users login windows ID and then displays some records from a datagrid depending on their login ID. Is this secure? Also i am struggling to workout how best to store the result of User.Identity.Name.ToString() as I am not keen on storing it in a hidden text field and would rather not call it all the time unless this is the best way?
View 3 RepliesI have the following code in my secure/login.aspx page using .NET 3.5 and VB.NET
[Code]....
[Code]....
I read some articles that mentioned specifying the domain attribute within the <forms tag but that did not seem to work either. e.g.
what is the use formsAuthentication.user.identity
is it one of the property of page
I have a login page that is set to the loginUrl property in the authentication section of my web.config file. I am trying to reference a CSS stylesheet, but it doesn't seem to be doing anything. Here is my markup:
[Code]....
I am able to do this just fine on my other page. One thing I noticed was when I click on "View Source" and try to click the link to the stylesheet, it doesn't take me there, and instead changes the "action" property of the form element to this:
[Code]....
Just a quick question i've been asked to look at enhancing security but encrypting passwords we store in a db table, essentially the data thats linked to the user account isnt sensitive however its more to stop someone reading passwords out of the table directly etc
I've read multiple ways of implimenting hashing etc i've started using FormsAuthentication.HashPasswordForStoringInConfigFile
//create new salt and update the password
Hashtable newInfo = new Hashtable();
newInfo["salt"] = GenerateFriendlyPassword(5);
string tmppass = FormsAuthentication.HashPasswordForStoringInConfigFile(txtNewPass1.Text.ToString() + newInfo["salt"].ToString(), "SHA1");
newInfo["passwordHash"] = tmppass;
Generate friendly password returns a 5 char string based on a random position in a valid char array containing a - z and 0 - 9At present the functionality is at page level in the code behind, re this is the forms authentication HashPasswordForStoringInConfigFile function thread safe? Or do i need to look at implimenting this in a different wayCheers appreciate your response as im always jubious about multi threading etc,
We have a windows 2003 webserver which hosts .NET applications. Since last Microsoft security updates formsauthentication on all websites works only on non IE browsers? Before the update we experienced no problems.
View 2 RepliesI am using Forms Authentication in my VS-2005 website.In case of wrong credentials or while explicitly requesting protected pages the website is able to redirect user to login page. However, when correct login credentials are provided the application is not able to redirect the user to the desired page.While debugging I found that 'Request.IsAuthenticated=False' just before I redirect the user to the desired page.While coding I thought that this property will be set to true automatically after I generate the Authentication ticket. So do I need to set it explicitly inside the submit button click on Login page after validation?BTW I have not used the 'GetAuthcookie', 'SetAuthCookie' or 'RedirectFromLoginPage' methods.
I am posting the code inside the submit button click on the Login page as well as the Authentication and Authorization tags in web.config.
<authentication mode="Forms">
<forms name=".ASPXFORMSDEMO" loginUrl="~/Login.aspx" cookieless="UseCookies" path="~/"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
Protected Sub btnsubmit_click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnsubmit.Click
'here first validate if the user is valid user
ad = New Aranya_Data
[code]....
I've implemented my custom membership provider. I use third server for authentication (call web method that validates user/password). I need this user/password for retrieve some additional data from this server. Asp.net MVC uses FormsAuthentication and cookie for keep 'login state' by default. It works well when I login on site first time. But when I close and open site again sometime after, cookie keeps it 'login'but I don't have credential for access to server data. I can change cookieless attribute (to 'UseUri' for example) in configure file but in this case I should login again if I open second tab with this app in same browser.My questions:
Is way to call SingOut of FormsAuthentication (remove authentication ticket from browser) when user closes asp.net mvc app?Is secure way to pass user/password data through session? Because server is unstable and interrupt connection often and app should have possibility for silent reconnect.
My client wants 2 separate login pages for an ASP.Net app, one for regular users, one for support staff. I am using the standard FormAuthentication component for authentication. Is it possible to redirect a regular user to one login page after a timeout, and also to redirect an admin user to a different page after a timeout? The loginUrl attribute of <forms> in web.config is read-only, and cannot be edited at runtime.
Regular User -> Timeout -> Login.aspx
Support User ->Timeout -> SupportLogin.aspx
I'm trying a lot a things in these days around the Login control. What I want: to keep the user logged ind also when she close the browser. When se returnes to the page, she should be moved to the DestinationPageUrl of the login control.
My Login control:
[Code]....
My Codebehind file for the login control:
[Code]....
My web.cofig settings:
[Code]....
As you can se, I have learned (from google and here in forums.asp.net) that I need to do a FormsAuthentication.SetAuthCookie but I have one problem....... If I do nothing in the page_load the control doesn't keep me logged in through sessions.Is there anyone who can help me, and either explain og link me to a page, where I can see, how I can get the UserName and Password from the FormsAuthentication.SetAuthCookie I maid. I also need to know if when I get UserName and Password from cookies andthen redirect to the /Content/Default.aspx page in page_load the system knows (formsauthentication) the user is logged in?
I am getting a "System.NullReferenceException" when I call
View 3 RepliesI know this post is the same than other around but I can't get it to work the way I want, the thing is that the Login.aspx page have it in a folder not in the root of the directory, also the page that I want to redirect the user to is in the same folder, so far I got this in my web.config file
[Code]....
All pages contained in the Admin folder want it to be protected, the administrator needs to authenticate first, so my question is what I am doing wrong? need to take the Login.aspx and the admin.aspx out of the admin folder?
How to set Request.IsAuthenticated to true when not using FormsAuthentication.RedirectFromLoginPage?
View 3 RepliesIn my website i am creating a custom FormsAuthentication ticket during log in. This ticket stores the userid but i also need to specify the role of the logged in user. How do i do it?
View 2 Replies