If I have following code in my web.config file
<authentication mode="Forms">
<forms name="appNameAuth" path="/" loginUrl="login.aspx" protection="All" timeout="30">
</forms>
do I still have to create "Ticket" manually in code behind to actually create a login ticket as:
[code]....
Does anyone know how to add a generic principal to the HTTPContext from the Forms Authentication Ticket?
View 1 RepliesWay to get FormsAuthenticationTicket after user logged in?
View 4 RepliesLet's say I'm currently authenticated in an application (namely: applicationA) and I click a link that will take me to another application (namely: applicationB). Is it correct that in order to bypass authentication of applicationB, I'll just create a ticket for that application telling the web server that I'm already authenticated?
View 5 RepliesI am using the ASP.NET login control. I want to be able to set the timeout for Forms Authentication individually for each user (instead of globally in the web.config). From what I understand the only way to do this is to set the timeout on the AuthenticationTicket manually. Is there a way to do this when using the Login Control? It seems to me that the Login Control abstracts away all of this. I am hoping that there is some way to continue using the Login Control, but also have the ability to set the FormsAuthentication timeout individually for each user.
View 2 RepliesThe constructors for manually creating FormsAuthenticationTicket objects force us to set an "expiration" value, and this value overrides the "timeout" setting in web.config in my tags, which is not what I want, because now the user doesn't timeout. The "session" just expires at the given time.I need to manually create my ticket for UserData reasons, and it is just the way I decided to build my app. I guess I could spend a whole lot of time and redo the way my app. authorizes, and store the "userdata" elsewhere... but this seems extremely tedious for something so small..Is there anyway to manually create an Auth Ticket and still maintain timeout settings?! And by timeout, I mean resetting the timer on user activity. Not a fixed timeout!
View 1 RepliesWhat is the difference between:
FormsAuthentication.RedirectFromLoginPage
AND
FormsAuthentication.SetAuthCookie(Text_txtUserName.Text, true);
HttpContext.Current.Response.Redirect(RedirectFromLoginAddress);
I am developing a asp.net application using SQLServer 2008 and I have a page "Default.aspx" in which i have userID and Password textboxes and a SUBMIT button. Here is the script I am using to authenticate.
[Code]....
Well now i want to know that by using FormAuthenticationTicket how can I check on other pages if user is authenticated user cause in the URL if i just change the page like "Main.aspx" and hit it takes me there which should not happen and redirected to Login page.
How should i check on every page on page load event if user is authenticated or not and if not then redirected to Login.aspx.
I have a asp.net application where i am using FormAuthentication Ticket when user Sign in....on each page I want to check if FormAuthentication Ticket has expired ...how to do this ?..
View 6 RepliesI have a web app that uses window.openModalDialog to display a page. This page has a hyperlink that connects to an HttpHandler to retrieve a file. The link has a target property of "_blank". We've recently implemented Forms Authentication on this site in place of a flaky proprietary solution and we are noticing that now whenever we click on that link we get a pop-up window and the login screen appears.In the authorization section of the web.config we're saying that we don't want to allow anonymous. However, if I add a location element with the URL the handler is associated with, I can hit the breakpoint in the ProcessRequest method because it doesn't care if I'm not logged in. What's odd is that I should be logged in so it seems that the authentication ticket (which isn't expired yet) isn't being accepted in the popup window. If I allow anonymous I can bypass this problem, however the code that retieves the file relies on Session data and it's null. Therefore, either way I can't get this to work.It has been suggested that instead of a modal dialog just use window.open, however I'm reluctant to do that because when this window is open I don't want users accessing the parent window due to several reasons. Is there any way to get around this problem? I don't want to ditch forms auth for the old way because it wasn't secure.
View 1 Replieshere's what I have:
My asp.net 3.5 app uses Forms Authentication.
I create an authentication cookie (ticket) with an expiration date of one day.The cookie'sIsPersistent is set to true.
I do not use any session variables.
Session timeout is the default 20 minutes.
Here's the problem:
When the session times out in 20 minutes, the user is redirected to the logon page even though the authentication cookie has not expired.
Why does this happen? I thought the cookie and the session worked independently. Shouldn't the user remain logged in as long as the cookie hasn't expired?
i have a secure ASP.net application ,login page and all these stuffs, i want to create a windows desktop application for some resones but i want to use the same security of the asp.net , is there anyway to get the login information of the asp.net to login to my windows desktop application?
View 1 Repliesi have a custom class has extra information about my users , i want to create an object of this class and attach it to current Authentication ticket , what is the best way to do that , i have read there is a userdata thing in the authentication ticket but it's type is String
View 5 RepliesI'm having a problem trying to delete the form authentication ticket (.ASPXAUTH) from the server side. It would be the same to delete or invalidate the ticket so the client could not reuse it.
So far, the only solution I've found is to delete the ticket from the client side (through a "Set-Cookie: .ASPXAUTH=;") but nothing seems to be implemented and/or working for doing so in the server side. The final idea is that if someone steels that ticket
In particular, I'm working in C# but as it's rellated to the Dotnet Framework any implementation of the solution would be OK; I tried all the possible things and nothing worked out, even invalidating the session but nothing.
I simply want to know how to manually check if the value a user has provided for the answer to their security question matches their current answer on record. I want to use the build in support of the membership and membershipuser objects.
I see that via the passwordrecovery control that the actual answer can be returned. However I am currently not using this control and it would take a good bit to integrate it as it does not meet our user's requirements.
In a worst case scenario, getting the actual answer (like the passwordrecovery control does) and manually checking it in our application would be acceptable.
A best case scenario is some sort of API where I can pass in the user name and the answer to their security question that was provided and simply get an indication of whether answer was correct or not.
we recently upgrated our project from 1.1 to 2.0. since then we are seeing "Forms authentication failed for the request. Reason: The ticket supplied has expired" in Event Viewer. this keeps coming 1-2 times for every minute. this is the full message. this also made the response time increased it seems.
Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied has expired.
Event time: 1/25/2010 5:00:30 PM
Event time (UTC): 1/25/2010 10:00:30 PM
Event ID:
Event sequence: 20601
Event occurrence: 2692
Event detail code: 50202.....
I have the following code in my secure/login.aspx page using .NET 3.5 and VB.NET
[Code]....
[Code]....
I read some articles that mentioned specifying the domain attribute within the <forms tag but that did not seem to work either. e.g.
what is the use formsAuthentication.user.identity
is it one of the property of page
I have a login page that is set to the loginUrl property in the authentication section of my web.config file. I am trying to reference a CSS stylesheet, but it doesn't seem to be doing anything. Here is my markup:
[Code]....
I am able to do this just fine on my other page. One thing I noticed was when I click on "View Source" and try to click the link to the stylesheet, it doesn't take me there, and instead changes the "action" property of the form element to this:
[Code]....
Just a quick question i've been asked to look at enhancing security but encrypting passwords we store in a db table, essentially the data thats linked to the user account isnt sensitive however its more to stop someone reading passwords out of the table directly etc
I've read multiple ways of implimenting hashing etc i've started using FormsAuthentication.HashPasswordForStoringInConfigFile
//create new salt and update the password
Hashtable newInfo = new Hashtable();
newInfo["salt"] = GenerateFriendlyPassword(5);
string tmppass = FormsAuthentication.HashPasswordForStoringInConfigFile(txtNewPass1.Text.ToString() + newInfo["salt"].ToString(), "SHA1");
newInfo["passwordHash"] = tmppass;
Generate friendly password returns a 5 char string based on a random position in a valid char array containing a - z and 0 - 9At present the functionality is at page level in the code behind, re this is the forms authentication HashPasswordForStoringInConfigFile function thread safe? Or do i need to look at implimenting this in a different wayCheers appreciate your response as im always jubious about multi threading etc,
In my account controller I am calling FormsAuthentication.SetAuthCookie( emailAddress, rememberMe ).
Response.Cookies has my cookie. However, after the redirect the cookie is gone and the request is not authenticated.
We have a windows 2003 webserver which hosts .NET applications. Since last Microsoft security updates formsauthentication on all websites works only on non IE browsers? Before the update we experienced no problems.
View 2 RepliesI am using Forms Authentication in my VS-2005 website.In case of wrong credentials or while explicitly requesting protected pages the website is able to redirect user to login page. However, when correct login credentials are provided the application is not able to redirect the user to the desired page.While debugging I found that 'Request.IsAuthenticated=False' just before I redirect the user to the desired page.While coding I thought that this property will be set to true automatically after I generate the Authentication ticket. So do I need to set it explicitly inside the submit button click on Login page after validation?BTW I have not used the 'GetAuthcookie', 'SetAuthCookie' or 'RedirectFromLoginPage' methods.
I am posting the code inside the submit button click on the Login page as well as the Authentication and Authorization tags in web.config.
<authentication mode="Forms">
<forms name=".ASPXFORMSDEMO" loginUrl="~/Login.aspx" cookieless="UseCookies" path="~/"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
Protected Sub btnsubmit_click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnsubmit.Click
'here first validate if the user is valid user
ad = New Aranya_Data
[code]....
i have created a custom principal class, and a custom Identity.
named SystemIdentity and SystemPrincipal.
SystemIdentity class has some additional properties ( UserID, UserName, Age, ...)
in my Global.asax file I changed PostAuthenticateRequest event as bottom
[code]....
i wonder theese questions answer now:
1. where i can assign the additional properties of SystemIdentity ( UserID, UserName, Age, ...)
2. which Identity is Authenticated by FormsAuthentication.SetAuthCookie? is my custom Identity, or GenericIdentity?
I have configured Forms Authentication in my web config file as below.
Following is my code
[Code]....
The issue is that FormsAuthentication.Authenticate never returns true. This is a very simple website with only two pages and no other code(The code too was copied from MSDN).
[Code]....