Security :: User Being Asked To Log In Again After Approx 20 Minutes?
I have a web application that uses forms authentication, memberships and roles. I'm finding it difficult to test but it looks as though the application is forcing my users to log in again after about 20 minutes of inactivity. However, the nature of my application requires users to stay logged in for longer than this even if they aren't using the application constantly.
I've already set the following line in my web.config file so that doesn't seem to be making a difference:
Is there something else that I need to set to prevent my users from being redirected to the login page too early on? I'd like them to be inactive for about an hour before forceably logging them off. I don't want them to lose their work if they don't use the system for 20 minutes.
View 4 Replies (Posted: Oct 07, 2010 10:25 AM)
Related Forum Messages For ASP.NET category:
Security :: How To Redirect The User After 2 Minutes If There Is Inactivity For 2 Minutes
I want to redirect the user after 2 mins if there is inactivity for 2 mins. I am not using ASP.NEt membership. And I dont want to use Sessiontimeout for this. Session timeout will logout the user even if he is working on the system. My objective is like screensaver process.
If there is no action for the specified time, the screensaver runs. Similarly, I want to redirect the user to login page.
Here what my problem is,
the user is working on the site...ok.. he want to see someother site.he browse someother site and works on....or even he can do some other work in his system...but he is active in his system... What this script does is, it automatically logout the user and redirect him to login page. But it should not do while he is active...IT SHOULD REDIRECT IF HE IS NOT ACTIVE REALLY (Similar to Screensaver process)
Is it possible ?
Posted: Feb 13, 2011 05:47 AM
View 1 Replies!
Security :: Timeout Is In Minutes?
I have implemented the basic forms authentication.In web.config I have set the following, in the authentication tagtimeout = "50000000000" Other than that, I have an out-of the box implementation.I have no custom provider.My clients want to pretty much enter the username once a day.The timeout is in minutes, so I am sure that they are not waiting over 5 million minutes,so something else has to be booting them.
Posted: Jan 25, 2010 05:18 PM
View 7 Replies!
Security :: Logon Box Appears Every 5 Minutes?
I get about 5 minutes of inactivity before a logon box appears for a site I manage. Once logged in, our users must be able to stay logged on all day with no annoying logon popups. This started happening after a change i made to IIS6. We formerly had digest authentication and windows integrated authentication checked and everything worked fine but our users complained because they had to put creds in as <domainuserid>. We want to get rid of the domain requirement. To do this i unchecked windows integrated authentication and added the domain to the "Realm" text box. I can log in now without the domain, and everything works as before but I only get a few minutes before I have to relogon. I tried increasing the connection timout to 36000 and have keep alives checked on the web site property page. I also tried setting the web servers registry setting: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesInetInfoParametersDigestContextCacheTTL to 36000 (ten hours). these changes had no effect that I can see.Our setup:we use SSL and have a test certificate that is expired We are hitting the site on our intranet with IE7 or IE8. The production version of this site is on the internet though.IIS6 on a 2003 serverkeep alives is checkedanonymous authentication is uncheckeddigest authentication is checkedwindows integrated authentication is uncheckedIISRESET was run after each change.
Posted: Jan 08, 2010 12:56 PM
View 7 Replies!
Security :: Loose Authentication After 30 Minutes?
This is my web.config settings:
neither keep me in for more than 30 minutes.
for some reason the Ticket is set correctly for 90 days. But the cookie is always January 01, 0001. Below is the output of the Authentication Dates.
Ticket Issue Date: Wednesday, January 05, 2011 4:35:42 PM
Ticket Expiry Date: Tuesday, April 05, 2011 4:35:42 PM
Cookie Name: .ASPXFORMSAUTH
Cookie Expiry Date: Monday, January 01, 0001 12:00:00 AM
Posted: Jan 05, 2011 08:46 PM
View 5 Replies!
How To Retrieve Large(approx: 50 MB) Xml String From Webpage
What is the preferred way to retrieve large(approx: 50 MB) xml string from ASP.NET webpage?
Placing the xml string in file and downloading the file is not a choice.(This should be my last resort if nothing else works)
I have following method on ASP.NET server which is exposed through WCF service to silverlight client.
Unfortunately these xml strings are approximately 50MB to 100 MB. Silverlight client needs to retrive these large strings and store it in a file on the client machine at the path selected by the user through saveFileDialog.
My concern is WCF service will not allow such large messages. How can I address this issue?
Posted: Feb 25 10 at 15:39
View 3 Replies!
AJAX :: Display 20 (approx.) Rows In A GridView/DataView?
I need to expose a Web service which will provide an array/DataTable of 20 rows (average) of data - certainly no more than 100 rows would ever be needed. The largest item in these rows would be a date.The Web service would be called by a separate Web site in order to display these 20 (approx.) rows in a GridView/DataView. I would have to be able to dynamically choose which domain to go to and find the Web service.I would possibly have to secure the Web service with a password but this is not vital (possibly with soap headers over https).
My question is what technologies should I use to create this Web service? I know enough about .asmx Web services to struggle through and get this working, but should I get a book on WCF and learn that instead?I use AJAX and jQuery so am also wondering if I should be using one of those client side, to call the Web service and populate the grid?
Posted: Feb 16, 2010 01:33 AM
View 3 Replies!
Security :: Running Application Under The Security Context Of The Logged In User (LDAP Authentication)
We are using membership provider for LDAP authentication. It is working as it should.
But what all configuration settings I have to do so that
all the future requests to this application run under the security context of the Logged in user account not through the some default user set in IIS.
We need to have this working because all the permissions on the database are based on the logged in user.
We are using form authentication for LDAP authentication. And having impersonation = true in web.config.
Posted: Mar 17, 2011 03:55 PM
View 1 Replies!
Security :: Identity Impersonate + Integrated Security(DB) And Programatically Impersonating The User?
I have identity impersonate = true in the Web.config file. I have integrated security = true in the DB connection string in the Web.config file.Before identity impersonate was true,users were able to access the DB through the web service account (seemingly).Now I get an error which says " Login failed for ... " because I am aware there is no specific account for that user in the permissions for that DB instance.I needed to set identity impersonate = true because the web service does not have access to the Active Directory,which I need to retrieve certain user information.
My question is,does identity impersonate = true override the integrated security and attempt to user the authenticated user's account to connect to the DB? Is there a simple way to prevent this in the Web.config itself?If not,would programatically impersonating the user within the Active Directory query functions and setting identity impersonate = false do the trick here?
Posted: Nov 19, 2010 02:22 AM
View 2 Replies!
Security :: SQL Server: Login Failed For User: '$' / Achieve The Security Settings Or Are They Unfeasible / Unnecessary
I hate to be the 12345th person to request assistance on this topic, but despite looking at previous requests, I can't seem to find the solution.
I have a new ASP.NET 2.0 web application which is hosted on (for argument's sake) WEBSERVER (using IIS 6.0), and which accesses data on SQLSERVER (using SQL Server 2000).
Because this is an intranet application, I want the application's authentication mode to be Windows, and the IIS authentication mode to be Integrated Windows (with Anonymous access disabled). ie: IIS should authenticate the user as smithjohn and SQLSERVER should also authenticate the user as smithjohn.
I don't know if this is relevant, but because of an existing nasty Windows application, all relevant domain users already have their own <DOMAIN><username> User account on SQLSERVER.
When I build and browse the pages in Visual Web Developer Express, I can retrieve information from SQLSERVER without any problems.
When I publish the site, and upload it to WEBSERVER, I get the following error upon attempting to retrieve data from a stored procedure on SQLSERVER:
System.Data.SqlClient.SqlException: Login failed for user '<DOMAIN><WEBSERVER>$'. at System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject) at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory) at System.Data.SqlClient.SqlConnection.Open() at snapshot.btnGo_Click(Object sender, EventArgs e)
Connection String (in Web.Config):
<add name="strConnMyDatabase" connectionString="Data Source=SQLSERVER;Initial Catalog=MyDatabase;Integrated Security=True" providerName="System.Data.SqlClient"/>
Authentication Type (in Web.Config)
There are no impersonation settings defined in Web.ConfigIIS 'Directory Security' settings are:
Anonymous Access disabledIntegrated Windows authentication enabled
The stored procedure (usp_MyProcedure) has the following execute permissions:
DOMAINDomain UsersSQLSERVERMyRole (to which my SQL Server User account belongs)
Is it possible to achieve the security settings I've outlined, or are they unfeasible / unnecessary? My assumption is that if I use an 'ASPNET' user account, I'll lose the ability to distinguish between (for example) a Marketing department user, and a Finance department user, and that information may be useful if I develop more sensitive data pages in the future. How do I resolve the SQL Exception I'm generating?
Posted: Dec 11, 2006 03:47 AM
View 8 Replies!
Security :: User Control Library Causing Security Exception?
I have created user web control library project and these controls i'm using in my web application. These User controls just works fine in my local machine but when i moved this project(including Library) to our Local server , it is throwing security exception
Error 1 Cannot register assembly "LocalServerLibraryDemoLibraryDemoLibraryinDebugLibrary.dll". Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=184.108.40.206, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. Library
Anybody knows why this error occuring...?
Posted: Jul 22, 2010 11:02 AM
View 2 Replies!
Security :: How To Manually Check A User's Security Question Answer
I simply want to know how to manually check if the value a user has provided for the answer to their security question matches their current answer on record. I want to use the build in support of the membership and membershipuser objects.
I see that via the passwordrecovery control that the actual answer can be returned. However I am currently not using this control and it would take a good bit to integrate it as it does not meet our user's requirements.
In a worst case scenario, getting the actual answer (like the passwordrecovery control does) and manually checking it in our application would be acceptable.
A best case scenario is some sort of API where I can pass in the user name and the answer to their security question that was provided and simply get an indication of whether answer was correct or not.
Posted: Jan 30, 2011 04:45 PM
View 5 Replies!
Security :: Enable User To Edit / Delete Based On User's Role Permission
I'm trying to allow logged user who are in department XYZ to perform some task for my third party App. I have two SQL tables named Users & UserList. The third party app (GoldMine) graps the USERNAME from the Users table and store it as UserID which I then referecnce SessionID. The UserList table has two columns (GM_UserName & Department) which I'm interested in. When a user login into the 3rd party app (GoldMine), i then compare the USERNAME (from Users table) to GM_UserName (from UserList table) and see whether GM_UserName is in = 'Dept XYZ'. Take a look at the SQL query below.
sqlDept = "SELECT USERNAME FROM Users LEFT JOIN UserList ON UserList.GM_UserName=Users.UserName WHERE UserList.Department ='Dept XYZ'"
I'm able to do this.
If Session("Userid") = "TestUser1" Or Session("UserID") = "TestUser2" Then Do this Else Do that End If
BUT unable to do this...
If user's Department = 'Department XYZ' Then
Posted: Feb 24, 2011 02:39 PM
View 2 Replies!
Security :: Admin And User Security Folder Setup
I am creating an application hosted on GoDaddy.com. The base files are kept in a folder called /sky while the Admin files and User files are kept in /sky/Admin and /sky/User respectively. I'm having difficulty configuring the security so that when a user tries to access Admin or User files they should be redirected to the login.aspx file in the /sky folder. I keep getting an error that its trying to access sky/sky/login.aspx instead of just sky/login.aspx.
Here are the relevant sections of my web.config file.
<allow roles="Admin" />
<allow roles="Admin,User" />
<customErrors mode="Off" />
<forms name="login" loginUrl="login.aspx" />
Can someone point me to articles or provide assistance with the proper configuration?
Posted: Mar 11, 2011 01:12 AM
View 3 Replies!
Security :: Access Denied For Logged User (anonymous User Is Fine)
I deployed a website where a logged user or an anonymous user can select data and download a XML file. The website generate the XML file in the server and then deliver it.
It works fine in my development environment, but after deployment, the anonymous user can download the file, but the logged user receive this error:
System.UnauthorizedAccessException: Access to the path 'd:HostsLocalUserheringerwebsiteUpload20110107094051.xml' is denied.
It is weird that as anonymous i can do it.
The website server help states this:
"Grant write, modify, delete access rights on website's folder
Your website executes under unique user account that by default has full control over the website's folder.
So your application can create, open, read, write and delete files and folders inside of your root folder.
There is no need and no way to change this permissions.
If, when running ASP.Net application, you still unable to create file or update it, you have to check your Web.Config file for "<Identity impersonate..." tag and remove it.
The only exception is when the application tries to modify a file or folder in "Application_Start" event of Global.asax file. This is by design that user authenticated only after the Application_Start even. Before the user is authenticated your website runs under an identity of Application Pool which is "Network services". That account doesn't have access to the folder of your website.
To make it work you eather have to move the code that tries to modify files or folders out of the "Application_Start" event of the Global.asax file or inside the event you'll need to impersonate your user by code."
But i am not using impersonate and the tag is not in my web.config.
Posted: Jan 07, 2011 02:55 PM
View 2 Replies!
Security :: Adding User Role Selection To Create New User Wizard?
Im pretty much a newb when it comes to developing throuh ASP.net. I was wondering if there is a way to allow users who create new accounts using the "Create New User Wizard" through VWD to select the type of role they belong to, or do I have to build a custom extender to do that?
The reason for this is I want the end user to select what "Type" (Role) of user they are and then have their user role page load and store their personal information in that role's section of the back end sql database.
Posted: Aug 18, 2009 10:22 PM
View 5 Replies!
Security :: Store User Password In Custom Membership User
I have a custom membership user class and custom MembershipProvider working against database. Due to security reasons the user passwords are stored in the database as hashed values. So my procedure
public override bool ValidateUser(string username, string password) is
//select hashed password from db
return (EncodePassword(password) == dbpassword)
Posted: Aug 12, 2010 01:18 PM
View 4 Replies!
Security :: Accessing User Id Immediately After User Signed Up
On our website users can sign up. The sign up controls (converted to a template) has the usual text boxes and then the create user button. When pressing this button the account is created. After reloading the website, the user can see his credentials in his 'my account' tab. Question: How can we access the newly created user (especially his userid) right after the create user button was clicked? Right now this does not work, we can only start accessing this after the page has been reloaded. But surely the account is created the instant the button was pressed. I have tried this:
MembershipUser myObject = Membership.GetUser();
UserID = (System.Guid)(myObject.ProviderUserKey);
But it looks as if the user is not yet logged in at this stage. Can this somehow be forced so that we can access the newly created userid right after the user has clicked the create user button?
Posted: Jan 08, 2011 09:54 AM
View 2 Replies!
Security :: Getting User Name Of Authenticated User In Session_Start Of Global?
I am using form authentication in my website. I have a scenario wherein the user is authenticated but the session has timed out. So, i would like to initialize some session variables in Session_Start of Global.asax (First i check if Request.IsAuthenticated=True). For that i required the name of the user who authenticated. On .aspx pages we can get it using Page.User.Identity.Name but how to get it in global.asax page.
Posted: Jan 06, 2011 06:49 PM
View 1 Replies!
Security :: Storing User Id Beside The User Name?
Moderator Note:Post split from this thread[http://forums.asp.net/t/1403132.aspx]
Q: Im a novice with ASP.net. I want to append a UserID to the Context.Identity.User.Name field.
Where can I set this code while still using asp.net membership and the login control.
Is it possible to set this in an OnLogin or OnAuthenticate event handler.
Is there someway to see the "login control" code, that way I can just copy it but append my own value when setting the name.
Posted: Jun 13, 2010 10:04 PM
View 2 Replies!