Security :: User Being Asked To Log In Again After Approx 20 Minutes?
Oct 7, 2010
I have a web application that uses forms authentication, memberships and roles. I'm finding it difficult to test but it looks as though the application is forcing my users to log in again after about 20 minutes of inactivity. However, the nature of my application requires users to stay logged in for longer than this even if they aren't using the application constantly.
I've already set the following line in my web.config file so that doesn't seem to be making a difference:
Is there something else that I need to set to prevent my users from being redirected to the login page too early on? I'd like them to be inactive for about an hour before forceably logging them off. I don't want them to lose their work if they don't use the system for 20 minutes.
I want to redirect the user after 2 mins if there is inactivity for 2 mins. I am not using ASP.NEt membership. And I dont want to use Sessiontimeout for this. Session timeout will logout the user even if he is working on the system. My objective is like screensaver process.
If there is no action for the specified time, the screensaver runs. Similarly, I want to redirect the user to login page.
Here what my problem is,
the user is working on the site...ok.. he want to see someother site.he browse someother site and works on....or even he can do some other work in his system...but he is active in his system... What this script does is, it automatically logout the user and redirect him to login page. But it should not do while he is active...IT SHOULD REDIRECT IF HE IS NOT ACTIVE REALLY (Similar to Screensaver process)
I have implemented the basic forms authentication.In web.config I have set the following, in the authentication tagtimeout = "50000000000" Other than that, I have an out-of the box implementation.I have no custom provider.My clients want to pretty much enter the username once a day.The timeout is in minutes, so I am sure that they are not waiting over 5 million minutes,so something else has to be booting them.
I get about 5 minutes of inactivity before a logon box appears for a site I manage. Once logged in, our users must be able to stay logged on all day with no annoying logon popups. This started happening after a change i made to IIS6. We formerly had digest authentication and windows integrated authentication checked and everything worked fine but our users complained because they had to put creds in as <domainuserid>. We want to get rid of the domain requirement. To do this i unchecked windows integrated authentication and added the domain to the "Realm" text box. I can log in now without the domain, and everything works as before but I only get a few minutes before I have to relogon. I tried increasing the connection timout to 36000 and have keep alives checked on the web site property page. I also tried setting the web servers registry setting: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesInetInfoParametersDigestContextCacheTTL to 36000 (ten hours). these changes had no effect that I can see.Our setup:we use SSL and have a test certificate that is expired We are hitting the site on our intranet with IE7 or IE8. The production version of this site is on the internet though.IIS6 on a 2003 serverkeep alives is checkedanonymous authentication is uncheckeddigest authentication is checkedwindows integrated authentication is uncheckedIISRESET was run after each change.
What is the preferred way to retrieve large(approx: 50 MB) xml string from ASP.NET webpage?
Placing the xml string in file and downloading the file is not a choice.(This should be my last resort if nothing else works)
I have following method on ASP.NET server which is exposed through WCF service to silverlight client.
Unfortunately these xml strings are approximately 50MB to 100 MB. Silverlight client needs to retrive these large strings and store it in a file on the client machine at the path selected by the user through saveFileDialog.
My concern is WCF service will not allow such large messages. How can I address this issue?
I need to expose a Web service which will provide an array/DataTable of 20 rows (average) of data - certainly no more than 100 rows would ever be needed. The largest item in these rows would be a date.The Web service would be called by a separate Web site in order to display these 20 (approx.) rows in a GridView/DataView. I would have to be able to dynamically choose which domain to go to and find the Web service.I would possibly have to secure the Web service with a password but this is not vital (possibly with soap headers over https).
My question is what technologies should I use to create this Web service? I know enough about .asmx Web services to struggle through and get this working, but should I get a book on WCF and learn that instead?I use AJAX and jQuery so am also wondering if I should be using one of those client side, to call the Web service and populate the grid?
I am returning data in a gridview control. Now, I was asked how many is too many in a code review today. They asked me whether I am dumping everything from backend to Grid (with paging), the answer was yet. Now, what if the getData object returns 100,000 records, will I still be dumping all of this into the grid control or dump in portions.
We are using membership provider for LDAP authentication. It is working as it should.
But what all configuration settings I have to do so that all the future requests to this application run under the security context of the Logged in user account not through the some default user set in IIS.
We need to have this working because all the permissions on the database are based on the logged in user.
We are using form authentication for LDAP authentication. And having impersonation = true in web.config.
I have identity impersonate = true in the Web.config file. I have integrated security = true in the DB connection string in the Web.config file.Before identity impersonate was true,users were able to access the DB through the web service account (seemingly).Now I get an error which says " Login failed for ... " because I am aware there is no specific account for that user in the permissions for that DB instance.I needed to set identity impersonate = true because the web service does not have access to the Active Directory,which I need to retrieve certain user information.
My question is,does identity impersonate = true override the integrated security and attempt to user the authenticated user's account to connect to the DB? Is there a simple way to prevent this in the Web.config itself?If not,would programatically impersonating the user within the Active Directory query functions and setting identity impersonate = false do the trick here?
I hate to be the 12345th person to request assistance on this topic, but despite looking at previous requests, I can't seem to find the solution.
I have a new ASP.NET 2.0 web application which is hosted on (for argument's sake) WEBSERVER (using IIS 6.0), and which accesses data on SQLSERVER (using SQL Server 2000).
Because this is an intranet application, I want the application's authentication mode to be Windows, and the IIS authentication mode to be Integrated Windows (with Anonymous access disabled). ie: IIS should authenticate the user as smithjohn and SQLSERVER should also authenticate the user as smithjohn.
I don't know if this is relevant, but because of an existing nasty Windows application, all relevant domain users already have their own <DOMAIN><username> User account on SQLSERVER.
When I build and browse the pages in Visual Web Developer Express, I can retrieve information from SQLSERVER without any problems.
When I publish the site, and upload it to WEBSERVER, I get the following error upon attempting to retrieve data from a stored procedure on SQLSERVER:
System.Data.SqlClient.SqlException: Login failed for user '<DOMAIN><WEBSERVER>$'. at System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject) at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection) at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory) at System.Data.SqlClient.SqlConnection.Open() at snapshot.btnGo_Click(Object sender, EventArgs e)
Connection String (in Web.Config):
<add name="strConnMyDatabase" connectionString="Data Source=SQLSERVER;Initial Catalog=MyDatabase;Integrated Security=True" providerName="System.Data.SqlClient"/> Authentication Type (in Web.Config) <authentication mode="Windows"/> There are no impersonation settings defined in Web.ConfigIIS 'Directory Security' settings are: Anonymous Access disabledIntegrated Windows authentication enabled The stored procedure (usp_MyProcedure) has the following execute permissions: DOMAINDomain UsersSQLSERVERMyRole (to which my SQL Server User account belongs)
Is it possible to achieve the security settings I've outlined, or are they unfeasible / unnecessary? My assumption is that if I use an 'ASPNET' user account, I'll lose the ability to distinguish between (for example) a Marketing department user, and a Finance department user, and that information may be useful if I develop more sensitive data pages in the future. How do I resolve the SQL Exception I'm generating?
I have created user web control library project and these controls i'm using in my web application. These User controls just works fine in my local machine but when i moved this project(including Library) to our Local server , it is throwing security exception
Error 1 Cannot register assembly "LocalServerLibraryDemoLibraryDemoLibraryinDebugLibrary.dll". Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=188.8.131.52, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. Library
I simply want to know how to manually check if the value a user has provided for the answer to their security question matches their current answer on record. I want to use the build in support of the membership and membershipuser objects.
I see that via the passwordrecovery control that the actual answer can be returned. However I am currently not using this control and it would take a good bit to integrate it as it does not meet our user's requirements.
In a worst case scenario, getting the actual answer (like the passwordrecovery control does) and manually checking it in our application would be acceptable.
A best case scenario is some sort of API where I can pass in the user name and the answer to their security question that was provided and simply get an indication of whether answer was correct or not.
I'm trying to allow logged user who are in department XYZ to perform some task for my third party App. I have two SQL tables named Users & UserList. The third party app (GoldMine) graps the USERNAME from the Users table and store it as UserID which I then referecnce SessionID. The UserList table has two columns (GM_UserName & Department) which I'm interested in. When a user login into the 3rd party app (GoldMine), i then compare the USERNAME (from Users table) to GM_UserName (from UserList table) and see whether GM_UserName is in = 'Dept XYZ'. Take a look at the SQL query below.
sqlDept = "SELECT USERNAME FROM Users LEFT JOIN UserList ON UserList.GM_UserName=Users.UserName WHERE UserList.Department ='Dept XYZ'"
I'm able to do this.
If Session("Userid") = "TestUser1" Or Session("UserID") = "TestUser2" Then Do this Else Do that End If BUT unable to do this... If user's Department = 'Department XYZ' Then Do This Else Do that End IF
I am creating an application hosted on GoDaddy.com. The base files are kept in a folder called /sky while the Admin files and User files are kept in /sky/Admin and /sky/User respectively. I'm having difficulty configuring the security so that when a user tries to access Admin or User files they should be redirected to the login.aspx file in the /sky folder. I keep getting an error that its trying to access sky/sky/login.aspx instead of just sky/login.aspx.
Here are the relevant sections of my web.config file.
I have a site We have different Pages under one folder. we have stored these pages information in a database table with pageid. Then we have User access table. there we store userid and pageid , for which pages user has access. Now I need to provide access to that pages only .
I deployed a website where a logged user or an anonymous user can select data and download a XML file. The website generate the XML file in the server and then deliver it.
It works fine in my development environment, but after deployment, the anonymous user can download the file, but the logged user receive this error:
System.UnauthorizedAccessException: Access to the path 'd:HostsLocalUserheringerwebsiteUpload20110107094051.xml' is denied.
It is weird that as anonymous i can do it.
The website server help states this:
"Grant write, modify, delete access rights on website's folder
Your website executes under unique user account that by default has full control over the website's folder. So your application can create, open, read, write and delete files and folders inside of your root folder.
There is no need and no way to change this permissions.
If, when running ASP.Net application, you still unable to create file or update it, you have to check your Web.Config file for "<Identity impersonate..." tag and remove it.
The only exception is when the application tries to modify a file or folder in "Application_Start" event of Global.asax file. This is by design that user authenticated only after the Application_Start even. Before the user is authenticated your website runs under an identity of Application Pool which is "Network services". That account doesn't have access to the folder of your website.
To make it work you eather have to move the code that tries to modify files or folders out of the "Application_Start" event of the Global.asax file or inside the event you'll need to impersonate your user by code."
But i am not using impersonate and the tag is not in my web.config.
I am createing user dynamially with the below code; string MyPassword = Membership.GeneratePassword(8,0).ToString(); Membership.CreateUser(TextBox7.Text, MyPassword, TextBox8.Text); but before I start creating, I would like to check if the user name is used before or not.
I facing a problem here. how can I make the create user wizard category all the new user become normal user role? I have created 2 role which is Manager and Normal User. Normal User can't view the Manager page. But after i create a new user account, i can view manager and normal user page. I want to make all the new member registration will be normal user role?
Im pretty much a newb when it comes to developing throuh ASP.net. I was wondering if there is a way to allow users who create new accounts using the "Create New User Wizard" through VWD to select the type of role they belong to, or do I have to build a custom extender to do that?
The reason for this is I want the end user to select what "Type" (Role) of user they are and then have their user role page load and store their personal information in that role's section of the back end sql database.
Our application lets the administrator create new users. Since the administrator is logged in, I have set Logincreateduser = false so that the administrator is not logged out even after creating the new user.
The problem is :I need the userid of the newly created user to store additional details of the user in another database table. I see that i can get the username using Createuserwizard1.username; but how do I get the userID?
On our website users can sign up. The sign up controls (converted to a template) has the usual text boxes and then the create user button. When pressing this button the account is created. After reloading the website, the user can see his credentials in his 'my account' tab. Question: How can we access the newly created user (especially his userid) right after the create user button was clicked? Right now this does not work, we can only start accessing this after the page has been reloaded. But surely the account is created the instant the button was pressed. I have tried this: