Re: Login security for a form
From: Jen (polarwarp_at_hotmail.com)
Date: 02/19/04
Date: 19 Feb 2004 15:40:55 -0800
If it's redirecting to the login page it sounds like either the cookie
isn't persisting properly or the login isn't successful.
Can I ask why you have two web.config files? I thought (and I could
be wrong) that a Web Application has only one web.config file that it
loads up when running so am a little unclear about why you have the
second one. If you want a timeout value - you would set that on the
cookie you create.
I have this in my web.config file:
<authentication mode="Forms">
  <forms name="demoReport"
         loginUrl="login.aspx"
         protection="All"
         timeout="30"
         path="/" />
</authentication>
<authorization>
  <deny users="?" />
</authorization>
I set the start page to be report.aspx and when I run it, it sends me to
login.aspx to authenticate me. I'm actually authenticating against
Active Directory in a custom method but my code for the ticket is:
if (sec.authenticateUser(txtUsername.Text.Trim(),
        txtPassword.Text.Trim(), "Domain"))
{
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        txtUsername.Text.Trim(), cbPersistCookie.Checked, 30);

    // Encrypt the cookie using the machine key for secure transport
    string hash = FormsAuthentication.Encrypt(ticket);
    HttpCookie cookie = new HttpCookie(
        FormsAuthentication.FormsCookieName, // Name of auth cookie
        hash);                               // Encrypted ticket

    // Set the cookie's expiration time to the ticket's expiration time
    if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;

    // Add the cookie to the list for outgoing response
    Response.Cookies.Add(cookie);

    // Redirect to requested URL, or homepage if no previous page requested
    string returnUrl = Request.QueryString["ReturnUrl"];
    if (returnUrl == null) returnUrl = "/";

    // Don't call FormsAuthentication.RedirectFromLoginPage since it could
    // replace the authentication ticket (cookie) we just added
    Response.Redirect(returnUrl);
}
and this works for me. Have you checked that the authenticated method
you're using is returning true (sorry to ask a stupid question)?
Hope this helps!! I've only just got this working so am pretty
excited about it :)
Jen
polarwarp@hotmail.com
"David W. Simmonds" <david@simmonds.ca> wrote in message news:<wB8Zb.568446$ts4.160273@pd7tw3no>...
> Even more info:
>
> It seems that the Redirect is working fine, but it is redirecting back to
> the login page even though the url does not contain LoginPage.aspx. It
> contains the url to the aspx page that is in the protected folder. Now I
> really don't know what is happening now. It's as if the authentication
> succeeds, but it redirects me back to the same login page anyway.
>
> "David W. Simmonds" <david@simmonds.ca> wrote in message
> news:lo8Zb.564544$X%5.156411@pd7tw2no...
> > More info:
> >
> > It appears that the url obtained from FormsAuthentication.GetRedirectUrl is
> > not a fully qualified url. It is a relative url. Is there a way to fully
> > qualify it? If I put http://www.microsoft.com in the Response.Redirect
> > method, the redirect occurs.
> >
> > "David W. Simmonds" <david@simmonds.ca> wrote in message
> > news:v38Zb.564404$X%5.377677@pd7tw2no...
> > > I have a form that will prompt for a user name/password. In VS.NET, I have
> > > the protected form in a folder named Admin. I have a Web.config file in that
> > > folder as well. It contains the following section:
> > >
> > > <authorization>
> > > <deny users="?" />
> > > <allow users="*" />
> > > </authorization>
> > >
> > > In the root folder where the other forms are located I have a Web.config
> > > file with the following section:
> > >
> > > <authentication mode="Forms">
> > > <forms loginUrl="LoginPage.aspx?DB=Photos" timeout="10080" />
> > > </authentication>
> > >
> > > In LoginPage.aspx, I have a user name and password edit box and a Login
> > > button. When clicked it executes the following code:
> > >
> > > private void Login_Click(object sender, System.EventArgs e)
> > > {
> > >     if (Authenticated(UserName.Text, Password.Text))
> > >     {
> > >         string userData = "";
> > >         FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
> > >             1,
> > >             UserName.Text,
> > >             System.DateTime.Now,
> > >             System.DateTime.Now.AddMinutes(30),
> > >             Persistent.Checked,
> > >             userData,
> > >             FormsAuthentication.FormsCookiePath);
> > >
> > >         // Encrypt the ticket.
> > >         string encTicket = FormsAuthentication.Encrypt(ticket);
> > >
> > >         // Create the cookie.
> > >         Response.Cookies.Add(new HttpCookie(
> > >             FormsAuthentication.FormsCookieName, encTicket));
> > >         Response.Redirect(FormsAuthentication.GetRedirectUrl(
> > >             UserName.Text, Persistent.Checked));
> > >     }
> > >     else
> > >         Message("Invalid login");
> > > }
> > >
> > > If I specify an invalid login combination, the Message statement executes.
> > > This is good. If I specify a good combination, the form never moves from the
> > > login page. The forms are running in a frame on the page that presents them.
> > > Why would the page not be redirected when authentication is valid?
> > >
> > >
> >
> >
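
The login handler above redirects to whatever ReturnUrl the query string carries. The following added example, which is not code from either poster, shows the same ticket-and-cookie flow with the redirect restricted to local paths and the cookie flags set explicitly. LoginHelper, IsLocalUrl and SignInAndRedirect are hypothetical names, and the code assumes .NET Framework 2.0 or later (for HttpCookie.HttpOnly and string.IsNullOrEmpty).

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the thread): issues the forms-auth cookie
// and picks a safe post-login redirect target.
public static class LoginHelper
{
    // True only for rooted same-site paths such as "/Admin/report.aspx".
    // Rejects absolute URLs and "//host" or "/\host", which browsers
    // resolve to a different site.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url) || url[0] != '/') return false;
        return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
    }

    public static void SignInAndRedirect(HttpContext ctx, string userName,
                                         bool persistent, int timeoutMinutes)
    {
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, now, now.AddMinutes(timeoutMinutes),
            persistent, "", FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        // Match the path from <forms path="...">; a mismatched path means the
        // browser never sends the cookie back for the protected page.
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                          // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // follows <forms requireSSL>
        if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;
        ctx.Response.Cookies.Add(cookie);

        // ReturnUrl is caller-supplied input: follow it only when it is local,
        // otherwise fall back to the site root.
        string returnUrl = ctx.Request.QueryString["ReturnUrl"];
        if (!IsLocalUrl(returnUrl)) returnUrl = "/";
        ctx.Response.Redirect(returnUrl);
    }
}
```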