Re: How to do forms authentication with cookieless=UseUri?



you are confusing session and authentication. they are unrelated.

forms authentication creates a login ticket and stores it in a cookie or the
url. session also creates a session ticket and stores it in a cookie or the
url. they can both use cookies, uri or be configured differently.

storing the login ticket in session just reduces the number of tickets sent
to the client.

cookie is slightly more secure (if you use https) because it's not in the url.

the most secure is to not use forms authentication but rather a secure one
like kerberos or basic over https. then you store the login in the session,
and on every session fetch, check that the login matches the authenticated
user (thus preventing session hijacks).

-- bruce (sqlwork.com)
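
One way to implement the check bruce describes, as an added example and not code from the thread: an IHttpModule that records the authenticated user in the session on first use and rejects any later request where the session's recorded owner does not match the principal the server authenticated. The module name, the session key name and the 403 response are assumptions of this example, not anything from the thread.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

// Added example: binds an ASP.NET session to the authenticated principal so
// that a stolen session id alone (cookie or URL) is not enough to hijack it.
public class SessionOwnerModule : IHttpModule
{
    // Hypothetical session key; any name not used elsewhere in the app works.
    private const string OwnerKey = "__SessionOwner";

    public void Init(HttpApplication app)
    {
        // Session state is only populated after AcquireRequestState.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpSessionState session = ctx.Session;
        if (session == null) return;   // no session for this request (e.g. static file)

        // The user IIS/ASP.NET authenticated (Kerberos, or Basic over HTTPS).
        string user = (ctx.User != null && ctx.User.Identity.IsAuthenticated)
            ? ctx.User.Identity.Name
            : null;

        string owner = session[OwnerKey] as string;

        if (owner == null)
        {
            // First authenticated request on this session: record the login.
            if (user != null) session[OwnerKey] = user;
            return;
        }

        if (!string.Equals(owner, user, StringComparison.OrdinalIgnoreCase))
        {
            // Session presented by a different (or anonymous) principal:
            // treat it as hijacked, discard it and refuse the request.
            session.Abandon();
            ctx.Response.StatusCode = 403;
            ctx.Response.End();
        }
    }

    public void Dispose() { }
}
```

Register the module under system.web/httpModules in web.config; it then runs for every request before any page code, so no per-page session check is needed.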


"gnewsgroup" wrote:

On Jan 25, 12:11 pm, bruce barker
<brucebar...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
no codebehind changes usually are required except with redirects. you should
be using relative or "~" urls. links can also be a problem.

this is because cookieless changes the url to have a login ticket. say your
site is:

http://localhost/mysite/default.aspx

in cookieless it becomes

http://localhost/mysite/<login ticket>/default.aspx

if your redirect does not include the login ticket, then the user is logged
out. you can use cookieless sessions, and the session ticket is appended to
the authentication ticket.

-- bruce (sqlwork.com)


Thanks. Our client is cookie-phobic, even if it is encrypted and only
contains the username (which is public info anyway) and some
timestamp. So, I thought maybe I can do cookieless.

But, after reading some articles online, I find that cookieless
session may even be worse because the session id directly displays
itself in the URL (at least it is much easier to steal).

So, I guess my question becomes this:

Given that cookies are not allowed, what's the most secure way of
doing authentication? I don't want to go for the classic-asp approach
of checking the session value of USERNAME (for example) on each and
every single page. I am using asp.net 2.0.



