Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   ASP .Net Security (http://www.velocityreviews.com/forums/f62-asp-net-security.html)
-   -   Forms Authentication and Cookies (http://www.velocityreviews.com/forums/t769770-forms-authentication-and-cookies.html)

fcs 02-20-2008 06:59 PM

Forms Authentication and Cookies
 
Hi,
we have an ASP application under C# talking to MS SQL 2000, it has no
problem with windows authentication for almost 200 users who are registered
in Active Directory. Application has several different folders though.

Now we are going to use a copy wide open in the internet, for more users,
under SSL and Forms Authentication.

based on Microsoft best practice, we have users table having userId and
hashed passwords.
passwords are Hashed using forms salt and encryption. no problem with that,
but cookies are not extended when client is sending posts. I tried to
manually extend it in Global file under:
Application_AuthenticateRequest by using let say myCookie.Expires =
DateTime.Now.AddMinutes(1);

but nothing!

and something else, when cookies are expired, user is sometimes sent to Log
On page, sometime not! and when not, there is a prompt for userid and PW
which doesn't help at all.

any note? or resources in the internet? (found some basic examples but
nothing more)



Thanks,

Vaf






Mark Fitzpatrick 02-20-2008 09:51 PM

Re: Forms Authentication and Cookies
 
Which version of ASP.Net are you using?

Did you look at the slidingexpiration attribute of the <form> element in the
web.config? If set to true then it should be extending the timeout value
whenever a new request is made.

Hope this helps,
Mark Fitzpatrick
Microsoft MVP- Expression

"fcs" <fcs@fcs.fcs> wrote in message
news:OX55%23K$cIHA.1184@TK2MSFTNGP04.phx.gbl...
> Hi,
> we have an ASP application under C# talking to MS SQL 2000, it has no
> problem with windows authentication for almost 200 users who are
> registered
> in Active Directory. Application has several different folders though.
>
> Now we are going to use a copy wide open in the internet, for more users,
> under SSL and Forms Authentication.
>
> based on Microsoft best practice, we have users table having userId and
> hashed passwords.
> passwords are Hashed using forms salt and encryption. no problem with
> that,
> but cookies are not extended when client is sending posts. I tried to
> manually extend it in Global file under:
> Application_AuthenticateRequest by using let say myCookie.Expires =
> DateTime.Now.AddMinutes(1);
>
> but nothing!
>
> and something else, when cookies are expired, user is sometimes sent to
> Log
> On page, sometime not! and when not, there is a prompt for userid and PW
> which doesn't help at all.
>
> any note? or resources in the internet? (found some basic examples but
> nothing more)
>
>
>
> Thanks,
>
> Vaf
>
>
>
>
>



fcs 02-20-2008 10:24 PM

Re: Forms Authentication and Cookies
 
thanks Mark! timeout extention is in place now!
Vaf
"Mark Fitzpatrick" <markfitz@fitzme.com> wrote in message
news:%23OMoxqAdIHA.484@TK2MSFTNGP06.phx.gbl...
> Which version of ASP.Net are you using?
>
> Did you look at the slidingexpiration attribute of the <form> element in
> the web.config? If set to true then it should be extending the timeout
> value whenever a new request is made.
>
> Hope this helps,
> Mark Fitzpatrick
> Microsoft MVP- Expression
>
> "fcs" <fcs@fcs.fcs> wrote in message
> news:OX55%23K$cIHA.1184@TK2MSFTNGP04.phx.gbl...
>> Hi,
>> we have an ASP application under C# talking to MS SQL 2000, it has no
>> problem with windows authentication for almost 200 users who are
>> registered
>> in Active Directory. Application has several different folders though.
>>
>> Now we are going to use a copy wide open in the internet, for more users,
>> under SSL and Forms Authentication.
>>
>> based on Microsoft best practice, we have users table having userId and
>> hashed passwords.
>> passwords are Hashed using forms salt and encryption. no problem with
>> that,
>> but cookies are not extended when client is sending posts. I tried to
>> manually extend it in Global file under:
>> Application_AuthenticateRequest by using let say myCookie.Expires =
>> DateTime.Now.AddMinutes(1);
>>
>> but nothing!
>>
>> and something else, when cookies are expired, user is sometimes sent to
>> Log
>> On page, sometime not! and when not, there is a prompt for userid and PW
>> which doesn't help at all.
>>
>> any note? or resources in the internet? (found some basic examples but
>> nothing more)
>>
>>
>>
>> Thanks,
>>
>> Vaf
>>
>>
>>
>>
>>

>





All times are GMT. The time now is 11:22 PM.

Powered by vBulletin®. Copyright ©2000 - 2014, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.