Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > Programatically Logging in a User

Reply
Thread Tools

Programatically Logging in a User

 
 
Jonathan Wood
Guest
Posts: n/a
 
      10-20-2009
I'm writing code to log in a user without using the standard Login control.

The following code seems to do the trick.

if (Membership.ValidateUser(txtUserName.Text, txtPassword.Text))
FormsAuthentication.RedirectFromLoginPage(txtUserN ame.Text, true);

But I don't get why.

Membership.ValidateUser() tells me if the credentials are valid but appears
not to actually log the user in.

FormsAuthentication.RedirectFromLoginPage() appears that it DOES log the
user in. But the docs don't seem to say anything about that:

"The RedirectFromLoginPage method redirects to the URL specified in the
query string using the ReturnURL variable name. For example, in the URL
http://www.contoso.com/login.aspx?ReturnUrl=caller.aspx, the
RedirectFromLoginPage method redirects tothe return URL caller.aspx. If the
ReturnURL variable does not exist, the RedirectFromLoginPage method
redirects to the URL in the DefaultUrl property."

My question is: Does anyone know if this is the "preferred" way to log in a
user without using the Login control. And if RedirectFromLoginPage logs a
user in, does anyone know why this wasn't documented?

Thanks.

--
Jonathan Wood
SoftCircuits Programming
http://www.softcircuits.com


 
Reply With Quote
 
 
 
 
Gregory A. Beamer
Guest
Posts: n/a
 
      10-20-2009
"Jonathan Wood" <(E-Mail Removed)> wrote in news:eBJuQkTUKHA.4780
@TK2MSFTNGP05.phx.gbl:

> FormsAuthentication.RedirectFromLoginPage() appears that it DOES log the
> user in. But the docs don't seem to say anything about that:



It does not directly, but look at the signature:

public static void RedirectFromLoginPage(
string userName,
bool createPersistentCookie,
string strCookiePath
)

The only reason to create a cookie is to track the user, so this does log
the user in at this time. I am not sure this is the best design, but since
you are in control of the code, you can determine whom to redirect and whom
not to.

Peace and Grace,


--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

Twitter: @gbworld
Blog: http://gregorybeamer.spaces.live.com

*******************************************
| Think outside the box! |
*******************************************
 
Reply With Quote
 
 
 
 
Jonathan Wood
Guest
Posts: n/a
 
      10-20-2009
"Gregory A. Beamer" <(E-Mail Removed)> wrote:

It still seems like the docs would mention that the user is logged in, as
that is the end result.

BTW, I noticed that the createPersistentCookie flag appears to mean logging
back in is not required for, maybe, 20 minutes. Does anyone know how to
increase this amount of time?

>> FormsAuthentication.RedirectFromLoginPage() appears that it DOES log the
>> user in. But the docs don't seem to say anything about that:

>
> It does not directly, but look at the signature:
>
> public static void RedirectFromLoginPage(
> string userName,
> bool createPersistentCookie,
> string strCookiePath
> )
>
> The only reason to create a cookie is to track the user, so this does log
> the user in at this time. I am not sure this is the best design, but since
> you are in control of the code, you can determine whom to redirect and
> whom
> not to.
>
> Peace and Grace,
>
>
> --
> Gregory A. Beamer
> MVP; MCP: +I, SE, SD, DBA
>
> Twitter: @gbworld
> Blog: http://gregorybeamer.spaces.live.com
>
> *******************************************
> | Think outside the box! |
> *******************************************



--
Jonathan Wood
SoftCircuits Programming
http://www.softcircuits.com


 
Reply With Quote
 
Alexey Smirnov
Guest
Posts: n/a
 
      10-21-2009
On Oct 20, 5:54*am, "Jonathan Wood" <(E-Mail Removed)> wrote:
> I'm writing code to log in a user without using the standard Login control.
>
> The following code seems to do the trick.
>
> if (Membership.ValidateUser(txtUserName.Text, txtPassword.Text))
> * * FormsAuthentication.RedirectFromLoginPage(txtUserN ame.Text, true);
>
> But I don't get why.
>
> Membership.ValidateUser() tells me if the credentials are valid but appears
> not to actually log the user in.


It looks like the description on MSDN site is not correct. They said
"Membership.ValidateUser: Verifies that the supplied user name and
password are valid.", while I think they need to mention that this is
also "Authenticates a user using supplied credentials." like this
stays here: http://msdn.microsoft.com/en-us/magazine/cc163703.aspx
 
Reply With Quote
 
Jonathan Wood
Guest
Posts: n/a
 
      10-22-2009
"Alexey Smirnov" <(E-Mail Removed)> wrote:

>> I'm writing code to log in a user without using the standard Login
>> control.
>>
>> The following code seems to do the trick.
>>
>> if (Membership.ValidateUser(txtUserName.Text, txtPassword.Text))
>> FormsAuthentication.RedirectFromLoginPage(txtUserN ame.Text, true);

>
> It looks like the description on MSDN site is not correct. They said
> "Membership.ValidateUser: Verifies that the supplied user name and
> password are valid.", while I think they need to mention that this is
> also "Authenticates a user using supplied credentials." like this
> stays here: http://msdn.microsoft.com/en-us/magazine/cc163703.aspx


Based on my tests, Membership.ValidateUser does not authenticate. It only
tells you if the login is valid. So I think the MSDN documentation is
correct there. However, I think the MSDN documentation for
FormsAuthentication.RedirectFromLoginPage is incomplete.

The article you linked looks interesting though. I'll check that out.

Thanks.

Jonathan


 
Reply With Quote
 
Gregory A. Beamer
Guest
Posts: n/a
 
      10-22-2009
"Jonathan Wood" <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> It still seems like the docs would mention that the user is logged in,
> as that is the end result.
>
> BTW, I noticed that the createPersistentCookie flag appears to mean
> logging back in is not required for, maybe, 20 minutes. Does anyone
> know how to increase this amount of time?


The main difference between cookies is this:

false = session cookie - deleted when browser is closed
true = persistent cookie - stays despite browser close

The persistent cookie is set to 30 minutes, by default, but can be extended
by the cookieTimeout attribute of the roleManager tag in web.config. This
can be a sliding amount of minutes, as set by the cookieSlidingExpiration
(true|False) in roleManager. The default for sliding is true, so it is
normal the user gets X minutes after his last hit and not just x minutes.

Peace and Grace,


--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

Twitter: @gbworld
Blog: http://gregorybeamer.spaces.live.com

*******************************************
| Think outside the box! |
*******************************************
 
Reply With Quote
 
Jonathan Wood
Guest
Posts: n/a
 
      10-22-2009
"Gregory A. Beamer" <(E-Mail Removed)> wrote:

> The main difference between cookies is this:
>
> false = session cookie - deleted when browser is closed
> true = persistent cookie - stays despite browser close
>
> The persistent cookie is set to 30 minutes, by default, but can be
> extended
> by the cookieTimeout attribute of the roleManager tag in web.config. This
> can be a sliding amount of minutes, as set by the cookieSlidingExpiration
> (true|False) in roleManager. The default for sliding is true, so it is
> normal the user gets X minutes after his last hit and not just x minutes.


Right. But for more relaxed security requirements, I'd like to implement a
*real* remember me checkbox along the lines of sites like Facebook where
users don't have to log in for many days or even months. (The "remember me"
option used by the Login control seems rather pointless.)

I'll check out the cookieTimeout attribute; however, it sounds like that's
in minutes, which may not sufficiently address what I'm trying to do here.
I'm just wondering if the ASP.NET membership can support a real remember me
option, or if I just need to implement it myself.

Thanks.

Jonathan


 
Reply With Quote
 
Gregory A. Beamer
Guest
Posts: n/a
 
      10-22-2009
"Jonathan Wood" <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> Right. But for more relaxed security requirements, I'd like to
> implement a *real* remember me checkbox along the lines of sites like
> Facebook where users don't have to log in for many days or even
> months. (The "remember me" option used by the Login control seems
> rather pointless.)


Store your own cookie and log them in using the same mechanism if the
cookie is present. That is essentially what other sites do for "remember
me". If you don't think so, then delete all cookies and go back to one of
those sites.

Peace and Grace,


--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

Twitter: @gbworld
Blog: http://gregorybeamer.spaces.live.com

*******************************************
| Think outside the box! |
*******************************************
 
Reply With Quote
 
Jonathan Wood
Guest
Posts: n/a
 
      10-23-2009
I believe you. I was just trying to figure out if ASP.NET membership
included this functionality (being how they included it partially via the
"remember me" check box). If not (and it appears they don't) I'll need my
own cookie as you suggest.

Thanks.

"Gregory A. Beamer" <(E-Mail Removed)> wrote in message
news:Xns9CAC873499F56gbworld@207.46.248.16...
> "Jonathan Wood" <(E-Mail Removed)> wrote in
> news:(E-Mail Removed):
>
>> Right. But for more relaxed security requirements, I'd like to
>> implement a *real* remember me checkbox along the lines of sites like
>> Facebook where users don't have to log in for many days or even
>> months. (The "remember me" option used by the Login control seems
>> rather pointless.)

>
> Store your own cookie and log them in using the same mechanism if the
> cookie is present. That is essentially what other sites do for "remember
> me". If you don't think so, then delete all cookies and go back to one of
> those sites.
>
> Peace and Grace,
>
>
> --
> Gregory A. Beamer
> MVP; MCP: +I, SE, SD, DBA
>
> Twitter: @gbworld
> Blog: http://gregorybeamer.spaces.live.com
>
> *******************************************
> | Think outside the box! |
> *******************************************



--
Jonathan Wood
SoftCircuits Programming
http://www.softcircuits.com


 
Reply With Quote
 
Gregory A. Beamer
Guest
Posts: n/a
 
      10-23-2009
"Jonathan Wood" <(E-Mail Removed)> wrote in
news:#(E-Mail Removed):

> I believe you. I was just trying to figure out if ASP.NET membership
> included this functionality (being how they included it partially via
> the "remember me" check box). If not (and it appears they don't) I'll
> need my own cookie as you suggest.


At one time, I thought that was the purpose too. And, you could make the
cookie last for a ridiculous number of minutes and have it serve that
purpose, if you needed to. But if you need a "forever" type of cookie, then
code your own.

Peace and Grace,

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

Twitter: @gbworld
Blog: http://gregorybeamer.spaces.live.com

*******************************************
| Think outside the box! |
*******************************************
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Re: Logging to a file and closing it again properly (logging module) Christoph Haas Python 1 06-14-2006 08:47 AM
Logging to a file and closing it again properly (logging module) Christoph Haas Python 0 06-12-2006 09:58 PM
logging buffered vs. logging history Christian Roos Cisco 4 02-05-2006 10:55 PM
java.util.logging, where to put logging.properties? janne Java 0 09-10-2004 10:18 AM
[java.util.logging] logging only to _one_ file Stefan Siegl Java 0 08-27-2003 12:29 PM



Advertisments