Velocity Reviews - Computer Hardware Reviews
Home Forums Reviews Guides Newsgroups Register Search
Member Login:

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > Forms authentication - clean cookie when close browser

Reply
Thread Tools

Forms authentication - clean cookie when close browser

 
 
SushiSean
Guest
Posts: n/a
 
      02-23-2007
Hello. I use forms authentication and it's work except one thing.
I want push users make relogin (insert login and pass) when they
close browser.

I have those settings in Web.config :

<authentication mode="Forms">
<forms loginUrl="login.aspx" cookieless="UseCookies"
name="LoginUserCookie" slidingExpiration="true"
enableCrossAppRedirects="true" requireSSL="false" timeout="1"
protection="None" defaultUrl="simple.aspx">
<credentials passwordFormat="Clear">
<user name="test1" password="test2" />
<user name="root" password="admin" />
</credentials>
</forms>

</authentication>

<authorization >
<deny users="?" />
</authorization>


It works like this:
1. Open site and login
2. redirect defaultUrl
3 close browser
4. open browser and get defaultUrl (not login page!!)

The question is why it doesn't ask reinsert login if somebody close browser
and how to do this work?
 
Reply With Quote
 
 
 
 
Dominick Baier
Guest
Posts: n/a
 
      02-23-2007
How do you set the ticket?

using FormsAuthentication.RedirectFromLoginPage or SetAuthCookie -

they both have a boolean paramter - usePersistentCookie (or similar) - if
set to true - the cookie will be saved on the user's harddrive and re-used.

Oh an btw - don't set protection="None" !!! This is very dangerous - leave
it to the default value (which is 'all')

Also disable 'enableCrossAppRedirects' if you don't need it (and you will
only need that in special cases with cookieless auth).


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

> Hello. I use forms authentication and it's work except one thing. I
> want push users make relogin (insert login and pass) when they close
> browser.
>
> I have those settings in Web.config :
>
> <authentication mode="Forms">
> <forms loginUrl="login.aspx" cookieless="UseCookies"
> name="LoginUserCookie" slidingExpiration="true"
> enableCrossAppRedirects="true" requireSSL="false" timeout="1"
> protection="None" defaultUrl="simple.aspx">
> <credentials passwordFormat="Clear">
> <user name="test1" password="test2" />
> <user name="root" password="admin" />
> </credentials>
> </forms>
> </authentication>
>
> <authorization >
> <deny users="?" />
> </authorization>
> It works like this:
> 1. Open site and login
> 2. redirect defaultUrl
> 3 close browser
> 4. open browser and get defaultUrl (not login page!!)
> The question is why it doesn't ask reinsert login if somebody close
> browser and how to do this work?
>
 
Reply With Quote
 
 
 
Reply

« Question about cookie protection and FormsAuthentication.Encrypt | Basic password security question »
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Forms Authentication non-persistent cookie not expiring after closingthe browser rh.krish@gmail.com ASP .Net 3 04-10-2008 07:41 AM
Forms Authentication non-persistent cookie not expiring after closing the browser rh.krish ASP .Net 0 04-09-2008 05:23 AM
Browser close event (MSIE and FF): how to detect browser close ? pamelafluente@libero.it Javascript 0 01-23-2007 12:44 AM
forms authentication -- expired forms cookie vs. not provided forms cookie Eric ASP .Net Security 2 01-27-2006 10:09 PM
Forms Authentication and Authentication Cookie rgouge ASP .Net Security 3 06-20-2005 10:09 PM



Advertisments
 


Powered by vBulletin®. Copyright ©2000 - 2013, vBulletin Solutions, Inc..
SEO by vBSEO ©2010, Crawlability, Inc.
Contact Us - Archive - Privacy Statement - Top