forms-authentication

For context, I have a forms authentication timeout value set in my web.config, and am using ASP.NET MVC 1. I think it might be easiest to state my problem as 2 use cases -- the first one what happens without an authentication timeout, and the second one what happens with an authentication timeout: Normal case: The user logs into the app, and the authentication timer starts ticking. While the authentication period is still valid, the user clicks something on the page that triggers an AJAX call (through jQuery). We hit the server, process the request, and return a partial view to the user (as an

I have a WCF 4 service which is in a Secure subfolder, accessible after the client has authenticated using Forms authentication using the .NET AuthenticationService. This WCF service is for a mobile app client which communicates via json but is not an ASP.NET app. I have successfully configured the service to use json and the AuthenticationService has the standard configuration as documented in many places e.g. http://msdn.microsoft.com/en-us/library/bb398990.aspx The docmentation for the AuthenticationService says "The application must be able to send and consume a SOAP message". However I

I'm trying to implement the "Writing Information to UserData" section of this article , but it doesn't work properly when the cookie is part of the URI. My code: // Create the cookie that contains the forms authentication ticket HttpCookie authCookie = FormsAuthentication.GetAuthCookie( userName, createPersistantCookie ); // Get the FormsAuthenticationTicket out of the encrypted cookie FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt( authCookie.Value ); // Create a new FormsAuthenticationTicket that includes our custom User Data FormsAuthenticationTicket newTicket = new

First off--thanks for having a look. MY QUESTION In a .NET web app, is using Windows Authentication for a extra-net on a WAN consisting of various users, companies, user-agents, etc a bad idea? BACKGROUND I am lead dev on a fast track (very fast) web application for an extra-net that will allow the client's vendors, suppliers, partners, etc to log on and push and pull certain assets such as image files, videos, flash files, etc. PLATFORM/TECHNOLOGY Asp.Net 4.0, C#, MVC3 PROBLEM (Maybe) The client's IT department has requested that the app use Windows Authentication to authenticate users. One

I want to build a way to automatically redirect users to Timeout.aspx when their session expires due to inactivity. My application uses forms authentication and relies heavily on update panels within the same aspx page for user interaction, so I don't want to simply redirect after a page-level timer expires. For the same reason, I can't use '<meta http-equiv="refresh"/>' What I want to do is create a simple ajax web service with a method called IsSessionTimedOut(), that simply returns a boolean. I will use a javascript timer to periodically call the method, and if it returns true, then

I know I can share forms authentication across 2 subdomains sub1.domain.com , sub2.domain.com by using the following Web.config setting: <authentication mode="Forms"> <forms domain="domain.com" /> </authentication> However, I have 2 "sub-sub" domains (not sure if there's a better term for that) a.sub.domain.com , and b.sub.domain.com . Now I want to share the forms authentication cookies only on sub.domain.com , and not my entire domain.com . Is it possible to do this? I tried the obvious solution below but it doesn't work, and always redirects back to the login page: <authentication mode=

I cannot seem to isolate my forums to set different permissions for them than the rest of the site. Here is the setup for my site. <location path="."> <system.web> <authentication mode="None" /> </system.web> </location> I need to isolate my forums. At the moment, for testing purposes, I have it setup so that all users are denied access. <location path="~/public/public-forum.aspx"> <system.web> <authentication mode="Forms"> <forms loginUrl="public/login.aspx" /> </authentication> <authorization> <deny users="*" /> </authorization> </system.web> </location> What I'm finding is that I can still

I have an asp.net application which is currently using forms authentication with slidingExpiration="true". In web.config, we have the following: <authentication mode="Forms"> <forms loginUrl="Mylogin.aspx" timeout="15" slidingExpiration="true"/> </authentication> This is all to spec: There is a sliding 15 minute expiration. However, we now have a new security requirement: Users must re-authenticate every 24 hours, even if they have been "active" the whole time. In other words, even if you clicked a link in the site every minute for 24 hours straight after logging in, after 24 hours, you will