forms-authentication

OWIN Cookies vs FormsAuthentication

こ雲淡風輕ζ posted on 2019-12-04 05:08:15
Are there any major advantages of using OWIN cookie-based authentication over Forms Authentication cookie-based authentication for developing MVC web applications? The reason I ask is that I would not be using any of the Entity Framework based hooks for OWIN authentication. I've built apps based on Forms Authentication for years and have been able to do things like create different authentication tokens for admins (faster timeouts), anonymous users, and registered users. Using the UserData portion of the ticket I was able to implement universal sign out, store custom properties, etc. One of

Programmatically enable or disable anonymous authentication in IIS

て烟熏妆下的殇ゞ posted on 2019-12-04 04:38:19
Question: I have a web application and I need to provide its users the option to switch login method from FormsAuth to WindowsAuth. I managed to change the web.config file via code: Configuration config = WebConfigurationManager.OpenWebConfiguration(Url.Content("~")); AuthenticationSection auth = ((AuthenticationSection)(config.SectionGroups["system.web"].Sections["authentication"])); auth.Mode = AuthenticationMode.Windows; // Or Forms if I want to. config.Save(); But the problem is, when I use

Forms Authentication across virtual directories

亡梦爱人 posted on 2019-12-04 03:56:48
Question: I am trying to share forms auth from a root application to a sub application running in a virtual directory. I am having trouble with authentication in the subsite. In the parent application everything works as expected. I have the following setup: Parent application: URL : http://localhost:1336/ <forms loginUrl="~/account/sign-in" protection="All" timeout="30" name=".MYAPPLICATION" path="/" requireSSL="false" slidingExpiration="true" cookieless="UseDeviceProfile" enableCrossAppRedirects=

<machineKey decryptionKey="AutoGenerate"… being ignored by IIS. Won't invalidate previous session's cookies

久未见 posted on 2019-12-04 03:45:45
(See question below for more context): Are there any situations in which <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"/> in web.config would fail to AutoGenerate a new machineKey on App Pool recycle? This is the behavior I'm seeing... I'm using standard ASP.NET FormsAuthentication in an MVC app. If I log a user in using FormsAuthentication.GetAuthCookie and don't use a persistent cookie (relying on the browser's session to remember my authorized state), I would expect recycling the IIS App Pool to invalidate the session's knowledge of this cookie

default login url on HttpUnauthorizedResult in asp.net mvc

好久不见. posted on 2019-12-04 03:45:14
I have written a custom AuthorizeAttribute which has the following condition in asp.net mvc3 application: public override void OnAuthorization(AuthorizationContext filterContext) { //auth failed, redirect to Sign In if (!filterContext.HttpContext.User.Identity.IsAuthenticated) { filterContext.Result = new HttpUnauthorizedResult(); } } And in my web.config, I have: <authentication mode="Forms"> <forms loginUrl="~/User/SignIn" timeout="2880" /> </authentication> On authentication fail, it redirects to "/Account/Login" page by default. How do I change this default redirect url and redirect it to

forms authentication asp.net vb

女生的网名这么多〃 posted on 2019-12-04 02:27:35
Question: I have a log in page which is the home page so is located at www.domainname.com when someone goes to this page it adds a returnurl to the string so they are at: www.domainname.com/default.aspx?ReturnUrl=%2f so when they log in they get returned to http://www.domainname.com/, which is the login page again, so to access the site they have to login twice. Does anyone know how to fix this? I think a fix to this would be to allow everyone access to the home page - http://www.domainname.com/ as

Method for Sharing Forms Authentication Login between MVC.net and Web API Sites on the Same Domain

限于喜欢 posted on 2019-12-03 22:59:46
Question: I am going to have an ASP.net MVC web site (example.com) and a Web API site (api.example.com) running on the same domain. What is the best and most secure way to use Forms Authentication to allow a user to log in to the MVC site, and have that login accepted by the [Authorize] filter in the API site? Additionally, there is the possibility that both sites will be hosted on multiple servers (each of which might have its own subdomain), so a solution that would allow for a single sign on

Is there any real benefit to using ASP.Net Authentication with ASP.Net MVC?

橙三吉。 posted on 2019-12-03 22:19:34
Question: I've been researching this intensely for the past few days. We're developing an ASP.Net MVC site that needs to support 100,000+ users. We'd like to keep it fast, scalable, and simple. We have our own SQL database tables for user and user_role, etc. We are not using server controls. Given that there are no server controls, and a custom membershipProvider would need to be created, where is there any benefit left to use ASP.Net Auth/Membership? The other alternative would seem to be to create

Forms Authentication cookie not expiring

笑着哭i posted on 2019-12-03 20:32:51
I am trying to implement a very basic Asp.net forms authentication mechanism for an MVC site. The problem I am getting is that my authentication cookie is being set to expire after one year whereas I don't want it to expire after such a long time. Here is some of my code: web.config <authentication mode="Forms"> <forms loginUrl="~/Account/Login" timeout="2" /> </authentication> controller ... FormsAuthentication.SetAuthCookie(username, false); ... I have found this answer (this question is similar but in my case timeout never occurs) but is this the only way to make the cookie expire or am I

Secure Flag for ASPXAUTH Cookie

北慕城南 posted on 2019-12-03 17:48:02
Question: We have an externally facing application which was penetration-tested by an external security company. Application has been developed on ASP.NET MVC4 and running on IIS8/Windows 2012 Server. One of the vulnerabilities reported was ASPXAUTH is not secure. When I checked on the cookie inspector, there are some cookies with Secure flag. But ASPXAUTH was not one of them. I did a bit of research, and set these flags below on the web.config <forms loginUrl="~/Account/Login" timeout="2880"