forms-authentication | 易学教程

Why are my forms authentication tickets expiring so fast?

阅读更多关于 Why are my forms authentication tickets expiring so fast?

问题 I'm using forms authentication in an ASP.NET application. I configure the FormsAuthenticationTicket to expire in 1 year but it actually expires after 1 hour or so. I can't figure out why. Here is all the code involved in the login process: public static bool Login(int id) { try { string securityToken = UserHelper.AuthenticateUser(id); DateTime expiryDate = DateTime.Now.AddYears(1); FormsAuthenticationTicket ticket = new FormsAuthenticationTicket( 1, id.ToString(), DateTime.Now, expiryDate,

Windows Authentication and Forms Authentication together for ASP.NET

阅读更多关于 Windows Authentication and Forms Authentication together for ASP.NET

I am developing an internally-facing application that needs to automatically authenticate users via Windows Authentication and fall back to Forms authentication. The fall back would occur in situations where the user on a computer logged in as a group account (such as an operations center). I'm concerned about security where a user could "spoof" the Windows Authentication account. Do any of you all know of a design pattern and pragmatic idea that would fit this specific scenario? Technical Constraints: .NET 3.5 on IIS 6 (IIS 7 is currently a non-starter in our environment) Thanks! There's an

ASP Website does not seem to use machineKey in Web.Config for FormsAuthentication.Decrypt

阅读更多关于 ASP Website does not seem to use machineKey in Web.Config for FormsAuthentication.Decrypt

I want to pass the authentication cookie from my ASP.Net MVC 5 (.Net 4.5.1, hosted locally on iisexpress, run from Visual Studio) to my WCF Service (.Net 4.5.1, hosted locally on WcfSvcHost, run from same Visual Studio Solution) and decrypt it there. I have configured both to use the same machinekey (Web.config for ASP, App.config for WCF): <machineKey validationKey="930681CA8CDC1BC09118D6B37E4A1B7712CEDBBD9FA1E35407EA1CD440C7E6F2DB9E93DADAC4098F90ACC7417DBE57C196722FC67F313A6AAE0F946E2FF731B6" decryptionKey="714C9581DA522C636B2D97D80276D5ACC02C274A11ABF117C76181B0480D4AEA" validation="SHA1"

Problem creating persistent authentication cookie: ASP.NET MVC

阅读更多关于 Problem creating persistent authentication cookie: ASP.NET MVC

问题 OK, here's my code to create an authentication cookie: // get user's role List<UserType> roles = rc.rolesRepository.GetUserRoles(rc.userLoginRepository.GetUserID(userName)); List<string> rolesList = (from r in roles select r.ToString()).ToList(); string[] rolesArr = rolesList.ToArray(); // create encryption cookie FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket( 1, userName, DateTime.Now, DateTime.Now.AddDays(90), createPersistentCookie, String.Join(";",rolesArr) //user's

How secure is basic forms authentication in asp.net?

阅读更多关于 How secure is basic forms authentication in asp.net?

问题 Imagine that you have a simple site with only 2 pages: login.aspx and secret.aspx. Your site is secured using nothing but ASP.net forms authentication and an ASP.net Login server control on login.aspx. The details are as follows: The site is configured to use the SqlMembershipProvider The site denies all anonymous users Cookies are disabled The are obviously many things to consider regarding security but I am more interested in the zero code out of box experience that comes with the .net

Best practice to maintain a user id (MVC)

阅读更多关于 Best practice to maintain a user id (MVC)

I use FormsAuthentication, but I've added a custom MemberShipProvider to validate against a custom User Table. All tables containing "user data" have a idUser column, so I need to maintain the user id in order to present the user with his data. Previously I've used a session variable (ASP.NET Webform), but as I am rewriting the webapplication to MVC, I'd like to ask what is generally considered as the best approach for this. Is session variable still the best place to hold the idUser, or should I add a custom "Current.User.Identity" which in addition to username also holds a public userId ??

ASP.NET site auto-login during development

阅读更多关于 ASP.NET site auto-login during development

While developing an ASP.NET site, is the a way to setup automatic login? For example, each time I build the site and run it, I have to login again. I don't want to disable security entirely, but I would like to automate the process of logging in while I'm working on the site. Just keep your browser open and Ctrl+F5 after you modify and/or recompile in Visual Studio. This will keep the authentication cookie. Another possibility is to setup an automatic login page in which you would test whether you are in Debug mode and force a Login by using FormsAuthentication.RedirectFromLoginPage(

Forms Authentication timing out when it shouldn't?

阅读更多关于 Forms Authentication timing out when it shouldn't?

问题 I have a problem with an ASP.NET application that is driving me nuts. When a user leaves a page inactive for a period of time the session was timing out and error were being thrown due to session variables not being resolvable (I will error trap this anyway but this is not the problem). I coded a 'defribulator' which will perform an invisible postback after half of the session timeout has expired and this seemed to work fine - leaving the application for 30 mins did not cause an error even

Setting up Forms Authentication for multiple Web Apps in MVC 5 based on OWIN

阅读更多关于 Setting up Forms Authentication for multiple Web Apps in MVC 5 based on OWIN

问题 I am in process of setting up my 1st MVC Web App. I know I need to provide a Forms Based Authentication model as well as I know I will be reusing it for multiple other internal web apps as well. All the documentation for MVC 5 Authentication, which I believe is all based on OWIN stuff, have it "baked" into a single web app using EF Code First no less. What I am trying is to have an another Web App that I strip everything out of except for the Account stuff and then try to "point" my web apps

Forms Authentication ReturnUrl and subdomain for single sign-on

阅读更多关于 Forms Authentication ReturnUrl and subdomain for single sign-on

问题 I have a domain http://abc.com and a subdomain http://sub.abc.com . I'm implementing single sign-on between the two sites by sharing the forms authentication cookie. This is implemented by having both sites share the validationKey and decryptionKey in the machineKey. When the user hits a page in the subdomain I want the user authenticated in the root domain and redirected back to the subdomain. The user is redirected to the login page currently but the ReturnUrl wants to redirect to the root