forms-authentication

I have a problem with an ASP.NET application that is driving me nuts. When a user leaves a page inactive for a period of time the session was timing out and error were being thrown due to session variables not being resolvable (I will error trap this anyway but this is not the problem). I coded a 'defribulator' which will perform an invisible postback after half of the session timeout has expired and this seemed to work fine - leaving the application for 30 mins did not cause an error even though the session timeout was set for 20 mins. However, this morning one of the other Devs experienced a

The default Project template of ASP.NET MVC comes with a class named Microst.AspNet.Identity.Owin.SignInManager. This class is used to authenticate users I dont understand why should i use SignInManager instead of using simple FormsAuthentication in an ASP.NET MVC Project. What are the benefits of SignInManager? Does it authenticate in a different way according to FormsAuthentication? Is it more secure then FormsAuthentication? What can i do else with SignInManager except authentication? What is the relation between SignInManager and the code below? Does The SignInManager use the settings

When a user logs in based on default Forms Authentication method, the server creates a cookie containing encrypted data (using Machine Key as key for encryption). It means that if someone find/guess/access Machine Key for the server, he will be logged in to the web application. I've developed some applications which are on 4 servers. So, I hard-coded the same Machine Key for all the servers in machine.config and I can't use Auto Generate mode. Is it possible to brute force the Machine Key? Is there any other methods? (I don't want to use Windows and Passport) And is Forms Authentication Ticket

I have a domain http://abc.com and a subdomain http://sub.abc.com . I'm implementing single sign-on between the two sites by sharing the forms authentication cookie. This is implemented by having both sites share the validationKey and decryptionKey in the machineKey. When the user hits a page in the subdomain I want the user authenticated in the root domain and redirected back to the subdomain. The user is redirected to the login page currently but the ReturnUrl wants to redirect to the root site. Eg. Currently: http://abc.com/login.aspx?ReturnUrl=%2fsecure%2fdefault.aspx but I want: http:/

I want to use authentication on my site in order to login to the Admin section. I already have my database schema, I don't want to use the ASP.NET membership tables for SQL Server. I have three tables: Employees, Roles, and EmployeesInRoles. I'd really like to keep this as simple as possible, but I'm having trouble finding a solution. I just want to use forms authentication with my tables so employees can log in, log out, change their password, etc. If anyone could direct me to a blog post or tutorial about this, that would be great. Steven, check out my series of tutorials on website security

Last night a customer called, frantic, because Google had cached versions of private employee information. The information is not available unless you login. They had done a Google search for their domain, e.g.: site:example.com and noticed that Googled had crawled, and cached, some internal pages. Looking at the cached versions of the pages myself: This is Google's cache of https://example.com/(F(NSvQJ0SS3gYRJB4UUcDa1z7JWp7Qy7Kb76XGu8riAA1idys-nfR1mid8Qw7sZH0DYcL64GGiB6FK_TLBy3yr0KnARauyjjDL3Wdf1QcS-ivVwWrq-htW_qIeViQlz6CHtm0faD8qVOmAzdArbgngDfMMSg_N4u45UysZxTnL3d6mCX7pe2Ezj0F21g4w9VP57ZlXQ

I am attempting to secure a website I am currently developing using ASP.NET MVC 2.0 and forms authentication. In order to secure the forms authentication cookie I want to set the requiresSSL property to true so the cookie is only send by browsers when the connection is under SSL, and obviously ensure that all resources which require authorization are under SSL. My problem is that we are using Application Request Routing to fulfil a number of functions, one being SSL offloading, therefore by the time a request hits any web server in our farm the request is no longer under SSL and the

I have two websites with self written membership providers that are hostet on the same server in the same Web in different web-applications and different application pools. Formerly I had the problem, that I could not log on on both sites together. Thanks to Remy's post , this works now, I had to add the name -attribute to the forms element. But now I have the problem that the remember-me option of the asp login-control stopped to work. The user is logged off after the normal session-timeout. The authentication-attributes in the web.config file look as follows: <authentication mode="Forms" >