Authentication Not Required When it Should Be?


David Krussow

I have implemented ASP.NET Forms authentication in a test app. The app has a
number of forms - only one of which requires authentication in order to be
viewed (the "secured form"). Everything works as the documentation says it
should - with the exception that on subsequent browser sessions, the single
form that should require authentication in order to be viewed does, in fact,
display without the login form first appearing. In other words, it can be
viewed without the user first being authenticated.

I understand the 2nd parameter of the
[System.Web.Security.FormsAuthentication.RedirectFromLoginPage(string,bool)]
method controls whether a persistent cookie is created - so that ASP.NET can
"know" if the current user has been previously authenticated (during
previous browser sessions). However, in my testing, I have set that 2nd
parameter to both 'true' and 'false' and get the same result every time
(meaning that the secured form will appear on subsequent browser sessions
*without* the user first being redirected to the login form).

In my testing I have observed the value of Request.IsAuthenticated. The
value it contains (true or false) reflects whether the user has actually
been authenticated (as expected) - and accurately reflects the state of the
2nd parameter of the RedirectFromLoginPage() method as it was executed
during the previous browser session. However, the value of
Request.IsAuthenticated does not correlate with the login form appearing
when the user goes to view the secured form (the user can view the "secured
form" on subsequent browser sessions without having to first authenticate).

I find it odd and unexpected and problematic that on browser sessions after
the one in which the user was authenticated, Request.IsAuthenticated can be
'false' and yet ASP.NET still shows a page that should require
authentication in order to be viewed.

The only way I can get it to behave as expected is to go into IE6 | Tools |
Internet Options | and delete both cookies and Files in the Temporary
Internet files section of the General tab. This is how I get back to the
"baseline" normal state - the state in which the user is redirected to the
login form prior to being allowed to view the secured form.

FWIW:
I'm running IIS5, VS.NET 2003 - both on a stable WinXP Pro/SP1 development
machine. IE6/SP2 is the only browser I'm testing with for now.

Here are the relevant entries from Web.config:
<system.web>
    ....
    <authentication mode="Forms">
        <forms name="TestAppAuth" loginUrl="login.aspx" protection="All"
               path="/" />
    </authentication>
    ....
</system.web>

<location path="testform3.aspx">
    <system.web>
        <authorization>
            <deny users="?"/>
        </authorization>
    </system.web>
</location>



Any ideas? What am I missing?

Thanks.
 

anony

I had this problem too... It's because the pages are still cached, as is
evident from the expected behavior appearing after clearing the temp files. I
played around with setting the pages to expire, and it worked. I don't
think I'm doing it exactly the right way, but I'm using the following:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;222064
http://www.htmlgoodies.com/beyond/nocache.html

Response.Cache.SetCacheability(HttpCacheability.Private, "Community=DEV")


Brian

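An added example, not code posted by either participant: an IHttpModule for ASP.NET 1.1 that marks responses to Forms-protected pages as non-storable, so the browser cannot replay a cached copy of the "secured form" in a later session and has to revisit the server, where the <deny users="?"/> rule redirects an unauthenticated user to login.aspx. The module name, the Web.config registration and the hard-coded path list are assumptions; only testform3.aspx comes from the thread.

```csharp
// Register in Web.config (assumed), inside <system.web>:
//   <httpModules>
//     <add name="NoCacheForProtectedPages" type="NoCacheForProtectedPagesModule" />
//   </httpModules>
using System;
using System.Globalization;
using System.Web;

public class NoCacheForProtectedPagesModule : IHttpModule
{
    // Assumption: the page covered by the <location> element in the question.
    // A real deployment would read this list from configuration.
    private static readonly string[] ProtectedFiles = { "/testform3.aspx" };

    public void Init(HttpApplication app)
    {
        // Fires after the page handler has run but before headers are sent,
        // so cache-policy changes made here still reach the client.
        app.PostRequestHandlerExecute += new EventHandler(OnPostRequestHandlerExecute);
    }

    private static void OnPostRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // Cover the configured pages, and never let a browser store any
        // response that was produced for an authenticated user.
        if (ctx.Request.IsAuthenticated || IsProtected(ctx.Request.FilePath))
            ApplyNoStore(ctx.Response);
    }

    // Case-insensitive suffix match on the request path (IIS paths are not case-sensitive).
    internal static bool IsProtected(string filePath)
    {
        string lower = filePath.ToLower(CultureInfo.InvariantCulture);
        foreach (string p in ProtectedFiles)
            if (lower.EndsWith(p))
                return true;
        return false;
    }

    internal static void ApplyNoStore(HttpResponse response)
    {
        // Cache-Control: no-cache (ASP.NET also emits Pragma: no-cache and Expires: -1)
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        // Cache-Control: no-store, so neither IE's Temporary Internet Files nor a proxy keeps a copy
        response.Cache.SetNoStore();
        // Cache-Control: must-revalidate, for any cache that ignores the above
        response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
    }

    public void Dispose() { }
}
```

After deploying, confirm with a proxy or the browser's network trace that the secured page comes back with Cache-Control: no-cache, no-store, must-revalidate; a second browser session should then produce a fresh request that hits the authorization check and the login redirect.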
 
