Cookieless Authentication and Relative HTML References

Discussion in 'ASP .Net' started by Mark Olbert, Jan 15, 2006.

  1. Mark Olbert

    Mark Olbert Guest

    I have a website (ASPNET2) which uses cookieless authentication.

    <img> tags on restricted-access aspx pages appear to need the URL credential fragment (i.e., the long string that encodes the user's
    credentials) to be found...which is contrary to my understanding (under 1.1, at least) as to how resources are controlled. Example:

    This tag on a restricted-access aspx page:

    <img src="/data/somefile.gif">

    Shows up as "not found" (i.e., the image contains a red x). So I tried to surf to:

    http://localhost:<port>/site/data/somefile.gif

    and got a resource not found error.

    But this URL:

    http://localhost:<port>/<long user credential fragment>/data/somefile.gif

    displays the expected image.

    Did something change between 1.1 and 2.0 in this arena?

    - Mark
     
    Mark Olbert, Jan 15, 2006
    #1

  2. Hi Mark,

    Welcome.
    As for the image file displaying in a cookieless forms authentication
    protected website (ASP.NET 2.0), are you developing and testing the
    application in the built-in test server rather than IIS? If so, this is the
    expected behavior, because the IIS server can either handle static file
    resources directly or forward the request to the ASP.NET runtime; however,
    when using the built-in test server, all the requests are handled by the
    test server (asp.net isapi...). Then, when we are using
    FormsAuthentication (cookieless), the related HttpModule will always handle
    the request and try to authenticate the user (through the embedded user
    token string....), so when using a URL string without the authenticated
    user's credential (embedded string), some problems will occur. In IIS, the
    static non-embedded token image URL will be used to request the static
    resources; you can check the IIS log to see whether web requests....

    Regards,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)



     
    Steven Cheng[MSFT], Jan 16, 2006
    #2
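
Added example (not part of any post in this thread): how a browser resolves the `<img>` references discussed above against a cookieless page URL, showing that a root-relative `src` drops the embedded credential segment while a document-relative one keeps it. The `(F(...))` segment form, host, port, paths and ticket value are assumptions constructed for illustration.

```javascript
// Assumed shape of the cookieless forms-auth segment: "/(F(<ticket>))/".
const TOKEN_SEGMENT = /\/\(F\([^)]*\)\)(?=\/)/;

// Constructed sample page URL: app root "/site", token segment, then the page.
const PAGE = "http://localhost:8080/site/(F(CONSTRUCTED-TICKET))/members/report.aspx";

// Constructed sample references as they might appear in src/href attributes.
const REFS = [
  "/data/somefile.gif",                          // root-relative (the case in the thread)
  "data/somefile.gif",                           // document-relative
  "../data/somefile.gif",                        // document-relative, one level up
  "http://localhost:8080/site/data/somefile.gif" // absolute, typed without the token
];

// Resolve each reference the way a browser does (WHATWG URL rules) and
// record whether the resulting request path still carries the token segment.
function resolveReferences(pageUrl, refs) {
  return refs.map((ref) => {
    const resolved = new URL(ref, pageUrl);
    return {
      ref,
      url: resolved.href,
      token: TOKEN_SEGMENT.test(resolved.pathname),
    };
  });
}

// References that reach the server with no credential in the URL. A server
// that runs every request through the forms-authentication module treats
// these as unauthenticated, even for static files.
function tokenless(pageUrl, refs) {
  return resolveReferences(pageUrl, refs)
    .filter((r) => !r.token)
    .map((r) => r.ref);
}

for (const r of resolveReferences(PAGE, REFS)) {
  console.log(`${r.token ? "token kept   " : "token dropped"}  ${r.ref}  ->  ${r.url}`);
}
```
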

  3. Mark Olbert

    Mark Olbert Guest

    Ouch! That's an annoying limitation of the "builtin" http server. Thanx for the info.

    - Mark
     
    Mark Olbert, Jan 16, 2006
    #3
  4. You're welcome Mark,

    I think the dev guys really omitted such a scenario, which uses cookieless
    authentication in the test server and directly requests an image through a
    normal URL... I suggest you also submit it to the MSDN feedback center for
    their reference:

    http://lab.msdn.microsoft.com/productfeedback/default.aspx

    Thanks & Regards,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    Steven Cheng[MSFT], Jan 17, 2006
    #4