Forms Authentication and Cookies

Discussion in 'ASP .Net Security' started by fcs, Feb 20, 2008.

  1. fcs

    fcs Guest

    Hi,
    We have an ASP application under C# talking to MS SQL 2000. It has no
    problem with Windows authentication for almost 200 users who are registered
    in Active Directory. The application has several different folders, though.

    Now we are going to use a copy wide open on the internet, for more users,
    under SSL and Forms Authentication.

    Based on Microsoft best practice, we have a users table having userId and
    hashed passwords.
    Passwords are hashed using forms salt and encryption. No problem with that,
    but cookies are not extended when the client is sending posts. I tried to
    manually extend it in the Global file under
    Application_AuthenticateRequest by using, let's say, myCookie.Expires =
    DateTime.Now.AddMinutes(1);

    but nothing!

    And something else: when cookies are expired, the user is sometimes sent to
    the Log On page, sometimes not! And when not, there is a prompt for userid
    and PW which doesn't help at all.

    Any notes? Or resources on the internet? (I found some basic examples but
    nothing more.)



    Thanks,

    Vaf
     
    fcs, Feb 20, 2008
    #1

  2. Which version of ASP.Net are you using?

    Did you look at the slidingexpiration attribute of the <form> element in the
    web.config? If set to true then it should be extending the timeout value
    whenever a new request is made.

    Hope this helps,
    Mark Fitzpatrick
    Microsoft MVP- Expression
     
    Mark Fitzpatrick, Feb 20, 2008
    #2

  3. fcs

    fcs Guest

    Thanks Mark! Timeout extension is in place now!
    Vaf
     
    fcs, Feb 20, 2008
    #3
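
An added example, not code from the thread: changing `Expires` on the cookie object does not move the expiration stored inside the encrypted forms ticket, so a manual extension has to re-issue the ticket on the response, which is what the forms authentication module does on its own once sliding expiration is enabled in web.config. The sketch assumes ASP.NET 2.0 or later; the `Global` class name is an assumption.

```csharp
// Global.asax.cs (illustrative; class name assumed, not from the thread)
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // The browser sends back only name=value; the request cookie has no usable Expires.
        HttpCookie incoming = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (incoming == null || string.IsNullOrEmpty(incoming.Value))
            return;

        FormsAuthenticationTicket ticket;
        try
        {
            // The authoritative expiration lives inside the encrypted, MAC-protected ticket.
            ticket = FormsAuthentication.Decrypt(incoming.Value);
        }
        catch (Exception)
        {
            return; // tampered or undecryptable cookie: leave the request anonymous
        }

        if (ticket == null || ticket.Expired)
            return; // expired tickets are never revived; the user must log on again

        // Returns the same instance unless more than half the lifetime has elapsed.
        FormsAuthenticationTicket renewed = FormsAuthentication.RenewTicketIfOld(ticket);
        if (ReferenceEquals(renewed, ticket))
            return;

        // Re-issue on the RESPONSE so the browser replaces its copy.
        HttpCookie outgoing = new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(renewed));
        outgoing.Path = FormsAuthentication.FormsCookiePath;
        outgoing.HttpOnly = true;                        // not readable from script
        outgoing.Secure = FormsAuthentication.RequireSSL; // follows requireSSL in web.config
        if (renewed.IsPersistent)
            outgoing.Expires = renewed.Expiration;       // session cookie otherwise
        Response.Cookies.Add(outgoing);
    }
}
```

Since the site is served under SSL, setting `requireSSL="true"` on the forms configuration makes `outgoing.Secure` true here, so the ticket is never sent over plain HTTP.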