Forms authentication - clean cookie when close browser

Discussion in 'ASP .Net Security' started by SushiSean, Feb 23, 2007.

  1. SushiSean

    SushiSean Guest

    Hello. I use forms authentication and it works except for one thing.
    I want to make users log in again (enter login and pass) when they
    close the browser.

    I have these settings in Web.config:

    <authentication mode="Forms">
      <forms loginUrl="login.aspx" cookieless="UseCookies"
             name="LoginUserCookie" slidingExpiration="true"
             enableCrossAppRedirects="true" requireSSL="false" timeout="1"
             protection="None" defaultUrl="simple.aspx">
        <credentials passwordFormat="Clear">
          <user name="test1" password="test2" />
          <user name="root" password="admin" />
        </credentials>
      </forms>
    </authentication>

    <authorization>
      <deny users="?" />
    </authorization>


    It works like this:
    1. Open the site and log in
    2. Redirect to defaultUrl
    3. Close the browser
    4. Open the browser and get defaultUrl (not the login page!!)

    The question is: why doesn't it ask to re-enter the login if somebody closes the browser,
    and how do I make this work?
    SushiSean, Feb 23, 2007

  2. How do you set the ticket?

    using FormsAuthentication.RedirectFromLoginPage or SetAuthCookie -

    they both have a boolean parameter - usePersistentCookie (or similar) - if
    set to true - the cookie will be saved on the user's hard drive and re-used.

    Oh and btw - don't set protection="None" !!! This is very dangerous - leave
    it at the default value (which is 'all')

    Also disable 'enableCrossAppRedirects' if you don't need it (and you will
    only need that in special cases with cookieless auth).


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    Dominick Baier, Feb 23, 2007
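
    The non-persistent ticket described in the reply above, as an added example that is not code from either poster. It is a code-behind for login.aspx; the control names UserName, Password and ErrorLabel and the handler name are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for login.aspx. UserName, Password and ErrorLabel are assumed
// controls declared in the page markup; the names are hypothetical.
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text.Trim();

        // Validates against the <credentials> section in Web.config.
        if (!FormsAuthentication.Authenticate(user, Password.Text))
        {
            ErrorLabel.Text = "Invalid user name or password.";
            return;
        }

        // Second argument is createPersistentCookie. false => the cookie is
        // sent without an expiry date, so the browser holds it in memory only
        // and discards it when the browser is closed.
        FormsAuthentication.SetAuthCookie(user, false);

        // Sanity check: a session cookie has Expires left at DateTime.MinValue.
        HttpCookie issued = Response.Cookies[FormsAuthentication.FormsCookieName];
        if (issued == null || issued.Expires != DateTime.MinValue)
        {
            FormsAuthentication.SignOut();
            throw new InvalidOperationException("Auth cookie was issued as persistent.");
        }

        // Return to the originally requested page, or to defaultUrl if none.
        Response.Redirect(FormsAuthentication.GetRedirectUrl(user, false));
    }
}
```

    A browser configured to restore the previous session on startup may keep session cookies across a restart, so the ticket timeout in Web.config remains the server-side limit on how long the ticket is accepted.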