forms authentication -- expired forms cookie vs. not provided forms cookie

Discussion in 'ASP .Net Security' started by Eric, Jan 27, 2006.

  1. Eric

    Eric Guest

    I want my users to get a login page if they forms cookie is not present, but
    if the forms cookie is present and expired, I want them to get a timeout
    page. Is this possible with forms authentication?
     
    Eric, Jan 27, 2006
    #1
    1. Advertising

  2. Hi,

    i don't know any programmatic way to distinguish between these two states.
    no.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > I want my users to get a login page if they forms cookie is not
    > present, but if the forms cookie is present and expired, I want them
    > to get a timeout page. Is this possible with forms authentication?
    >
     
    Dominick Baier [DevelopMentor], Jan 27, 2006
    #2
    1. Advertising

  3. Eric

    Eric Guest

    Re: forms authentication -- expired forms cookie vs. not provided

    Thank you for a quick reply. I was able to kind of "fake" forms
    authentication based on existence of ReturnUrl in the query string. I put
    code in the Application_AuthenticateRequest() event where if request is not
    authenticated but the ReturnUrl is present in the query string, I attempt to
    decrypt the forms cookie. If cookie exists and I'm able to decrypt it, I then
    check if it's expired. If it's expired, I redirect to the timeout page. If
    I'm already logged in and after letting forms cookie to expire I attempt to
    load the page that requires non-authenticated user, forms authentication will
    redirect me to the login page with ReturnUrl, which is what I look for in the
    Application_AuthenticateRequest. Looks like it's working, but I'm not sure if
    it's the best solution.

    "Dominick Baier [DevelopMentor]" wrote:

    > Hi,
    >
    > i don't know any programmatic way to distinguish between these two states.
    > no.
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    > > I want my users to get a login page if they forms cookie is not
    > > present, but if the forms cookie is present and expired, I want them
    > > to get a timeout page. Is this possible with forms authentication?
    > >

    >
    >
    >
     
    Eric, Jan 27, 2006
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Gibble
    Replies:
    6
    Views:
    1,694
    =?Utf-8?B?VmlqYXk=?=
    May 15, 2007
  2. Les Caudle
    Replies:
    7
    Views:
    1,224
    Walter Wang [MSFT]
    Jul 31, 2007
  3. gnewsgroup
    Replies:
    1
    Views:
    398
    bruce barker
    Nov 13, 2007
  4. Replies:
    5
    Views:
    1,243
    Steven Cheng [MSFT]
    Aug 29, 2008
  5. rgouge

    Forms Authentication and Authentication Cookie

    rgouge, Jun 20, 2005, in forum: ASP .Net Security
    Replies:
    3
    Views:
    253
    Dominick Baier [DevelopMentor]
    Jun 20, 2005
Loading...

Share This Page