forms authentication not making users reauthenticate

Discussion in 'ASP .Net' started by Travis Parrent, Feb 10, 2004.

  1. I'm having a problem where my application forces the user to log on
    initially, but then never forces them to reauthenticate. Following is the
    login code currently but I've tried several different things. I can walk
    away from the app for an hour and come back and it will still not force them
    to log back in. Where can I look?

    Here's current login code:
    Private Sub btnLogon_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnLogon.Click
        Dim passwordVerified As Boolean = False
        Try
            'passwordVerified = VerifyPassword(txtUserName.Text, txtPassword.Text)
            'currently commented out until I get this working
            passwordVerified = True
        Catch ex As Exception
            lblMessage.Text = ex.Message
            Return
        End Try
        If passwordVerified = True Then

            Dim intReset As Boolean
            'intReset = Session("Reset") 'once again forcing value until i get reauthenticate working
            intReset = False
            If intReset = True Then
                Me.btnLogon.Visible = False
                Me.btnReset.Visible = True
                lblMessage.Text = "YOU MUST RESET YOUR PASSWORD TO CONTINUE! Please enter a NEW password in the box above and click the Reset Password button. You will then have to log in again."
            Else
                'Dim roles As String = GetCustomers(txtUserName.Text) '
                'Trying to force it to timeout right away to test to make sure it reauthenticates
                Dim authTicket As New System.Web.Security.FormsAuthenticationTicket(1, txtUserName.Text, DateTime.Now, DateTime.Now.AddSeconds(10), False, "blah")
                Dim encryptedTicket As String = System.Web.Security.FormsAuthentication.Encrypt(authTicket)
                Dim authCookie As New HttpCookie(System.Web.Security.FormsAuthentication.FormsCookieName, encryptedTicket)
                Response.Cookies.Add(authCookie)
                Response.Redirect(Request("ReturnURL"))
                'other things i've tried...
                'System.Web.Security.FormsAuthentication.GetRedirectUrl(txtUserName.Text, False))
                'FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, False)
            End If

        Else
            lblMessage.Text = "Invalid username or password"
        End If
    End Sub 'btnLogon_Click

    Here's current web.config settings for authentication and authorization:

    <authentication mode="Forms">
        <forms loginUrl="login.aspx" name="sqlAuthCookie" timeout="1" path="/" slidingExpiration="false"></forms>
    </authentication>
    <!-- AUTHORIZATION
         This section sets the authorization policies of the application.
         You can allow or deny access to application resources by user or role.
         Wildcards: "*" mean everyone, "?" means anonymous (unauthenticated) users.
    -->
    <authorization>
        <deny users="?" />
        <allow users="*" /> <!-- Allow all users -->
        <!-- <allow users="[comma separated list of users]"
                    roles="[comma separated list of roles]"/>
             <deny users="[comma separated list of users]"
                   roles="[comma separated list of roles]"/>
        -->
    </authorization>

    Any help appreciated,
    Travis
    Travis Parrent, Feb 10, 2004
    #1

  2. I may have answered my own question. I found this code in global.asax.vb:

    ' Needs Imports System.Web.Security and System.Security.Principal at the top of the file
    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        ' Fires upon attempting to authenticate the user
        Dim cookieName As String = FormsAuthentication.FormsCookieName
        Dim authCookie As HttpCookie = Context.Request.Cookies(cookieName)
        If authCookie Is Nothing Then
            Return
        End If
        Dim authTicket As FormsAuthenticationTicket = Nothing
        Try
            authTicket = FormsAuthentication.Decrypt(authCookie.Value)
        Catch ex As Exception
            Return
        End Try
        If authTicket Is Nothing Then
            Return
        End If
        Dim role As String() = authTicket.UserData.Split(New Char() {"|"c})
        Dim id As New FormsIdentity(authTicket)
        Dim principal As New GenericPrincipal(id, role)
        Context.User = principal
    End Sub

    I didn't write this app, and I'm pretty new to ASP.NET, but can someone
    quickly explain what this code is doing?

    It must somehow be re-authenticating the user automatically. I want to
    remove it but not sure what effects that will have overall and not sure why
    it was put here to begin with??

    Thanks,
    Travis


    "Travis Parrent" <> wrote in message
    news:%232mMnO$...
    > I'm having a problem where my application forces the user to log on
    > initially, but then never forces them to reauthenticate. Following is the
    > login code currently but I've tried several different things. I can walk
    > away from the app for an hour and come back and it will still not force them
    > to log back in. Where can I look?
    Travis Parrent, Feb 10, 2004
    #2