When are the FormsAuthentication class' configuration settings read?

Discussion in 'ASP .Net Security' started by matt, Sep 25, 2006.

  1. matt

    matt Guest

    Hi,

    I'm writing an HttpModule which is going to require certain settings in
    the FormsAuthentication configuration (for example, I need to ensure
    enableCrossAppRedirects = true).

    Now my best effort so far has been to run through the configuration
    settings I require and raise exceptions if the web.config hasn't been
    set up correctly. Ideally though, I'd like the sites this module will
    go into not to have to paste boilerplate settings into web.config, and
    instead just fix the settings from within my HttpModule's code at
    Init().

    Is this possible?

    Obviously just changing the FormsAuthentication class' properties
    doesn't work as they're read-only (though I guess using a reflection
    hack might be an option..?).

    I've tried opening the config file using WebConfigurationManager,
    changing settings and doing Save(), but these new values don't seem to
    be reflected on the FormsAuthentication class' properties.

    Can anyone with some inside / in-depth knowledge of the
    FormsAuthentication class give me some clues as to how this hangs
    together?

    thanks,
    Matt
    matt, Sep 25, 2006
    #1

  2. Hi,

    When you Save the changed config file, the appdomain will recycle and have
    the changed settings on the next restart.

    But you will need a) write access to web.config and b) the add files ACL
    for the web root for the worker process account - nothing I would recommend
    from a security perspective.

    ---
    Dominick Baier, DevelopMentor
    http://www.leastprivilege.com

    > Hi,
    >
    > I'm writing an HttpModule which is going to require certain settings in
    > the FormsAuthentication configuration (for example, I need to ensure
    > enableCrossAppRedirects = true).
    >
    > Now my best effort so far has been to run through the configuration
    > settings I require and raise exceptions if the web.config hasn't been
    > set up correctly. Ideally though, I'd like the sites this module will
    > go into not to have to paste boilerplate settings into web.config, and
    > instead just fix the settings from within my HttpModule's code at
    > Init().
    >
    > Is this possible?
    >
    > Obviously just changing the FormsAuthentication class' properties
    > doesn't work as they're read-only (though I guess using a reflection
    > hack might be an option..?).
    >
    > I've tried opening the config file using WebConfigurationManager,
    > changing settings and doing Save(), but these new values don't seem to
    > be reflected on the FormsAuthentication class' properties.
    >
    > Can anyone with some inside / in-depth knowledge of the
    > FormsAuthentication class give me some clues as to how this hangs
    > together?
    >
    > thanks,
    > Matt
    Dominick Baier, Sep 25, 2006
    #2
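
The validate-and-fail approach from the question, which only reads configuration and so needs none of the write access the reply advises against, sketched as an added example that is not code from either poster. The module name `FormsAuthSettingsGuardModule` is hypothetical, and the only required settings assumed are Forms mode and `enableCrossAppRedirects="true"` from the question.

```csharp
using System;
using System.Configuration;
using System.Web;
using System.Web.Configuration;

// Hypothetical module (not from the thread): verifies the forms authentication
// settings at start-up and fails closed instead of rewriting web.config.
public sealed class FormsAuthSettingsGuardModule : IHttpModule
{
    private static readonly object Sync = new object();
    private static bool _validated;

    public void Init(HttpApplication application)
    {
        // Init runs for every pooled HttpApplication instance; validate once per
        // appdomain. On failure _validated stays false, so each new instance
        // throws again and the site cannot run with the wrong settings.
        lock (Sync)
        {
            if (_validated) return;
            Validate();
            _validated = true;
        }
    }

    private static void Validate()
    {
        // Read-only lookup: the worker process account needs no write ACL.
        AuthenticationSection section = (AuthenticationSection)
            WebConfigurationManager.GetSection("system.web/authentication");

        if (section.Mode != AuthenticationMode.Forms)
            throw Fail(section.ElementInformation,
                "<authentication mode=\"Forms\"> is required.");

        if (!section.Forms.EnableCrossAppRedirects)
            throw Fail(section.Forms.ElementInformation,
                "<forms enableCrossAppRedirects=\"true\"> is required.");
    }

    private static ConfigurationErrorsException Fail(ElementInformation where, string message)
    {
        // Source is null when the element comes from defaults rather than a file.
        return new ConfigurationErrorsException(
            "FormsAuthSettingsGuardModule: " + message, where.Source, where.LineNumber);
    }

    public void Dispose() { }
}
```

The exception carries the file and line of the offending element, so the site owner sees which web.config entry to change.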