Forms authentication - clean cookie when close browser

Discussion in 'ASP .Net Security' started by SushiSean, Feb 23, 2007.

  1. SushiSean

    SushiSean Guest

    Hello. I use forms authentication and it's work except one thing.
    I want push users make relogin (insert login and pass) when they
    close browser.

    I have those settings in Web.config :

    <authentication mode="Forms">
    <forms loginUrl="login.aspx" cookieless="UseCookies"
    name="LoginUserCookie" slidingExpiration="true"
    enableCrossAppRedirects="true" requireSSL="false" timeout="1"
    protection="None" defaultUrl="simple.aspx">
    <credentials passwordFormat="Clear">
    <user name="test1" password="test2" />
    <user name="root" password="admin" />
    </credentials>
    </forms>

    </authentication>

    <authorization >
    <deny users="?" />
    </authorization>


    It works like this:
    1. Open site and login
    2. redirect defaultUrl
    3 close browser
    4. open browser and get defaultUrl (not login page!!)

    The question is why it doesn't ask reinsert login if somebody close browser
    and how to do this work?
     
    SushiSean, Feb 23, 2007
    #1
    1. Advertisements

  2. How do you set the ticket?

    using FormsAuthentication.RedirectFromLoginPage or SetAuthCookie -

    they both have a boolean paramter - usePersistentCookie (or similar) - if
    set to true - the cookie will be saved on the user's harddrive and re-used.

    Oh an btw - don't set protection="None" !!! This is very dangerous - leave
    it to the default value (which is 'all')

    Also disable 'enableCrossAppRedirects' if you don't need it (and you will
    only need that in special cases with cookieless auth).
     
    Dominick Baier, Feb 23, 2007
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.