Alex Nitulescu
Hi. I just began reading on security (Forms authentication). I have the
following two questions:
1. Is there a way to specify the expiration date for a cookie set with
FormsAuthentication.RedirectFromLoginPage? In "C:\Documents and
Settings\Administrator\Local Settings\Temporary Internet Files" I see that
Administrator@localhost is set to expire exactly 50 years from now!
2. In Web.config I have the following:
<authentication mode="Forms">
<forms
name=".MyCookie"
loginUrl="Login.aspx"
protection="All"
timeout="1"
path="/"
/>
</authentication>
Before I go any further (XML/db saving), I hardcoded my users as so:
If IsValid Then
    ' Two hardcoded accounts for testing; the real lookup will come later.
    If txtUserName.Text.ToLower() = "alex" And txtPassword.Text.ToLower() = "pass" Then
        ' chkRemember.Checked = True asks for a persistent cookie
        FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, chkRemember.Checked)
    ElseIf txtUserName.Text.ToLower() = "dana" And txtPassword.Text.ToLower() = "pass" Then
        FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, chkRemember.Checked)
    Else
        lblResults.Text = "Bad username and/or password"
    End If
End If
So I do the following test: I run the project from within vsnet, I enter
Alex/Pass and I select "Remember Me" = True. I look in "C:\Documents and
Settings\Administrator\Local Settings\Temporary Internet Files" and I see
Administrator@localhost being created. I open it and I see "MyCookie". Good.
Now I can go to http://localhost/aspnetprojects/vsnet/FormAuth/Default.aspx,
my "main" page.
Next, I open a separate instance of IE (planning to login as "dana"), I
type in http://localhost/aspnetprojects/vsnet/FormAuth/Default.aspx - I
expected NOT to see it, but to be redirected to Login instead. However, I go
directly to Default.aspx - as if a single user is logged in correctly,
everybody else can go and see the "Default" page.
Now if the "first user" (the one which created the cookie, Alex) logs out
(FormsAuthentication.SignOut), then the cookie is deleted. If at this point
in IE (where for some obscure reason the second user, "Dana", was already IN
"Default.aspx") I hit F5, "Dana" is sent to the LOGIN page - now that's
correct - it was to be expected.
So... I am really confused. Why does this happen? What am I missing here?
Thanks a lot for spending time reading my post.
Alex.
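As an added example (this is not code from the original post), here is one way to control the lifetime of the forms-authentication cookie instead of taking what RedirectFromLoginPage gives you: build the FormsAuthenticationTicket yourself, encrypt it, and write the cookie with an explicit Expires. In ASP.NET 1.x a persistent cookie issued by RedirectFromLoginPage ignores the timeout attribute and is written with a roughly 50-year Expires, which is what the question reports. The class name, the IssueAuthCookie method and its "minutes" parameter are assumptions for illustration; the caller is assumed to have already checked the password.

```vb
' Added example, not from the original post: issue the forms-auth cookie
' with an explicit lifetime instead of RedirectFromLoginPage's default.
Imports System
Imports System.Web
Imports System.Web.Security

Public Class LoginHelper

    ' Writes a forms-authentication cookie for userName that is valid for
    ' the given number of minutes, then redirects to the originally
    ' requested page. Assumes userName has already been validated.
    Public Shared Sub IssueAuthCookie(ByVal context As HttpContext, _
                                      ByVal userName As String, _
                                      ByVal persistent As Boolean, _
                                      ByVal minutes As Integer)
        Dim issued As DateTime = DateTime.Now
        Dim expires As DateTime = issued.AddMinutes(minutes)

        ' The ticket carries its own expiration; FormsAuthenticationModule
        ' rejects the cookie once this has passed, whatever the browser does.
        Dim ticket As New FormsAuthenticationTicket(1, userName, issued, _
                                                    expires, persistent, "")

        ' Encrypt/sign according to the protection="All" setting in Web.config.
        Dim encrypted As String = FormsAuthentication.Encrypt(ticket)

        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        cookie.Path = "/"
        ' Only mark the cookie Secure when the site is actually served over
        ' HTTPS, otherwise the browser will never send it back.
        cookie.Secure = context.Request.IsSecureConnection

        If persistent Then
            ' "Remember Me": the browser keeps the cookie on disk, but only
            ' for as long as the ticket inside it is valid.
            cookie.Expires = expires
        End If
        ' Non-persistent: no Expires, so the cookie dies with the browser session.

        context.Response.Cookies.Add(cookie)
        context.Response.Redirect( _
            FormsAuthentication.GetRedirectUrl(userName, persistent))
    End Sub

End Class
```

Usage from the login page would be LoginHelper.IssueAuthCookie(Context, txtUserName.Text, chkRemember.Checked, 30) in place of the RedirectFromLoginPage call. Keep the ticket expiration and the cookie Expires in step: a browser-side Expires alone does nothing on the server, and a server-side ticket alone leaves a stale cookie on disk. On the second observation in the post, note that persistent cookies, which is what "Remember Me" creates, are shared by every IE window running under the same Windows account, so a second window presents the same .MyCookie and is treated as the same user; testing a second account needs a different browser profile or machine.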