Authentication and sessions

SOS
Hi guys,
How can I use sessions to authenticate users?
Before, I used cookies and I stored the user's profile in the cookies, but now I
need to do the same work with sessions.

Thanx
Nov 18 '05 #1
Max
A session creates a short term cookie, which refers to the session variables
in memory. The session only lasts 20 mins by default, so you would not use
the session itself for authentication. You can store the authentication info
in a long-term cookie so the user doesn't have to keep logging in. But be sure
not to use this method for access to highly secure info like credit cards,
etc. Other people could be using the computer and gain access.

-Max

"SOS" <fa******@hotmail.com> wrote in message
news:%2******************@TK2MSFTNGP10.phx.gbl...
> Hi guys,
> How can I use sessions to authenticate users?
> Before, I used cookies and I stored the user's profile in the cookies, but now I need to do the same work with sessions.
>
> Thanx

Nov 18 '05 #2
hi,
basically in login code
we store userid in session
and then check on each page
if that Session[userid] exists

there is a method of using Identity and Principal objects for
authentication...

http://msdn.microsoft.com/library/de...SecNetHT04.asp

any doubts further plz reply....
--
Thanks and Regards,

Amit Agarwal
Software Programmer (.NET)

"SOS" <fa******@hotmail.com> wrote in message
news:%2******************@TK2MSFTNGP10.phx.gbl...
> Hi guys,
> How can I use sessions to authenticate users?
> Before, I used cookies and I stored the user's profile in the cookies, but now I need to do the same work with sessions.
>
> Thanx

Nov 18 '05 #3
In article <#Y**************@TK2MSFTNGP09.phx.gbl>, .NET Follower
<am*************@SoftHome.net> writes
> hi,
> basically in login code
> we store userid in session
> and then check on each page
> if that Session[userid] exists

Yeah, I can do that.... but..... we use Windows authentication on our
Intranet so if we detect that the cookie doesn't exist (say, due to 20
mins inactivity) then we re-direct to a login page, but of course
Windows thinks that the user is still logged on so immediately
re-authenticates (even if they logged on to the PC using a generic acct
and logged on to the web app thro' IE)

How can we cancel or revoke that (IE set) authentication to make the
user have to re-authenticate to the web app? I have seen a quite
complex method of using forms authentication to authenticate against an
Active Directory, but this seems to require passwords being sent in plain
text (or the setting up of SSL to protect them.)


One final Q. Session variables relate to that user session (that is the
local browser session)... yes?

1. How do they cope with opening new windows from the original one?

2. can a session variable (which is essentially a cookie) that has been
set by http://intranetserver1/webapp1 be read by
http://intranetserver2/someotherwebapp ? (assuming both apps know the
name of the session var.)
--
Paul
Nov 18 '05 #4
I'll take a stab at the final Q(s)...

A new window opened from the original one will have the same session
ID. If this is not desired, you will need to handle this.

Security is in place to disallow access to cookies from another
server, or even another virtual web on the same server. You can,
however, place a cookie at the root of a web and access it from
different sub-webs. For instance, you could place a cookie while in
www.domain.com/first/page.aspx and tell it to reside at
www.domain.com. Now, another page, let's call it
www.domain.com/second/page.aspx, could get access to that cookie. It is
assumed that if you place the cookie at the root, you have the rights
to do so and that you will want this information from another level of
the same web.

On Sat, 28 Feb 2004 15:06:05 +0000, Paul <pa**@hotmail.com.invalid>
wrote:
> In article <#Y**************@TK2MSFTNGP09.phx.gbl>, .NET Follower
> <am*************@SoftHome.net> writes
>> hi,
>> basically in login code
>> we store userid in session
>> and then check on each page
>> if that Session[userid] exists
>
> Yeah, I can do that.... but..... we use Windows authentication on our
> Intranet so if we detect that the cookie doesn't exist (say, due to 20
> mins inactivity) then we re-direct to a login page, but of course
> Windows thinks that the user is still logged on so immediately
> re-authenticates (even if they logged on to the PC using a generic acct
> and logged on to the web app thro' IE)
>
> How can we cancel or revoke that (IE set) authentication to make the
> user have to re-authenticate to the web app? I have seen a quite
> complex method of using forms authentication to authenticate against an
> Active Directory, but this seems to require passwords being sent in plain
> text (or the setting up of SSL to protect them.)
>
> One final Q. Session variables relate to that user session (that is the
> local browser session)... yes?
>
> 1. How do they cope with opening new windows from the original one?
>
> 2. can a session variable (which is essentially a cookie) that has been
> set by http://intranetserver1/webapp1 be read by
> http://intranetserver2/someotherwebapp ? (assuming both apps know the
> name of the session var.)


Nov 18 '05 #5
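
The cookie scoping described in the reply above, as an added example that is not part of the original thread: a simplified JavaScript model of a browser's host and path matching, which goes slightly beyond the reply by also showing a Domain cookie shared across subdomains. The jar contents and URLs are constructed (Secure, expiry and SameSite handling are left out); `ASP.NET_SessionId` is ASP.NET's default session cookie name.

```javascript
// Added example: simplified model of how a browser picks the cookies to
// attach to a request (host and path matching in the style of RFC 6265).
// The jar contents and URLs are constructed sample values.

// Path-match: the cookie path equals the request path, or is a prefix of it
// that ends on a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Host-match: a host-only cookie (set without a Domain attribute) goes back
// only to the exact host that set it; a Domain cookie also covers subdomains.
function hostMatches(requestHost, cookie) {
  if (requestHost === cookie.domain) return true;
  return !cookie.hostOnly && requestHost.endsWith("." + cookie.domain);
}

// Names of the cookies in `jar` that would accompany a request to `url`.
function cookiesSentTo(jar, url) {
  const { hostname, pathname } = new URL(url);
  return jar
    .filter((c) => hostMatches(hostname, c) && pathMatches(pathname, c.path))
    .map((c) => c.name);
}

const jar = [
  // Session ID cookie issued by the first intranet server.
  { name: "ASP.NET_SessionId", domain: "intranetserver1", hostOnly: true, path: "/" },
  // Set from /first/page.aspx and left scoped to that sub-web.
  { name: "firstOnly", domain: "www.domain.com", hostOnly: true, path: "/first" },
  // Set from /first/page.aspx but placed at the root of the site.
  { name: "siteWide", domain: "www.domain.com", hostOnly: true, path: "/" },
  // Domain cookie: shared with every host under domain.com.
  { name: "shared", domain: "domain.com", hostOnly: false, path: "/" },
];

for (const url of [
  "http://intranetserver1/webapp1/default.aspx",
  "http://intranetserver2/someotherwebapp/default.aspx",
  "http://www.domain.com/first/page.aspx",
  "http://www.domain.com/second/page.aspx",
  "http://www.domain.com/firstaid/page.aspx",
  "http://other.domain.com/page.aspx",
]) {
  console.log(url, "->", cookiesSentTo(jar, url));
}
```

Only the session ID travels in the cookie; the session variables stay in the memory of the server that issued it, so a second server that never receives that ID has nothing to look them up with.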
In article <h3********************************@4ax.com>, Dan Brussee
<db******@nc.rr.com> writes

> Security is in place to disallow access to cookies from another
> server, or even another virtual web on the same server.


Yes... That's so obvious now that you say it.... The other server may
well know the name of the variable, but it won't know the sessionID set
by server 1.
--
Paul
Nov 18 '05 #6
