ASP.NET Forms Authentication Best Practices

Dr. Dobb's Journal February 2004

Protecting user information is critical
By Douglas Reilly
Douglas is the author of Designing Microsoft ASP.NET Applications and
owner of Access Microsystems. Doug can be reached at
do**@accessmicrosystems.com.
--------------------------------------------------------------------------------

For most ASP.NET web sites that need to be secured, the only
reasonable option for authenticating users is ASP.NET Forms
Authentication. While Windows and Passport authentication are
available, they are not nearly as popular. For Windows Authentication,
you need to have all users in a Windows domain, which is impractical
for many applications, especially Internet applications. Passport
Authentication is attractive, although not necessarily developer
friendly, both financially and tool-wise.

A major issue for all developers is security, particularly when it
comes to storing and safeguarding users' personal information, and
among the most sensitive stored information is the user's password.
Unlike credit-card information that many sites store only until
credit-card authorization is received, passwords must be used to
authenticate users for every visit to a restricted web page.

I can hear you saying, "My site does not really contain any really
secret information. We use Forms Authentication primarily to let users
personalize the content they receive, and save information they have
entered for future visits." While that can be the case, it misses the
point. Recently I did an informal survey of my nonprogrammer friends
and relatives and asked how many passwords they use. Virtually all of
the Internet users used either a single password or a couple of
passwords for all sites. Generally, they used one password when there
are no special character requirements and another for sites that
demand a greater variety of character types (numbers and punctuation).
Of the two users who said they specify a different password for every
site, one indicated it was a burden and planned to change since it
caused no end of confusion.

Does Your Site Require High Security?
So even if your site does not contain top-secret information, it is
likely it does contain passwords that guard much more sensitive sites.
Knowing this, what can you do? Is encrypting the user passwords
sufficient? What happens if your user database is compromised? Will
your encryption survive attacks where there's unlimited time to
process the passwords? And what about a rogue administrator who has
access to the site, database, passwords, and algorithms used to
encrypt the passwords?

The solution is to use a one-way hash, a cryptographic technique that
transforms a value in such a way that it is computationally infeasible
to derive the original value from the hashed value. Using this
technique, even you don't know the password of users (unless the login
page is modified to capture the clear text of the password as it is
entered).

When I suggest using a one-way hash for passwords on various
newsgroups, the objection is that users will not be able to recover
passwords when they're lost. True, but alternate arrangements can be
made; for instance, e-mailing new passwords (perhaps made from
combining two random words with a punctuation mark between them) or a
link that brings users to a page where they can directly enter the
password they wish to use. If the real user requests the password be
reset, the e-mail about the new password shortly arrives. If someone
else requests that the password be reset using a different user's
e-mail, when the e-mail message is sent to real users, it alerts them
that someone has been tinkering with their user account.

ASP.NET Forms Authentication Basics
To use Forms Authentication in ASP.NET, you need to modify settings in
the Web.Config file in the application folder. The Authentication
section of Web.Config needs to be changed to look something like
Listing One(a), where you want to use login.aspx to log users in.
protection="All" means that you want data validation and encryption on
the authentication cookie. There is a 30-minute timeout on the cookie,
and the cookie is saved in the root path. In addition, the
Authorization element must also be changed to look like Listing
One(b).

If you do not deny unauthenticated users (signified by the "?"), then
Forms Authentication won't work, and all users will be able to get to
all pages. In this example, you also have a Registration page, and
users need to get to this page even though they are not logged in. To
allow this, add the location element in Listing One(c) to Web.Config,
inside the configuration element. This section is used as a location
override for the Register.aspx page. In this example, I explicitly
allow unauthenticated users to reach the register page.

Listings Two and Three validate users against one-way hashed
passwords. (The complete source code and SQL Database Create Script
are available electronically; see "Resource Center," page 5.) Listing
Two is the UserDB utility class that calls the underlying database,
and would likely be something you might change if it is implemented on
your site. In the example, the SqlClient namespace is used and stored
procedures are called using SqlParameters. (Using parameters, rather
than building up SQL strings to execute, is critical to building
secure systems. Stored Procedures are not essential since you can also
use parameters on ad hoc SELECT, UPDATE, and INSERT SQL Statements.)

A User Database Class
The UserDB class contains three public static methods.

The first is SelectUserInfo. Given a UserName (passed as a parameter),
this method returns a DataSet with the information for the requested
user, or a null if the user is not found. In this example, the fields
returned in Tables[0] are:

    int PersonID
    string LastName
    string FirstName
    string UserName
    DateTime LastLogin
    string EMail
    bool MustChangePassword
    string PasswordHash
    string Salt
    DateTime DatePasswordChange

MustChangePassword is a Boolean value that indicates if users should
be forced to change their password. Commonly, you might set this to
True if the user's password is reset.

The second method in the UserDB class is ChangePassword, with the
signature:

    public static bool ChangePassword(int UserID,
        string NewPasswordHash,
        string Salt, bool MustChangePassword)

This method does exactly what you would expect, allowing the password
for the specified user (by the UserID parameter) to be changed. Since
you are not storing a plaintext password in the database, what is sent
is not the password but rather the hashed password and the string used
as salt for the hashing.

The final method in UserDB is SaveNewUser, with the signature:

    public static bool SaveNewUser(string UserName,
        string LastName, string FirstName, string email,
        string PasswordHash, string Salt,
        bool MustChangePassword)

This method is used to create new users and simply passes the
information sent into a stored procedure. Each of these methods calls
a stored procedure and you can replace this code with whatever
database code you like.

User Class
The User class (Listing Three), where the real work of securing user
passwords takes place, has a number of private variables and two
private methods. One possible way to compromise a password database is
to use a dictionary attack. For example, assume a common password is
"password." Using one-way encryption, if two users have set their
password to "password," once one password is compromised, all other
users who have the same hashed password are also compromised.

This is where the previously mentioned Salt comes into use. Salt is
just a string of characters, for instance LGk2dcw=, used in
combination with the clear text password, so that when hashed, each
hashed password is different even if the original password is the
same. There is the private method CreateSalt in the User class; see
Listing Four(a). The RNGCryptoServiceProvider class referenced in
CreateSalt is a class that provides a random-number generator using
the implementation provided by the Cryptographic Service Provider.
GetBytes returns a cryptographically strong sequence of values,
meaning the values are random in a precise way. There is an additional
private method in the User class that is used to create the password
and hash; see Listing Four(b). This method concatenates the password
and salt, then creates a hashed password by calling the somewhat
unfortunately named HashPasswordForStoringInConfigFile method of the
FormsAuthentication class. This method does exactly what it says,
creating a hash suitable for storing in a configuration file (that is,
nonbinary). For instance, a hash might look like this string:

4EF1EED06A845CE5385FC7DA2E848C4F93401D58

This is a representation of the hash where each byte is represented by
two hex characters. The class is used in several places, first in the
Login.aspx.cs page, the code-behind page for the Login page. When
users enter a username/password and click the Login button, the click
handler (Listing Five) is called. The btnLogin_Click method
instantiates a new User object and fills in the required properties
for authentication (UserName and Password). With the required
properties set, btnLogin_Click calls the VerifyPassword instance
method on the newly instantiated User object.

After declaring variables and validating that required properties are
set correctly, the VerifyPassword method calls the static
SelectUserInfo in the UserDB class. Recall that this method returns a
DataSet with a single table and a single row—presuming that there is
some data returned in the DataSet, determined by checking the Count
property of the Tables collection of the DataSet; see Listing Six.

Once you've confirmed that there is some data in the table, gather the
Salt from the returned DataSet with the Password the user has entered,
and create a hashed password. Given that newly hashed password, you
compare it with the value stored in the database as PasswordHash. If
the new hashed password and the one from the database are the same,
you know the users are who they say they are (or at least that they
know the correct password).

Looking back at btnLogin_Click, if users appear to be who they say
they are, call RedirectFromLoginPage from the FormsAuthentication
class. This method sets a cookie used to track who users are, and
redirects users back to the page they were sent from. So in this
application, you might set Default.aspx as the homepage, and when
users try to access that page, they are redirected to the Login.aspx
page.

Of course, there are a couple of other requirements when you are
creating an application secured with forms authentication. The
standard way to change a password is to enter the current password,
then enter the new password twice. On this screen, I use standard
ASP.NET validators to verify that the fields are filled in, and that
the new password is entered identically twice. One thing to be
especially careful about is exposing information you do not intend to
in the validator code. If, in fact, your system lets you know the
user's current password, it would be a terrible idea to use the
Compare validator to ensure that the Old Password field is filled with
the correct password. The Compare validator has a ValueToCompare
property that could be used to hold this value; however, doing so
sends the current password to the browser as clear text.

Figure 1 is the Change Password screen with the new password not
entered correctly in both fields. Once all fields pass the validators
and the user clicks the Submit button, the Button1_Click method in
Listing Seven is executed. Once again, the User object is created and
the properties are set. In this example, you use the
User.Identity.Name property to get the UserName that was saved when
FormsAuthentication.RedirectFromLoginPage was called on the Login
screen. The password is changed only if the current password entered
is correct (as confirmed by a true return from VerifyPassword).

There is one quirk in how RedirectFromLoginPage works. If you go
directly to the login page instead of going to a secured page and then
redirecting to the login page, there is no ReturnUrl passed in the
query string to the login page. In that case, ASP.NET redirects to a
page named Default.aspx (and displays a 404 error if you do not have a
Default.aspx). My solution is to always have a Default.aspx, even if
that is not in fact the real homepage, and redirect from that page to
whatever the real homepage is.

To make this system something that you can just use (and not what you
should be doing in a real application), this system lets you register
if you like from the main page. Clicking on the Register link from the
login page brings you to a form like in Figure 2. This screen also
uses ASP.NET validators to ensure required fields are entered and that
the password is entered identically in both password fields (using
logic just like the ChangePassword screen). When you click the Save
button, Listing Eight is executed. In this case, I also instantiate a
User object, but rather than use it, I just call the SaveNewUser
method on that object. In the end, this code simply calls down into
the UserDB method of the same name, after doing the same one-way
hashing on the password and salt.

Possible Enhancements
There are a number of improvements that could be made to this code in
a production environment. First, you might want to implement a Group
system, so that in addition to allowing/disallowing unauthenticated
users, you can use a full role-based system. By storing user roles in
the authentication cookie, you can restore them into a
GenericPrincipal object whenever Application_AuthenticateRequest is
called. Also, to avoid another roundtrip to the database, I do not
have a method in place to seed the LastLogin DateTime field when users
log in. If this is important, you could implement this. And finally,
the logic to reset the password is not present, although the same
logic used to create new users can be used to reset passwords. From
there, you could use whatever logic you want to send new passwords to
users.
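
The role-based enhancement described above, as an added example that is not part of the original article: roles travel in the ticket's UserData and are restored into a GenericPrincipal in Application_AuthenticateRequest. The RoleTicket class, the '|' separator and the roles array passed to Issue are assumptions (the article defines no roles table), and .NET Framework 2.0 or later is assumed for HttpCookie.HttpOnly.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

namespace FormsAuth
{
    // Hypothetical helper, not part of the article's source code.
    public class RoleTicket
    {
        private const char Separator='|';

        // Call from btnLogin_Click after VerifyPassword() succeeds, in place
        // of RedirectFromLoginPage, then redirect with
        // Response.Redirect(FormsAuthentication.GetRedirectUrl(userName,false)).
        public static void Issue(HttpResponse response,string userName,
            string[] roles,int timeoutMinutes)
        {
            foreach ( string role in roles )
            {
                // A separator inside a role name would split into extra roles.
                if ( role.IndexOf(Separator)>=0 )
                {
                    throw new ArgumentException("Role name contains '|'.");
                }
            }
            FormsAuthenticationTicket ticket=new FormsAuthenticationTicket(
                1,                                        // ticket version
                userName,
                DateTime.Now,
                DateTime.Now.AddMinutes(timeoutMinutes),
                false,                                    // no persistent cookie
                string.Join(Separator.ToString(),roles),  // UserData
                FormsAuthentication.FormsCookiePath);
            // With protection="All" the ticket is encrypted and validated,
            // so the browser can neither read nor alter the role list.
            HttpCookie cookie=new HttpCookie(
                FormsAuthentication.FormsCookieName,
                FormsAuthentication.Encrypt(ticket));
            cookie.Path=FormsAuthentication.FormsCookiePath;
            cookie.HttpOnly=true;
            cookie.Secure=FormsAuthentication.RequireSSL;
            response.Cookies.Add(cookie);
        }

        // By the time Application_AuthenticateRequest runs, the Forms
        // Authentication module has already validated the cookie and set
        // Context.User; this only attaches the roles carried in the ticket.
        public static void Restore(HttpContext context)
        {
            if ( context.User==null ) return;
            FormsIdentity id=context.User.Identity as FormsIdentity;
            if ( id==null || !id.IsAuthenticated ) return;
            string data=id.Ticket.UserData;
            string[] roles=( data==null || data.Length==0 )
                ? new string[0] : data.Split(Separator);
            context.User=new GenericPrincipal(id,roles);
        }
    }

    // Global.asax.cs
    public class Global : HttpApplication
    {
        protected void Application_AuthenticateRequest(object sender,EventArgs e)
        {
            RoleTicket.Restore(Context);
        }
    }
}
```

Roles cached in the ticket stay in force until the ticket expires, so a role removed in the database takes effect only at the user's next login.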

One other improvement (most useful if the database server was on a
different machine than the web server) would be to store an additional
string to act as salt somewhere in the actual web application. This
way, compromising the database alone will not allow even a user by
user dictionary attack.
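
An added example, not the article's code, for the per-user salt described under "User Class" and the application-held salt suggested above: it counts how many stored hashes a single precomputed table of common passwords matches with and without a salt, then shows verification failing when only the database values are known. It swaps the article's single SHA-1 pass for PBKDF2 (Rfc2898DeriveBytes with HashAlgorithmName, .NET Framework 4.7.2 or later assumed); the class name, passwords, secret and iteration count are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical demo class; every sample value below is constructed.
public static class SaltedHashDemo
{
    const int Iterations=100000;   // sample work factor; tune for your hardware

    // Stand-in for the article's CreatePasswordHash: one SHA-1 pass over
    // password+salt, written as hex.
    public static string Sha1Hex(string pwd,string salt)
    {
        using ( SHA1 sha=SHA1.Create() )
        {
            byte[] digest=sha.ComputeHash(Encoding.UTF8.GetBytes(pwd+salt));
            return BitConverter.ToString(digest).Replace("-","");
        }
    }

    public static byte[] CreateSalt(int size)
    {
        byte[] buff=new byte[size];
        using ( RandomNumberGenerator rng=RandomNumberGenerator.Create() )
        {
            rng.GetBytes(buff);
        }
        return buff;
    }

    // How many stored hashes appear in a table of common-password hashes
    // that was computed once, without knowledge of any salt.
    public static int CountPrecomputedMatches(string[] stored,string[] common)
    {
        HashSet<string> table=new HashSet<string>();
        foreach ( string w in common ) table.Add(Sha1Hex(w,""));
        int hits=0;
        foreach ( string h in stored ) if ( table.Contains(h) ) hits++;
        return hits;
    }

    // PBKDF2 over the password, salted with the per-user salt (database)
    // followed by the application secret (held by the web application only).
    public static byte[] Derive(string pwd,byte[] userSalt,byte[] appSecret)
    {
        byte[] salt=new byte[userSalt.Length+appSecret.Length];
        Buffer.BlockCopy(userSalt,0,salt,0,userSalt.Length);
        Buffer.BlockCopy(appSecret,0,salt,userSalt.Length,appSecret.Length);
        using ( Rfc2898DeriveBytes kdf=new Rfc2898DeriveBytes(
            pwd,salt,Iterations,HashAlgorithmName.SHA256) )
        {
            return kdf.GetBytes(32);
        }
    }

    // Compares every byte, so timing does not reveal where a mismatch is.
    public static bool FixedTimeEquals(byte[] a,byte[] b)
    {
        if ( a.Length!=b.Length ) return false;
        int diff=0;
        for ( int i=0; i<a.Length; i++ ) diff|=a[i]^b[i];
        return diff==0;
    }

    public static bool Verify(string pwd,byte[] userSalt,byte[] appSecret,
        byte[] stored)
    {
        return FixedTimeEquals(Derive(pwd,userSalt,appSecret),stored);
    }

    public static void Main()
    {
        string[] common={ "password","letmein","123456" };
        string[] chosen={ "password","Tr0ub4dor&3","password" };
        string[] unsalted=new string[chosen.Length];
        string[] salted=new string[chosen.Length];
        for ( int i=0; i<chosen.Length; i++ )
        {
            unsalted[i]=Sha1Hex(chosen[i],"");
            // Per-user salt, sized as in the article's CreateSalt(5).
            salted[i]=Sha1Hex(chosen[i],Convert.ToBase64String(CreateSalt(5)));
        }
        Console.WriteLine("Matched by one table: unsalted={0}, salted={1}",
            CountPrecomputedMatches(unsalted,common),
            CountPrecomputedMatches(salted,common));

        byte[] appSecret=Encoding.UTF8.GetBytes("constructed-app-secret");
        byte[] userSalt=CreateSalt(16);
        byte[] stored=Derive("Tr0ub4dor&3",userSalt,appSecret);
        Console.WriteLine("Correct password: {0}",
            Verify("Tr0ub4dor&3",userSalt,appSecret,stored));
        Console.WriteLine("Wrong password: {0}",
            Verify("password",userSalt,appSecret,stored));
        // Database values alone: salt and hash known, application secret not.
        Console.WriteLine("Correct password, no application secret: {0}",
            Verify("Tr0ub4dor&3",userSalt,new byte[0],stored));
    }
}
```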

DDJ

Listing One
(a)
<authentication mode="Forms">
    <forms
        loginUrl="login.aspx"
        protection="All"
        timeout="30"
        path="/" />
</authentication>

(b)
<authorization>
    <deny users="?" />
</authorization>

(c)
<location path="Register.aspx">
    <system.web>
        <authorization>
            <allow users="?"/>
        </authorization>
    </system.web>
</location>


Listing Two
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;

namespace FormsAuth
{
    /// <summary>
    /// Data-access helpers for the user table. Every call goes through a
    /// stored procedure with SqlParameters; no SQL text is concatenated.
    /// </summary>
    public class UserDB
    {
        public static DataSet SelectUserInfo(string UserName)
        {
            string strCn;
            DataSet ds=null;
            if ( UserName==string.Empty || UserName==null )
            {
                throw new NullReferenceException("User Name Must Be Specified!");
            }
            strCn=System.Configuration.ConfigurationSettings.
                AppSettings["DSN"].ToString();
            SqlConnection cn=new SqlConnection(strCn);
            cn.Open();
            try
            {
                SqlCommand cmd=new SqlCommand("spSelectUserInfo",cn);
                cmd.CommandType=CommandType.StoredProcedure;
                cmd.Parameters.Add("@UserName",UserName);
                SqlDataAdapter da=new SqlDataAdapter(cmd);
                ds=new DataSet();
                da.Fill(ds,"User");
            }
            catch ( Exception )
            {
                // Do something... (on failure ds may hold no tables,
                // which callers must check)
            }
            finally
            {
                cn.Close();
            }
            return ds;
        }

        public static bool ChangePassword(int UserID,string NewPasswordHash,
            string Salt,bool MustChangePassword)
        {
            bool ret=false;
            if ( NewPasswordHash==string.Empty || UserID==0 )
            {
                throw new Exception("Not all required variables set in UserDB");
            }
            string strCn;
            strCn=System.Configuration.ConfigurationSettings.
                AppSettings["DSN"].ToString();
            SqlConnection cn=new SqlConnection(strCn);
            cn.Open();
            try
            {
                SqlCommand cmd=new SqlCommand("spSaveChangedPassword",cn);
                cmd.CommandType=CommandType.StoredProcedure;
                cmd.Parameters.Add("@UserID",UserID);
                cmd.Parameters.Add("@PasswordHash",NewPasswordHash);
                cmd.Parameters.Add("@Salt",Salt);
                cmd.Parameters.Add("@MustChangePassword",MustChangePassword);
                // Receives the stored procedure's RETURN value.
                SqlParameter prm=new SqlParameter();
                prm.Direction=ParameterDirection.ReturnValue;
                prm.ParameterName="ReturnValue";
                cmd.Parameters.Add(prm);
                cmd.ExecuteNonQuery();
                if ( (int)cmd.Parameters["ReturnValue"].Value!=0 )
                {
                    ret=true;
                }
            }
            finally
            {
                cn.Close();
            }
            return ret;
        }

        public static bool SaveNewUser(string UserName,string LastName,
            string FirstName,string email,string PasswordHash,string Salt,
            bool MustChangePassword)
        {
            bool ret=false;
            string strCn;
            strCn=System.Configuration.ConfigurationSettings.
                AppSettings["DSN"].ToString();
            SqlConnection cn=new SqlConnection(strCn);
            cn.Open();
            try
            {
                SqlCommand cmd=new SqlCommand("spSaveNewUser",cn);
                cmd.CommandType=CommandType.StoredProcedure;
                // A literal 0 would bind to the Add(string, SqlDbType)
                // overload and send no value, so set the value explicitly.
                cmd.Parameters.Add("@UserID",SqlDbType.Int).Value=0;
                cmd.Parameters.Add("@UserName",UserName);
                cmd.Parameters.Add("@LastName",LastName);
                cmd.Parameters.Add("@FirstName",FirstName);
                cmd.Parameters.Add("@email",email);
                cmd.Parameters.Add("@PasswordHash",PasswordHash);
                cmd.Parameters.Add("@Salt",Salt);
                cmd.Parameters.Add("@MustChangePassword",MustChangePassword);
                // Receives the stored procedure's RETURN value.
                SqlParameter prm=new SqlParameter();
                prm.Direction=ParameterDirection.ReturnValue;
                prm.ParameterName="ReturnValue";
                cmd.Parameters.Add(prm);
                cmd.ExecuteNonQuery();
                if ( (int)cmd.Parameters["ReturnValue"].Value!=0 )
                {
                    ret=true;
                }
            }
            finally
            {
                cn.Close();
            }
            return ret;
        }
    }
}


Listing Three
using System;
using System.Data;
using System.Security;
using System.Security.Cryptography;
using System.Web.Security;

namespace FormsAuth
{
    /// <summary>
    /// A site user. Passwords are held only as a salted one-way hash.
    /// </summary>
    public class User
    {
        private string m_LastName;
        private string m_FirstName;
        private string m_UserName;
        private string m_Email;
        private string m_Password;
        private bool m_MustChangePassword;
        private int m_UserID;

        #region Properties
        public string LastName
        {
            get { return m_LastName; }
            set { m_LastName=value; }
        }
        public string FirstName
        {
            get { return m_FirstName; }
            set { m_FirstName=value; }
        }
        public string UserName
        {
            get { return m_UserName; }
            set { m_UserName=value; }
        }
        public string Email
        {
            get { return m_Email; }
            set { m_Email=value; }
        }
        public string Password
        {
            get { return m_Password; }
            // Kept exactly as entered: SaveNewUser and ChangePassword hash
            // the password unchanged, so lower-casing it here would make
            // any password containing capitals fail VerifyPassword.
            set { m_Password=value; }
        }
        public bool MustChangePassword
        {
            get { return m_MustChangePassword; }
            set { m_MustChangePassword=value; }
        }
        public int UserID
        {
            get { return m_UserID; }
            set { m_UserID=value; }
        }
        #endregion

        #region Private Methods
        // Returns 'size' cryptographically strong random bytes as Base64.
        private string CreateSalt(int size)
        {
            RNGCryptoServiceProvider rng=new RNGCryptoServiceProvider();
            byte[] buff=new byte[size];
            rng.GetBytes(buff);
            return Convert.ToBase64String(buff);
        }
        // Hashes password+salt with SHA-1 and returns the hash as hex.
        private string CreatePasswordHash(string pwd,string salt)
        {
            string saltAndPassword=string.Concat(pwd,salt);
            string hashedPassword=
                FormsAuthentication.HashPasswordForStoringInConfigFile(
                    saltAndPassword,"SHA1");
            return hashedPassword;
        }
        #endregion

        public User()
        {
            m_LastName=string.Empty;
            m_FirstName=string.Empty;
            m_UserName=string.Empty;
            m_Email=string.Empty;
            m_Password=string.Empty;
            m_UserID=0;
        }

        public bool VerifyPassword()
        {
            string PasswordHashFromDB;
            string strSalt;
            bool ret=false;
            if ( m_UserName==string.Empty || m_Password==string.Empty )
            {
                throw new NullReferenceException(
                    "Not all required properties set!");
            }
            try
            {
                DataSet ds=UserDB.SelectUserInfo(m_UserName);
                // No table (query failed) or no row (unknown user) means
                // there is nothing to compare against.
                if ( ds!=null && ds.Tables.Count!=0 &&
                    ds.Tables[0].Rows.Count!=0 )
                {
                    strSalt=ds.Tables[0].Rows[0]["Salt"].ToString();
                    string hashedPasswordAndSalt=
                        this.CreatePasswordHash(m_Password,strSalt);
                    PasswordHashFromDB=
                        ds.Tables[0].Rows[0]["PasswordHash"].ToString();
                    if ( PasswordHashFromDB!=string.Empty &&
                        PasswordHashFromDB.Equals(hashedPasswordAndSalt) )
                    {
                        m_UserID=int.Parse(
                            ds.Tables[0].Rows[0]["PersonID"].ToString());
                        m_FirstName=
                            ds.Tables[0].Rows[0]["FirstName"].ToString();
                        m_LastName=
                            ds.Tables[0].Rows[0]["LastName"].ToString();
                        m_MustChangePassword=bool.Parse(
                            ds.Tables[0].Rows[0]["MustChangePassword"].ToString());
                        m_Email=ds.Tables[0].Rows[0]["Email"].ToString();
                        ret=true;
                    }
                }
            }
            catch ( Exception )
            {
                // rethrow, or you could do something useful...
                // ("throw;" keeps the original stack trace)
                throw;
            }
            return ret;
        }

        public bool ChangePassword(string NewPassword)
        {
            return ChangePassword(NewPassword,false);
        }

        public bool ChangePassword(string NewPassword,bool MustChangePassword)
        {
            bool ret=false;
            if ( this.UserID==0 )
            {
                throw new Exception(
                    "User Not Initialized. Can't change password.");
            }
            if ( NewPassword==string.Empty )
            {
                throw new NullReferenceException(
                    "Not all required arguments set!");
            }
            try
            {
                string salt=CreateSalt(5);
                string PasswordHash=CreatePasswordHash(NewPassword,salt);
                // Store the hash, never the clear-text password.
                UserDB.ChangePassword(this.m_UserID,PasswordHash,salt,
                    MustChangePassword);
                ret=true;
            }
            catch ( Exception )
            {
                // Any failure is reported to the caller as "not changed".
            }
            return ret;
        }

        public bool SaveNewUser(string UserName,string LastName,
            string FirstName,string email,string Password,
            bool MustChangePassword)
        {
            string salt=CreateSalt(5);
            string PasswordHash=CreatePasswordHash(Password,salt);
            return UserDB.SaveNewUser(UserName,LastName,FirstName,
                email,PasswordHash,salt,MustChangePassword);
        }
    }
}


Listing Four
(a)
private string CreateSalt(int size)
{
    RNGCryptoServiceProvider rng=new RNGCryptoServiceProvider();
    byte[] buff=new byte[size];
    rng.GetBytes(buff);
    return Convert.ToBase64String(buff);
}

(b)
private string CreatePasswordHash(string pwd,string salt)
{
    string saltAndPassword=string.Concat(pwd,salt);
    string hashedPassword=
        FormsAuthentication.HashPasswordForStoringInConfigFile(
            saltAndPassword,"SHA1");
    return hashedPassword;
}


Listing Five
private void btnLogin_Click(object sender, System.EventArgs e)
{
    FormsAuth.User u=new FormsAuth.User();
    u.UserName=this.edUserName.Text;
    u.Password=this.edPassword.Text;
    if ( u.VerifyPassword()==true )
    {
        // Redirect, don't bother with persistent cookie.
        FormsAuthentication.RedirectFromLoginPage(u.UserName,false);
    }
    else
    {
        this.lblError.Text="Sorry - Could not log you in...";
    }
}


Listing Six
DataSet ds=UserDB.SelectUserInfo(m_UserName);
// No table (query failed) or no row (unknown user) means there is
// nothing to compare against.
if ( ds!=null && ds.Tables.Count!=0 && ds.Tables[0].Rows.Count!=0 )
{
    strSalt=ds.Tables[0].Rows[0]["Salt"].ToString();
    string hashedPasswordAndSalt=
        this.CreatePasswordHash(m_Password,strSalt);
    PasswordHashFromDB=ds.Tables[0].Rows[0]["PasswordHash"].ToString();
    if ( PasswordHashFromDB!=string.Empty &&
        PasswordHashFromDB.Equals(hashedPasswordAndSalt) )
    {
        m_UserID=int.Parse(ds.Tables[0].Rows[0]["PersonID"].ToString());
        m_FirstName=ds.Tables[0].Rows[0]["FirstName"].ToString();
        m_LastName=ds.Tables[0].Rows[0]["LastName"].ToString();
        m_MustChangePassword=bool.Parse(
            ds.Tables[0].Rows[0]["MustChangePassword"].ToString());
        m_Email=ds.Tables[0].Rows[0]["Email"].ToString();
        ret=true;
    }
}


Listing Seven
private void Button1_Click(object sender, System.EventArgs e)
{
    if ( Page.IsValid )
    {
        FormsAuth.User u=new FormsAuth.User();
        u.UserName=User.Identity.Name;
        u.Password=this.edOldPassword.Text;
        if ( u.VerifyPassword() )
        {
            if ( u.ChangePassword(edPassword1.Text) )
            {
                lblMessage.Text="Password Changed!";
            }
            else
            {
                lblMessage.Text="Password NOT Changed!";
            }
        }
    }
}


Listing Eight
private void Button1_Click(object sender, System.EventArgs e)
{
    if ( Page.IsValid )
    {
        FormsAuth.User u=new FormsAuth.User();
        if ( u.SaveNewUser(edUserName.Text,edLastName.Text,
            edFirstName.Text,edEmail.Text,edPassword1.Text,true) )
        {
            Response.Redirect("Login.aspx");
        }
        else
        {
            lblMessage.Text="Can't register that name. Please try again.";
        }
    }
}
Nov 18 '05 #1