Bytes | Software Development & Data Engineering Community

Forms Authentication - Not timing out, not redirecting.

Hi,
I've come across this scenario in ASP.NET 1.1 with forms authentication
where the forms auth doesn't seem to time out correctly, nor redirect to the
login page.

I have done some testing, and I believe I've found a solution, but I
would like some insight from Microsoft on whether the code I've implemented
is correct, and why it is even working.

Here is my scenario:

I initially implemented forms auth using the standard forms auth
declaration in web.config and it worked fine, and redirected alright. Then,
as I began going through my code during my security reviews I implemented
the encrypted auth ticket as described in the "Building Secure ASP.NET
Applications" on page 378 (document page number, not the PDF page number).
In this scenario, it describes how to build the login event from the login
page, as well as implementing the "Application_AuthenticateRequest" event in
the global.asax code.

Once I implemented that code, my forms auth stopped working. The ticket
was still valid after my timeout, and I was never redirected to the
specified login page. I was implementing SessionState with the same timeout
as the formsauth, and my session was timing out properly! I was also using
a non-persistent formsauth cookie. After going back over the documentation
several times, and making sure I was implementing it as described, I
believe I found a problem with the code in the document. However, I don't
want to go as far as saying the code is wrong, but I've come up with a fix
that makes it work - but now I don't understand exactly why it fixes it.

Basically in Application_AuthenticateRequest, once the ticket is
decrypted from the cookie the code checks whether the ticket is null to
determine if there was one available. If it is, return. After that, it
extracts the roles, and sets up the HttpContext user identity information.
All fine and dandy. However, nobody checks whether the authTicket has
actually expired yet! So, immediately after the null == authTicket check, I
inserted a check whether the authTicket had expired, and it now works.

I understand sort-of why this works, but then I decided to go in with
Reflector and look at the FormsAuthenticationModule class and look at its
"OnAuthenticate" event. In there, the framework checks whether it is
expired, et al., exactly like I made my code do in Global.asax.

After doing some further research on the ASP.NET HTTP Pipeline, I see
that the application gets the pipeline call first, and passes it on to its
modules. Then I read that global.asax's Authenticate_Request is called by
the security module that is in place - which in this case is the
FormsAuthenticationModule. Now if the FormsAuthenticationModule is doing
its check, and then passing it onto my global.asax Authenticate_Request
code - wouldn't FormsAuthModule already have figured out the ticket was
expired and done something about it?

Or is it the fact that since I have implemented
Application_AuthenticateRequest - that my code then has some sort of
precedence?

My guess is this: Since the COOKIE is actually a non-persistent cookie,
it is valid while the browser is open. Thus, this entire time the cookie is
actually there, just not expired. Then in the
Application_AuthenticateRequest code, the authTicket is always extracted
(because we have a browser cookie full of encrypted data). But at the
FormsAuthentication level, which we're really concerned about, the
authTicket has expired - which is a separate expiration from the actual
cookie expiration. But nobody is checking for that. Thus, I get the
authTicket out of the cookie every time, and then fill the Identity object
on the current HttpContext every time. Even if it has really expired. So
when I place the additional check for expiration in there, it works as it is
supposed to.

I am glad the code works - but I'm primarily confused as to the why.
Was there a reason that the "Building Secure ASP.NET Applications" article
presented the code as it did? Or did I really find a bug in that code? I
guess I'm fairly concerned if the code is incomplete - the document has been
out for some time? Am I the first to run across this?

Additional question: Do I also need to conditionally update my
slidingTimeout in this code as well to match the FormsAuthenticationModule
"OnAuthenticate" code? Or will something else do this for me? From my
testing, it appears to be renewed for me, but I wanted to make sure this
wasn't some sort of fluke as well.

Here is my Application_AuthenticateRequest code:

// Global.asax.cs - namespaces the handler below depends on
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Rebuilds the principal from the encrypted forms auth ticket on every request
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    string cookieName = FormsAuthentication.FormsCookieName;
    HttpCookie authCookie = Context.Request.Cookies[cookieName];
    if (null == authCookie)
    {
        return; // no forms auth cookie on this request
    }

    FormsAuthenticationTicket authTicket = null;
    try
    {
        authTicket = FormsAuthentication.Decrypt(authCookie.Value);
    }
    catch (Exception ex)
    {
        AppHelper.LogEvent(ex.ToString(), 3); // AppHelper is the application's own logging helper
        return;
    }

    // The added check: a non-persistent cookie outlives the ticket it carries,
    // so test the ticket's own expiration, not just whether it decrypted.
    if ((null == authTicket) || authTicket.Expired)
    {
        return;
    }

    // Roles were stored in UserData as a '|'-separated list when the ticket was issued
    string[] roles = authTicket.UserData.Split(new char[] { '|' });
    FormsIdentity id = new FormsIdentity(authTicket);
    GenericPrincipal principal = new GenericPrincipal(id, roles);
    Context.User = principal;
}
Nov 18 '05 #1
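Added example, not the poster's code and not the text of the guide they cite: both halves of the encrypted-ticket pattern the post describes, for ASP.NET 1.1. The login half issues a ticket whose own Expiration, not the cookie's Expires, decides whether the user is still authenticated; the per-request half rejects an expired ticket before assigning Context.User and renews a sliding-expiration ticket with the framework's own RenewTicketIfOld helper, re-issuing the cookie only when a new ticket comes back. It assumes a 20-minute timeout matching the <forms timeout> setting (the 1.1 API does not expose that value), roles joined with '|' in UserData, and System.Diagnostics.Trace standing in for the AppHelper logger from the post; TicketAuth, IssueTicket and AuthenticateRequest are names chosen here.

```csharp
// Added example (not the poster's code): issue and validate an encrypted
// forms auth ticket on ASP.NET 1.1. Assumptions: 20-minute timeout that
// matches <forms timeout="20">, roles stored '|'-separated in UserData,
// Trace used in place of the post's AppHelper.LogEvent.
using System;
using System.Diagnostics;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class TicketAuth
{
    // Login side: build the ticket and write the cookie. The ticket's Expiration
    // is checked on every request; the cookie's Expires only matters when the
    // user asked for a persistent cookie.
    public static void IssueTicket(HttpContext ctx, string userName, string[] roles, bool persistent)
    {
        int timeoutMinutes = 20; // assumed to equal the <forms timeout> value in web.config
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, now, now.AddMinutes(timeoutMinutes), persistent,
            String.Join("|", roles), FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.Secure = FormsAuthentication.RequireSSL; // honour requireSSL="true"
        if (persistent)
        {
            cookie.Expires = ticket.Expiration; // non-persistent cookies get no browser-side expiry
        }
        ctx.Response.Cookies.Add(cookie);
    }

    // Per-request side: everything Application_AuthenticateRequest must do before
    // it trusts the cookie. Returns true only when a principal was assigned.
    public static bool AuthenticateRequest(HttpContext ctx)
    {
        HttpCookie authCookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null || authCookie.Value == null || authCookie.Value.Length == 0)
        {
            return false; // no cookie: leave ctx.User unset so the request is sent to loginUrl
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception ex)
        {
            Trace.WriteLine("forms auth cookie rejected: " + ex.Message);
            return false; // tampered or re-keyed cookie: treated exactly like no cookie
        }

        // The check the post found missing: a non-persistent cookie lives for the
        // whole browser session, but the ticket inside it carries its own Expiration.
        if (ticket == null || ticket.Expired)
        {
            return false;
        }

        // Sliding expiration: RenewTicketIfOld hands back the same object until more
        // than half the lifetime has elapsed, so the cookie is not rewritten on every hit.
        if (FormsAuthentication.SlidingExpiration)
        {
            FormsAuthenticationTicket renewed = FormsAuthentication.RenewTicketIfOld(ticket);
            if (!Object.ReferenceEquals(renewed, ticket))
            {
                HttpCookie c = new HttpCookie(authCookie.Name, FormsAuthentication.Encrypt(renewed));
                c.Path = FormsAuthentication.FormsCookiePath;
                c.Secure = FormsAuthentication.RequireSSL;
                if (renewed.IsPersistent)
                {
                    c.Expires = renewed.Expiration;
                }
                ctx.Response.Cookies.Add(c);
                ticket = renewed;
            }
        }

        string[] roles = ticket.UserData.Split(new char[] { '|' });
        ctx.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
        return true;
    }
}

// Global.asax.cs hook-up: the handler delegates to the validation above.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        TicketAuth.AuthenticateRequest(Context);
    }
}
```

Because the handler never assigns Context.User for a missing, undecryptable or expired ticket, the request reaches the authorization stage unauthenticated and is redirected to loginUrl whatever the relative order of the module's own processing and this code. The renewal branch is the answer to the sliding-timeout question: nothing else renews a ticket on behalf of a handler that sets Context.User itself, so the handler either calls RenewTicketIfOld or the ticket runs out at its original Expiration.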
Am I supposed to be hearing back from a Microsoft person on this within 2
business days using the MSDN Universal newsgroup MSDN stuff?

"AVance" <Aa***@noemail. nospam> wrote in message
news:%2******** ********@TK2MSF TNGP11.phx.gbl. ..
[quoted text of the original post omitted]

Nov 18 '05 #2
