
Authentication Not Required When it Should Be?

I have implemented ASP.NET Forms authentication in a test app. The app has a
number of forms - only one of which requires authentication in order to be
viewed (the "secured form"). Everything works as the documentation says it
should - with the exception that on subsequent browser sessions, the single
form that should require authentication in order to be viewed does, in fact,
display without the login form first appearing. In other words, it can be
viewed without the user first being authenticated.

I understand the 2nd parameter of the
[System.Web.Security.FormsAuthentication.RedirectFromLoginPage(string,bool)]
method controls whether a persistent cookie is created - so that ASP.NET can
"know" if the current user has been previously authenticated (during
previous browser sessions). However, in my testing, I have set that 2nd
parameter to both 'true' and 'false' and get the same result every time
(meaning that the secured form will appear on subsequent browser sessions
*without* the user first being redirected to the login form).

In my testing I have observed the value of Request.IsAuthenticated. The
value it contains (true or false) reflects whether the user has actually
been authenticated (as expected) - and accurately reflects the state of the
2nd parameter of the RedirectFromLoginPage() method as it was executed
during the previous browser session. However, the value of
Request.IsAuthenticated does not correlate with the login form appearing
when the user goes to view the secured form (the user can view the "secured
form" on subsequent browser sessions without having to first authenticate).

I find it odd and unexpected and problematic that on browser sessions after
the one in which the user was authenticated, Request.IsAuthenticated can be
'false' and yet ASP.NET still shows a page that should require
authentication in order to be viewed.

The only way I can get it to behave as expected is to go into IE6 | Tools |
Internet Options | and delete both cookies and Files in the Temporary
Internet files section of the General tab. This is how I get back to the
"baseline" normal state - the state in which the user is redirected to the
login form prior to being allowed to view the secured form.

FWIW:
I'm running IIS5, VS.NET 2003 - both on a stable WinXP Pro/SP1 development
machine. IE6/SP2 is the only browser I'm testing with for now.

Here are the relevant entries from Web.config:
<system.web>
    ....
    <authentication mode="Forms">
        <forms name="TestAppAuth" loginUrl="login.aspx" protection="All" path="/" />
    </authentication>
    ....
</system.web>

<location path="testform3.aspx">
    <system.web>
        <authorization>
            <deny users="?"/>
        </authorization>
    </system.web>
</location>

Any ideas? What am I missing?

Thanks.
Nov 18 '05 #1
1 Reply


I had this problem too... It's because the pages are still cached, which is
evident by the expected behavior appearing after clearing the temp files. I
played around with setting the pages to expire, and it worked. I don't
think I'm doing it exactly the right way, but I'm using the following:

http://support.microsoft.com/default...b;EN-US;222064
http://www.htmlgoodies.com/beyond/nocache.html

Response.Cache.SetCacheability(HttpCacheability.Private, "Community=DEV")
Brian

"David Krussow" <sc******@schmuks-r-us.com> wrote in message
news:%2****************@TK2MSFTNGP09.phx.gbl...
Nov 18 '05 #2
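The thread's diagnosis is that the browser is replaying a cached copy of testform3.aspx, so the authorization check in Web.config never runs on the later session. The following is an added example, not code from either poster, of a page base class that tells the browser not to store the secured page at all, and that fails closed if the request somehow reaches the page unauthenticated. It assumes the page classes behind <deny users="?"/> derive from it (the class name SecuredPage and the login path are assumptions; the login path matches the loginUrl in the thread's config) and uses only HttpCachePolicy members that exist in ASP.NET 1.1.

```csharp
// Added example (not from the thread): base class for pages that sit behind
// <deny users="?"/>. Cache-Control: no-cache, no-store plus an Expires in the
// past means a later browser session cannot display the page from its cache
// without going through forms authentication again.
using System;
using System.Web;
using System.Web.UI;

public class SecuredPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Belt and braces: the <authorization> block should already have
        // redirected anonymous users, but fail closed if it did not.
        if (!Request.IsAuthenticated)
        {
            // "login.aspx" matches loginUrl in the thread's Web.config (assumed).
            Response.Redirect("login.aspx?ReturnUrl=" + Server.UrlEncode(Request.RawUrl), true);
            return;
        }

        // Emit: Cache-Control: no-cache, no-store; Pragma: no-cache; Expires: <past>.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddYears(-1));
        Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
    }
}
```

HttpCacheability.Private, as used in the reply, only forbids shared (proxy) caches; the browser may still keep its own copy, which is exactly what shows up on the next session. NoCache together with SetNoStore is the setting to use for any page whose content depends on the user being authenticated, and it can be verified with the browser's developer tools by checking that the response carries Cache-Control: no-cache, no-store.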