I'm having a problem where my application forces the user to log on
intially, but then never forces them to reauthenticate. Following is the
login code currently but I've tried several different things. I can walk
away from the app for an hour and come back and it will still not force them
to log back in. Where can i look?
Here's current login code :
Private Sub btnLogon_Click(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles btnLogon.Click
Dim passwordVerified As Boolean = False
Try
'passwordVerified = VerifyPassword(txtUserName.Text,
txtPassword.Text)
'currently commented out until I get this working
passwordVerified = True
Catch ex As Exception
lblMessage.Text = ex.Message
Return
End Try
If passwordVerified = True Then
Dim intReset As Boolean
'intReset = Session("Reset") 'once again forcing value until
i get reauthenticate working
intReset = False
If intReset = True Then
Me.btnLogon.Visible = False
Me.btnReset.Visible = True
lblMessage.Text = "YOU MUST RESET YOUR PASSWORD TO CONTINUE!
Please enter a NEW password in the box above and click the Reset Password
button. You will then have to log in again."
Else
'Dim roles As String = GetCustomers(txtUserName.Text) '
'Trying to force it to timeout right away to test to make
sure it reauthenticates
Dim authTicket As New
System.Web.Security.FormsAuthenticationTicket(1, txtUserName.Text,
DateTime.Now, DateTime.Now.AddSeconds(10), False, "blah")
Dim encryptedTicket As String =
System.Web.Security.FormsAuthentication.Encrypt(au thTicket)
Dim authCookie As New
HttpCookie(System.Web.Security.FormsAuthentication .FormsCookieName,
encryptedTicket)
Response.Cookies.Add(authCookie)
Response.Redirect(Request("ReturnURL"))
'other things i've tried...
'System.Web.Security.FormsAuthentication.GetRedire ctUrl(txtUserName.Text,
False))
'FormsAuthentication.RedirectFromLoginPage(txtUser Name.Text,
False)
End If
Else
lblMessage.Text = "Invalid username or password"
End If
End Sub 'btnLogon_Click
Here's current web.config settings for authentication and authorization:
<authentication mode="Forms">
<forms loginUrl="login.aspx" name="sqlAuthCookie" timeout="1" path="/"
slidingExpiration="false"></forms>
</authentication>
<!-- AUTHORIZATION
This section sets the authorization policies of the application.
You can allow or deny access
to application resources by user or role. Wildcards: "*" mean
everyone, "?" means anonymous
(unauthenticated) users.
-->
<authorization>
<deny users="?" />
<allow users="*" /> <!-- Allow all users -->
<!-- <allow users="[comma separated list of users]"
roles="[comma separated list of roles]"/>
<deny users="[comma separated list of users]"
roles="[comma separated list of roles]"/>
-->
</authorization>
Any help appreciated,
Travis
