Re: Forms based security without cookies?

From: "Stephen Barrett" <stephen_barrett@nospam.aoncons.com>
Date: Wed, 24 Jul 2002 15:47:26 -0400


Thanks for the link, but it just simply talks about normal Forms Based
authentication. This still requires a cookie. I have read since my
original post that FormsBased authentication as written by MS HAS TO HAVE
cookies to work. If you can't use cookies, you have to write your own.
Where would I start to write my own authentication to work like Forms but
without the cookie?

I would think the following steps would need to be done:
1. Trap every request and somehow determine if the user is authenticated
2. If not authenticated, redirect to login keeping track of original URL
they were wanting
3. Check user/password and if valid, set *something* to know they are
authenticated
4. redirect to original page they were requesting

I was going to try something simple like a value in session object var with
values of 0 for NOT authenticated and 1 for authenticated. So, in step 1, I
would check Session["Authenticated"] for a value of 1. If it is a 1, then
let things go as normal. If it is a 0, perform steps number 2 and 3. In
step 3, if they pass user/password check, then set Session["Authenticated"]
= 1. When the loser finally logs out, then I would simply set
Session["Authenticated"] = 0.

Is this secure? What would be the problems?

Anyone have any other ideas?

"Vladimir Maysuradze" <mvv@ewebcoding.com> wrote in message
news:OKgMcvzMCHA.1624@tkmsftngp10...
> Read this article:
> http://www.fawcette.com/vsm/2002_08/online/chester/default.asp
>
> "Stephen Barrett" <stephen_barrett@nospam.aoncons.com> wrote in message
> news:eSAszryMCHA.2420@tkmsftngp11...
> > Is it possible to do forms based security without actually storing cookies
> > on the client machine? Forms based security looks like a perfect fit for
> > our application except we have hundreds of users who have cookies disabled
> > for one reason or another. We authenticate the users using information in a
> > database, but on machines that have cookies disabled, the site doesn't work.
> > We aren't using permanent cookies, just temporary ones with a 20 minute
> > timeout.
> >
> > Is there a way to do what forms based security is doing without the cookie?
> > If not, what would you recommend my next step be?
> >
> > TIA
> >
> >
>
>
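
Added example, not part of the original post or thread: the four steps above written as an ASP.NET `IHttpModule` that checks `Session["Authenticated"]`, plus the sign-in helper the login page would call. It assumes session state is configured as cookieless in web.config, and the module name, the `/login.aspx` path, the `ReturnUrl` key and the `SignIn`/`IsLocalUrl` helpers are all hypothetical.

```csharp
using System;
using System.Web;

// Added illustration of steps 1-4; names and paths below are assumptions.
public class SessionAuthModule : IHttpModule
{
    const string LoginPath = "/login.aspx";  // assumed login page at the site root
    const string ReturnKey = "ReturnUrl";    // assumed query-string key

    public void Init(HttpApplication app)
    {
        // Session state has been loaded by the time this event fires.
        app.PreRequestHandlerExecute += new EventHandler(CheckRequest);
    }

    public void Dispose() { }

    // Step 1: inspect every request; step 2: send anonymous users to the login page.
    void CheckRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (String.Compare(ctx.Request.Path, LoginPath, true) == 0) return;

        // A missing session or missing flag counts as "not authenticated".
        object flag = (ctx.Session == null) ? null : ctx.Session["Authenticated"];
        if (flag is int && (int)flag == 1) return;

        // ApplyAppPathModifier keeps the cookieless session ID in the path.
        string login = ctx.Response.ApplyAppPathModifier(LoginPath);
        ctx.Response.Redirect(login + "?" + ReturnKey + "=" +
                              HttpUtility.UrlEncode(ctx.Request.RawUrl));
    }

    // Steps 3-4: call from the login page only after the password check succeeded.
    public static void SignIn(HttpContext ctx, string returnUrl)
    {
        ctx.Session["Authenticated"] = 1;
        // Only follow a return URL that stays on this site.
        string target = IsLocalUrl(returnUrl) ? returnUrl : "/";
        ctx.Response.Redirect(ctx.Response.ApplyAppPathModifier(target));
    }

    // Accept "/path" but reject "//host", "/\host" and absolute URLs.
    public static bool IsLocalUrl(string url)
    {
        if (url == null || url.Length < 1 || url[0] != '/') return false;
        return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
    }
}
```

With cookieless sessions the session ID in the URL is the only thing identifying the signed-in user, so any place the URL is copied, logged or sent carries the session with it.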


