Re: Forms based security without cookies?
From: Vladimir Maysuradze (mvv@ewebcoding.com)
Date: 07/24/02
From: "Vladimir Maysuradze" <mvv@ewebcoding.com> Date: Wed, 24 Jul 2002 16:00:57 -0400
Read the article more carefully.
It goes into some theory, but then gives a working example of how to set up
Form-based authentication WITHOUT cookies.
"Stephen Barrett" <stephen_barrett@nospam.aoncons.com> wrote in message
news:#xPGjr0MCHA.488@tkmsftngp10...
> Thanks for the link, but it just simply talks about normal Forms Based
> authentication. This still requires a cookie. I have read since my
> original post that FormsBased authentication as written by MS HAS TO HAVE
> cookies to work. If you can't use cookies, you have to write your own.
> Where would I start to write my own authentication to work like Forms but
> without the cookie?
>
> I would think the following steps would need to be done:
> 1. Trap every request and somehow determine if the user is authenticated
> 2. If not authenticated, redirect to login keeping track of original URL
> they were wanting
> 3. Check user/password and if valid, set *something* to know they are
> authenticated
> 4. redirect to original page they were requesting
>
> I was going to try something simple like a value in session object var with
> values of 0 for NOT authenticated and 1 for authenticated. So, in step 1, I
> would check Session["Authenticated"] for a value of 1. If it is a 1, then
> let things go as normal. If it is a 0, perform steps number 2 and 3. In
> step 3, if they pass user/password check, then set Session["Authenticated"]
> = 1. When the loser finally logs out, then I would simply set
> Session["Authenticated"] = 0.
>
> Is this secure? What would be the problems?
>
> Anyone have any other ideas?
>
>
>
> "Vladimir Maysuradze" <mvv@ewebcoding.com> wrote in message
> news:OKgMcvzMCHA.1624@tkmsftngp10...
> > Read this article:
> > http://www.fawcette.com/vsm/2002_08/online/chester/default.asp
> >
> > "Stephen Barrett" <stephen_barrett@nospam.aoncons.com> wrote in message
> > news:eSAszryMCHA.2420@tkmsftngp11...
> > > Is it possible to do forms based security without actually storing cookies
> > > on the client machine? Forms based security looks like a perfect fit for
> > > our application except we have hundreds of users who have cookies disabled
> > > for one reason or another. We authenticate the users using information in a
> > > database, but on machines that have cookies disabled, the site doesn't work.
> > > We aren't using permanent cookies, just temporary ones with a 20-minute
> > > timeout.
> > >
> > > Is there a way to do what forms based security is doing without the cookie?
> > > If not, what would you recommend my next step be?
> > >
> > > TIA
> > >
> > >
> >
> >
>
>
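An added example, not part of either poster's message or of the linked article: the four steps and the Session["Authenticated"] flag from the quoted post, written as a Global.asax class in C#. It assumes ASP.NET cookieless session state (the session ID is carried in the URL instead of a cookie) and two hypothetical page paths, login.aspx and default.aspx.

```csharp
// Global.asax.cs: added example, not code from the thread or the linked article.
// Assumes <sessionState cookieless="true" timeout="20" /> in web.config.
using System;
using System.Web;

public class Global : HttpApplication
{
    const string LoginPage = "~/login.aspx";    // hypothetical path
    const string HomePage = "~/default.aspx";   // hypothetical path

    // Step 1: trap every request once session state has been loaded.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.Session == null) return;        // handler that does not use session state
        string login = VirtualPathUtility.ToAbsolute(LoginPage);
        if (string.Equals(ctx.Request.Path, login, StringComparison.OrdinalIgnoreCase))
            return;                             // never redirect the login page to itself
        object flag = ctx.Session["Authenticated"];
        if (flag is int && (int)flag == 1) return;
        // Step 2: go to login, remembering the URL the user wanted.
        ctx.Response.Redirect(login + "?ReturnUrl=" + HttpUtility.UrlEncode(ctx.Request.RawUrl));
    }

    // Steps 3 and 4: the login page calls this only after the user/password check passed.
    public static void SignIn(HttpContext ctx, string returnUrl)
    {
        ctx.Session["Authenticated"] = 1;
        // Follow ReturnUrl only when it is a path on this site, so a crafted
        // login link cannot send the user to another host after signing in.
        bool local = !string.IsNullOrEmpty(returnUrl)
            && returnUrl[0] == '/'
            && (returnUrl.Length == 1 || (returnUrl[1] != '/' && returnUrl[1] != '\\'));
        ctx.Response.Redirect(local ? returnUrl : VirtualPathUtility.ToAbsolute(HomePage));
    }

    public static void SignOut(HttpContext ctx)
    {
        ctx.Session["Authenticated"] = 0;       // the flag reset from the post
        ctx.Session.Abandon();                  // also drop the server-side session
    }
}
```

With cookieless sessions the session ID in the URL is the only thing standing in for the cookie, so anyone who obtains a logged-in URL within the timeout is treated as that user. Serve the site over HTTPS and keep the timeout short.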