Re: Forms based security without cookies?
From: Stephen Barrett (stephen_barrett@nospam.aoncons.com)
Date: 07/24/02
From: "Stephen Barrett" <stephen_barrett@nospam.aoncons.com> Date: Wed, 24 Jul 2002 16:21:38 -0400
Excuse my ignorance, but I reread the article again. The example they give
uses cookies. For instance, once they validate the user/password combo they
call FormsAuthentication.RedirectFromLoginPage(username.Text, false);.
This creates a cookie that is used to validate the person going forward.
The "false" argument that is passed simply states that the cookie isn't
persistent between sessions. In reality, setting it to true doesn't make it
permanent. It will time out in 50 years according to documentation.
I don't see anything or any examples not using the basic forms
authentication which uses cookies. Am I blind? If so, what exact page of
the article are you talking about? Please forgive my ignorance.
"Vladimir Maysuradze" <mvv@ewebcoding.com> wrote in message
news:uMo#Vx0MCHA.1120@tkmsftngp10...
> Read the article more carefully.
> It goes into some theory, but then gives working example of how to set
> Form-based authentication WITHOUT cookies.
>
> "Stephen Barrett" <stephen_barrett@nospam.aoncons.com> wrote in message
> news:#xPGjr0MCHA.488@tkmsftngp10...
> > Thanks for the link, but it just simply talks about normal Forms Based
> > authentication. This still requires a cookie. I have read since my
> > original post that FormsBased authentication as written by MS HAS TO HAVE
> > cookies to work. If you can't use cookies, you have to write your own.
> > Where would I start to write my own authentication to work like Forms but
> > without the cookie?
> >
> > I would think the following steps would need to be done:
> > 1. Trap every request and somehow determine if the user is authenticated
> > 2. If not authenticated, redirect to login keeping track of original URL
> > they were wanting
> > 3. Check user/password and if valid, set *something* to know they are
> > authenticated
> > 4. redirect to original page they were requesting
> >
> > I was going to try something simple like a value in session object var with
> > values of 0 for NOT authenticated and 1 for authenticated. So, in step 1, I
> > would check Session["Authenticated"] for a value of 1. If it is a 1, then
> > let things go as normal. If it is a 0, perform steps number 2 and 3. In
> > step 3, if they pass user/password check, then set Session["Authenticated"]
> > = 1. When the loser finally logs out, then I would simply set
> > Session["Authenticated"] = 0.
> >
> > Is this secure? What would be the problems?
> >
> > Anyone have any other ideas?
> >
> >
> >
> > "Vladimir Maysuradze" <mvv@ewebcoding.com> wrote in message
> > news:OKgMcvzMCHA.1624@tkmsftngp10...
> > > Read this article:
> > > http://www.fawcette.com/vsm/2002_08/online/chester/default.asp
> > >
> > > "Stephen Barrett" <stephen_barrett@nospam.aoncons.com> wrote in message
> > > news:eSAszryMCHA.2420@tkmsftngp11...
> > > > Is it possible to do forms based security without actually storing cookies
> > > > on the client machine? Forms based security looks like a perfect fit for
> > > > our application except we have hundreds of users who have cookies disabled
> > > > for one reason or another. We authenticate the users using information in a
> > > > database, but on machines that have cookies disabled, the site doesn't work.
> > > > We aren't using permanent cookies, just temporary ones with a 20minute
> > > > timeout.
> > > >
> > > > Is there a way to do what forms based security is doing without the cookie?
> > > > If not, what would you recommend my next step be?
> > > >
> > > > TIA
> > > >
> > > >
> > >
> > >
> >
> >
>
>
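
Steps 1-4 from the quoted post, sketched as an ASP.NET HTTP module; this is an added example, not code from the thread or the linked article. The module name, the login path, the cookieless session-state setting and .NET Framework 2.0 or later are assumptions.

```csharp
using System;
using System.Web;
// Hypothetical module (name and login path are assumptions, not from the thread).
// Assumes <sessionState cookieless="true" /> in web.config, so the session id
// travels in the URL instead of a cookie; register the module under <httpModules>.
public class SessionAuthModule : IHttpModule
{
    const string LoginPath = "~/login.aspx";   // assumed login page
    public void Init(HttpApplication app)
    {
        // Step 1: trap every request once session state is available.
        app.AcquireRequestState += new EventHandler(OnAcquireRequestState);
    }

    public void Dispose() { }

    static void OnAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Session == null) return;   // handler has no session state (not a page)
        string login = VirtualPathUtility.ToAbsolute(LoginPath);
        if (string.Equals(ctx.Request.Path, login, StringComparison.OrdinalIgnoreCase)) return;
        object flag = ctx.Session["Authenticated"];
        if (flag is int && (int)flag == 1) return;   // already signed in
        // Step 2: send to login, remembering the originally requested URL.
        ctx.Response.Redirect(login + "?ReturnUrl=" + HttpUtility.UrlEncode(ctx.Request.RawUrl), true);
    }

    // Steps 3-4: call from the login page after the user/password check passes.
    public static void SignIn(HttpContext ctx, string returnUrl)
    {
        ctx.Session["Authenticated"] = 1;
        ctx.Response.Redirect(SafeLocalUrl(returnUrl), true);
    }

    public static void SignOut(HttpContext ctx)
    {
        ctx.Session["Authenticated"] = 0;
        ctx.Session.Abandon();   // discard the server-side session as well
    }

    // Accept only same-site paths so ReturnUrl cannot send the user off-site.
    static string SafeLocalUrl(string url)
    {
        bool local = !string.IsNullOrEmpty(url) && url[0] == '/' && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
        return local ? url : VirtualPathUtility.ToAbsolute("~/");
    }
}
```

With cookieless sessions the session id in the URL is the only credential, and it appears in server logs, bookmarks and Referer headers, so the session timeout should stay short.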