Re: Forms based security without cookies?
From: Aaron Margosis [MS] (aaronmaronline@microsoft.com)
Date: 07/25/02
From: "Aaron Margosis [MS]" <aaronmaronline@microsoft.com> Date: Wed, 24 Jul 2002 23:19:22 -0500
You are correct -- the current implementation of ASP.NET Forms
authentication requires that session cookies be enabled.
Is user education possible? By that I mean -- can you convince your users
to enable just session cookies? Persistent cookies are the only ones that
can cause issues.
"Stephen Barrett" <stephen_barrett@nospam.aoncons.com> wrote in message
news:uxQnq#0MCHA.2524@tkmsftngp10...
> Excuse my ignorance, but I reread the article again. The example they give
> uses cookies. For instance, once they validate the user/password combo they
> call FormsAuthentication.RedirectFromLoginPage(username.Text, false);.
> This creates a cookie that is used to validate the person going forward.
> The "false" argument that is passed simply states that the cookie isn't
> persistent between sessions. In reality, setting it to true doesn't make it
> permanent. It will time out in 50 years according to documentation.
>
> I don't see anything or any examples not using the basic forms
> authentication which uses cookies. Am I blind? If so, what exact page of
> the article are you talking about? Please forgive my ignorance.
>
>
> "Vladimir Maysuradze" <mvv@ewebcoding.com> wrote in message
> news:uMo#Vx0MCHA.1120@tkmsftngp10...
> > Read the article more carefully.
> > It goes into some theory, but then gives working example of how to set
> > Form-based authentication WITHOUT cookies.
> >
> > "Stephen Barrett" <stephen_barrett@nospam.aoncons.com> wrote in message
> > news:#xPGjr0MCHA.488@tkmsftngp10...
> > > Thanks for the link, but it just simply talks about normal Forms Based
> > > authentication. This still requires a cookie. I have read since my
> > > original post that FormsBased authentication as written by MS HAS TO HAVE
> > > cookies to work. If you can't use cookies, you have to write your own.
> > > Where would I start to write my own authentication to work like Forms but
> > > without the cookie?
> > >
> > > I would think the following steps would need to be done:
> > > 1. Trap every request and somehow determine if the user is authenticated
> > > 2. If not authenticated, redirect to login keeping track of original URL
> > > they were wanting
> > > 3. Check user/password and if valid, set *something* to know they are
> > > authenticated
> > > 4. redirect to original page they were requesting
> > >
> > > I was going to try something simple like a value in session object var with
> > > values of 0 for NOT authenticated and 1 for authenticated. So, in step 1, I
> > > would check Session["Authenticated"] for a value of 1. If it is a 1, then
> > > let things go as normal. If it is a 0, perform steps number 2 and 3. In
> > > step 3, if they pass user/password check, then set Session["Authenticated"]
> > > = 1. When the loser finally logs out, then I would simply set
> > > Session["Authenticated"] = 0.
> > >
> > > Is this secure? What would be the problems?
> > >
> > > Anyone have any other ideas?
> > >
> > >
> > >
> > > "Vladimir Maysuradze" <mvv@ewebcoding.com> wrote in message
> > > news:OKgMcvzMCHA.1624@tkmsftngp10...
> > > > Read this article:
> > > > http://www.fawcette.com/vsm/2002_08/online/chester/default.asp
> > > >
> > > > "Stephen Barrett" <stephen_barrett@nospam.aoncons.com> wrote in message
> > > > news:eSAszryMCHA.2420@tkmsftngp11...
> > > > > Is it possible to do forms based security without actually storing cookies
> > > > > on the client machine? Forms based security looks like a perfect fit for
> > > > > our application except we have hundreds of users who have cookies disabled
> > > > > for one reason or another. We authenticate the users using information in a
> > > > > database, but on machines that have cookies disabled, the site doesn't work.
> > > > > We aren't using permanent cookies, just temporary ones with a 20 minute
> > > > > timeout.
> > > > >
> > > > > Is there a way to do what forms based security is doing without the cookie?
> > > > > If not, what would you recommend my next step be?
> > > > >
> > > > > TIA
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
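
The four steps quoted above (check every request, redirect to login, set a session flag, return to the original page), written out as an added example that is not part of this thread or the linked article. It assumes ASP.NET session state is configured to carry the session ID in the URL rather than in a cookie; `AuthGate`, `login.aspx` and the `ReturnUrl` parameter are hypothetical names.

```csharp
// Added example (constructed). Assumes web.config puts the session ID in the URL:
//   <sessionState mode="InProc" cookieless="true" timeout="20" />
// "login.aspx", "ReturnUrl" and the AuthGate class are assumed names.
using System;
using System.Web;
public class Global : HttpApplication
{
    // Step 1: runs on every request, after session state has been loaded.
    protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.Session == null) return;              // handler that uses no session state
        if (ctx.Request.Path.ToLower().EndsWith("/login.aspx")) return;
        if (AuthGate.IsAuthenticated(ctx)) return;
        // Step 2: go to the login page, remembering the URL that was requested.
        AuthGate.Go(ctx, ctx.Request.ApplicationPath.TrimEnd('/') + "/login.aspx",
            "?ReturnUrl=" + HttpUtility.UrlEncode(ctx.Request.Url.PathAndQuery));
    }
}

public sealed class AuthGate
{
    public static bool IsAuthenticated(HttpContext ctx)
    {
        object flag = ctx.Session["Authenticated"];
        return flag is int && (int)flag == 1;         // absent or 0: not logged in
    }
    // Redirect with the session ID re-inserted into the path (cookieless mode).
    public static void Go(HttpContext ctx, string path, string query)
    {
        ctx.Response.Redirect(ctx.Response.ApplyAppPathModifier(path) + query);
    }
    // Steps 3 and 4: call from login.aspx only after the user/password check passed.
    public static void SignIn(HttpContext ctx, string returnUrl)
    {
        ctx.Session["Authenticated"] = 1;
        // Follow only a local path; anything else goes to the application root.
        bool local = returnUrl != null && returnUrl.StartsWith("/")
            && !returnUrl.StartsWith("//") && returnUrl.IndexOf('\\') < 0;
        if (!local) returnUrl = ctx.Request.ApplicationPath;
        int q = returnUrl.IndexOf('?');
        if (q < 0) Go(ctx, returnUrl, "");
        else Go(ctx, returnUrl.Substring(0, q), returnUrl.Substring(q));
    }
    public static void SignOut(HttpContext ctx)
    {
        ctx.Session["Authenticated"] = 0;
        ctx.Session.Abandon();                        // drop the server-side session
    }
}
```

With the session ID in the URL it is the only credential, and it appears wherever URLs do (browser history, proxy and server logs, Referer headers, pasted links), so this scheme wants HTTPS and a short `timeout`.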