Re: Forms based security without cookies?
From: David Li (david.li@yourcall.com)
Date: 07/25/02
- In reply to: Aaron Margosis [MS]: "Re: Forms based security without cookies?"
From: "David Li" <david.li@yourcall.com> Date: Thu, 25 Jul 2002 15:42:11 -0500
To disable the Session cookie too, modify your web.config: find the
<sessionState> section and change it
so it says cookieless=true. So you get pure cookieless form authentication.
David
"Aaron Margosis [MS]" <aaronmaronline@microsoft.com> wrote in message
news:#RJnJK5MCHA.944@tkmsftngp10...
> You are correct -- the current implementation of ASP.NET Forms
> authentication requires that session cookies be enabled.
>
> Is user education possible? By that I mean -- can you convince your users
> to enable just session cookies? Persistent cookies are the only ones that
> can cause issues.
>
>
>
> "Stephen Barrett" <stephen_barrett@nospam.aoncons.com> wrote in message
> news:uxQnq#0MCHA.2524@tkmsftngp10...
> > Excuse my ignorance, but I reread the article again. The example they give
> > uses cookies. For instance, once they validate the user/password combo they
> > call FormsAuthentication.RedirectFromLoginPage(username.Text, false);.
> > This creates a cookie that is used to validate the person going forward.
> > The "false" argument that is passed simply states that the cookie isn't
> > persistent between sessions. In reality, setting it to true doesn't make it
> > permanent. It will time out in 50 years according to documentation.
> >
> > I don't see anything or any examples not using the basic forms
> > authentication which uses cookies. Am I blind? If so, what exact page of
> > the article are you talking about? Please forgive my ignorance.
> >
> >
> > "Vladimir Maysuradze" <mvv@ewebcoding.com> wrote in message
> > news:uMo#Vx0MCHA.1120@tkmsftngp10...
> > > Read the article more carefully.
> > > It goes into some theory, but then gives working example of how to set
> > > Form-based authentication WITHOUT cookies.
> > >
> > > "Stephen Barrett" <stephen_barrett@nospam.aoncons.com> wrote in message
> > > news:#xPGjr0MCHA.488@tkmsftngp10...
> > > > Thanks for the link, but it just simply talks about normal Forms Based
> > > > authentication. This still requires a cookie. I have read since my
> > > > original post that FormsBased authentication as written by MS HAS TO HAVE
> > > > cookies to work. If you can't use cookies, you have to write your own.
> > > > Where would I start to write my own authentication to work like Forms but
> > > > without the cookie?
> > > >
> > > > I would think the following steps would need to be done:
> > > > 1. Trap every request and somehow determine if the user is authenticated
> > > > 2. If not authenticated, redirect to login keeping track of original URL
> > > > they were wanting
> > > > 3. Check user/password and if valid, set *something* to know they are
> > > > authenticated
> > > > 4. redirect to original page they were requesting
> > > >
> > > > I was going to try something simple like a value in session object var with
> > > > values of 0 for NOT authenticated and 1 for authenticated. So, in step 1, I
> > > > would check Session["Authenticated"] for a value of 1. If it is a 1, then
> > > > let things go as normal. If it is a 0, perform steps number 2 and 3. In
> > > > step 3, if they pass user/password check, then set Session["Authenticated"]
> > > > = 1. When the loser finally logs out, then I would simply set
> > > > Session["Authenticated"] = 0.
> > > >
> > > > Is this secure? What would be the problems?
> > > >
> > > > Anyone have any other ideas?
> > > >
> > > >
> > > >
> > > > "Vladimir Maysuradze" <mvv@ewebcoding.com> wrote in message
> > > > news:OKgMcvzMCHA.1624@tkmsftngp10...
> > > > > Read this article:
> > > > > http://www.fawcette.com/vsm/2002_08/online/chester/default.asp
> > > > >
> > > > > "Stephen Barrett" <stephen_barrett@nospam.aoncons.com> wrote in message
> > > > > news:eSAszryMCHA.2420@tkmsftngp11...
> > > > > > Is it possible to do forms based security without actually storing cookies
> > > > > > on the client machine? Forms based security looks like a perfect fit for
> > > > > > our application except we have hundreds of users who have cookies disabled
> > > > > > for one reason or another. We authenticate the users using information in a
> > > > > > database, but on machines that have cookies disabled, the site doesn't work.
> > > > > > We aren't using permanent cookies, just temporary ones with a 20 minute
> > > > > > timeout.
> > > > > >
> > > > > > Is there a way to do what forms based security is doing without the cookie?
> > > > > > If not, what would you recommend my next step be?
> > > > > >
> > > > > > TIA
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
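
The four steps Stephen Barrett lists, combined with the cookieless <sessionState> setting from David's reply, written out as an added example that is not part of the original thread or of the article it links to. The Login.aspx page name, the ReturnUrl parameter and the SessionAuth helper class are assumptions made for illustration.

```csharp
// Added example, not from the thread. Assumes <sessionState cookieless="true" />
// in web.config and a hypothetical login page Login.aspx in the application root.
using System;
using System.Web;
using System.Web.SessionState;

public class Global : HttpApplication
{
    // Step 1: check every request once session state has been loaded.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.Session == null) return; // handler without session state: not covered
        string root = ctx.Request.ApplicationPath;
        if (!root.EndsWith("/")) root += "/";
        string login = root + "Login.aspx";
        // FilePath excludes trailing path info, so /page.aspx/Login.aspx does not match.
        bool onLogin = String.Compare(ctx.Request.FilePath, login, true) == 0;
        if (onLogin || SessionAuth.IsAuthenticated(ctx.Session)) return;
        // Step 2: redirect to login, remembering the URL that was requested.
        ctx.Response.Redirect(login + "?ReturnUrl="
            + HttpUtility.UrlEncode(ctx.Request.RawUrl));
    }
}

public class SessionAuth // hypothetical helper, called from Login.aspx and the logout page
{
    public static bool IsAuthenticated(HttpSessionState session)
    {
        object flag = session["Authenticated"];
        return flag is int && (int)flag == 1; // missing or other value: not logged in
    }
    // Step 3: call only after the user/password check against the database passed.
    public static void SignIn(HttpSessionState session) { session["Authenticated"] = 1; }
    // Step 4: Login.aspx redirects to this value; only a ReturnUrl on this site is followed.
    public static string SafeReturnUrl(string returnUrl, string fallback)
    {
        if (returnUrl == null || returnUrl.Length == 0) return fallback;
        bool local = returnUrl[0] == '/' && !returnUrl.StartsWith("//")
                     && !returnUrl.StartsWith("/\\");
        return local ? returnUrl : fallback;
    }
    // Logout: clear the flag and discard the server-side session.
    public static void SignOut(HttpSessionState session)
    {
        session["Authenticated"] = 0;
        session.Abandon();
    }
}
```

With cookieless=true the session ID is part of every URL, so it also ends up in server logs, bookmarks and Referer headers; the session timeout bounds how long a copied URL stays valid.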