Re: Forms based security without cookies?
From: Aaron Margosis [MS] (aaronmaronline@microsoft.com)
Date: 07/27/02
- Next message: Troy Busot: "Authentication from another Application on server"
- Previous message: Vladimir Maysuradze: "How to do Forms based authentication without cookies"
- In reply to: David Li: "Re: Forms based security without cookies?"
- Next in thread: Eric: "Re: Forms based security without cookies?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Aaron Margosis [MS]" <aaronmaronline@microsoft.com> Date: Fri, 26 Jul 2002 19:14:33 -0500
That's only for the session identifier. Forms authentication still uses and
requires cookies.
"David Li" <david.li@yourcall.com> wrote in message
news:OTBuquBNCHA.2280@tkmsftngp13...
> To disable Session cookie too, go to modify your web.config, find the
> <sessionState> section, and change it
> so it says cookieless=true. So you got pure cookieless form authentication.
>
>
> David
>
>
> "Aaron Margosis [MS]" <aaronmaronline@microsoft.com> wrote in message
> news:#RJnJK5MCHA.944@tkmsftngp10...
> > You are correct -- the current implementation of ASP.NET Forms
> > authentication requires that session cookies be enabled.
> >
> > Is user education possible? By that I mean -- can you convince your users
> > to enable just session cookies? Persistent cookies are the only ones that
> > can cause issues.
> >
> >
> >
> > "Stephen Barrett" <stephen_barrett@nospam.aoncons.com> wrote in message
> > news:uxQnq#0MCHA.2524@tkmsftngp10...
> > > Excuse my ignorance, but I reread the article again. The example they give
> > > uses cookies. For instance, once they validate the user/password combo they
> > > call FormsAuthentication.RedirectFromLoginPage(username.Text, false);.
> > > This creates a cookie that is used to validate the person going forward.
> > > The "false" argument that is passed simply states that the cookie isn't
> > > persistent between sessions. In reality, setting it to true doesn't make it
> > > permanent. It will time out in 50 years according to documentation.
> > >
> > > I don't see anything or any examples not using the basic forms
> > > authentication which uses cookies. Am I blind? If so, what exact page of
> > > the article are you talking about? Please forgive my ignorance.
> > >
> > >
> > > "Vladimir Maysuradze" <mvv@ewebcoding.com> wrote in message
> > > news:uMo#Vx0MCHA.1120@tkmsftngp10...
> > > > Read the article more carefully.
> > > > It goes into some theory, but then gives working example of how to set
> > > > Form-based authentication WITHOUT cookies.
> > > >
> > > > "Stephen Barrett" <stephen_barrett@nospam.aoncons.com> wrote in message
> > > > news:#xPGjr0MCHA.488@tkmsftngp10...
> > > > > Thanks for the link, but it just simply talks about normal Forms Based
> > > > > authentication. This still requires a cookie. I have read since my
> > > > > original post that FormsBased authentication as written by MS HAS TO HAVE
> > > > > cookies to work. If you can't use cookies, you have to write your own.
> > > > > Where would I start to write my own authentication to work like Forms but
> > > > > without the cookie?
> > > > >
> > > > > I would think the following steps would need to be done:
> > > > > 1. Trap every request and somehow determine if the user is authenticated
> > > > > 2. If not authenticated, redirect to login keeping track of original URL
> > > > > they were wanting
> > > > > 3. Check user/password and if valid, set *something* to know they are
> > > > > authenticated
> > > > > 4. redirect to original page they were requesting
> > > > >
> > > > > I was going to try something simple like a value in session object var with
> > > > > values of 0 for NOT authenticated and 1 for authenticated. So, in step 1, I
> > > > > would check Session["Authenticated"] for a value of 1. If it is a 1, then
> > > > > let things go as normal. If it is a 0, perform steps number 2 and 3. In
> > > > > step 3, if they pass user/password check, then set Session["Authenticated"]
> > > > > = 1. When the loser finally logs out, then I would simply set
> > > > > Session["Authenticated"] = 0.
> > > > >
> > > > > Is this secure? What would be the problems?
> > > > >
> > > > > Anyone have any other ideas?
> > > > >
> > > > >
> > > > >
> > > > > "Vladimir Maysuradze" <mvv@ewebcoding.com> wrote in message
> > > > > news:OKgMcvzMCHA.1624@tkmsftngp10...
> > > > > > Read this article:
> > > > > > http://www.fawcette.com/vsm/2002_08/online/chester/default.asp
> > > > > >
> > > > > > "Stephen Barrett" <stephen_barrett@nospam.aoncons.com> wrote in message
> > > > > > news:eSAszryMCHA.2420@tkmsftngp11...
> > > > > > > Is it possible to do forms based security without actually storing cookies
> > > > > > > on the client machine? Forms based security looks like a perfect fit for
> > > > > > > our application except we have hundreds of users who have cookies disabled
> > > > > > > for one reason or another. We authenticate the users using information in a
> > > > > > > database, but on machines that have cookies disabled, the site doesn't work.
> > > > > > > We aren't using permanent cookies, just temporary ones with a 20 minute
> > > > > > > timeout.
> > > > > > >
> > > > > > > Is there a way to do what forms based security is doing without the cookie?
> > > > > > > If not, what would you recommend my next step be?
> > > > > > >
> > > > > > > TIA
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>