Re: Forms based security without cookies?

From: Beth Breidenbach (bbreidenbach@mindspring.com)
Date: 08/27/02


From: "Beth Breidenbach" <bbreidenbach@mindspring.com>
Date: Mon, 26 Aug 2002 22:15:03 -0700


There are two flaws in the article's discussion of cookieless
authentication. I can say that without offending the author since she's me.
:-)

First, as Eric points out, you need to remember to programmatically append
the authentication parameter to each call to the secured forms. The
FormsAuthenticationModule will pick up the URL parameter and handle it as it
would a cookie-provided authentication ticket.

Second, just to clarify: cookieless authentication doesn't mean that
ASP.NET won't attempt to write a cookie to the browser. It'll try, and if
the client's browser accepts it then you're in a "cookied" authentication
mode. It's only if the client browser didn't accept the cookie that the URL
parameter comes into play. This can create some confusion when you're
testing... :-) Andy Wigley posted some code to
microsoft.public.dotnet.framework.aspnet.mobile on 5/12/02 that you can put
into your secured pages to force the URL check for your development testing
purposes. (Note that while Andy mentions putting the code in page_login it
should actually be placed in page_load.)

Hope this helps,

Beth Breidenbach

"Eric" <fish11@earthling.net> wrote in message
news:#bVMm6cSCHA.1776@tkmsftngp12...
> Hi, I think I can help you.
>
> Form-based security without cookies is tricky.
> Read first this:
> http://www.aspnetpro.com/features/2002/08/asp200208bb_f/asp200208bb_f.asp
> There are some hints, but not all.
>
> For ex. this function "FormsAuthentication.RedirectFromLoginPage(sUser,
> False)" , you can't use.
> It will always try to store a cookie.
> The trick is, to send for every page your authentication ticket not as
> cookie but as parameter for the URL. (read the article).
> Also important is, to add this special parameter to the url for every page
> and with the same name like the cookie name. I think the FormsAuthentication
> Module will look for this parameter in the url automatically.
>
> I don't understand, why Microsoft haven't added a chapter to the documentation
> about this point.
>
> I hope this helps
> Eric
>
>
>
>
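
An added example, not code from the article or from either poster: one way to append the ticket to every link to a secured page, as the thread describes. The class and method names are hypothetical, and the example assumes the FormsAuthenticationModule query-string pickup that the post describes.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper: class and method names are assumptions for illustration.
public static class CookielessTicket
{
    // Login page: issue the ticket and carry it in the URL of the first secured page.
    public static void RedirectAfterLogin(HttpResponse response, string userName, string target)
    {
        HttpCookie cookie = FormsAuthentication.GetAuthCookie(userName, false);
        response.Redirect(AppendTicket(target, cookie.Name, cookie.Value));
    }

    // Secured pages: call this for every link or redirect to another secured page.
    public static string Append(HttpRequest request, string url)
    {
        string name = FormsAuthentication.FormsCookieName;

        // Browser accepted the cookie ("cookied" mode): keep the ticket out of URLs.
        if (request.Cookies[name] != null)
            return url;

        // No cookie: forward the ticket this request arrived with, if it had one.
        string ticket = request.QueryString[name];
        if (ticket == null || ticket.Length == 0)
            return url;

        return AppendTicket(url, name, ticket);
    }

    // Adds "<name>=<ticket>" to a site-relative URL, keeping query string and fragment.
    public static string AppendTicket(string url, string name, string ticket)
    {
        // Absolute and protocol-relative URLs are returned unchanged, so the ticket
        // is never sent to another host. A relative URL that happens to contain
        // "://" is also left alone, which fails safe.
        if (url.IndexOf("://") >= 0 || url.StartsWith("//"))
            return url;

        string fragment = "";
        int hash = url.IndexOf('#');
        if (hash >= 0)
        {
            fragment = url.Substring(hash);
            url = url.Substring(0, hash);
        }

        string separator = url.IndexOf('?') >= 0 ? "&" : "?";
        return url + separator + name + "=" + HttpUtility.UrlEncode(ticket) + fragment;
    }
}
```

A ticket carried in the URL is recorded in browser history and in server and proxy logs, and is sent in the Referer header when the user follows an off-site link, so anything that stores or receives those URLs holds a usable credential until the ticket expires.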


