Re: Framework bug with Auth and Session state?
From: Jim Johnson (zoot2004_at_hushmail.com)
Date: 07/08/03
Date: Mon, 7 Jul 2003 21:40:30 -0400
Dan,
I don't know if it is a bug or not, but I experience the same problems.
Like you say, it is a duplication of effort and annoying when using Visual
Studio.Net.
In my particular case, I was storing a password in a session variable so
that it could be passed each time a connection was made to the database. My
question (which I posted, but received no response) was whether
authenticating using Forms Auth and using a trusted db connection was
sufficient security. In other words: is restricting access to .aspx pages
which access the database sufficient security, or should I use a combination
of Forms Auth and password in the connection string (stored in a session
var)?
If the latter, well, either I put up with the duplication and mismatched
expiration, or I return to my old methods under classic ASP.
Any thoughts?
Josh
<DanR@REMOVETHISTOGETTOME-warshawgroup.com> wrote in message
news:%23GjCNLJRDHA.3144@tk2msftngp13.phx.gbl...
> I posted this under another thread but want to clearly articulate it to the
> newsgroup.
>
> At the point my user authenticates/logs in, I set up their session variables
> and use Forms Auth to let them get around the site. I rely on a
> "User.Identity.IsAuthenticated" to tell me if the user is good- by good I
> mean that I assume that if the user is Authenticated that the session is
> still valid. The bug is that sometimes the session ends but
> "User.Identity.IsAuthenticated" still returns true.
>
> The problem is that sometimes the user at the browser is in this
> inconsistent state where the Session has been voided/invalidated (it's
> empty) but the ASP framework still treats the user as authenticated. This is
> bad. I'm not sure why the framework treats them as independently managed
> cookies. (I mean I know why it is two different cookies, but not why they
> are not tied together in a better/more correct/useful way.) You can tell me
> this behavior is a feature and not a bug, but I'll reply that it makes it
> somewhat useless.
>
> I specifically see this problem when I am working in the development
> environment- the session gets killed by restarting the debugger, but the
> client/web is still authenticated/signed in.
>
> Obviously I want those things tied together. If I have to do a check on
> every page to see if the session is valid and have them sent to a login page
> to log in if it is not valid- well, guess what? I've just rebuilt the Forms
> Auth functionality of the following config and having it available to me is
> not useful.
>
> <authorization>
> <deny users ="?" />
> <allow users ="*" />
> </authorization>
>
>
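
The mismatch described in this thread (session gone, Forms Auth ticket still valid) can be checked in one place rather than on every page. The Global.asax code-behind below is an added example, not part of the original posts; the session key "LoggedInUser" is an assumption, and the login page is assumed to store the user name under it right after a successful sign-in.

```csharp
// Global.asax.cs (added example, not code from the thread)
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Assumption: the login page stores the signed-in user name under this
    // key immediately after it issues the Forms Auth ticket.
    private const string SessionOwnerKey = "LoggedInUser";

    // Fires on every request once session state has been loaded.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;

        // Handlers that do not use session state expose no Session object.
        if (ctx.Session == null)
            return;

        // Anonymous requests are already handled by <deny users="?" />.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return;

        // Consistent state: this session was populated for this identity.
        string owner = ctx.Session[SessionOwnerKey] as string;
        if (owner != null && owner == ctx.User.Identity.Name)
            return;

        // The ticket outlived the session (timeout, app restart, debugger
        // restart) or the session belongs to another identity. Drop both so
        // the two cookies cannot disagree, then re-request the same URL;
        // the now-anonymous request is sent to the login page by Forms Auth.
        ctx.Session.Abandon();
        FormsAuthentication.SignOut();
        ctx.Response.Redirect(ctx.Request.RawUrl, true);
    }
}
```

Keeping the Forms Auth timeout no longer than the session timeout reduces how often this branch is hit, but the check is still needed because in-process session state is lost whenever the application restarts.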