Re: Framework bug with Auth and Session state?
From: Joe Iano (jiano_at_no.amphioncom.spam.com)
Date: 07/08/03
- Next message: cct: "Folder Security"
- Previous message: andrew: "Re: Framework bug with Auth and Session state?"
- In reply to: DanR_at_REMOVETHISTOGETTOME-warshawgroup.com: "Framework bug with Auth and Session state?"
- Next in thread: Teemu Keiski: "Re: Framework bug with Auth and Session state?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 7 Jul 2003 21:41:04 -0700
I don't think it's a bug. The user's authentication is maintained by a
cookie on the client's browser. So as long as the browser stays open, the
cookie remains, and the user is authenticated. I am guessing that since the
user's credentials are stored in the cookie itself, and not on the server,
the authentication never times out.
Session info is stored on the server, using the session cookie only as an
id. So when an inactive session is dropped, the session information is lost.
Perhaps in your case, you would be better off checking for a valid session,
rather than "User.Identity.IsAuthenticated". If the user isn't authenticated,
they shouldn't show up at all in, so that's not really telling you much. But
if you find a user with no session (and also authenticated), then you will
need to re-establish their session status, whatever that entails for your
application.
<DanR@REMOVETHISTOGETTOME-warshawgroup.com> wrote in message
news:%23GjCNLJRDHA.3144@tk2msftngp13.phx.gbl...
I posted this under another thread but want to clearly articulate it to the
newsgroup.
At the point my user authenticates/logs in, I set up their session variables
and use Forms Auth to let them get around the site. I rely on a
"User.Identity.IsAuthenticated" to tell me if the user is good- by good I
mean that I assume that if the user is Authenticated that the session is
still valid. The bug is that sometimes the session ends but
"User.Identity.IsAuthenticated" still returns true.
The problem is that sometimes the user at the browser is in this
inconsistent state where the Session has been voided/invalidated (it's
empty) but the ASP framework still treats the user as authenticated. This is
bad. I'm not sure why the framework treats them as independently managed
cookies. (I mean I know why it is two different cookies, but not why they
are not tied together better/more correct/useful way.) You can tell me this
behavior is a feature and not a bug, but I'll reply that it makes it
somewhat useless.
I specifically see this problem when I am working in the development
environment- the session gets killed by restarting the debugger, but the
client/web is still authenticated/signed in.
Obviously I want those things tied together. If I have to do a check on
every page to see if the session is valid and have them sent to a login page
to log in if it is not valid- well, guess what? I've just rebuilt the Forms
Auth functionality of the following config and having it available to me is
not useful.
<authorization>
<deny users ="?" />
<allow users ="*" />
</authorization>
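
An added example, not part of the original posts: one way to apply the suggestion in the reply above from a single place (Global.asax) instead of on every page, by detecting a request that carries a valid Forms Authentication ticket but an empty session and then either re-establishing the session or signing the user out. The session keys `ProfileLoaded` and `UserName` and the helper `RebuildSession` are hypothetical names; `FormsAuthentication.LoginUrl` requires .NET 2.0 or later.

```csharp
// Global.asax.cs (added example; session key names and RebuildSession are hypothetical)
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Hypothetical marker the application's login code sets once the
    // per-user session variables have been loaded.
    private const string SessionMarker = "ProfileLoaded";

    // Runs once per request, after session state has been attached.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;

        // Session is null for handlers that do not use session state.
        if (ctx.Session == null) return;

        // Anonymous requests are already handled by <deny users="?" />.
        if (!ctx.Request.IsAuthenticated) return;

        // Ticket is valid and the marker is present: the two are in sync.
        if (ctx.Session[SessionMarker] != null) return;

        // Authenticated ticket, but the server-side session was lost
        // (timeout, worker process recycle, debugger restart).
        if (RebuildSession(ctx)) return;

        // Cannot rebuild: tie the two together by ending the login too.
        FormsAuthentication.SignOut();   // expires the auth cookie
        ctx.Session.Abandon();           // discards the empty session
        ctx.Response.Redirect(FormsAuthentication.LoginUrl, true);
    }

    // Re-creates session values from the identity in the auth ticket.
    // Returns false when the ticket carries nothing usable to rebuild from.
    private static bool RebuildSession(HttpContext ctx)
    {
        string name = ctx.User.Identity.Name;
        if (string.IsNullOrEmpty(name)) return false;

        ctx.Session["UserName"] = name;  // reload whatever the login page sets
        ctx.Session[SessionMarker] = true;
        return true;
    }
}
```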