RE: authentication cookie vs session cookie
From: Yan-Hong Huang[MSFT] (yhhuang_at_online.microsoft.com)
Date: 08/11/03
Date: Mon, 11 Aug 2003 07:19:05 GMT
Hello Joseph,
Thanks for posting here.
Indeed. Forms authentication is a flexible, scalable and secure system for
doing 'cookie' authentication (effectively what you are doing when you use
session variables as it relies on the session cookie that ASP.NET sends to
the client). A big advantage is that it allows you to persist information
by storing it in an encrypted authentication cookie - this is much better
in terms of scalability than using a session variable for each user (you
can use it across a webfarm without significant changes).
Another big advantage of using Forms authentication is that it slots into
the rest of the ASP.NET Security framework. This means that code for
authentication and authorization works together in a logical way and new
code can be slotted in really easily.
In general, Session Cookie and Forms Auth cookie are independent and you
have to find the logic to achieve what you want.
Rather than trying to sync. these 2 timeouts, try logging out the user if
the session times out.
1. You can handle one of the events after the sessionState is hooked up and
check to see if the session is new and if the user is authenticated. If so,
call the logout method and redirect to the login page.
2. Another way is to set a session variable and check on every page to see
if the session variable exists and also the user is authenticated. If not,
redirect the user to the login page by calling the LogOut method.
Please post here if you have any more concerns.
Best regards,
Yanhong Huang
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
!From: "Joseph" <joseph@bluefield.com.hk>
!Subject: authentication cookie vs session cookie
!Date: Fri, 8 Aug 2003 15:52:50 +0800
!
!Hi,
!
!What are the differences between authentication and session cookies? In my
!web.config file, I set the cookieless attribute for the sessionState element
!to false. Why do we need 2 different types of cookies? Is the session
!cookie enough for authentication purpose?
!
!I do feel uncomfortable to maintain 2 different timeouts (form
!authentication cookie and session) in the web.config file. Is it possible to
!keep both in sync (i.e. make authentication cookie expires at the same time
!the session expires)?
!
!Thanks.
!
!Joseph
!
!
!
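The second approach from the reply above (a session variable checked on every request), centralised in Global.asax instead of repeated per page. This is an added example, not code from the thread; it assumes ASP.NET 2.0 or later (for `PostAcquireRequestState` and `FormsAuthentication.LoginUrl`), and the `AuthMarker` key and `SignIn` helper are hypothetical names.

```csharp
// Global.asax.cs (added example; "AuthMarker" and SignIn are hypothetical names)
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    public const string AuthMarkerKey = "AuthMarker";

    // Call from the login page once the credentials have been validated.
    // Writing to Session also makes ASP.NET issue and keep the session cookie.
    public static void SignIn(string userName, bool persistent)
    {
        HttpContext.Current.Session[AuthMarkerKey] = userName;
        FormsAuthentication.SetAuthCookie(userName, persistent);
    }

    // Runs on every request after session state has been attached.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;

        // Handlers that do not use session state (e.g. static files) have no Session.
        if (ctx.Session == null) return;

        // Anonymous requests are left to the normal authorization rules.
        if (!ctx.Request.IsAuthenticated) return;

        // The marker must exist and belong to the user named in the auth ticket.
        string marker = ctx.Session[AuthMarkerKey] as string;
        if (marker != null &&
            string.Equals(marker, ctx.User.Identity.Name,
                          StringComparison.OrdinalIgnoreCase))
        {
            return;
        }

        // Session expired (or was never tied to this ticket): drop both
        // the session and the authentication cookie, then force a new login.
        ctx.Session.Abandon();
        FormsAuthentication.SignOut();
        ctx.Response.Redirect(FormsAuthentication.LoginUrl, true);
    }
}
```

Checking for the marker rather than `Session.IsNewSession` alone avoids signing users out on every request in applications that never write to the session, since ASP.NET does not keep a session ID until the session is first used.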