Re: When exactly are you logged in? (Forms authentication)
From: Lauchlan M (LMackinnon_at_Hotmail.com)
Date: 10/02/03
- Previous message: Jacob Yang [MSFT]: "RE: Windows Authentication"
- In reply to: Fredrik Normén NSQUARED2: "When exactly are you logged in? (Forms authentication)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 2 Oct 2003 22:03:16 +1000
Hi,
thanks for the response.
> You can't use FormsAuthentication without cookie.
Well, how feeble is that?
Actually, I think you can, eg using the mobile internet stuff
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/mwsdk/html/mwconauthenticationoptionsformobiledevices.asp
and
http://support.microsoft.com/default.aspx?scid=kb;%5bLN%5d;Q311568
It's just that it's not easy, convenient, or a path I want to spend time
pursuing. For example, using the MobileFormsAuthentication instead of
FormsAuthentication doesn't let you just redirect with the authentication
ticket cookie taken care of (passed in the url query string), this is only
done when using RedirectFromLoginPage.
> What you can do is to create your own Authentication
> module, read this site:
> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B318786
Thanks for this. I've looked over it and it looks like too much overhead
getitng my head around another overly-complicated MS approach as a hack for
getting around their poorly thought out (in this regard) framework. But if
you have a link on the philosophy/idea behind this so I can make more sense
of this, I'll put it back in the list of options . . .
It's reached the point where I've spent too much time trying to fit in to
MS's authorisation schema, and just need to move ahead.
So I figure I'll try:
<<
(i) blowing away the web.config authorisation and authentication elements
(ii) In my login.aspx page, creating an "authenticated" session variable,
and checking for it in the global.asax "Global_AcquireRequestState" handler
and bouncing people back to Login.aspx if it's not there or not valid
(iii) when logging in in login.aspx, create another session variable for
userrole, and in the Global_AcquireRequestState handler, check the path
explicitly for secure directory names (eg "private", "admin" or whatever I
call them and check these manually against the relevant permissions defined
by the roles and bounce them if they dont meet the criteria.
At least I'll then implement the security I want, even if I can't manage to
do it Microsoft's way. The 'cost' would be two session variables per user -
"authenticated" and "role".
>>
If you see any problems with this approach, please let me know . . .
Lauchlan M
- Previous message: Jacob Yang [MSFT]: "RE: Windows Authentication"
- In reply to: Fredrik Normén NSQUARED2: "When exactly are you logged in? (Forms authentication)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
