Re: Security based on session, what's wrong?
From: Matt (none_at_none.com)
Date: 04/27/05
- Next message: Divya: "Impersonate not working from command line"
- Previous message: Joe Gilkey: "Re: IsInRole Performance Issue"
- In reply to: Brock Allen: "Re: Security based on session, what's wrong?"
Date: Wed, 27 Apr 2005 21:09:27 +0200
Ok, then if I just create my authorization mechanism, and just rely
from page to page on Session["IDUser"] to create my page, is it not
less safe than using the Forms authentication mechanism?
Sometimes I have the feeling that Session (I use InProc) expires
earlier than the specified n minutes of the web.config (my app finds
Session["IDUser"] empty and resets to the login page).
I use a Windows 2003 server with IIS6, with multiple asp.net portals
with the same codebase running on it.
I know that with forms auth you have to specify a different form name
instead of the default ASPAUTH; is it the same for the session cookie?
Thanks,
Mattia
>You can always go and build your own authentication and authorization mechanism.
>The intent of Forms is that much of the routine checks and identity management
>is done for you. Of course there are pieces you have to fill in, such as
>the login page and the database of usernames/passwords, but the check on
>every page is done for you to see if the user is logged in and if they're
>allowed to access the pages. The cool thing is that this is declarative with
>the <authorization> elements in web.config, and there's typically little
>or no access checks you have to write in your own code.
>
>-Brock
>DevelopMentor
>http://staff.develop.com/ballen
>
>
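The declarative checks described in the quoted reply, as an added web.config sketch that is not part of either original message. The cookie name `.PORTAL1AUTH`, the `login.aspx` page, the `admin` folder and the user name `portaladmin` are assumptions chosen for illustration.

```xml
<!-- Added example: web.config for one portal (all names are hypothetical) -->
<configuration>
  <system.web>
    <!-- Forms authentication issues and validates the ticket cookie on
         every request, so pages need no hand-written login check. -->
    <authentication mode="Forms">
      <!-- Give each portal on the server its own cookie name so a ticket
           issued by one application is not presented to another. -->
      <forms name=".PORTAL1AUTH"
             loginUrl="login.aspx"
             protection="All"
             timeout="30"
             path="/" />
    </authentication>

    <!-- Deny anonymous users ("?") everywhere in the application.
         Unauthenticated requests are redirected to loginUrl. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Tighter rule for one folder: rules are evaluated top to bottom,
       so the named user is allowed and everyone else ("*") is denied. -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow users="portaladmin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```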