Re: Forms Authentication

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 11/14/05


Date: Mon, 14 Nov 2005 07:08:25 -0800

Hello frpascal,

Hidden input provides no security...

Why do you get a Windows pop-up window? Are the users not domain users? In
domains you get single sign-on AND decent authentication for free.

Are there two different web apps involved?

If yes, be sure to sync the following settings:

cookie name & path
machineKey

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi Dominick,
>
> The input is hidden and my users are kind office workers who just want
> to log on automatically; I just use the logon name for their planning
> and worked hours reports. No real security matter in fact.
>
> I don't want to implement Windows auth because of the pop-up window.
>
> Luke, I checked my servers and I don't find the cookies default
> setting; in fact I changed nothing since I installed the new server.
> Before now I already had the problem because my dev/test machine has
> migrated to WinXP; from that time this "capture" didn't work any more
> on the dev/test machine but worked properly on the W2000 server.
> I checked other Forms Auth messages and I found a message about
> Fiddler. I tried to use it:
> On the first page about Cookies :
> - Cookie: ASP.NET_SessionId=a4ly5ymfrnp315555ytsak55
> - Set-Cookie:
> .ASPXAUTH=F3667128E001B12F31C9C0D130BC4600483EC7F09C2EBB653367A99BEDCD
> D2DF59
> DB46986051F28B7A153E24C4737AFD8EDC95EC49927907EC81225A41684F9DBDE3604E
> 5CC3E1
> 73; path=/
> On the destination page :
> - Cookie: ASP.NET_SessionId=a4ly5ymfrnp315555ytsak55;
> .ASPXAUTH=F3667128E001B12F31C9C0D130BC4600483EC7F09C2EBB653367A99BEDCD
> D2DF59
> DB46986051F28B7A153E24C4737AFD8EDC95EC49927907EC81225A41684F9DBDE3604E
> 5CC3E1
> 73
> I hope this can help you to help me ;)
> Thanks a lot !
> Pascal
> "Dominick Baier [DevelopMentor]"
> <dbaier@pleasepleasenospamdevelop.com> wrote in message
> news:4580be63139d548c7b738fd576d14@news.microsoft.com...
>
>> Hello frpascal,
>>
>> So a user can be whoever he wants to when he manually changes the
>> value (filled by your javascript) before the POST to the server??
>>
>> That's not a good solution.
>>
>> Why don't you provide a separate directory for Windows users - with
>> Windows auth - then in AuthenticateRequest - construct a formsAuth
>> ticket manually, set the cookie and redirect to your main page?
>>
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> Hi,
>>>
>>> For an Intranet, I try to capture the Windows logon automatically to
>>> identify the user with a little javascript. I put this variable in an
>>> Input object and use it with a
>>> "FormsAuthentication.RedirectFromLoginPage(LoginUserWindows.Value,
>>> False)"
>>> just before the Response.Redirect("\Planning\PagePrincipale.aspx").
>>> After that I recall the value with a "User.Identity.Name".
>>> The trace tells me that Auth-User and Remote-User values are correct
>>> but I can't get those values with the User.Identity.Name after the
>>> redirection.
>>> It is working fine with W2000 but doesn't work anymore with Win XP
>>> or Win 2003.
>>>
>>> Thanks for any help.
>>> Pascal
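
The approach suggested in the thread (a Windows-authenticated directory that builds the forms ticket itself), as an added example that is not code from any of the posters. Assumptions: the directory is its own IIS application with integrated Windows authentication and anonymous access disabled, ASP.NET 2.0 or later, the same machineKey as the main application, and the cookie name, cookie path and target page constants below, which are placeholders to be matched to the main application's configuration.

```csharp
// Global.asax.cs of the Windows-authenticated application (added example).
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Assumed values: they must match <forms name="..." path="..."> in the
    // main application's web.config. Both applications must also share the
    // same <machineKey>, or the main app cannot decrypt/validate the ticket.
    private const string CookieName = ".ASPXAUTH";
    private const string CookiePath = "/";
    private const string MainPage = "/Planning/PagePrincipale.aspx";

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // IIS has already authenticated the caller. The name comes from the
        // server-side identity, not from a hidden field the browser can edit.
        if (Context.User == null || !Context.User.Identity.IsAuthenticated)
        {
            Response.StatusCode = 401;   // no identity: do not issue a ticket
            CompleteRequest();
            return;
        }

        string name = Context.User.Identity.Name;   // form: DOMAIN\user

        // Build the forms authentication ticket by hand.
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                   // ticket version
            name,                // becomes User.Identity.Name in the main app
            now,                 // issue time
            now.AddMinutes(30),  // expiry (assumed lifetime)
            false,               // not persistent
            String.Empty,        // no user data
            CookiePath);

        // Encrypt and sign the ticket with the machineKey, then set the cookie.
        HttpCookie cookie = new HttpCookie(CookieName, FormsAuthentication.Encrypt(ticket));
        cookie.Path = CookiePath;
        cookie.HttpOnly = true;                      // keep script away from it
        cookie.Secure = Request.IsSecureConnection;  // HTTPS-only when on HTTPS
        Response.Cookies.Add(cookie);

        Response.Redirect(MainPage, true);
    }
}
```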


