Re: Forms Based Authentication Issue (VIEWSTATE) Login Form On Non Protected Page



I can and that is probably what I will do.. but I didn't really want to make
a custom deal just for that.

Though the basics of .NET forms authentication are being used I have a
custom authentication deal going on where I do all my checks against a
database.. part of it gets called from an asp.net dll I created. Code
Behind.. I really want everything to work with "login.aspx" as part of the
main authentication logic if hidden from the customer .. Basically there is
licensing code they are not supposed to easily see as I sell this
authentication system to various corporations (it's a special add-on to a web
based mailing system made by a major player) and licensing it via domains as
well as other means. They need a license key in the web.config to run the
system.

I really didn't want to create a special scenario just for doing a login box
on the home page and probably another dll just used when doing that. That is
the answer. Without showing you all my code I can't really make you
understand but I have my reasons.

I was trying to do everything all at once and was doing pretty good until
this issue popped up.

In the end it seems I will have to make a special page just for this and set
the authentication ticket info there as well after doing the checks..
Seems stupid though for this one purpose but I don't see another way at the
moment.




"Dominick Baier" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:51eb3048464a8c8f99588969d10@xxxxxxxxxxxxxxxxxxxxx
How do you set the cookie?

Why can't you grab the values from Page.Form["..."] and do a
FormsAuthentication.SetAuthCookie - and afterwards a Response.Redirect??

I don't see a problem.

Is one of the books from MS Press? ;)

-----
Dominick Baier (http://www.leastprivilege.com)

well, what happens is this..

you have your login page by itself whether using the javascript idea or
a PostBackUrl scenario .. you enter the login info and it tries to
post to the login.aspx?ReturnURL=blahblah (pseudo code)

anyway, it goes to that page but just doesn't log you in.. once there
you see a blank form and can enter the username/password and log in
fine.. but the remote post to it just never does anything...

Like I said, I tried the concept with some basic forms posting to
other pages and form values can be response.written so the post is
working..

Either you can't do something like this when dealing with forms
authentication or maybe there are some hidden variables I need to send
along with the post.. but I don't think so.. especially with PostBackUrl
which still keeps the viewstate stuff in check... I've been messing
around with all of this for days now.. there is just no info anywhere
that I can find where anyone has specifically done this relating to
forms authentication.

The ?ReturnURL may be causing a problem too as far as the posting
process goes.. not sure.. I tried not using and having a DefaultURL
set in the web.config which didn't work either.. I tried a lot of
things I haven't even mentioned.

I got 3 new books coming this week and I am praying one of them has
something useful in it. Two of them are very specific to asp.net
authentication.

"Dominick Baier" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:51eb304845ee8c8f93b17b930d0@xxxxxxxxxxxxxxxxxxxxx

what's the problem?

-----
Dominick Baier (http://www.leastprivilege.com)

I tried to PostBackUrl and the javascript posting idea.. I can get
them both to work on simple forms posting data to a 2nd page... but
they just won't work under a "forms authentication scenario"

argg... something so simple yet .NET makes it so complicated.. I
guess I'll keep searching for answers

"Kyle Peterson" <kyle342@xxxxxxxxxxx> wrote in message
news:uzYFqxqKHHA.3936@xxxxxxxxxxxxxxxxxxxxxxx

that could be a solution.. looking into it now...
got to try it out... hopefully you can specify the ReturnURL via
querystring as well in the page you're posting to..
if so it may work

"Dominick Baier" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message
news:51eb3048457c8c8f8c82c50d020@xxxxxxxxxxxxxxxxxxxxx

have you tried Button.PostBackUrl?

-----
Dominick Baier (http://www.leastprivilege.com)

I have actually looked for javascript that can do a form post on its own.
Couldn't find anything.
Not sure I am searching for the right terms.
Still, that solution to me seems like a total cobb.. however I would
be willing to try it if I could find some javascript code to do that.
Client side code ain't my thing.

"Dominick Baier" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message
news:51eb304845038c8f87271e7de40@xxxxxxxxxxxxxxxxxxxxx

well - you could have some java script that takes the form
values and posts them to an SSL protected page - or use
the PostBackUrl property on the button/linkbutton etc...

-----
Dominick Baier (http://www.leastprivilege.com)

Hi,

I am doing Forms Based Authentication using the built in tools of .NET.
Authenticating off a database with some code I wrote and using login.aspx,
web.config, etc etc... the usual deal..

I have it all working fine and pages I want to protect show a login page
before being logged in to.

The problem lies that I have a few clients that want to have a tiny login
form on an area of their homepage. So basically we are talking about a login
form on a non protected page that submits to a protected page. A lot of
sites do this as I am sure you know.

Now, because of VIEWSTATE and the fact that forms need to post to themselves
I can't just put appropriate form code on the homepage posting to some
protected page. (LIKE YOU COULD EASILY DO IN A CLASSIC ASP SCENARIO)

Turning off VIEWSTATE isn't really an option.

So, what is the solution... is there no way to do something
like this using the built in forms authentication structure of
.NET.

Any ideas or articles someone can point me to would be most
appreciated. I have searched for weeks before asking this here.
I just can't come up with a good solution other than writing
something totally custom just to handle this scenario that
doesn't use the built in Forms Authentication Features but
checks the user credentials, sets the authentication ticket..
all via basic inline code..etc etc

Is that my only solution ? Is this something Microsoft left out
of the forms authentication scenarios ? Seems like it is
something a lot of people want to do.

Thanks
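
The approach suggested in the thread (read the posted fields, call FormsAuthentication.SetAuthCookie, then redirect), written out as the code-behind of a dedicated handler page. This is an added example, not code from any poster. The page name HomeLogin and the field names username/password are hypothetical, and it assumes the database check is exposed through the configured membership provider. A dedicated handler is used because a post that originates on another page is not processed as a postback of login.aspx, so that page's login button handler does not run.

```csharp
// Added example: code-behind for a hypothetical HomeLogin.aspx that the
// home-page login box posts to. Allow anonymous access to this page with a
// <location> entry in web.config and serve it over SSL.
using System;
using System.Web.Security;
using System.Web.UI;

public partial class HomeLogin : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Accept only a POST over HTTPS; credentials never belong in a query string.
        if (Request.HttpMethod != "POST" || !Request.IsSecureConnection)
        {
            Response.Redirect(FormsAuthentication.LoginUrl, true);
            return;
        }

        // Field names are assumptions; they must match the home-page inputs.
        string user = (Request.Form["username"] ?? "").Trim();
        string pass = Request.Form["password"] ?? "";

        // Assumption: the custom database check sits behind a MembershipProvider.
        // Replace this call with your own validator if it does not.
        if (user.Length == 0 || !Membership.ValidateUser(user, pass))
        {
            Response.Redirect(FormsAuthentication.LoginUrl, true);
            return;
        }

        // Issue the forms-auth ticket as a session (non-persistent) cookie.
        FormsAuthentication.SetAuthCookie(user, false);

        // Follow ReturnUrl only when it is a local path; otherwise use defaultUrl.
        string target = Request.QueryString["ReturnUrl"];
        Response.Redirect(IsLocalPath(target) ? target : FormsAuthentication.DefaultUrl, true);
    }

    // Rejects absolute and scheme-relative URLs ("//host", "/\host") so the
    // login handler cannot be used as an open redirect.
    private static bool IsLocalPath(string url)
    {
        return !string.IsNullOrEmpty(url) && url[0] == '/'
            && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
    }
}
```

The handler reads Request.Form directly, so it does not depend on VIEWSTATE or on control events from the posting page.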




