Re: Forms authentication - clean cookie when close browser
- From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 23 Feb 2007 09:46:54 +0000 (UTC)
How do you set the ticket?
Using FormsAuthentication.RedirectFromLoginPage or SetAuthCookie -
they both have a boolean parameter - usePersistentCookie (or similar) - if set to true - the cookie will be saved on the user's hard drive and re-used.
Oh and btw - don't set protection="None" !!! This is very dangerous - leave it to the default value (which is 'all')
Also disable 'enableCrossAppRedirects' if you don't need it (and you will only need that in special cases with cookieless auth).
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
Hello. I use forms authentication and it works except for one thing. I
want to force users to log in again (enter login and password) when they
close the browser.
I have these settings in Web.config:
<authentication mode="Forms">
  <forms loginUrl="login.aspx" cookieless="UseCookies"
         name="LoginUserCookie" slidingExpiration="true"
         enableCrossAppRedirects="true" requireSSL="false" timeout="1"
         protection="None" defaultUrl="simple.aspx">
    <credentials passwordFormat="Clear">
      <user name="test1" password="test2" />
      <user name="root" password="admin" />
    </credentials>
  </forms>
</authentication>
<authorization >
  <deny users="?" />
</authorization>
It works like this:
1. Open the site and log in
2. Redirect to defaultUrl
3. Close the browser
4. Open the browser and get defaultUrl (not the login page!!)
The question is why it doesn't ask to re-enter the login if somebody closes
the browser, and how to make this work?
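
The persistence flag mentioned in the reply, shown as an added example that is not part of the original thread: a sign-in helper that issues the forms ticket in a session cookie, so it is discarded when the browser closes. The class name SessionOnlyLogin, the method TrySignIn and the timeoutMinutes parameter are hypothetical; the System.Web.Security calls are the framework's own.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example: hypothetical helper called from the login page's submit handler.
// Assumes web.config leaves the protection attribute at its default, as the reply advises.
public static class SessionOnlyLogin
{
    // timeoutMinutes is an assumed parameter; pass the same value as <forms timeout="...">.
    public static bool TrySignIn(HttpContext context, string userName,
                                 string password, int timeoutMinutes)
    {
        // Checks the name/password against the <credentials> section in web.config.
        if (!FormsAuthentication.Authenticate(userName, password))
            return false;

        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                               // ticket version
            userName,
            now,                             // issue time
            now.AddMinutes(timeoutMinutes),  // expiry enforced by the server
            false,                           // isPersistent: not meant to outlive the browser
            string.Empty,                    // userData (unused here)
            FormsAuthentication.FormsCookiePath);

        // Encrypt() applies whatever the protection attribute configures,
        // which is why that attribute decides whether the ticket can be trusted.
        string value = FormsAuthentication.Encrypt(ticket);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, value);
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                           // keep it away from client script
        cookie.Secure = FormsAuthentication.RequireSSL;   // follows requireSSL in web.config
        // cookie.Expires is deliberately left unset: without an expiry date the
        // browser treats it as a session cookie and does not write it to disk.

        context.Response.Cookies.Add(cookie);
        // endResponse = false so the method returns normally after queuing the redirect.
        context.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false), false);
        return true;
    }
}
```

Calling FormsAuthentication.RedirectFromLoginPage(userName, false) or SetAuthCookie(userName, false) is the shorter form of the same non-persistent sign-in.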