In my web.config I have this:

<system.web>
    <authentication mode="Forms">
  <forms loginUrl="Login.aspx" protection="All" path="/" timeout="30"/>
    </authentication>
    <sessionState timeout="20" />
</system.web>

<location path="admin">
    <system.web>
        <authorization>
             <deny users="*"/>
             <allow users="admin"/>
        </authorization>
    </system.web>
</location>

I have two problems:

  1. In my admin path I want only the admin user to have access but I can't find a way to do this. How can I make only the admin user have access?

  2. The user always gets logged out even if I try to use cookies so he shouldn't be logged out. In my login.aspx I have the following code when the user is valid:

    FormsAuthentication.RedirectFromLoginPage(user, CheckBoxPersistCookie.Checked);
    

How can I make the user stay logged in?

+1  A: 

try putting the <allow> line over the <deny> line.

<system.web>
    <authentication mode="Forms">
        <forms loginUrl="Login.aspx" protection="All" path="/" timeout="30"/>
    </authentication>
    <sessionState timeout="20" />
</system.web>

<location path="admin">
    <system.web>
        <authorization>
             <allow users="admin"/>
             <deny users="*"/>
        </authorization>
    </system.web>
</location>
Nick Spiers
Ah it was that easy, but I just thought it would be more logical that you first deny all then overwrite this by adding the admin after? :-)
Martin
In ASP.NET, authorization rules are placed in order of priority.
richeym
Yeah, that one had me fooled for a little while one time too. .NET sees the deny * and kicks everyone before getting to the next line.
Nick Spiers
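The ordering point in the answer above can be checked mechanically. The following is an added example, not code from the thread or from ASP.NET itself: a small first-match evaluator that mirrors the documented `<authorization>` semantics (rules are walked top to bottom, the first rule that matches the current user decides, `*` means everyone, `?` means anonymous, and a request that matches no rule is allowed, as the root config's `<allow users="*"/>` does). The two `<location>` fragments are constructed copies of the question's and the answer's orderings; the evaluator, its function names and the role handling are assumptions of this example.

```python
"""Added example: first-match evaluation of ASP.NET <authorization> rules.

This is NOT ASP.NET's own UrlAuthorizationModule; it only reproduces the
documented rule semantics so the two orderings from the thread can be
compared: with <deny users="*"/> first, the admin is rejected before the
<allow users="admin"/> line is ever reached.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the question's ordering (deny first).
DENY_FIRST = """
<location path="admin">
  <system.web>
    <authorization>
      <deny users="*"/>
      <allow users="admin"/>
    </authorization>
  </system.web>
</location>
"""

# Constructed sample: the answer's ordering (allow first).
ALLOW_FIRST = """
<location path="admin">
  <system.web>
    <authorization>
      <allow users="admin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
"""


def _split(attr):
    """Comma-separated attribute value -> set of lower-cased names."""
    return {x.strip().casefold() for x in attr.split(",") if x.strip()}


def parse_rules(config_xml):
    """Return (action, users, roles) tuples in document order.

    The fragment may be a whole <location> block or a bare
    <authorization> element; only <allow>/<deny> children are kept.
    """
    root = ET.fromstring(config_xml)
    auth = root if root.tag == "authorization" else root.find(".//authorization")
    if auth is None:
        return []
    rules = []
    for rule in auth:
        if rule.tag not in ("allow", "deny"):
            continue
        rules.append((rule.tag, _split(rule.get("users", "")),
                      _split(rule.get("roles", ""))))
    return rules


def rule_matches(users, roles, user, user_roles):
    """True if the rule applies to this principal (user=None is anonymous)."""
    if "*" in users:
        return True
    if "?" in users and user is None:
        return True
    if user is not None and user.casefold() in users:
        return True
    return bool(roles & {r.casefold() for r in user_roles})


def is_authorized(config_xml, user, user_roles=()):
    """First matching rule wins; no match means allowed (root default)."""
    for action, users, roles in parse_rules(config_xml):
        if rule_matches(users, roles, user, user_roles):
            return action == "allow"
    return True


if __name__ == "__main__":
    for label, cfg in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        for who in ("admin", "bob", None):
            print(f"{label:11s} user={who!s:6s} -> {is_authorized(cfg, who)}")
```

Running it shows the question's config rejecting `admin` (the `deny *` line matches first) while the answer's config admits `admin` and still rejects everyone else, including anonymous requests.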
A: 

As I understand you have 30 mins timeout in your authentication cookie and 20 minutes in your session cookie. It seems that as session will expire in 20 minutes then it will be impossible to use authentication cookie too.
It is a little tricky if you want to leave user logged in. I know that it is possible to implement it using javascript and invisible iframe. You need to reload iframe every 5 minutes for example. Your session will be live and local cookies updated.

Danil
But if I want the user to be logged in the next time he opens the website? If he login today and then closes without logging out. Then if he open up the website from the same computer tomorrow I still want him to be logged in. thats why I tried to use cookies, but how do I implement it?
Martin
Hmm, in this case you need to implement some autologin code. But I'm wondering how secure is it.
Danil
I mean that cookies are not secure. You can save some hash in cookie and then try to autologin using this hash if your client code detects that auth cookie exist and user isn't logged in.
Danil
I thought the auto-login already was built into the asp.net authentication? Isn't it?
Martin