Our organization has a central solution for forms authentication. I am trying to implement an ASP.Net MVC app that uses this external URL - and it worked till RC1 was released...
Here's what's happening
In an ActionAttribute Extension
I check for a session var
if not found
check for a request data chunk
if foun...
I've been experimenting with ASP.Net MVC, and have come across a problem that is probably not specifically MVC related. But I cannot get the authentication in the default MVC application (the one created by the wizard when you create a new MVC project) to work properly under IIS 7 on Windows 7.
If I run under the Visual Studio environme...
How do you solve the infinite login loop problem when you are using cookieless sessions and cannot change the name of login.aspx to an httphandler?
i.e. When a user with admin rights hits the logout button and the return url to a restricted page is passed to login.aspx then another user without admin rights tries to login they get redir...
Here's the issue. I'm using ASP.NET Forms Authentication for an account balance type website. Once a user logs in, they are able to make a payment against their account by going to a 3rd party website (3pw). When the user clicks to make a payment, this is what happens:
My website makes a request to the 3pw passing an id.
The 3pw does a...
Scenario: In an e-commerce system, a helpdesk user should be able to "impersonate" or "log on as" a specific customer (from the web-based administration site) so that he can support the customer first-hand - eg. when the Customer is on the phone.
Additional clarification: There is no need to keep track of the original authentication con...
Because form_authenticity_token is used to validate requests, is it redundant to use it when you're already checking whether a user is logged in?
I.e., is form_authenticity_token really intended only for forms which are available to anyone, as opposed to forms exclusively for logged-in users?
...
I know the security risk associated and have brought it up with the business, but they want to have their 5 domains to share the login cookie.
We are using and have no plan to stop using ASP.Net Membership and Profiles. Is this possible? A hack would even be greatly appreciated.
...
We are looking to secure a bunch of ASP.Net 2.0 .asmx web services. The which will host the web services is already forms authenticated.
Is it possible to secure the web services using forms authentication?
What are the pros and cons and other possible ways to achieve this. We certainly don't want to pass a username/pwd or token in each...
Hi,
I have a main website here: www.blah.com
Then a virtual directory www.blah.com/subApplication/
The main application uses .net forms authentication.
If I make sure both web.config's share the same authentication keys, I can rest assured when someone browses to the virtual directory application the user will remain signed in righ...
I have an asp.net web app, forms authentication, that uses Hashed password type.
Will I run across any problems if I change the password type to Encrypted?
I see that, if I change to Encrypted, attempted password recovery for old hashed passwords fails gracefully, which is good. Are there any not so good things that might show up ...
My website uses ASP.NET's forms authentication and I am inserting user specific information into the UserData portion of the authentication ticket/cookie. Since the UserData is inside the authentication ticket it is encrypted like so
authCookie.Value = FormsAuthentication.Encrypt(newTicket);
Now I am not too worried about the data bei...
I am using asp.net forms authentication and the asp.net Login control. The login control has a "RememberMe" checkbox.
After the user is authenticated it raises the LoggedIn(object sender, EventArgs e) method and inside this method I am viewing the authentication cookie created by using this
HttpCookie authCookie = FormsAuthentication....
I'm having reports and complaints from my user that they will be using a screen and get kicked back to the login screen immediately on their next request. It doesn't happen all the time but randomly. After looking at the Web server the error that shows up in the application event log is:
Event code: 4005
Event message: Forms authentic...
In my asp.net website, I am putting some data into the UserData portion of the forms authentication ticket. Later I am then able to access this data using
((FormsIdentity)HttpContext.Current.User.Identity).Ticket.UserData
My question is - as long as the authentication ticket is valid, will this data ALWAYS be available in the FormsIde...
I am using the asp.net CreateUserWizard and I have LoginCreatedUser=true. I also have the "OnCreatedUser" property for the CreateUserWizard control to a method and thought the auth ticket would be created at that point but it is not.
When exactly is the authentication ticket (Request.Cookies[".ASPXAUTH"]) populated?
I need to know so t...
I have the following code:
if (HttpContext.Current.Request.IsAuthenticated == false)
{
// this isn't reached so i know user is Authenticated
return;
}
FormsIdentity fIdentity = HttpContext.Current.User.Identity as FormsIdentity;
string[] delimitedUserData = fIdentity.Ticket.UserData.Split('|');
// but at this point delimitedUser...
I need to undo the following ASP.Net processes in PHP so I can get at the username and expiration date in a ticket. I've decrypted the 3DES encryption (step 3 below) but I'm not sure what I need to do next. Is the string that results from decryption a byte array? Should I be able to convert it to ascii? (Because it doesn't).
What ASP.Ne...
I'm using FormsAuthentication for an ASP.NET site that has a master page that displays the current logged in user, Page.User.Identity.Name.
They can change their username in their settings, and when they do so, I update their cookie for them so they won't have to sign out/sign back in with a postback.
FormsAuthentication.SignOut();
Forms...
I am moving a legacy winform app to the web and would like some advice on forms authentication. Am I correct in assuming that forms authentication is better than rolling up my own user authentication functionality?
It would be easy enough to roll my own since this is what the winform application did and the table structure already...
When using aspnet_regsql to create the base tables for forms authentication, is it recommended that these tables be stored inside of the application database catalog or should a database catalog just for authentication be created?
Thanks!
...