forms-authentication

Why should underlying membership provider decide whether…?

Hello, A) Why, when using templates with the CreateUserWizard control, does including a TextBox with ID=Email depend on whether the CreateUserWizard.RequireEmail property is set to true, but a TextBox with ID=Question is required only if the underlying membership provider requires a password question? In other words, why wouldn’t it also be up to und...

Why need WizardStep objects be represented as …?

Hello, This is probably a stupid question, but still... A Wizard control is made up of a collection of WizardStep objects that represent the single steps of a wizard. But why are these WizardStep objects represented as controls (thus requiring the runat=server attribute)? Couldn’t they be handled similarly to ListItem objects, which don’...

MVC - Enabling Forms Authentication

Hi, I have an MVC 1.0 app with VS2008. I have added configuration to web.config, but the app crashes in the Default.aspx page code-behind. Don't know why it's loading that page. I am just using all the default setup for MVC 1.0. This is my web.config. Shouldn't it show my login page with this config? Malcolm <?xml version="1.0"?> <confi...

Shared Authentication, Membership & Roles across DNN and ASP.net applications

Here's my situation. I have a DotNetNuke application. I want to link to an existing ASP.NET website from within the DNN website, and have decided to use DNN's IFrame for that. The existing ASP.NET application uses Forms Authentication for security: only authorized users can access the pages. This ASP.NET application also requires...

Why is <deny users="?" /> included in the following example?

Hello, the (?) wildcard represents unauthenticated users, while (*) represents all users, authenticated and unauthenticated. My book shows the following example of URL authorization: <authorization> <deny users="?" /> <allow users="dan,matthew" /> <deny users="*" /> </authorization> But doesn’t the above code...
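
The following is an added example, not code from the post or from the book it quotes. It models how ASP.NET's UrlAuthorizationModule walks the <allow>/<deny> rules so the effect of the <deny users="?" /> line can be checked concretely. The semantics it assumes (simplified from the framework's documented behaviour; the verbs attribute and role-provider lookups are left out) are stated in the comments; the sample users (dan, Matthew, alice) are constructed.

```python
# Added example, not from the post or the book it quotes: a model of how
# ASP.NET's UrlAuthorizationModule walks <allow>/<deny> rules, so the
# effect of the <deny users="?" /> line can be checked concretely.
# Assumed semantics (the framework's documented behaviour, simplified;
# the verbs attribute and role-provider lookups are omitted):
#   - rules are tested top to bottom and the first one that matches the
#     current user decides the outcome;
#   - '?' matches only anonymous users, '*' matches everyone;
#   - user and role names are compared case-insensitively;
#   - if no rule matches, the request is allowed (the inherited
#     machine-level default is <allow users="*" />).
# A deny becomes an HTTP 401, which FormsAuthenticationModule turns into a
# redirect to the login page at the end of the request.
from dataclasses import dataclass, field
from typing import List, Optional, Set
import xml.etree.ElementTree as ET


@dataclass
class Rule:
    action: str          # "allow" or "deny"
    users: List[str]     # user names, "?" or "*"
    roles: List[str]     # role names or "*"


@dataclass
class User:
    name: Optional[str]                    # None models an anonymous request
    roles: Set[str] = field(default_factory=set)


def parse_rules(xml_text: str) -> List[Rule]:
    """Read the <allow>/<deny> children of an <authorization> element in order."""
    def split(attr: str) -> List[str]:
        return [x.strip() for x in attr.split(",") if x.strip()]
    rules = []
    for el in ET.fromstring(xml_text):
        if el.tag in ("allow", "deny"):
            rules.append(Rule(el.tag, split(el.get("users", "")), split(el.get("roles", ""))))
    return rules


def rule_matches(rule: Rule, user: User) -> bool:
    anonymous = user.name is None
    for u in rule.users:
        if u == "*":
            return True
        if u == "?":
            if anonymous:
                return True
        elif not anonymous and u.lower() == user.name.lower():
            return True
    if not anonymous:   # assumption of this model: anonymous users carry no roles
        mine = {r.lower() for r in user.roles}
        if any(r == "*" or r.lower() in mine for r in rule.roles):
            return True
    return False


def is_authorized(rules: List[Rule], user: User) -> bool:
    for rule in rules:
        if rule_matches(rule, user):
            return rule.action == "allow"
    return True   # nothing matched: the inherited <allow users="*" /> applies


BOOK_EXAMPLE = """<authorization>
  <deny users="?" />
  <allow users="dan,matthew" />
  <deny users="*" />
</authorization>"""

WITHOUT_DENY_ANONYMOUS = """<authorization>
  <allow users="dan,matthew" />
  <deny users="*" />
</authorization>"""


def outcomes(xml_text: str) -> dict:
    """Constructed sample users: anonymous, the two named users, and an unrelated admin."""
    rules = parse_rules(xml_text)
    return {
        "anonymous": is_authorized(rules, User(None)),
        "dan": is_authorized(rules, User("dan")),
        "Matthew": is_authorized(rules, User("Matthew")),
        "alice": is_authorized(rules, User("alice", {"admins"})),
    }


if __name__ == "__main__":
    print(outcomes(BOOK_EXAMPLE))            # {'anonymous': False, 'dan': True, 'Matthew': True, 'alice': False}
    print(outcomes(WITHOUT_DENY_ANONYMOUS))  # identical: the deny "?" line is redundant in this rule set
```

Under these semantics the deny for anonymous users changes nothing in the book's example, because the closing deny users="*" catches anonymous requests anyway; it only matters when a later rule would otherwise let anonymous users through, for instance an allow users="*" placed above it, which this model shows by swapping the order of the two rules.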

Controlling access to specific files via <location>

Hello, A) We can also control access to specific files using <location> tags. Why aren’t <location> elements contained inside the <system.web> tag, but are instead nested directly inside the <configuration> element? B) I realize the <system.web> element is used for ASP.NET settings, but why does <location> also contain <system.web>? Is it so...

Why should we choose PrincipalPermission over IsInRole()?

Hello, Q1 - I’m not sure I understand why we should prefer to use PrincipalPermission.Union() (or PrincipalPermission.Intersect()) instead of IsInRole()? If anything, calling IsInRole() several times requires less code than creating multiple PrincipalPermission objects and merging them into one via Union() (or Intersect()). Q2...

Relationship between MembershipUser and IPrincipal object

Hello, I assume the MembershipUser object and the object implementing the IPrincipal interface are “connected” in the sense that when certain information in one of the objects changes, the other object is also changed appropriately? Thanks for helping ...

URL-authorization and non-Asp.Net related file types

Hello, URL authorization only applies to ASP.NET-related file types? But why couldn’t it also be applied to non-ASP.NET file types? Thanks ...

Can anyone hijack (via JS) the ASP.NET forms cookie and change the expiry date?

Can anyone hijack (via JS) the ASP.NET forms cookie and change the expiry date? What can stop them from grabbing it and changing the expiry date, i.e. effectively letting the user stay logged in? Update: Does the .NET Framework forms auth cookie rely on the cookie's expiration date, or does it encrypt that? ...
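
The following is an added example, not the framework's code and not from the post. It is a cut-down model of a forms authentication ticket that shows why rewriting the cookie's Expires attribute from script cannot extend a session: in ASP.NET the ticket's issue time and expiration are stored inside the ticket value, which the server encrypts and signs with the machineKey (protection="All") and checks on every request, while the Expires attribute only tells the browser how long to keep the cookie. The model keeps the payload readable and only MACs it so the integrity check is visible; the key, the field layout and the sample times are constructed, and the real ticket format and key handling differ.

```python
# Added example, not from the post and not the framework's code: a cut-down
# model of a forms authentication ticket. The expiration lives inside the
# MAC-protected value, so neither the browser-side Expires attribute nor a
# script that edits the value can extend the session. Real ASP.NET tickets
# are also encrypted and use the machineKey; this model only signs them.
import base64
import hashlib
import hmac
import json
from typing import Optional

KEY = b"constructed-validation-key-not-a-real-machineKey"   # constructed key for the model
TAG_LEN = hashlib.sha256().digest_size


def issue_ticket(user: str, now: int, timeout_minutes: int, key: bytes = KEY) -> str:
    """Build a cookie value whose expiration is covered by the MAC."""
    payload = json.dumps(
        {"user": user, "issued": now, "expires": now + timeout_minutes * 60},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def validate_ticket(value: str, now: int, key: bytes = KEY) -> Optional[str]:
    """Return the user name if the value is authentic and unexpired, else None."""
    try:
        raw = base64.urlsafe_b64decode(value)
    except Exception:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None            # tampered or forged: reject before trusting any field
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if now >= data["expires"]:
        return None            # the embedded expiration, not the cookie attribute, decides
    return data["user"]


def rewrite_embedded_expiry(value: str, new_expires: int) -> str:
    """What a script that can read the cookie might try: push the expiry out
    inside the value while keeping the old tag."""
    raw = base64.urlsafe_b64decode(value)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    data = json.loads(payload)
    data["expires"] = new_expires
    return base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode() + tag).decode()


def set_cookie_header(value: str, browser_expires: str) -> str:
    """The Expires attribute sits outside the signed value, so changing it
    changes nothing the server checks; .ASPXAUTH is the default cookie name."""
    return f"Set-Cookie: .ASPXAUTH={value}; expires={browser_expires}; path=/; HttpOnly"


if __name__ == "__main__":
    t0 = 1_000_000                                   # constructed clock value
    cookie = issue_ticket("dan", t0, 30)
    print(validate_ticket(cookie, t0 + 29 * 60))     # dan
    print(validate_ticket(cookie, t0 + 31 * 60))     # None: expired server-side
    forged = rewrite_embedded_expiry(cookie, t0 + 86400)
    print(validate_ticket(forged, t0 + 60 * 60))     # None: MAC no longer matches
    print(set_cookie_header(cookie, "Fri, 01 Jan 2100 00:00:00 GMT"))
```

Two caveats a practitioner would add: the framework marks the forms cookie HttpOnly, so script on the page cannot read it in the first place, and the remaining risk is not extension but replay, because a stolen value is accepted until its embedded expiration (and sliding expiration renews it on use), which is why the cookie should be marked Secure and the timeout kept short.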

If RoleManagerModule creates security context of the user, then…

Hello, According to my book, if role management is enabled, then RoleManagerModule creates the security context of the user by assigning a RolePrincipal object to HttpRequest.User. But isn’t the security context already created (thus a principal object being assigned to HttpContext.User) by FormsAuthenticationModule, which is called pr...

Other users seem to lose AuthTicket when a single user logs out

Hello All, We are running a .NET 2.0 web application. One of our clients is experiencing an issue where, when two different users are logged into our application on two different machines and one logs out, the other user seems to lose their AuthTicket (none of the content is displayed and the page just looks broken). They must log out an...

Does FormsAuthenticationModule detect whether …?

Hello, FormsAuthenticationModule is used for tracking user and role information using an encrypted cookie. But does this module also contain the code that actually detects whether the user requesting a web page has a forms authentication ticket and, if not, redirects the user to the login page, or is it actually UrlAuthorizationModule that tells FormsAuthe...

WSS and OpenID

I have configured WSS with OpenID to enable FBA authentication. I have added a custom login page. I'm able to authenticate using the OpenID account; however, when I return to the default.aspx page I get the 'Access Denied' page. The question is how can I tell WSS to allow OpenID authentication into the web application? I have used ...

How do you keep a user logged in with a popup window?

I have an application that requires the user to re-enter their password after between 15 and 30 minutes of inactivity to allow them to carry on with what they were doing. My current idea is to have a piece of JavaScript that calls a popup after 15 minutes, asking the user to log in again. The site as a whole has a 15-minute forms authenticati...

Modifying SharePoint app Web.config file with Forms Based Authentication

We have a SharePoint application where we want the user to be able to modify the web.config by activating a feature. The application is extended, so we have an AD based web application and another that uses Forms Based authentication (FBA), with the FBA application being the "main" user application. We use the SPWebConfigModification cl...

RoleManagerModule and RolePrincipal object

Hello, According to my book, if role management is enabled, then RoleManagerModule creates the security context of the user by assigning a RolePrincipal object to HttpRequest.User. But isn’t the security context already created (thus a principal object being assigned to HttpContext.User) by FormsAuthenticationModule, which is called pr...

AuthenticateRequest event

Hello, Q1 - To my understanding FormsAuthenticationModule is subscribed to the AuthenticateRequest event, and thus only after this event is fired is FormsAuthenticationModule called. But the following quotes got me a bit confused: A) The AuthenticateRequest event signals that the configured authentication mechanism has authenticat...

FormsAuthentication.CookieDomain property

Hello, Q1 The FormsAuthentication.CookieDomain property specifies the domain for which this cookie is valid. Overriding this property is useful if you want to enable the cookie to be used for more applications on your web server. A) I assume the quote is suggesting that if the same browser is used to log onto two web applications, then...

FormsAuthentication.FormsCookiePath

Hello, Q1 I’ve read that when setting the timeout of an authentication cookie, we should keep in mind that the longer the cookie persists, the greater the chance of the cookie being stolen and misused. A) But assuming we secure our application against replay attacks by enabling SSL for the entire application, and since forms authent...