membership issue after online hosting - asp.net

I have a shopping cart ASP.NET application. Presently I manage the login system by simply making a DB table with 2 fields, username and password, and in my web.config file I redirect all users to the login page with the authentication and authorization tags:
<authentication mode="Forms" >
  <forms defaultUrl="default.aspx" loginUrl="login1.aspx" cookieless="AutoDetect" ></forms>
</authentication>
<authorization>
  <deny users="?"/>
</authorization>
On my login page I simply compare the username/password entered by the user with the database entry, and if the user is correct I call the function
FormsAuthentication.RedirectFromLoginPage(username, true);
which redirects the user to the home page. It works very fine on my local system and I have no issue. But recently I hosted my application online and there is some issue with my login system. When I log in to the site it's OK, but after some time the user is automatically thrown out of the site to the login page and has to log in again.

It sounds like your users are bumping up against a cookie expiry. Add the following attributes to your <forms> element:
<forms defaultUrl="default.aspx" loginUrl="login1.aspx" cookieless="AutoDetect" slidingExpiration="true" timeout="60" />
By default, sliding expiration SHOULD be set to true, but if it's not, 30 minutes after a user logs in, their authentication will expire no matter if they've visited other site pages since that time. By default, the timeout period is also supposed to be set to 30 minutes from last refresh, so if your user is idle for 30 minutes, they will have to renew the authentication cookie in order to access secured content. You can extend this to whatever value you like, such as "60" in the above example.
You can find out more about these attributes at the MSDN reference page.
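To see which of these values is actually in play on the hosted server, the following helper (an added example, not code from the question or answer) decrypts the Forms Authentication cookie on the current request and reports the ticket's issue and expiry times alongside the configured timeout, sliding expiration and requireSSL settings. It assumes .NET Framework 4 or later (for FormsAuthentication.Timeout) and is meant to be called from Page_Load of a diagnostics page and written to a log.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example: reports the values that decide when a user is sent back to
// the login page. Not part of the original question or answer.
public static class AuthTicketDiagnostics
{
    // Returns a one-line summary of the current ticket, or null when the
    // request carries no authentication cookie at all.
    public static string Describe(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt fails (throws or returns null) when the ticket was issued
            // under a different machineKey, e.g. an auto-generated key that
            // changed after an app pool recycle or a move to another server,
            // or when the cookie has been tampered with.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return "ticket present but could not be decrypted (machineKey mismatch or tampering)";
        }
        if (ticket == null)
            return "ticket present but could not be decrypted (machineKey mismatch or tampering)";

        TimeSpan remaining = ticket.Expiration - DateTime.Now;
        return string.Format(
            "user={0} issued={1:u} expires={2:u} remaining={3:F0}min persistent={4} expired={5} " +
            "configuredTimeout={6}min slidingExpiration={7} requireSSL={8} cookieMode={9}",
            ticket.Name, ticket.IssueDate, ticket.Expiration, remaining.TotalMinutes,
            ticket.IsPersistent, ticket.Expired,
            FormsAuthentication.Timeout.TotalMinutes, FormsAuthentication.SlidingExpiration,
            FormsAuthentication.RequireSSL, FormsAuthentication.CookieMode);
    }
}
```

If users are logged out while `expires` is still in the future and `expired=false`, the cause is not the timeout but a ticket that no longer decrypts, which is the same "The ticket supplied was invalid" symptom described further down this page.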

Related

How to deny users and redirect to login page when they type the same url in web page

After login I enter the Librarianform. Now when I copy the URL and paste it in a new tab it shows the page without login. So I want to redirect the users to the login page when they copy and paste the URL. How do I do that? Can you please explain it. Thank you.
ASP.NET has a login mechanism you can use. To enable it, add the below in your web.config file. Change the loginUrl attribute to the path of your own login page.
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/login.aspx" timeout="28800" name="webappname" />
    </authentication>
  </system.web>
</configuration>
To create the ASP.NET authentication cookie you need to call the FormsAuthentication.RedirectFromLoginPage as you can see below
string username = "";
bool rememberme = true;
// Implement your own login mechanism and if the user is authenticated
// set the username to the variable and make this call below
FormsAuthentication.RedirectFromLoginPage(username, rememberme);
Finally, to logout a user you can simply call
FormsAuthentication.SignOut();
You can also see this link, which describes a similar mechanism
NO. YOU CAN'T MAKE A USER LOG IN EVERY TIME THEY REQUEST A PAGE.
That's the way authentication works in ASP.NET, or in any web application, so that the user does not need to authenticate for every page once he has been authenticated.
Hope you're using Forms Authentication. By default, Forms Authentication uses cookies to store the SessionID.
You can use cookieless authentication by setting the values below in the web.config file:
<configuration>
  <system.web>
    <sessionState cookieless="true"
                  regenerateExpiredSessionId="true" />
  </system.web>
</configuration>
ASP.NET maintains cookieless session state by automatically inserting a unique session ID into the page's URL.
https://msdn.microsoft.com/en-us/library/ms178581%28v=vs.140%29.aspx.
http://www.codeproject.com/Articles/2796/Cookieless-ASP-NET-forms-authentication

ASP.NET Authentication to persist when redirecting to Paypal

I have a website that when the user registers, it creates the account, logs them in and then redirects them to Paypal to take a payment then Paypal returns them back to my site. However when the user returns to mysite, they are no longer authenticated. Can anyone tell me how I can make the authentication persist when returning from Paypal as I don't want the user to have to login straight after they have registered.
I am quite new to asp.net, so any help is really appreciated.
What kind of authentication do you use? Forms authentication, Windows etc. Show us your web.config. Also make sure that the cookieless setting is set to the right value for your authentication. If you use a cookie, then your users will remain logged in after coming back from PayPal. A sample forms authentication setting is attached below:
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx"
           protection="All"
           timeout="30"
           name=".ASPXAUTH"
           path="/"
           requireSSL="false"
           slidingExpiration="true"
           defaultUrl="default.aspx"
           cookieless="UseDeviceProfile" />
  </authentication>
</system.web>

Securing asp.net web app with Form Authentication

In ASP.NET web app, I have login.aspx.
I force every user to access through Login.aspx by setting this in web.config:
<authentication mode="Forms">
  <forms name="coockie_aut" loginUrl="login.aspx" protection="All" path="/" timeout="60" slidingExpiration="true"/>
</authentication>
My question is:
Using forms authentication and loginUrl, would it prevent someone from trying to hack any web page without first accessing Login.aspx? Does it mean that users will always be forced to access Login.aspx first?
That depends what you mean by "hack". Default Forms Authentication will redirect any request with no session authentication token to the login page. There are all kinds of session stealing, man-in-the-middle, brute-force, and other varieties of attacks that you may still be vulnerable to.

asp.net membership forms cookie not showing logged in across subdomains

We're using ASP.NET Membership for authentication at the root domain (www.domain.com) and then redirecting the user to a subdomain (sub.domain.com). When the user logs in from www they are being redirected to the login page on the subdomain, when they should be showing as logged in instead.
Both the machine key and the forms element in the web.config are identical.
In the event log we get:
Forms authentication failed for the request. Reason: The ticket supplied was invalid.
Turns out it was an MS security update that did it.
UPDATE
security update available
What's worked for me is to set the domain attribute of the forms element to be .domain.com. This should allow the user to log in on at www.domain.com and then be logged in when accessing sub.domain.com. I've tested this having hacked my hosts file and it works okay.
<authentication mode="Forms">
  <forms loginUrl="~/Account/Login.aspx" timeout="2880" domain=".domain.com" />
</authentication>

How can I handle a postback after session expires on an ASP.NET site?

I have a simple ASP.NET 4 site. I am using Forms Authentication. I have Session timeout set to 20 minutes. Also when the user authenticates I set the AuthenticationTicket to expire in 20 minutes. So normally everything works fine. If there is more than 20 minutes of inactivity and the user requests a page on the site they are redirected back to the Login page as I would expect.
However, let's say that the user is on a page that contains a form. Then they wait 25 minutes. Then they go to submit the form. Instead of being redirected back to the Login page, the site attempts the postback and I immediately get errors because there is code in the postback that attempts to get information out of Session.
It seems like ASP.NET does not redirect back to Login on postback if the AuthenticationTicket and Session has expired. How can I handle this? I hope I don't have to write special code on each page.
ADDED: web.config code:
<location path="ForgotLogin.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Login.aspx"></forms>
  </authentication>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
Corey
I think you have different timeouts for your session and your authentication cookie. The situation you describe sounds like a session that is timed out with an authentication cookie that is still valid. Look at this article. Especially the section Do you have a dependency between the user's authentication token and his session? is for your situation.
You do need to check on each page if you are not explicitly timing the pages out when the session expires.
Make a base class each page inherits Page from. In the page load event in that class, check for Session.IsNew. There are a couple other things you can check to be totally sure the session has expired.
I don't think this is an authentication issue. You can be authenticated and have the session expire.
They behave independently from each other.
What kind of information are you storing in session?
If this information is for the page, I would recommend keeping it in the ViewState or ControlState. If you are keeping information related to the user, I would create an IHttpModule so that whenever an authenticated user calls your website and your session values are null, you recreate them before the user hits any page.
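The base-class approach suggested above, as an added example that is not from any of the answers: a Page subclass that detects the case where the browser still holds a valid authentication cookie but ASP.NET had to start a fresh session, and sends the user to the login page before any postback code touches Session. The property is HttpSessionState.IsNewSession; on its own it is also true for a genuinely new visitor, so the check additionally requires that the request carried a session cookie (the default ASP.NET_SessionId name is assumed here) and that the user is authenticated.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Added example: detect "auth ticket outlived the session" and redirect to
// login instead of running a postback against an empty Session.
// Not code from the original thread.
public class SessionAwarePage : Page
{
    // Default name of the ASP.NET session cookie (assumed; change it if the
    // sessionState element in web.config sets a different cookieName).
    private const string SessionCookieName = "ASP.NET_SessionId";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (SessionExpiredWhileAuthenticated(Context))
        {
            // Drop the authentication cookie as well so the two timeouts are
            // back in step, then redirect (with ReturnUrl) to the login page.
            FormsAuthentication.SignOut();
            Session.Abandon();
            FormsAuthentication.RedirectToLoginPage();
            Response.End();
        }
    }

    // True only when all three hold:
    //  - the user is authenticated (forms cookie still valid),
    //  - the browser sent a session cookie, so it had a session before, and
    //  - ASP.NET created a new session for this request (the old one expired).
    public static bool SessionExpiredWhileAuthenticated(HttpContext context)
    {
        if (context == null || context.Session == null)
            return false;
        bool userAuthenticated = context.Request.IsAuthenticated;
        bool sentSessionCookie = context.Request.Cookies[SessionCookieName] != null;
        return userAuthenticated && sentSessionCookie && context.Session.IsNewSession;
    }
}
```

Have every page inherit from SessionAwarePage instead of Page; an IHttpModule handling PostAcquireRequestState could run the same check application-wide without touching each page.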