I have an web application programmed in classic asp/vb. It is running on windows server 2008 r2. iis7
I want the user of the application once logged in not be logged out automatically..ever!
is this possible if so how?
Yes, there are 2 ways and none are secure:
1.
Save Login Credentials in either a cookie or in memory.
On page load you need to force the browser to refresh every 1 hour.
During web browser refresh send stored credentials to
login class/function. This will refresh the session timeout.
2.
You can also extend the session timeout using a browser refresh without storing credentials.
Related
I have a web application built using asp.net mvc. I'm using the standard build in authentication - asp.net Identity (SignInManager & application cookie), although I've hooked this to MySQL back end.
As expected, when the user leaves my web application but returns to it in time before their session expires they can access the authorized pages on the site and when the session expires they are redirected to the log in page.
My question is, is it possible to force them to log in every time they return to the site after leaving it? The scenario being, they closed their browser or navigated away from the site all together.
Appreciate the help guys!
You need to "issue" the authentication cookie as "session" cookie. Session cookies disappear when all instances of the same-brand/same-mode browser is closed. By "same-mode" I mean incognito and non-incognito.
Keeping in mind your scenario, you can use following method.
FormsAuthentication.SetAuthCookie("YourCookieValue", false); //second aurgument is persistent
you can set the persistent value to false so whenever a user closes his/her browser he/she will be logged out.
On my Intranet Web Application, I have enabled Windows Authentication. For the first time when I take the App, it asks for Windows Authentication. From there it will never ask. How can I know whether the authentication is happening on each refresh of my page after first attempt?
For example, if I tried to change my Windows password while the app is running, will the app prompt for password again on refresh?
The authentication happens when you first connect. The server knows who the user is and is able to keep them logged in. If the user changes the password it will not ask them to re-authenticate until they close out the browser. This is due to the fact they already have an authentication and that will stay there until their session is done, usually by closing all instances of a browser (multiple windows of the same browser can share the same memory for things like cookies and authentication)
Think of it this way. You go into your home after you unlock the front door. You don't have to do this again until you leave your home. You can change your lock while you are home and still be in your home without having to unlock it again until you come back.
This is probably a duplicate question, but since I can't find the answer in the questions from the past I am going to ask again.
In my ASP.NET application, when I authorize the user, I set the custom FormsAuthenticationTicket. The persistance variable is false, so the authentication cookie should only be valid for current session.
My question is when would this session end? I restart my IIS Express development server, I shut down the dev machine, etc, and the session seems to be still active and the user is authenticated with that cookie.
How come in my VS 2012 + IIS Express environment sessions are immortal?
That's not an issue. You can restart the server and as long as the authentication cookie is still valid, the user is considered logged in. Remember, HTTP is a disconnected protocol.
The cookie will be removed the moment the user logs out and you programmatically remove the cookie or when the user closes his browser.
I am working on an application that uses windows authentication. Within this application, we give the user the ability to change their password.
The user can change the password just fine. However, after they change their password, that is when things get weird.
Sometimes they can navigate through the application just fine.
Other times, they click on a link and are immediately prompted to supply credentials.
Occasionly they can click on a link but upon a second click they are prompted to supply credentials.
Does the browser keep a token to the original credentials and use this when they request the next page? If this is the case, why can i continue using the site sometimes? Can I change the password and then assign that token to the request?
Does anyone have suggestions?
It's a caching issue. If the user connects to an ASP.NET app using Windows auth, the connection will linger for a while for performance reasons (you really don't want to do a complete re-auth on every page request!) - even then the password change has to travel from the PC, to the domain controller and then to the ASP.NET server, so there is often a small delay. My recommendation would be to drop the browser and wait 30secs before reconnecting.
Suppose I have logged into an web application. I'm on the page Default.aspx. If iis restarts then I need to re-login to use the application.
Is it possible to go back to the same page if IIS restarts?
How are you authenticating your users? Using forms authentication stores a client side cookie which can survive IIS resetting. Are you storing any authentication information in session state perhaps?
Edit
Just to add you can also redirect a user to a different page from the login page. Take the following url http://example.com/Login.aspx?ReturnUrl=%2fDefault.aspx.
This URL can be used to redirect the user to the Default.aspx page after they login. Assuming your using Forms authentication you can then redirect them using FormsAuthentication.RedirectFromLoginPage(userName, false); The false parameter prevents a persistant cookie from being created.
If you mean the ASP.Net application domain recycles, you're issue is that you're losing session state data, right? If that's the case, then how about storing session data in the StateServer or inside SQL Server? The default is "in process", so it's wiped clean when the app domain recycles.
If you set a cookie on each page the user vists stating which page they were on, then in your OnLoggedIn event you can check for the existance of this cookie, and redirect the user to the page - we use a similar mechanism for round-robin logins to multiple domains at once.