RedirectFromLoginPage() is not updating User.Identity.Name - asp.net

I use FormsAuthentication.RedirectFromLoginPage(userName.Trim(), false); to set the User.Identity.Name field that I reference later. When I execute this line, the User.Identity object does not update at all; it contains whatever it was previously set to. All the documentation I see online says this should update my User.Identity object with the correct name, but I don't see that happening.
I have the web config set up properly with the following lines:
    <authentication mode="Forms">
      <forms name="formsauth" loginUrl="Login.aspx" protection="All" timeout="60">
      </forms>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
I am relatively new to this stuff, so any help is appreciated. Thanks!

It will be updated on the next request but not on the next line following it. RedirectFromLoginPage sets an authentication cookie in the client browser that will be read upon the next client request and you will see the User.Identity.Name property updated. Updating this property in the same HTTP request is meaningless as you already know that the user passed authentication as you called the method.

Related

asp.net 4 form authentication: perform action on user session expiration

I'm using "Forms" authentication in asp.net 4, with a fixed time before the session expires.
I need to call a method that uses some variables in Session just before logging out, but I am not able to handle the case when the user's session is expired (it just redirects me to the login page). For example, I would like to log something like "User session is expired!". Moreover, I need some info stored in Session.
I tried to use the Session_end method, but it seems that the session expiration "event" does not trigger this function.
The configuration in web.config is:
    <sessionState
      mode="InProc"
      cookieless="false"
      timeout="70"/>
    <authentication mode="Forms">
      <forms defaultUrl="~/Default.aspx"
        loginUrl="~/Login.aspx"
        slidingExpiration="true"
        timeout="1" />
    </authentication>
    <anonymousIdentification enabled="false" />
    <authorization>
      <deny users="?" />
    </authorization>
The 1-second delay for expiration is for debugging purposes.
Is it possible to do what I need to?
Many thanks

Think this may have already been answered.
Calling a method on Session Timeout?
Apologies if this is different.

Where is .ASPXAUTH cookie

In JavaScript, alert(document.cookie); does not show the .ASPXAUTH cookie although a sniffer is showing it.
I need it because I have an AJAX request to the server, and the request should not take place when the user is already logged in.
If I cannot check .ASPXAUTH for security reasons, what should I do to check whether the user is already logged in?
Thanks

The authentication cookie is marked with http-only, meaning it cannot be accessed by JavaScript. If you want to check if the user is authenticated, simply output a JavaScript variable, a hidden field or whatever you prefer from your code-behind. You can then check this easily in JS.

There is a .ASPXAUTH cookie set, you are obviously correct. It is used to determine if a user is logged in.
To get what you need, look over your web.config for the config section:
    <authentication mode="Forms">
      <forms
        loginUrl="~/login.aspx"
        protection="All"
        timeout="30"
        name="ExampleSite.FormsAuthentication"
        path="/"
        requireSSL="false"
        slidingExpiration="true"
        defaultUrl="index.aspx"
        cookieless="UseDeviceProfile"
        enableCrossAppRedirects="false"
      />
    </authentication>
When the user is successfully authenticated a cookie will be set based off the name="ExampleSite.FormsAuthentication" parameter. It will expire after logging out or after the session expires. You will see a cookie on Chrome/FFX or whatever browser you are using called ExampleSite.FormsAuthentication with an encrypted value. Obviously the name parameter you are using will be different and not ExampleSite.FormsAuthentication but you get the idea.
You could always check and see if the cookie exists. As mentioned, be careful of the http-only (with relation to JS). You can also override that value in the web.config so you can access it with JS.
    <httpCookies httpOnlyCookies="false" requireSSL="false" domain="" />
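
The first answer's approach, as an added example (not code from either answer): the code-behind exposes only a boolean to JavaScript, and the AJAX endpoint repeats the check on the server, because a client-side flag is only a hint. The class names `LoginPage` and `AnonymousOnlyHandler` and the variable `isAuthenticated` are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical code-behind for the page that issues the AJAX request.
public partial class LoginPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Expose a boolean only; the .ASPXAUTH cookie itself stays HttpOnly
        // and is never readable from document.cookie.
        string js = "var isAuthenticated = "
                    + (Request.IsAuthenticated ? "true" : "false") + ";";

        // Last argument (addScriptTags) wraps the statement in <script>.
        ClientScript.RegisterClientScriptBlock(
            GetType(), "authState", js, true);
        // Client side: if (!isAuthenticated) { /* send the AJAX request */ }
    }
}

// Hypothetical AJAX endpoint (.ashx) that must not run for signed-in users.
public class AnonymousOnlyHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "application/json";

        // Authoritative check: the browser sends the HttpOnly cookie with
        // the AJAX request, so the server sees the real state even if the
        // page script was edited or is stale.
        if (context.Request.IsAuthenticated)
        {
            context.Response.StatusCode = 409; // Conflict: already signed in
            context.Response.Write("{\"error\":\"already_signed_in\"}");
            return;
        }

        context.Response.Write("{\"ok\":true}");
    }
}
```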

Why Response.Redirect("Pagename.aspx") doesn't work

I have one application where after successful Login user will be redirected to Home.aspx.
Now if I try Response.Redirect("Home.aspx") it doesn't work, but if I try
FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, false); it's working.
Now my question is why Response.Redirect() is not working?
I know FormsAuthentication.RedirectFromLoginPage does much more than login, it also sets a cookie, and also redirects to the login page, but why is Redirect() not working?
web.config:
    <authentication mode="Forms">
      <forms loginUrl="LogIn.aspx" defaultUrl="Home.aspx" path="/"></forms>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
Can somebody help?

You already have the answer pretty much.
Response.Redirect does not set the authentication cookie so when Home.aspx is loading it fails authentication and will redirect you back to the login page.
To use response.redirect, you will have to manage the cookie yourself, an example from https://web.archive.org/web/20210513002246/https://www.4guysfromrolla.com/webtech/110701-1.3.shtml is:
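    ' Build the forms authentication cookie for this user.
    Dim cookie As HttpCookie = FormsAuthentication.GetAuthCookie(UserName.Text, _
        chkPersistCookie.Checked)
    ' Attach it to the response, then redirect to the originally requested page.
    Response.Cookies.Add(cookie)
    Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, _
        chkPersistCookie.Checked))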
EDIT:
To answer the question in your comment, if you pass true as the second parameter to RedirectFromLoginPage then the cookie will be set to never expire, and you won't need to log in again.
    FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, true)

After doing FormsAuthentication.SignOut(), user is not able to login again

I am using FormsAuthentication with the following Web.Config file.
    <authentication mode="Forms">
      <forms name="SnowBall" timeout="30" slidingExpiration="true" loginUrl="Login.aspx" cookieless="AutoDetect">
      </forms>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
I have a user control which has a LogOut button. Code of the logout button is:
    FormsAuthentication.SignOut();
    Response.Redirect("Login.aspx");
After executing this code, I am no longer able to authenticate the user. When I click "Sign In", the page is refreshed and event handlers are not executed.
When I close the browser window and re-run the site, everything works fine. Please help me.

First, you need to be clear that there are two separate IDs: one is the session ID, which is allotted for the browser session, and the other is the forms authentication cookie, which is an encrypted alphanumeric ID.
Whenever you use FormsAuthentication.SignOut, your forms authentication cookies will be removed as per your implementation, but your session ID will remain there.
You can check it by using Fiddler or the Firefox browser.

I have found the solution. Hope it helps somebody out there.
The problem lies with this line:
    Response.Redirect("Login.aspx");
What it does is redirect the user to Login.aspx with ReturnUrl as a query string. For example:
    Login.aspx?ReturnUrl="Name of the page from where logout happened";
Now what happened was that FormsAuthentication.GetRedirectUrl() preserved this query string path and, after authentication, was redirecting to this path. The user credentials I was putting in were not authorized to view this page, so I was always on the login screen.
To resolve this issue, replace
    Response.Redirect("Login.aspx");
with
    Response.Redirect(FormsAuthentication.LoginUrl);

I want to set my FormsAuthentication cookie to timeout BUT VIA CODE

I want to set my FormsAuthentication cookie to timeout BUT VIA CODE. I know I can do this in the web.config but I want to configure at the database. Is this possible via code?
    <system.web>
      <authentication mode="Forms">
        <forms timeout="50000000"/>
      </authentication>
    </system.web>

To do this you'll need to create your own FormsAuthenticationTicket and cookie and add it to the response manually. See the example on the linked page.
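
A manually issued ticket of the kind this answer describes, as an added example (not the code from the linked page, which is not reproduced here): the lifetime is passed in by the caller, which is assumed to have read it from the database. `TicketIssuer`, `SignIn` and the `MaxMinutes` bound are hypothetical names.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class TicketIssuer
{
    // Hypothetical upper bound so a bad database value cannot create an
    // effectively permanent session.
    private const int MaxMinutes = 24 * 60;

    // timeoutMinutes: assumed to be loaded from the database by the caller.
    public static void SignIn(HttpResponseBase response, string userName,
                              int timeoutMinutes, bool persistent)
    {
        int minutes = Math.Max(1, Math.Min(timeoutMinutes, MaxMinutes));
        DateTime issued = DateTime.Now;

        // The expiration lives inside the encrypted ticket, so the server
        // enforces it regardless of what the browser does with the cookie.
        var ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,
            issued,
            issued.AddMinutes(minutes),
            persistent,
            string.Empty,                   // userData (unused here)
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // follows <forms requireSSL>
            Path = FormsAuthentication.FormsCookiePath
        };
        if (!string.IsNullOrEmpty(FormsAuthentication.CookieDomain))
            cookie.Domain = FormsAuthentication.CookieDomain;

        // Session cookie unless persistence was requested; a persistent
        // cookie is dropped by the browser when the ticket expires.
        if (persistent)
            cookie.Expires = ticket.Expiration;

        response.Cookies.Add(cookie);
        // The caller then redirects, e.g. to
        // FormsAuthentication.GetRedirectUrl(userName, persistent).
    }
}
```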
