Forms Based Authentication Issue (VIEWSTATE) Login Form On Non Protected Page

[Kyle Peterson]

Hi,

I am doing Forms Based Authentication using the built in tools of .NET.
Authenticating off a database with some code a wrote and using login.aspx,
web.config, etc etc... the usual deal..
I have it all working fine and pages I want to protect show a login page
before being logged in to.

The problem lies that I have a few clients that want to have a tiny login
form on an area of their homepage. So basically we are talking about a login
form on a non protected page that submits to a protected page. A lot of
sites do this as I am sure you know.

Now, because of VIEWSTATE and the fact that forms need to post to themselves
I cant just put appropriate form code on the homepage posting to some
protected page. (LIKE YOU COULD EASILY DO IN A CLASSIC ASP SCENARIO)

I turning off VIEWSTATE isn;t really an option.

So, what is the solution... is there no way to do something like this using
the built in forms authentication structure of .NET.

Any ideas or articles someone can point me to would be most appretiated. I
have searched for weeks before asking this here. I just can't come up with a
good solution other there writing something totally custom just to handle
this scenario that doesn't use the built in Forms Authentication Fetaures
but checks the user credentials, sets the authentication ticket.. all via
basic inline code..etc etc

Is that my only solution ? Is this something Microsoft left out of the forms
authentication scenarios ? Seems like it is something a lot of people want
to do.

Thanks

 

[Kyle Peterson]

man, I didn't think anyone would have an answer...

anybody ?

 

[Dominick Baier]

well - you could have some java script that takes the form values and posts
them to an SSL protected page - or use the use the PostBackUrl property on
the button/linkbutton etc...

 

[Kyle Peterson]

I have actually looked for javascript that can do a form post on it's own.
Couldn't find anything.
Not sure I am searching for the right terms.

Still, that solution to me seems like a total cobb.. however I would be
willing to try it if I could find some javascript code to do that. CLient
side code ain't my thing.

 

[Dominick Baier]

have you tried Button.PostBackUrl?

 

[Kyle Peterson]

that could be a solution.. looking into it now...
got to try it out... hopefully you can specify the ReturnURL via querystring
as well in the page your posting to..

if so it may work

 

[Kyle Peterson]

I tried to PostBackUrl and the javascript posting idea.. I can get them both
to work on simple forms posting data to a 2nd page... but they just wont
work under a "forms authentication scenario"

argg... something so simple yet .NET makes it so complicated.. I guess I'll
keep searching for answers

 

[Dominick Baier]

what's the problem?

 

[Kyle Peterson]

well, what happens is this..

you have you login page by itself whether using the javascript idea or a
PostBackUrl scenario .. you enter the login info and it tries to post to the
login.aspx?ReturnURL=blahblah (pseudo code)

anyway, it goes to that page but just doesn't log you in,, once there you
see a blank form and can enter the username/password and log in fine.. but
the remote post to it just never does anything...

Like I said, I tried the concept with some basic forms posting to other
pages and form values can be response.written so the post is working..

Either you can't do something like this when dealing with forms
authentication or maybe there are some hidden variables I need to send along
with the post.. but I dont think so..especially with PostBackUrl which still
keeps the viewstate stuff in check... I been messing around with all of this
for days now.. there is just no info anywhere that I can find where anyone
has specifically done this relating to forms authentication.

The ?ReturnURL may be causing a problem too as far as the posting process
goes.. not sure.. I tried not using and having a DefaultURL set in the
web.config which didn't work either.. I tried a lot of things I haven't even
mentioned.

I got 3 new books coming this week and I am praying one of them has
something usefull in it. Two of them are very specific to asp.net
authentication.

 

[Dominick Baier]

How do you set the cookie?

Why can't you grab the values from Page.Form["..."] and do a FormsAuthentication.SetAuthCookie
- and afterwards a Response.Redirect??

I don't see a problem.

Is one of the books from MS Press?

 

[Kyle Peterson]

I can and that is probably what I will do.. but I didnt really want to make
a custom deal just for that.

Though the basics of .NET forms authentication are being used I have an
custom authentication deal going on where I do all my checks against a
database.. part of it gets called from an asp.net dll I created. Code
Behind.. I really want everything to work with "login.aspx" as part of the
main authentication logic if hidden from the customer .. Basically there is
licensing code they are not supposed to easily see as I sell this
authentication system to various corporations (its a special add-on to a web
based mailing system made by a major player) and licensing it via domains as
well as other means. They need a license key in the web.config to run the
system.

I really didnt want to create a special scenario just for doing a login box
on the home page and probably another dll just used when doing that. That is
the answer. Without showing you all my code I can't really make you
understand but I have my reasons.

I was trying to do everything all at once and was doing pretty good until
this issue popped up.

In the end it seems I will have to make a special page just for this and set
the authentication ticket info there as well after doing the checks..
Seems stupid though for this one purpose but I dont see another way at the
moment.

How do you set the cookie?

Why can't you grab the values from Page.Form["..."] and do a
FormsAuthentication.SetAuthCookie - and afterwards a Response.Redirect??

I don't see a problem.

Is one of the books from MS Press?

-----
Dominick Baier (http://www.leastprivilege.com)

well, what happens is this..

you have you login page by itself whether using the javascript idea or
a PostBackUrl scenario .. you enter the login info and it tries to
post to the login.aspx?ReturnURL=blahblah (pseudo code)

anyway, it goes to that page but just doesn't log you in,, once there
you see a blank form and can enter the username/password and log in
fine.. but the remote post to it just never does anything...

Like I said, I tried the concept with some basic forms posting to
other pages and form values can be response.written so the post is
working..

Either you can't do something like this when dealing with forms
authentication or maybe there are some hidden variables I need to send
along with the post.. but I dont think so..especially with PostBackUrl
which still keeps the viewstate stuff in check... I been messing
around with all of this for days now.. there is just no info anywhere
that I can find where anyone has specifically done this relating to
forms authentication.

The ?ReturnURL may be causing a problem too as far as the posting
process goes.. not sure.. I tried not using and having a DefaultURL
set in the web.config which didn't work either.. I tried a lot of
things I haven't even mentioned.

I got 3 new books coming this week and I am praying one of them has
something usefull in it. Two of them are very specific to asp.net
authentication.

 

[Dominick Baier]

so why don't you create a login user/web control that handles the authentication
logic - this can be embedded on any page...?


-----
Dominick Baier (http://www.leastprivilege.com)

I can and that is probably what I will do.. but I didnt really want to
make a custom deal just for that.

Though the basics of .NET forms authentication are being used I have
an custom authentication deal going on where I do all my checks
against a database.. part of it gets called from an asp.net dll I
created. Code Behind.. I really want everything to work with
"login.aspx" as part of the main authentication logic if hidden from
the customer .. Basically there is licensing code they are not
supposed to easily see as I sell this authentication system to various
corporations (its a special add-on to a web based mailing system made
by a major player) and licensing it via domains as well as other
means. They need a license key in the web.config to run the system.

I really didnt want to create a special scenario just for doing a
login box on the home page and probably another dll just used when
doing that. That is the answer. Without showing you all my code I
can't really make you understand but I have my reasons.

I was trying to do everything all at once and was doing pretty good
until this issue popped up.

In the end it seems I will have to make a special page just for this
and set
the authentication ticket info there as well after doing the checks..
Seems stupid though for this one purpose but I dont see another way at
the
moment.

How do you set the cookie?

Why can't you grab the values from Page.Form["..."] and do a
FormsAuthentication.SetAuthCookie - and afterwards a
Response.Redirect??

I don't see a problem.

Is one of the books from MS Press?

-----
Dominick Baier (http://www.leastprivilege.com)

well, what happens is this..

you have you login page by itself whether using the javascript idea
or a PostBackUrl scenario .. you enter the login info and it tries
to post to the login.aspx?ReturnURL=blahblah (pseudo code)

anyway, it goes to that page but just doesn't log you in,, once
there you see a blank form and can enter the username/password and
log in fine.. but the remote post to it just never does anything...

Like I said, I tried the concept with some basic forms posting to
other pages and form values can be response.written so the post is
working..

Either you can't do something like this when dealing with forms
authentication or maybe there are some hidden variables I need to
send along with the post.. but I dont think so..especially with
PostBackUrl which still keeps the viewstate stuff in check... I been
messing around with all of this for days now.. there is just no info
anywhere that I can find where anyone has specifically done this
relating to forms authentication.

The ?ReturnURL may be causing a problem too as far as the posting
process goes.. not sure.. I tried not using and having a DefaultURL
set in the web.config which didn't work either.. I tried a lot of
things I haven't even mentioned.

I got 3 new books coming this week and I am praying one of them has
something usefull in it. Two of them are very specific to asp.net
authentication.

"Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com>
wrote in message

what's the problem?

-----
Dominick Baier (http://www.leastprivilege.com)
I tried to PostBackUrl and the javascript posting idea.. I can get
them both to work on simple forms posting data to a 2nd page...
but they just wont work under a "forms authentication scenario"

argg... something so simple yet .NET makes it so complicated.. I
guess I'll keep searching for answers


that could be a solution.. looking into it now...
got to try it out... hopefully you can specify the ReturnURL via
querystring as well in the page your posting to..
if so it may work
"Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com>
wrote in message
have you tried Button.PostBackUrl?

-----
Dominick Baier (http://www.leastprivilege.com)
I have actually looked for javascript that can do a form post
on
it's
own.
Couldn't find anything.
Not sure I am searching for the right terms.
Still, that solution to me seems like a total cobb.. however I
would
be willing to try it if I could find some javascript code to do
that.
CLient side code ain't my thing.
"Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com>
wrote in message
well - you could have some java script that takes the form
values and posts them to an SSL protected page - or use the
use the PostBackUrl property on the button/linkbutton etc...

-----
Dominick Baier (http://www.leastprivilege.com)
Hi,

I am doing Forms Based Authentication using the built in
tools
of
.NET.
Authenticating off a database with some code a wrote and
using
login.aspx,
web.config, etc etc... the usual deal..
I have it all working fine and pages I want to protect show a
login
page
before being logged in to.
The problem lies that I have a few clients that want to have
a
tiny
login form on an area of their homepage. So basically we are
talking
about a login form on a non protected page that submits to a
protected
page. A lot of sites do this as I am sure you know.
Now, because of VIEWSTATE and the fact that forms need to
post
to
themselves I cant just put appropriate form code on the
homepage
posting to some protected page. (LIKE YOU COULD EASILY DO IN
A
CLASSIC ASP SCENARIO)
I turning off VIEWSTATE isn;t really an option.
So, what is the solution... is there no way to do something
like this using the built in forms authentication structure
of
.NET.
Any ideas or articles someone can point me to would be most
appretiated. I have searched for weeks before asking this
here. I just can't come up with a good solution other there
writing something totally custom just to handle this scenario
that doesn't use the built in Forms Authentication Fetaures
but checks the user credentials, sets the authentication
ticket.. all via basic inline code..etc etc

Is that my only solution ? Is this something Microsoft left
out of the forms authentication scenarios ? Seems like it is
something a lot of people want to do.

Thanks

 

[Kyle Peterson]

that sorta is what it is..

so why don't you create a login user/web control that handles the
authentication logic - this can be embedded on any page...?


-----
Dominick Baier (http://www.leastprivilege.com)

I can and that is probably what I will do.. but I didnt really want to
make a custom deal just for that.

Though the basics of .NET forms authentication are being used I have
an custom authentication deal going on where I do all my checks
against a database.. part of it gets called from an asp.net dll I
created. Code Behind.. I really want everything to work with
"login.aspx" as part of the main authentication logic if hidden from
the customer .. Basically there is licensing code they are not
supposed to easily see as I sell this authentication system to various
corporations (its a special add-on to a web based mailing system made
by a major player) and licensing it via domains as well as other
means. They need a license key in the web.config to run the system.

I really didnt want to create a special scenario just for doing a
login box on the home page and probably another dll just used when
doing that. That is the answer. Without showing you all my code I
can't really make you understand but I have my reasons.

I was trying to do everything all at once and was doing pretty good
until this issue popped up.

In the end it seems I will have to make a special page just for this
and set
the authentication ticket info there as well after doing the checks..
Seems stupid though for this one purpose but I dont see another way at
the
moment.

How do you set the cookie?

Why can't you grab the values from Page.Form["..."] and do a
FormsAuthentication.SetAuthCookie - and afterwards a
Response.Redirect??

I don't see a problem.

Is one of the books from MS Press?

-----
Dominick Baier (http://www.leastprivilege.com)
well, what happens is this..

you have you login page by itself whether using the javascript idea
or a PostBackUrl scenario .. you enter the login info and it tries
to post to the login.aspx?ReturnURL=blahblah (pseudo code)

anyway, it goes to that page but just doesn't log you in,, once
there you see a blank form and can enter the username/password and
log in fine.. but the remote post to it just never does anything...

Like I said, I tried the concept with some basic forms posting to
other pages and form values can be response.written so the post is
working..

Either you can't do something like this when dealing with forms
authentication or maybe there are some hidden variables I need to
send along with the post.. but I dont think so..especially with
PostBackUrl which still keeps the viewstate stuff in check... I been
messing around with all of this for days now.. there is just no info
anywhere that I can find where anyone has specifically done this
relating to forms authentication.

The ?ReturnURL may be causing a problem too as far as the posting
process goes.. not sure.. I tried not using and having a DefaultURL
set in the web.config which didn't work either.. I tried a lot of
things I haven't even mentioned.

I got 3 new books coming this week and I am praying one of them has
something usefull in it. Two of them are very specific to asp.net
authentication.

"Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com>
wrote in message

what's the problem?

-----
Dominick Baier (http://www.leastprivilege.com)
I tried to PostBackUrl and the javascript posting idea.. I can get
them both to work on simple forms posting data to a 2nd page...
but they just wont work under a "forms authentication scenario"

argg... something so simple yet .NET makes it so complicated.. I
guess I'll keep searching for answers


that could be a solution.. looking into it now...
got to try it out... hopefully you can specify the ReturnURL via
querystring as well in the page your posting to..
if so it may work
"Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com>
wrote in message
have you tried Button.PostBackUrl?

-----
Dominick Baier (http://www.leastprivilege.com)
I have actually looked for javascript that can do a form post
on
it's
own.
Couldn't find anything.
Not sure I am searching for the right terms.
Still, that solution to me seems like a total cobb.. however I
would
be willing to try it if I could find some javascript code to do
that.
CLient side code ain't my thing.
"Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com>
wrote in message
well - you could have some java script that takes the form
values and posts them to an SSL protected page - or use the
use the PostBackUrl property on the button/linkbutton etc...

-----
Dominick Baier (http://www.leastprivilege.com)
Hi,

I am doing Forms Based Authentication using the built in
tools
of
.NET.
Authenticating off a database with some code a wrote and
using
login.aspx,
web.config, etc etc... the usual deal..
I have it all working fine and pages I want to protect show a
login
page
before being logged in to.
The problem lies that I have a few clients that want to have
a
tiny
login form on an area of their homepage. So basically we are
talking
about a login form on a non protected page that submits to a
protected
page. A lot of sites do this as I am sure you know.
Now, because of VIEWSTATE and the fact that forms need to
post
to
themselves I cant just put appropriate form code on the
homepage
posting to some protected page. (LIKE YOU COULD EASILY DO IN
A
CLASSIC ASP SCENARIO)
I turning off VIEWSTATE isn;t really an option.
So, what is the solution... is there no way to do something
like this using the built in forms authentication structure
of
.NET.
Any ideas or articles someone can point me to would be most
appretiated. I have searched for weeks before asking this
here. I just can't come up with a good solution other there
writing something totally custom just to handle this scenario
that doesn't use the built in Forms Authentication Fetaures
but checks the user credentials, sets the authentication
ticket.. all via basic inline code..etc etc

Is that my only solution ? Is this something Microsoft left
out of the forms authentication scenarios ? Seems like it is
something a lot of people want to do.

Thanks

 

[Kyle Peterson]

And Dominick..

Thank you very much for the responses.. I do appretiate the ideas and help.

Take Care..

that sorta is what it is..

so why don't you create a login user/web control that handles the
authentication logic - this can be embedded on any page...?


-----
Dominick Baier (http://www.leastprivilege.com)

I can and that is probably what I will do.. but I didnt really want to
make a custom deal just for that.

Though the basics of .NET forms authentication are being used I have
an custom authentication deal going on where I do all my checks
against a database.. part of it gets called from an asp.net dll I
created. Code Behind.. I really want everything to work with
"login.aspx" as part of the main authentication logic if hidden from
the customer .. Basically there is licensing code they are not
supposed to easily see as I sell this authentication system to various
corporations (its a special add-on to a web based mailing system made
by a major player) and licensing it via domains as well as other
means. They need a license key in the web.config to run the system.

I really didnt want to create a special scenario just for doing a
login box on the home page and probably another dll just used when
doing that. That is the answer. Without showing you all my code I
can't really make you understand but I have my reasons.

I was trying to do everything all at once and was doing pretty good
until this issue popped up.

In the end it seems I will have to make a special page just for this
and set
the authentication ticket info there as well after doing the checks..
Seems stupid though for this one purpose but I dont see another way at
the
moment.
in message
How do you set the cookie?

Why can't you grab the values from Page.Form["..."] and do a
FormsAuthentication.SetAuthCookie - and afterwards a
Response.Redirect??

I don't see a problem.

Is one of the books from MS Press?

-----
Dominick Baier (http://www.leastprivilege.com)
well, what happens is this..

you have you login page by itself whether using the javascript idea
or a PostBackUrl scenario .. you enter the login info and it tries
to post to the login.aspx?ReturnURL=blahblah (pseudo code)

anyway, it goes to that page but just doesn't log you in,, once
there you see a blank form and can enter the username/password and
log in fine.. but the remote post to it just never does anything...

Like I said, I tried the concept with some basic forms posting to
other pages and form values can be response.written so the post is
working..

Either you can't do something like this when dealing with forms
authentication or maybe there are some hidden variables I need to
send along with the post.. but I dont think so..especially with
PostBackUrl which still keeps the viewstate stuff in check... I been
messing around with all of this for days now.. there is just no info
anywhere that I can find where anyone has specifically done this
relating to forms authentication.

The ?ReturnURL may be causing a problem too as far as the posting
process goes.. not sure.. I tried not using and having a DefaultURL
set in the web.config which didn't work either.. I tried a lot of
things I haven't even mentioned.

I got 3 new books coming this week and I am praying one of them has
something usefull in it. Two of them are very specific to asp.net
authentication.

"Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com>
wrote in message

what's the problem?

-----
Dominick Baier (http://www.leastprivilege.com)
I tried to PostBackUrl and the javascript posting idea.. I can get
them both to work on simple forms posting data to a 2nd page...
but they just wont work under a "forms authentication scenario"

argg... something so simple yet .NET makes it so complicated.. I
guess I'll keep searching for answers


that could be a solution.. looking into it now...
got to try it out... hopefully you can specify the ReturnURL via
querystring as well in the page your posting to..
if so it may work
"Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com>
wrote in message
have you tried Button.PostBackUrl?

-----
Dominick Baier (http://www.leastprivilege.com)
I have actually looked for javascript that can do a form post
on
it's
own.
Couldn't find anything.
Not sure I am searching for the right terms.
Still, that solution to me seems like a total cobb.. however I
would
be willing to try it if I could find some javascript code to do
that.
CLient side code ain't my thing.
"Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com>
wrote in message
well - you could have some java script that takes the form
values and posts them to an SSL protected page - or use the
use the PostBackUrl property on the button/linkbutton etc...

-----
Dominick Baier (http://www.leastprivilege.com)
Hi,

I am doing Forms Based Authentication using the built in
tools
of
.NET.
Authenticating off a database with some code a wrote and
using
login.aspx,
web.config, etc etc... the usual deal..
I have it all working fine and pages I want to protect show a
login
page
before being logged in to.
The problem lies that I have a few clients that want to have
a
tiny
login form on an area of their homepage. So basically we are
talking
about a login form on a non protected page that submits to a
protected
page. A lot of sites do this as I am sure you know.
Now, because of VIEWSTATE and the fact that forms need to
post
to
themselves I cant just put appropriate form code on the
homepage
posting to some protected page. (LIKE YOU COULD EASILY DO IN
A
CLASSIC ASP SCENARIO)
I turning off VIEWSTATE isn;t really an option.
So, what is the solution... is there no way to do something
like this using the built in forms authentication structure
of
.NET.
Any ideas or articles someone can point me to would be most
appretiated. I have searched for weeks before asking this
here. I just can't come up with a good solution other there
writing something totally custom just to handle this scenario
that doesn't use the built in Forms Authentication Fetaures
but checks the user credentials, sets the authentication
ticket.. all via basic inline code..etc etc

Is that my only solution ? Is this something Microsoft left
out of the forms authentication scenarios ? Seems like it is
something a lot of people want to do.

Thanks