:o( .... Client not redirected to login page.

M O J O

Hi,

I have a huge problem.

I'm using cookieless sessionstate. When I try to access a "secure" page
(that is, a page that requires that the user has logged in), the user is
redirected to the login page perfectly - no problem.

But when the user IS logged in, and he manually removes the cookie part from
the url (in the address bar) and hits enter, this creates a new session and
when he tries to access my "secure" page again, he is NOT sent to the login
page. :o(

What am I doing wrong?

Here's some of my code:

WEB.CONFIG....

<authentication mode="Forms">
<forms name="MyTestApp" path="/" loginUrl="login.aspx" protection="All"
timeout="25"></forms>
</authentication>

<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424"
sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
cookieless="true" timeout="30" />


LOGIN.ASPX

' Create the authentication ticket (valid for 30 minutes).
Dim ticket As New FormsAuthenticationTicket(1, "TestUser", _
    System.DateTime.Now, System.DateTime.Now.AddMinutes(30), False, "MyTestApp", _
    FormsAuthentication.FormsCookiePath)

' Encrypt the ticket.
Dim encTicket As String = FormsAuthentication.Encrypt(ticket)

' Create the cookie.
Response.Cookies.Add(New HttpCookie(FormsAuthentication.FormsCookieName, encTicket))



Thank you in advance!

M O J O
 
Guest

You are using cookieless sessions. Your authentication info is stored in
cookies still. Look at your code, you have a Response.Cookies.Add where you
take care of the auth. That info in the url is just the session ID.
 
Steven Cheng[MSFT]

Hi MOJO,

As for the authentication problem you mentioned, I think Scott's
suggestion is reasonable. ASP.NET's FormsAuthentication is based on
cookies (it uses a cookie to store the authentication ticket). So I think
your client user may not have cookies enabled, since you use cookieless
session, yes? If the client browser disables cookies, FormsAuthentication
won't work. To confirm this, you can make a test page which writes some
cookie value to the client and retrieves it again from the client to see
whether the client side can accept cookies.

In addition, if you are sure that your application is aimed at "no cookie"
clients, I suggest that you manually implement your authentication and
store the authentication ticket in the Session collection after the user
logs in.

If you have any other questions, please feel free to post here. Thanks.


Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
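
Added example (not part of any post in this thread, and not Microsoft's code): one way to do what the reply above suggests, keeping the ticket in the Session collection instead of a cookie, so that a request whose URL no longer carries the session ID lands in an empty session and is sent back to login.aspx. `SessionAuth`, `SecurePage` and the `AuthTicket` key are hypothetical names, and the sketch assumes every protected page inherits from `SecurePage`.

```vb
Imports System
Imports System.Web.Security
Imports System.Web.UI

' Added example: hypothetical helper and base page, not code from the thread.
Public Module SessionAuth
    ' Hypothetical session key under which the ticket is stored.
    Public Const TicketKey As String = "AuthTicket"

    ' Call from login.aspx after the credentials have been verified.
    Public Sub SignIn(ByVal page As Page, ByVal userName As String)
        Dim ticket As New FormsAuthenticationTicket(1, userName, _
            DateTime.Now, DateTime.Now.AddMinutes(30), False, "MyTestApp", _
            FormsAuthentication.FormsCookiePath)
        ' Kept server-side in session state; no authentication cookie is sent.
        page.Session(TicketKey) = ticket
    End Sub

    ' True only if this session holds a ticket that has not expired.
    Public Function IsSignedIn(ByVal page As Page) As Boolean
        Dim ticket As FormsAuthenticationTicket = _
            TryCast(page.Session(TicketKey), FormsAuthenticationTicket)
        If ticket Is Nothing Then Return False
        If ticket.Expired Then
            page.Session.Remove(TicketKey)
            Return False
        End If
        Return True
    End Function
End Module

' Base class for "secure" pages: a new (empty) session has no ticket,
' so the request is redirected to the login page.
Public Class SecurePage
    Inherits Page

    Protected Overrides Sub OnInit(ByVal e As EventArgs)
        MyBase.OnInit(e)
        If Not SessionAuth.IsSignedIn(Me) Then
            Response.Redirect("login.aspx", True)
        End If
    End Sub
End Class
```

With this arrangement the session ID in the URL is the only thing that identifies the signed-in user, so anyone who obtains the full URL gets the same session; treat that URL as a credential.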
 
Steven Cheng[MSFT]

Hi MOJO,

Have you had a chance to check out the suggestions in my last reply or have
you got any further ideas on this issue? If you have anything unclear or if
there's anything else we can help with, please feel free to post here.

Thanks.

Regards,

Steven Cheng
Microsoft Online Support
 
Steven Cheng[MSFT]

Hi MOJO,

You are welcome! Yes, I've also read the "cookieless formsauthentication"
article on CodeProject and since it's implemented via url querystring, it
may cause some other problems sometimes. Anyway, thanks again for your
posting and please feel free to post here if you have any problems in the
future :)

Regards,

Steven Cheng
Microsoft Online Support

 