Trying to understand form based authentication

I am using this example http://support.microsoft.com/kb/326340.

Looking at this example, or any form based authentication, what tells the web site that the user has been authenticated?

I ask because with my code I navigate to the default page. I am redirected to the login page. I enter my credentials and am authenticated and sent to the requested page.

Now I want to go to another page in the site. What tells IIS7 that I do not have to be authenticated again for this new page? That is my problem I think.

I can authenticate the user but every page I navigate to forces me to authenticate the user again. I'm used to VB 6, not web apps, so in my experience I would simply set a boolean global variable after the initial authentication. So where is the variable, or the web programming equivalent?

Thanks,

Ty

0
TBarton
5/6/2008 6:33:28 PM

The authentication information is set in a cookie in the client's browser when you call Response.Cookies.Add(authCookie) in your logon page. Now it could be that you are not setting up the cookie correctly (maybe you are sending a cookie with one name in the response, and then checking for a different cookie name).

Hope this helps.

Jaime


Don't forget to click "Mark as Answer" on the post that helped you. That way future readers will know which post solved your issue
http://weblogs.asp.net/JaimedelPalacio
0
jaimedp
5/7/2008 1:43:27 AM

OK, so here's the code to create a cookie.

    Protected Sub Login1_Authenticate(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.AuthenticateEventArgs) Handles Login1.Authenticate
        Dim adPath As String = "LDAP://DC=test,DC=lcl" 'Path to your LDAP directory server
        Dim adAuth As FormsAuth.LdapAuthentication = New FormsAuth.LdapAuthentication(adPath)

        Try
            If (True = adAuth.IsAuthenticated("test.lcl", Login1.UserName, Login1.Password)) Then
                Dim groups As String = adAuth.GetGroups()

                'Create the ticket, and add the groups.
                Dim isCookiePersistent As Boolean = True
                Dim authTicket As FormsAuthenticationTicket = New FormsAuthenticationTicket(1, _
                    Login1.UserName, DateTime.Now, DateTime.Now.AddMinutes(60), isCookiePersistent, groups)

                'Encrypt the ticket.
                Dim encryptedTicket As String = FormsAuthentication.Encrypt(authTicket)

                'Create a cookie, and then add the encrypted ticket to the cookie as data.
                Dim authCookie As HttpCookie = New HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)

                If (isCookiePersistent = True) Then
                    authCookie.Expires = authTicket.Expiration
                End If

                'Add the cookie to the outgoing cookies collection.
                Response.Cookies.Add(authCookie)

                'You can redirect now.
                'Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUsername.Text, False))
                Server.Transfer(FormsAuthentication.GetRedirectUrl(Login1.UserName, False))
                'Server.Transfer("Announce.aspx")
                'Server.Transfer("Announce.aspx")
            Else
                errorLable.Text = "Authentication did not succeed. Check user name and password."
            End If
        Catch ex As Exception
            errorLable.Text = "Error authenticating. " & ex.Message
        End Try
    End Sub

Now I thought the cookie would be named "authCookie" but when I look in the cookie folders it seems to be dallas@localhost[1].

So now the question I have is that where is this cookie called from to see if it exists? In the web.config or in the login page load event or in the load event of the page I'm trying to navigate to?

Thanks,

Ty

0
TBarton
5/7/2008 8:25:12 PM
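
Added example (not part of any post in this thread, and not the KB article's own code): the per-request check asked about above, written as an Application_AuthenticateRequest handler in Global.asax that reads the forms cookie, decrypts the ticket and attaches the user and groups to the current request. The class name Global_asax and the "|" delimiter for the groups string are assumptions.

```vbnet
' Global.asax.vb -- added example, not code from the thread.
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

' Class name is an assumption; use the one in your own Global.asax.
Public Class Global_asax
    Inherits HttpApplication

    ' ASP.NET raises this event early in every request, so this is the
    ' web counterpart of checking a "user is logged in" global flag.
    Protected Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        ' Look the cookie up under the same name the login page used.
        Dim authCookie As HttpCookie = Request.Cookies(FormsAuthentication.FormsCookieName)
        If authCookie Is Nothing OrElse String.IsNullOrEmpty(authCookie.Value) Then
            Return ' No ticket: the request stays anonymous.
        End If

        Dim authTicket As FormsAuthenticationTicket = Nothing
        Try
            ' With the default protection setting, Decrypt fails for a cookie
            ' that was altered or was not issued by this application.
            authTicket = FormsAuthentication.Decrypt(authCookie.Value)
        Catch ex As Exception
            Return ' Undecryptable cookie: treat the request as anonymous.
        End Try

        If authTicket Is Nothing OrElse authTicket.Expired Then
            Return ' Missing or expired ticket: the user must log in again.
        End If

        ' Assumption: the login page stored the groups in UserData as a
        ' "|"-delimited string.
        Dim groups As String() = authTicket.UserData.Split( _
            New Char() {"|"c}, StringSplitOptions.RemoveEmptyEntries)

        ' Attach the identity and its roles to this request only; the next
        ' request repeats the check from the cookie.
        Dim id As New FormsIdentity(authTicket)
        Context.User = New GenericPrincipal(id, groups)
    End Sub
End Class
```

Pages and web.config authorization rules then see the result through User.Identity.IsAuthenticated and User.IsInRole.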
Hi

Please try to set (AuthenticateEventArgs.Authenticated = True) when the username and password are correct. Here is an example:

    Protected Sub Login1_Authenticate(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.AuthenticateEventArgs) Handles Login1.Authenticate
        'PasswordAndUserIsCorrect stands for your own credential check.
        If (PasswordAndUserIsCorrect) Then
            e.Authenticated = True
        Else
            e.Authenticated = False
        End If
    End Sub


Best Regards
XiaoYong Dai
Microsoft Online Community Support

Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
0
XiaoYong
5/8/2008 6:22:36 AM

That looks like it might work but here is the problem. This sub is only run when the user clicks the login button of the login control. So when I go to navigate to the next page this event is not called. I have been trying to figure out a way to call the click event of the button in the page load event but I cannot figure out how to do that without errors because the button is not a separate control but part of the login control.

0
TBarton
5/8/2008 1:23:00 PM

TBarton:

I have been trying to figure out a way to call the click event of the button in the page load event but I cannot figure out how to do that without errors because the button is not a separate control but part of the login control.

Hi

I think you are programming the web application using the idea of a WinForms application. A common way to authenticate a user on the network is to send a 302 status code to anonymous users in order to force them to log in. Well, a step-by-step tutorial about configuring an ASP.NET 2.0 application to use Forms Authentication with Active Directory might help:

http://msdn.microsoft.com/en-us/library/ms998360.aspx


Best Regards
XiaoYong Dai
Microsoft Online Community Support

0
XiaoYong
5/9/2008 2:54:58 AM

Oddly enough I tried that code but kept getting an "Unable to establish a secure connection to the server" error until I removed some of the code. I have posted to find out what is causing that. I was using a domain admin account but was still getting that error. There is a problem somewhere but I do not know where. I assume the issue is with some setting in IIS7 or with ASP.NET.

I basically have the default settings from when I installed IIS7, Visual Studio 2008 and my web site. I know that with IIS6 there were settings that needed to be changed or added to access AD, but IIS7 is not set up the same way, so does anyone know what the settings need to be outside of the code in the project itself?

I do appreciate all the help you have given me.

Thanks,

Ty

0
TBarton
5/9/2008 12:18:01 PM

Hi

It's possible that the specified LDAP path is invalid. You may contact your network administrator to make sure the directory you entered contains a complete domain, DC, OU, CN.

Here is an example: 

LDAP://testdomain.test.com/CN=Users,DC=testdomain,DC=test,DC=com  (check your domain name and other attributes so that it points to your Active Directory users container)


Best Regards
XiaoYong Dai
Microsoft Online Community Support

0
XiaoYong
5/12/2008 6:17:34 AM

Domain is correct; as I said, the user is authenticated. I'm soon just going to scrap it and pull all the user info from AD with a script and place it into a DB table and then authenticate from that.

Thanks,

Ty

0
TBarton
5/12/2008 9:44:52 AM