Form Authentication Forcefully logout

Whenever I close the application and log back in, the user remains logged in and it asks me to log out. I want to make sure that whenever the application starts, it is not already logged in from before.

This is the web.config code:

  <authentication mode="Forms">
    <!--
        The <customErrors> section enables configuration 
        of what to do if/when an unhandled error occurs 
        during the execution of a request. Specifically, 
        it enables developers to configure html error pages 
        to be displayed in place of a error stack trace.

    <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
        <error statusCode="403" redirect="NoAccess.htm" />
        <error statusCode="404" redirect="FileNotFound.htm" />
    </customErrors>                             
    -->

    <forms loginUrl="Login.aspx" cookieless="UseCookies"> 

    </forms>
  </authentication>


  <authorization>
    <allow roles="Administrator,Attorney,Director of Operations,Office Manager,Paralegal,Partner,Processor,Salary Admin,Unit Manager"/>
    <deny users="?"/>
  </authorization>

  <pages>              
  </pages>
</system.web>

Login button code

            string[] arr = new string[10];
            bool bCheckUser;
            try
            {
                if ((txtUserName.Text == "") || (txtPassword.Text == ""))
                {
                    lblError.Visible = true;
                    lblError.ForeColor = System.Drawing.Color.Red;
                    lblError.Text = "Enter UserName and Password";
                }
                else
                {
                    bCheckUser = Membership.ValidateUser(txtUserName.Text, txtPassword.Text);

                    arr = Roles.GetRolesForUser(txtUserName.Text);


                    FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, true);
                    FormsAuthentication.Authenticate(txtUserName.Text, txtPassword.Text);

                    if (bCheckUser == true)
                    {
                        lblError.Visible = false;
                        Response.Redirect("MainMenu.aspx");
                    }
                    else
                    {
                        lblError.Visible = true;
                        lblError.ForeColor = System.Drawing.Color.Red;
                        lblError.Text = "You Username or Password is Invalid. Please try Again";
                    }

                }
            }
            catch(Exception ex)
            {
                lblError.Text = ex.Message.ToString();
            }
        }


You are passing true to this method, which means a persistent cookie is created:

    FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, true);

Pass false instead, and also move that call inside the if block and remove that redirect if you don't want a hard redirect:

    if (bCheckUser == true)
    {
        lblError.Visible = false;
        // Response.Redirect("MainMenu.aspx");
        FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);
    }

Or use the SetAuthCookie method like below:

    if (bCheckUser == true)
    {
        lblError.Visible = false;
        FormsAuthentication.SetAuthCookie(txtUserName.Text, false);
        Response.Redirect("MainMenu.aspx");
    }


Edit: It looks like you are calling FormsAuthentication.RedirectFromLoginPage regardless of whether Membership.ValidateUser returns true or false. That might have something to do with it. Is this code being called in the Page_Load of your login page?

A couple of questions I have for you:

  • Are you actually closing the browser and then reopening it, or just returning to your site after receiving an error in the same browser?
  • Does your login page have a Remember Me setting?
  • Have you restricted access to your webpages in your web.config?

By default I think the web.config leaves most pages open. You'll need an authorization section to restrict access.

    <authorization>
        <deny users="?" />
    </authorization>

Here are some links to check out as well:

  • http://ondotnet.com/pub/a/dotnet/2004/02/02/effectiveformsauth.html
  • http://www.asp.net/security/tutorials/an-overview-of-forms-authentication-vb
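
The two points raised in the answers above (issue the ticket only after validation succeeds, and make it non-persistent), combined with an explicit logout, as an added example that is not code from the original posts. It assumes the `txtUserName`, `txtPassword` and `lblError` controls from the question; the handler names `btnLogin_Click` and `btnLogout_Click` are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Added example: code-behind for Login.aspx. The controls txtUserName, txtPassword
// and lblError come from the question; the handler names are hypothetical.
public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string user = txtUserName.Text.Trim();

        // Validate first. No ticket is issued unless the credentials check out.
        if (user.Length == 0 || txtPassword.Text.Length == 0 ||
            !Membership.ValidateUser(user, txtPassword.Text))
        {
            lblError.Visible = true;
            lblError.ForeColor = System.Drawing.Color.Red;
            lblError.Text = "Invalid user name or password.";
            return;
        }

        // isPersistent = false: the ticket is not marked persistent.
        var ticket = new FormsAuthenticationTicket(
            1, user, DateTime.Now, DateTime.Now.Add(FormsAuthentication.Timeout),
            false, string.Empty, FormsAuthentication.FormsCookiePath);

        // Leaving HttpCookie.Expires unset makes this a session cookie, so the
        // browser drops it when it is closed.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        Response.Cookies.Add(cookie);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(user, false));
    }

    // Explicit logout: expires the forms cookie, then returns to the login page.
    protected void btnLogout_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();
        Session.Abandon();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

A browser configured to restore the previous session on startup may keep session cookies across a restart, so the ticket's expiration time still bounds how long the login stays valid.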