keep me logged in for windows + forms login
I want the functionality of Facebook and GMail to be implemented in my ASP.NET application.
I use a combination of windows and forms login and all of this is working just fine.
I have a login page which has the following code:
public const int LOGON32_LOGON_INTERACTIVE = 2;
public const int LOGON32_PROVIDER_DEFAULT = 0;
IntPtr token;
IntPtr tokenDuplicate;
[DllImport("advapi32.dll", SetLastError = true)]
public static extern int LogonUserA(String lpszUserName,
String lpszDomain,
String lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern int DuplicateToken(IntPtr hToken,
int impersonationLevel,
ref IntPtr hNewToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern bool RevertToSelf();
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public static extern bool CloseHandle(IntPtr handle);
protected void LoginButton_Click(object sender, EventArgs e)
{
if (LogonUserA(userName, Domain.Text, Password.Text, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref token) == 0)
{
BadCredentials.Visible = true;
BadCredentials.Text = "Not A Valid User";
Global.logger.Info("LogonUserA failed with GetLastWin32Error code =" + Marshal.GetLastWin32Error());
return;
}
Global.logger.Info("LogonUserA is sucessful");
if (DuplicateToken(token, 2, ref tokenDuplicate) == 0)
{
BadCredentials.Visible = true;
BadCredentials.Text = "Internal Error: DuplicateToken failed";
return;
}
Session["TokenDuplicate"] = tokenDuplicate;
if (new GUIUtility().impersonateValidUser(Session) == false)
{
BadCredentials.Visible = true;
BadCredentials.Text = "Impersonation failed";
return;
}
if (GUIUtility.IsUserPartOfWindowsGroup(compUsrNameForEncryption, adminGroupName) == true)
{
// The user is Instance Admin
BadCredentials.Visible = false;
}
// Create the authentication ticket
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, // version
UserName.Text, // user name
DateTime.Now, // creation
DateTime.Now.AddMinutes(60),// Expiration
false, // Persistent
role); // User data
// Now encrypt the ticket.
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
// Create a cookie and add the encrypted ticket to the
// cookie as data.
HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
//authCookie.Secure = FormsAuthentication.RequireSSL;
// Add the cookie to the outgoing cookies collection.
HttpContext.Current.Response.Cookies.Add(authCookie);
开发者_JS百科 //Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, false));
Response.Redirect("~/Default.aspx");
// Company Admin has logged on
}
This is what is there on my web.config which can be useful:
<authentication mode="Forms">
<forms loginUrl="Login.aspx" defaultUrl="~/Default.aspx" name="GUI" slidingExpiration="true" timeout="30" path="/">
</forms>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
<sessionState mode="InProc" cookieless="false" timeout="30"/>
<!--
The <customErrors> section enables configuration
of what to do if/when an unhandled error occurs
during the execution of a request. Specifically,
it enables developers to configure html error pages
to be displayed in place of a error stack trace.
-->
<customErrors mode="On" defaultRedirect="~/Login.aspx">
<error statusCode="403" redirect="NoAccess.htm" />
<error statusCode="404" redirect="FileNotFound.htm" />
</customErrors>
This code in my global.ascx:
protected void Application_BeginRequest(object sender, EventArgs e)
{
try
{
string cookieName = FormsAuthentication.FormsCookieName.ToString();
HttpCookie authCookie = Context.Request.Cookies[cookieName];
if (null != authCookie)
{
authCookie.Secure = true;
}
}
catch (Exception ex)
{
Global.logger.Error("Application_BeginRequest: Exception: " + ex);
}
}
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
// Extract the forms authentication cookie
string redirectSecureUrl = Request.Url.ToString();
string cookieName = FormsAuthentication.FormsCookieName.ToString();
HttpCookie authCookie = Context.Request.Cookies[cookieName];
if (null == authCookie)
{
// There is no authentication cookie.
return;
}
FormsAuthenticationTicket authTicket = null;
try
{
authTicket = FormsAuthentication.Decrypt(authCookie.Value);
}
catch (Exception ex)
{
Global.logger.Error("Application_AuthenticateRequest: Exception: " + ex);
return;
}
if (null == authTicket)
{
// Cookie failed to decrypt.
return;
}
// When the ticket was created, the UserData property was assigned a
// pipe delimited string of role names.
string[] roles = authTicket.UserData.Split(new char[] { '|' });
// Create an Identity object
FormsIdentity id = new FormsIdentity(authTicket);
// This principal will flow throughout the request.
GenericPrincipal principal = new GenericPrincipal(id, roles);
// Attach the new principal object to the current HttpContext object
Context.User = principal;
}
What happens if I make the persistent cookie true instead of false?
Thanks.
For reference...
If you use true a cookie with a fixed expiry date will be created rather than a session only cookie. The cookie & therefore the authentication ticket will then survive the browser being closed.
Simon
加载中,请稍侯......
精彩评论