开发者

Problem with ASP.NET Authentication

问答 作者:

I'm having problem with our login procedure.

Some customers complain that they can't login. I can see in our logs that their login is successful and that they are redirected from the login page to the member area. But there somehow the login isn't detected and they are bounced back to the login page.

I've asked customers to check if cookies are supported (http://www.html-kit.com/tools/cookietester/) but problem remains even if this test returns true.

This is how I've implemented the login procedure (simplyfied):

protected void Login(string email, string password)
{

FormsAuthentication.SignOut();


Guid clientId = /* Validate login by checking email and password, if fails display error otherwise get client id */


FormsAuthentication.SetAuthCookie(clientId.ToString(), true);

HttpContext.Current.Response.Redirect("~/Members.aspx");


}

On the member page I check for authentication by in Page_Load function:

public static void IsAuthenticated()
{
 if (!HttpContext.Current.User.Identity.IsAuthenticated)
 {
         HttpContext.Current.Response.Redirect("~/Login.aspx", true);
 }
}

Maybe I'm using FormsAuthentication completely wrong?

I've asked this before but still haven't been able to figure this out, I'd appreciate any help.

From my Web.Config:

<system.web>
    <compilation debug="false">
      <assemblies>
       ...
      </assemblies>
    </compilation>
    <authentication mode="Forms"/>
    <sessionState mode="InProc" cookieless="false" timeout="180"/>
    开发者_JAVA百科<customErrors mode="On"/>
    <httpHandlers>
    ...
    </httpHandlers>
    <httpModules>
    ...
    </httpModules>   </system.web>

public static void IsAuthenticated() { if (!HttpContext.Current.User.Identity.IsAuthenticated) { HttpContext.Current.Response.Redirect("~/Login.aspx", true); } }

is not necessary when you use forms authentication.

When you specify the forms authentication in the web.config (in which you also specify the login page)

<authentication mode="Forms">
  <forms loginUrl="/Authorization/Login" timeout="60" />
</authentication>

and you deny all non-athenticated users access

<authorization>
          <deny users="?" />
      </authorization>

you don't have to check the authentication of a user yourself, the framework takes care of that.

I would place the FormsAuthentication.SignOut(); code behind a 'logout' link

Seperate the call of SignOut() and SetAuthCookie() in different methods. You may call FormsAuthentication.SignOut(); when the Login page loads first time - simply just do away from calling SignOut() on Login page. And Call FormsAuthentication.SetAuthCookie(clientId.ToString(), true); after authentication is successful.

Normally you would use FormsAuthentication.Authenticate together with some membership provider, but this should work, and it actually does in my machine.

Are you removing the FormsAuthentication from your registered HTTP modules? Normally, this is in the machine wide web.config:

<configuration>
  <system.web>
    <httpModules>
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule"  />
    </httpModules>
  </system.web>
</configuration>

If you put a <clear /> inside that same section of your own web.config, you're effectively removing that module.

My tested Web.config is pretty clean, it only has <authentication mode="Forms"/> configured.

继续阅读:asp.net

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9