I have an ASP.NET Web Form Single Page Application.
It uses Form Security and System.Web.Security.SqlMembershipProvider.
The authentication is configured like this:
<authentication mode="Forms">
<forms name=".ASPXFRM" protection="All" timeout="120" loginUrl="~/Authdentication.aspx" />
</authentication>
This application is a Point Of Sale. As of now, all employees in the store use the same username/password to login.
Now, we need to add more security into the application.
The ideal situation would be this:
In the morning, cashier #1 and cashier #2 log in using their username and password.
After some time of inactivity, the app locks.
Then, cashier #1 or #2 enters his PIN (a 5-digit code), different from his password, to unlock the app and (auto"magically") reauthenticate.
Any suggestions or experience with this scenario?
Question:
How can I have multiple users use the same application on the same computer in the same browser window without having to log off/log in each time? Behind the scenes the logoff/login process could occur, but I want the process to be quick and easy for the user.
If the idea of using a password to log in and a PIN to unlock is to maintain the session even when the account is locked due to inactivity, then perhaps you should use different values for the forms and session timeouts. For example:
<authentication mode="Forms">
<forms name=".ASPXFRM" protection="All" timeout="15" loginUrl="~/Authdentication.aspx" />
</authentication>
<sessionState mode="InProc" timeout="60"/>
This should force you to authenticate every 15 minutes you stay inactive, but the session won't be lost for an hour.
Related
I'm using .NET 4.5, and my site is logging users out after 10 minutes of inactivity, even though I have login time set to 45 minutes.
It's very frustrating for the users.
In web.config, for sessionState this is what I have:
<sessionState mode="InProc" customProvider="DefaultSessionProvider" timeout="45">
and for authentication:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" defaultUrl="~/" protection="All"/>
</authentication>
It's hosted on GoDaddy, whose support is useless, but it means I can't control the app pool recycling, but I don't think that's the issue.
I just can't get to the bottom of it.
Can anyone help?
I created two ASP.NET Web Forms Applications in which I use separate Forms authentication
with different machine keys.
But when I log in to one of them, I am logged out of the other.
The same thing happens on the production server and on localhost.
If you haven't configured at least one of the two applications to use a non-default cookie name, they will both try to use the same cookie name ".ASPXAUTH", and if by "on the same server" you mean they are accessed using the same hostname, then logging into one will overwrite the cookie of the other.
Try overriding the cookie name in your Web.config, something like this:
<authentication mode="Forms">
<forms loginUrl="login.aspx" name=".FOOASPXAUTH" />
</authentication>
And in the other application:
<authentication mode="Forms">
<forms loginUrl="login.aspx" name=".BARASPXAUTH" />
</authentication>
Usually I have:
<authentication mode="Forms">
<forms loginUrl="Login.aspx"
timeout="30"
slidingExpiration="true" />
</authentication>
which (IMHO) means that the cookie expires after 30 minutes of inactivity - sliding expiration means that any activity sets the cookie's expiry time back to 30 minutes.
Now I have the requirement that I would like the cookie to be stored indefinitely, unless the user logs out explicitly. This means that even if the browser is closed and reopened and the user goes to a site that requires authentication, no login is required. Is this possible?
What you describe sounds equivalent to forcing the remember me checkbox to always be checked. To achieve that, go to your Login action, and do the following:
FormsAuthentication.SetAuthCookie(username, true);
Use the SetAuthCookie method:
FormsAuthentication.SetAuthCookie(UserID, false); // not persisting cookie across the browser session.
FormsAuthentication.SignOut(); // for sign-out
I'm implementing a "Remember Me" feature; I want the user to not have to enter login/password again.
It seems to work locally, but on shared hosting it lasts for about 15 minutes, then logs out. Here is the code:
controller:
FormsAuthentication.SetAuthCookie("username", true);
Web.config:
<authentication mode="Forms" >
<forms loginUrl="~/Account/LogOn" timeout="262974" cookieless="UseCookies" />
</authentication>
<sessionState mode="InProc" timeout="262974" cookieless="UseCookies" />
EDIT
I've added the sessionState, but still the same problem, working on local and not on the server?
What am I missing?
Look into the sessionstate element in your web.config. For example:
<sessionState mode="InProc" timeout="60" />
Check out the following SO question for differences between the sessionstate element and the forms element in your web.config:
Differences in forms auth timeout and session timeout
The accepted answer by #womp states the following:
A session starts every time a new user hits the website, regardless of
whether or not they are anonymous. Authentication has very little to
do with Session.
Authentication timeout is the amount of time that the authentication
cookie is good for on the user's browser. Once the cookie expires,
they must re-authenticate to access protected resources on the site.
So, if Session times out before the Authentication cookie - they are
still authenticated, but all their session variables disappear, and
may cause errors in your website if you are not disciplined in
checking for nulls and other conditions brought about by missing
session.
If Authentication times out before the session, then all their session
variables will still exist, but they won't be able to access protected
resources until they log back in again.
I finally found the solution: I had to use StateServer instead of InProc and also a machine key. Here is the full solution:
Controller:
FormsAuthentication.SetAuthCookie("username", true);
Web.config:
<authentication mode="Forms" >
<forms loginUrl="~/Account/LogOn" timeout="262974" cookieless="UseCookies" />
</authentication>
<sessionState mode="StateServer" timeout="262974" cookieless="UseCookies" />
<machineKey validationKey="5BAE63F50C69C1BBB7BFC2E696674389C307E28E9DEB60FB273B85CAD8FC3C2261FB13DF92B90A99C6EB684FDB1F6E3E92E1A42083EB77B5918126DD52245FB5" decryptionKey="11F6FE0C790413FFF3E230387168016B212216DEF727C4157CDDD0558BEAE5B7" validation="SHA1" decryption="AES" />
I have shared hosting with Arvixe, and it's in their Support where I found the solution: support.arvixe.com
Go to ASP.NET Settings, scroll to Session settings, and change "value" from none to "Forms". It will be done!
I have read some issues related to session timeout and I have changed the settings, but to no avail.
This is the session entry in web.config. I want to expire the session after 5 hours.
<sessionState mode="InProc" timeout="300" />
On the Login page I am adding the user name to the session:
Session.Add("Authenticated", UserName);
Each of my pages inherits from BasePage, and in the base class I have this check for each page:
if (Session["Authenticated"] == null)
{
Response.Redirect("../userlogin.aspx");
}
But the session expires before one hour.
I want to confirm that during this there is no change in web.config, Bin folder files etc.
Take a look at this: ASP.NET Session Timeouts.
Besides IIS Idle timeout there is Forms authentication timeout, which is 30 min by default. So you will be redirected to the login page before the session actually expired.
<system.web>
<authentication mode="Forms">
<forms timeout="300"/>
</authentication>
<sessionState timeout="300" />
</system.web>
If you are hosting it on IIS6 (Win2K3) then go to the settings in the Application Pool in which your application runs. You need to set it there as well.
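The settings compared in the answers above (forms timeout against session timeout, the forms cookie name, session mode and machineKey), checked in one pass over a web.config fragment. This is an added example, not code from any of the posts; the function name `audit`, the finding codes and both sample fragments are constructed for illustration, and the 20-minute `sessionState` default is the ASP.NET default rather than a value from the page.

```python
import xml.etree.ElementTree as ET

# Defaults applied when the attribute is absent from web.config.
FORMS_TIMEOUT_DEFAULT = 30    # minutes; the value the answer above cites
SESSION_TIMEOUT_DEFAULT = 20  # minutes; ASP.NET default for <sessionState> (assumption, not from the page)
COOKIE_NAME_DEFAULT = ".ASPXAUTH"

# Constructed sample: the split timeouts suggested in the first answer.
SAMPLE_SPLIT = """<system.web>
  <authentication mode="Forms">
    <forms name=".ASPXFRM" protection="All" timeout="15" loginUrl="~/Login.aspx" />
  </authentication>
  <sessionState mode="InProc" timeout="60" />
</system.web>"""

# Constructed sample: no cookie name, no forms timeout, key material in the file.
SAMPLE_DEFAULTS = """<system.web>
  <authentication mode="Forms"><forms loginUrl="login.aspx" /></authentication>
  <sessionState mode="StateServer" timeout="300" />
  <machineKey validationKey="PLACEHOLDER" decryptionKey="PLACEHOLDER" />
</system.web>"""

def audit(xml_text, other_cookie_names=()):
    """Return finding codes for one <system.web> fragment or a whole web.config."""
    root = ET.fromstring(xml_text)
    forms = root.find(".//authentication/forms")
    session = root.find(".//sessionState")
    key = root.find(".//machineKey")
    forms_attr = forms.attrib if forms is not None else {}
    session_attr = session.attrib if session is not None else {}
    forms_timeout = int(forms_attr.get("timeout", FORMS_TIMEOUT_DEFAULT))
    session_timeout = int(session_attr.get("timeout", SESSION_TIMEOUT_DEFAULT))
    findings = []
    if forms_timeout < session_timeout:
        findings.append("auth-expires-first")     # login prompt while session data survives
    elif session_timeout < forms_timeout:
        findings.append("session-expires-first")  # still logged in, Session[...] is null
    if forms_attr.get("name", COOKIE_NAME_DEFAULT) in other_cookie_names:
        findings.append("cookie-name-collision")  # apps on one hostname overwrite each other
    if session_attr.get("mode", "InProc") == "InProc":
        findings.append("inproc-session")         # state is lost when the worker process recycles
    if key is not None and not key.get("validationKey", "AutoGenerate").startswith("AutoGenerate"):
        findings.append("literal-machine-key")    # a secret: generate per app, never copy a posted one
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_SPLIT))
    print(audit(SAMPLE_DEFAULTS, other_cookie_names=[".ASPXAUTH"]))
```

Pass the cookie names of the other applications served from the same hostname as `other_cookie_names` to catch the overwrite described in the cookie-name answer.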