Reusing user controls, forms, etc...
Message
From: Keith Payne, Technical Marketing Solutions, Florida, United States
Date: 12/03/2004 00:54:42

General information
Forum: ASP.NET
Category: Other
Miscellaneous
Thread ID: 00884626
Message ID: 00885478
Views: 23

I recognize the reference to Persist.Checked in your code. That sample is linked all over the internet. Unfortunately, it has some errors and needs to be trimmed up to work correctly.

However, you are correct in surmising that the True parameter in the RedirectFromLoginPage is causing you to stay logged in all the time. The True parameter creates a persistent cookie (as opposed to a cookie that is deleted when the browser session is ended). If your development machine is also your web server, the cookie is located in the C:\Documents and Settings\*username*\Cookies folder named *username*@localhost[1].txt. You will have to delete this file to continue to test your login.aspx form.

Concerning the viewstate error, is this occurring on the postback for your Logout button, or when the default.aspx page is being initialized? I have a UserControl with a logout link also, and I haven't experienced that problem.

Don't get too crazy with the Logout button. 99 times out of 100 the user will simply close the browser window rather than logging out. Actually, looking at my code, I don't call SignOut in the UserControl. I redirect to the Login page and do the SignOut before logging in again in the click event of the Login button.

There really isn't any benefit to calling the SignOut method unless you have some of your own events hooked into it. All it does is delete the FormsAuthenticationTicket from the cookie - and the cookie from your hard drive if the cookie is empty.

--------------------------

Recalling my own experience in figuring out how all this mumbo-jumbo is supposed to work, I was seriously confused about the relationship between the FormsAuthenticationTicket and the browser cookie. Especially so because the ticket has an expiration and the cookie has a separate expiration.

The cookie is a text file that contains one or more "key-value" pairs, which are also called "name-value" pairs sometimes. These key-value pairs are what you use in the SortedList, QueryString, Session and ViewState classes, among others. One of the key-value pairs in the cookie is the FormsAuthenticationTicket.

The key of the Ticket is the name attribute of the forms element in your web.config ("formsauth"). This is how ASP.NET retrieves the Ticket every time the user requests a page. You don't have to use the key anywhere else in your code because it is in your web.config, which gets read by ASP.NET on each request too.

The value of the Ticket is the data that you pass to the Authenticate method. There is more than the Username and Password in the ticket; the Authenticate method plugs in default values for the rest of the data. Specifically, the expiration of the ticket (not the cookie) is one of the default values that the Authenticate method uses. If you are interested in the other data, check out the Constructor for the FormsAuthenticationTicket class in the help file.

---------------------

Well, I could go on for days about this stuff, but I've run out of time tonight. I've considered writing an article for the UT concerning forms authentication, maybe I will get some motivation and do it soon.

This is only the top-most layer of forms authentication, and it isn't particularly secure unless a lot more work goes into it. Forms Authentication is a bear to understand, so don't be discouraged. Just keep plugging away at it and you will reach the summit of Mount Microsoft soon enough :)

>Hi Keith,
>As you said I'm almost there... I put the following in web.config:
>
>  <location path="MembersArea">
>    <system.web>
>      <authorization>
>        <deny users="?" />
>      </authorization>
>    </system.web>
>  </location>
>
>
>    <authentication mode="Forms">
>      <forms name="formsauth"
>        loginUrl="login.aspx"
>        protection="All"
>        timeout="60" >
>        <credentials passwordFormat="Clear">
>          <user name="doru" password="doru"/>
>        </credentials>
>      </forms>
>    </authentication>
>    <authorization>
>        <allow users="*" />
>    </authorization>
>
>...and it seemed to be working - every time I clicked on a hyperlink to the form in the restricted area, I was taken to the login page. So far so good...
>Then I added the credentials tag, and the following code in the login button:
>
>if (FormsAuthentication.Authenticate(txtUsr.Text, txtPwd.Text))
>  FormsAuthentication.RedirectFromLoginPage(txtUsr.Text, true);
>
>and this took me straight to the page... Amazing!
>
>Problem is, now I seem to stay logged in all the time - maybe because of the 'true' in the redirect? The code that I looked at said 'Persist.Checked', but the compiler complained about missing a namespace, so I replaced it with 'true'.
>The next step is that I'd like to logout. I added a logout button in my user control, and had the following in the click:
>
>  FormsAuthentication.SignOut();
>  Response.Redirect("default.aspx");
>
>but when I click it I get: The viewstate is invalid for this page and might be corrupted
>I've tried with the logout button on the form, not on the user control, but I get the same error.
>It looks like I have a long way to go, so I can use a lot of help...
>Thank you.
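
The ticket and cookie lifetimes discussed in this message, as an added example that is not part of the original posts: a login handler that builds the FormsAuthenticationTicket itself, so the ticket expiration and the cookie expiration can be seen as two separate settings. It assumes .NET 2.0 or later (for HttpCookie.HttpOnly), the txtUsr and txtPwd text boxes from the thread, a hypothetical "remember me" CheckBox named Persist, a hypothetical handler name btnLogin_Click, and a 60-minute lifetime chosen to match timeout="60" in the quoted web.config.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example: code-behind class for login.aspx (class and handler names are assumptions).
public class Login : Page
{
    protected TextBox txtUsr;    // from the thread
    protected TextBox txtPwd;    // from the thread
    protected CheckBox Persist;  // assumed "remember me" checkbox

    private const int TicketMinutes = 60; // assumed, mirrors timeout="60" in web.config

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Checks the name/password against the <credentials> section of web.config.
        if (!FormsAuthentication.Authenticate(txtUsr.Text, txtPwd.Text))
            return; // stay on the login page

        bool persistent = Persist.Checked;
        DateTime issued = DateTime.Now;

        // The ticket carries its own expiration, independent of the cookie.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                   // ticket version
            txtUsr.Text,                         // user name stored in the ticket
            issued,
            issued.AddMinutes(TicketMinutes),    // ticket expiration
            persistent,
            String.Empty,                        // no custom user data
            FormsAuthentication.FormsCookiePath);

        // The encrypted ticket becomes the value of one cookie, keyed by the
        // name attribute of the forms element ("formsauth" in the thread).
        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                          // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // follows requireSSL in web.config

        // Only a persistent login gets a cookie expiration; without one the
        // browser keeps the cookie in memory and drops it when it closes.
        if (persistent)
            cookie.Expires = ticket.Expiration;

        Response.Cookies.Add(cookie);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUsr.Text, persistent));
    }
}
```

With the checkbox cleared, no cookie file is written to disk, so the login can be retested by closing the browser.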