help with asp.net/JS and cookies

Magus,
Can you provide these..
1.Your Authentication codes..Are you redirecting after the users have logged in.
2.I'm sure ,You must have made some changes in your webconfig file.Can you show us your authentication in your Webconfig file..

hi,
i'm kind of new to asp
i used a few tutorials to put together a basic login page and to dump the information to a cookie.

overview:
i guess what i'm trying to accomplish is to have an ASP.net login page
and JavaScript validation though out the pages
it would be nice to check for some validation of the cookie to ensure its not just fabricated by user. but its not necessary at all
unfortunately time is an important factor so i try and skim corners where i can :evil:

Problem:
The cookie is created and the JS validation works
The problem is the cookie doesn’t terminate after x time I think it happens after reboot or a day
I’m not exactly how to approach this

And any help you can provide would be greatly appreciated.
:cheesy:
Thanks
MagusDF

yep
its actually a temporary solution until some one signs papers and i get acces to the lotus database
web config

<configuration>
<system.web>
<authentication mode = "Forms">
<forms name="CHeck" protection="All" timeout="10">
<credentials passwordFormat = "Clear">
<user name ="abc" password = "123"/>
</credentials>
</forms>
</authentication>
<authorization>
<deny users = "?"/>
</authorization>
</system.web>
</configuration>

asp/vb.net

Sub doLogin(sender as object, e as eventargs)
If FormsAuthentication.Authenticate(uname.text, pword.text) Then
FormsAuthentication.SetAuthCookie(uname.text, true)
Response.Redirect("ww_executive.htm")
Else
Response.Redirect("login.aspx")
End If
End Sub

javascript

function run() {
       if (document.cookie.indexOf('CHeck')==-1){
       location.href="login.aspx";
       }
       else if (document.cookie.indexOf("CHeck")!=null) {
       location.href="ww_executive.htm";
       }
}

i know this is probably atrocious. But my total exposure to asp is about 3 hours now.

I don't understand the need for JavaScript here. ASP.NET Forms authentication handles it all for you, including managing the cookies.

well there is about 500 pages
i will be inserting java script tags to stop someone form skipping into a page unless they logged in

using just asp the way I have now
some one can just jump right in to a page by typing in the address
the java script redirects them back to the login page if the cookie doesn’t exist

It seems a lot easier for me to insert a java script for the validation rather than converting each of the pages to an asp page and redoing all the links.

My problem is that the cookie doesn’t disappear within the 10 minutes

I can take the java script element if I can insert a small asp script to do the validation but I really don’t know asp.net

You misunderstand ASP.NET Forms Authentication. It will handle all of this for you, automatically. You set it so that it authenticates the entire site, or particular directories. You don't have to write any JavaScript at all. If someone navigates to a page, ASP.NET will check to see if they are authenticated or not. If not, they are directed to your login page. Do a Google search of "ASP.NET Forms Authentication", and research it thoroughly.

thanks for the tip
i've read several pages on this
including
http://www.ondotnet.com/pub/a/dotnet/2003/01/06/formsauthp1.html
part 1 and 2

but i still seem to be missing somehting
if you can help point me towards the right direction

currently the pages themselves don't invoke the login
i haven't come across a overview or example that really goes in to it much

if you can point me in the right direction it would be greatly appreciated,

Thanks,
Magus

Please look at the following web.config file:

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".MYCOOKIE" 
             loginUrl="login.aspx" 
             protection="All" 
             timeout="30" 
             path="/"/> 
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

The properties/attributes of the "forms" element control your authentication cookie. The "name" specifies the name of the cookie. "protection" is how your cookie will be protected. "All" means it will be validated and encrypted. "Timeout" controls when your cookie will expire, in minutes.

Notice also the "loginurl" property. It points to "login.aspx" in this sample. This is the page YOU MUST WRITE.

In the "authorization" section, you can see we're denying access to all anonymous users. This means no matter which page they link to, if they're not authenticated, they'll be redirected to the login.aspx.

What should your login.aspx page do? Prompt for username and password, obviously. You can compare the values the user enters to something you've hardcoded, or you can look the values up in the database, whatever you like!

Once you've determined, through whatever mechanism you care to code, that the username and password are valid, you have to let the authentication mechanism know they are a valid, authenticated user.

You do this by using the FormsAuthentication class in the code-behind of your login.aspx page.

There are a number of methods & properties, including .Authenticate, and .RedirectFromLogin.

You can also store your usernames and passwords within the web.config file itself, by adding a "credentials" node:

<credentials passwordFormat="Clear">
          <user name="user1" password="password1"/>
          <user name="user2" password="password2"/>
          <user name="user3" password="password3"/>
        </credentials>

This is perhaps the easiest way. Then in your login.aspx page, you can use the Authenticate method. Say you have a field named "username" and one named "password", and a button named "login":

void Login_Click(Object sender, EventArgs E) 
{
  // authenticate user: this sample authenticates 
  // against users in your app domain's web.config file
  if (FormsAuthentication.Authenticate(username.Value,
                                       password.Value))
  {
    FormsAuthentication.RedirectFromLoginPage(username.Value, true);
   //the boolean persists the cookie.
  } 
  else 
  {
    lblResults.Text = "Invalid Credentials: Please try again";
  }
}

apologies for being so persistent
but i already have both of those set up and login.aspx works

i guess the part that i'm confused about is the individual pages?
should there be some script or something that checks the verification
or is it skipping because its a configuration on the server end

unfortunately i don't have access to the server and there is about 5 pages of paper that need to be pushed each time i want to change a setting

but if some one types in
EX:
url/pagename.htm
www.somedomain/sales.htm

it will skip the validation presses

that is the part i'm lost at

If "sales.htm" is in the same folder as the web.config file, authentication will be automatic. If a user tries to browse that specific page, ASP.NET first checks the web.config file to see if anonymous browsing is allowed. If it isn't, it looks for instructions on how to authenticate. It finds them in the <forms> node, and redirects the user to login.aspx. The login.aspx page authenticates the user, and then redirects them to their original page, in this case, sales.htm.

Nothing special needs to go on the sales.htm page.

If you've set all this up and it isn't working, then you haven't set it all up correctly!

hmm
its definetly in the same folder
guess its a server issue :!:

just incase tho

here is my web.config code

<configuration>
  <system.web>


    <authentication mode="Forms">
      <forms name=".validation"
             loginUrl="log.aspx"
             protection="All"
             timeout="30"
             path="/">

            <credentials passwordFormat = "Clear">
                <user name ="abc" password = "123"/>
            </credentials>
     </forms>

    </authentication>

    <authorization>
        <deny users="?" />
    </authorization>

  </system.web>
</configuration>

Fix your "path". Compare what I posted to what you posted!

ok
seems there was actually 3 problems
server didn't have 1.1 bound
the path was also an issue

how ever 1 more left

seems i get that lock down anytime i go to any asp or aspx page
but if i go straight to an htm or html page it bypasses the login

any recomendations?

MagusDF

Are those HTML files added to your ASP.NET Project? Or are they just "out there" on the server?

i'd say floating out there
as i'm not familiar with what that means
the coding was done in notepad so i don't really have a project set up for .net

I think they have to be part of the project. I admit that's just a guess. Perhaps someone else can chime in on this thread and confirm that. But since ASP.NET applications are compiled, that's my guess... that any HTML files added to the project are "compiled into" the application, and thus partake in its security.

would that be a part of the global.asax or web.config

i tried doing a search on it
found a couple of things on setting up projects using ms dev studio but i'm sure there has to be a manual way of doing it.

that’s why i was initially thinking about the JS element to authenticate the individual pages.

i have 3 asp scripts in the same folder as the core htmls and each of those gets a login but seems the plain htm files aren’t in that group.

i'd think there should be a tag or some declaration for it to be picked up

thanks,
MagusDF

ok got a little more info
sry about the extra post but the edit function isn't there any more

some one suggested
Map htm to run under the ASP.NET dll, which is done through IIS (Home Directory Tab / Configuration / Mappings)

anyone have any references or anything?

THanks,
MagusDF

Try this screenshot:

[IMG]http://www.tgreer.com/daniweb/IIS-html.gif[/IMG]

1) start IIS Admin, from your Adminstrative Tools start menu.

2) highlight Default Web Site (or the appropriate website), click Properties button on the menu

3) click the Home Directory tab.

4) click the "configuration" button

5) click "Add" button

6) In the "Executable", enter the same value that the ".aspx" value has, which will be an instance of the "aspnet_isapi.dll".

7) in the "Extension", type ".html".

9) click "OK, and so on to save your changes and close the IIS admin tool.

That should force HTML files to be processed via ASP.NET, and hopefully then participate in ASP.NET security.

sooo close but seems enabling that option creates a side effect
i know the user names used to log in work well
but the authentication doen't go through

dissabling the option and going to the aspx pages and logging in it works fine

:confused:
any ideas?

...sooo close

Seems like we're down to just stabbing in the dark, but what would happen if you renamed your .html files to .aspx?

fixed it
it was a coding issue
was a work arround but the server i have running on my laptop
but it just works diferently on theirs

"." to "/" for path

in web.config

peace at last

... i think :cheesy: