BOOK: Professional ASP.NET 2.0 Security, Membership, and Role Management ISBN: 978-0-7645-9698-8

April 9th, 2009, 12:01 AM
Registered User
How is forms auth cookie set w/o throwing exception?
Stefan, you write on pages 265 and 266 (in Chapter 6):
When ASP.NET detects that a response has been modified, prior to handing
the request back to IIS6, it checks to see if the request was either a
POST request or a request for a classic ASP page. If it's either, ASP.NET
will throw an exception rather than hand control back to IIS6.
......
What are some of the things you can safely do in ASP.NET?
.....
Forms authentication APIs that create tickets as well as encrypting and
decrypting string representations of the tickets. However you cannot call
methods like SetAuthCookie or RedirectFromLoginPage.
Given what you say above, how is the ASP.NET 2.0 forms authentication
mechanism able to store the forms authorization cookie in the response without
causing an exception to be thrown? And after the user logs in, presumably
the forms auth mechanism would invoke RedirectFromLoginPage to redirect the
user back to the default.asp page ... so that would also cause an exception
to be thrown wouldn't it? I must be missing something here. And the need
to invoke SetAuthCookie and redirect to an asp page would not just occur
on the initial login, it would of course also occur whenever the auth cookie
expires.
One additional question: if an http request is for an aspx page, wouldn't the
page be processed twice by the ISAPI extension for ASP.NET -- once because
of the wildcard mapping and once because of the regular mapping for the
.aspx suffix? Why doesn't this lead to duplicate processing?
Thanks for any clarification,
Mike

April 10th, 2009, 11:55 AM
Registered User
UrlAuthorizationModule short-circuits request processing
I found the answer to my first question on page 272 (Chapter 6) where Stefan states
that the UrlAuthorizationModule short-circuits request processing, i.e. immediately
forwards the call to EndRequest.
Mike

April 10th, 2009, 03:05 PM
Wrox Author
Wildcard mapping doesn't cause double execution of .aspx because .aspx is already handled by the ASP.NET ISAPI extension. The problem with modifying the response when using wildcard mappings only occurs when there is something other than ASP.NET that expects to work with the response data after ASP.NET runs. Classic ASP is a good example since it has its own ISAPI extension that expects to have exclusive access to response data.
As you noted below, when an anonymous user first tries to access non-ASP.NET content (i.e. foo.asp) - and wildcard mapping is in effect - and ASP.NET has UrlAuthorization turned on - the redirect triggered by authorization failure immediately ends the request. At that point ASP.NET sends a redirect and the response ends. So the request never gets passed back out of ASP.NET and over to classic ASP.
__________________
-Stefan
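
Added example, not part of the original thread or the book: a diagnostic IHttpModule that records which pipeline events fire for each request, so the short-circuit to EndRequest discussed above can be observed on a test site. PipelineTraceModule and the "PipelineTrace" items key are hypothetical names; the module only reads request state and writes to the diagnostic trace.

```csharp
// Added diagnostic example (hypothetical names), written in C# 2.0 syntax.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Web;

public class PipelineTraceModule : IHttpModule
{
    // Hypothetical key under which the per-request event list is stored.
    private const string ItemsKey = "PipelineTrace";

    public void Init(HttpApplication app)
    {
        // Events chosen to bracket authorization and handler execution.
        app.BeginRequest += delegate(object s, EventArgs e) { Mark(s, "BeginRequest"); };
        app.PostAuthorizeRequest += delegate(object s, EventArgs e) { Mark(s, "PostAuthorizeRequest"); };
        app.PreRequestHandlerExecute += delegate(object s, EventArgs e) { Mark(s, "PreRequestHandlerExecute"); };
        app.EndRequest += new EventHandler(OnEndRequest);
    }

    // Append the stage name to the list kept in HttpContext.Items.
    private static void Mark(object sender, string stage)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        List<string> seen = ctx.Items[ItemsKey] as List<string>;
        if (seen == null)
        {
            seen = new List<string>();
            ctx.Items[ItemsKey] = seen;
        }
        seen.Add(stage);
    }

    // EndRequest always runs, so the summary is written here.
    private static void OnEndRequest(object sender, EventArgs e)
    {
        Mark(sender, "EndRequest");
        HttpContext ctx = ((HttpApplication)sender).Context;
        List<string> seen = (List<string>)ctx.Items[ItemsKey];

        // A request ended during authorization is expected to show no
        // PostAuthorizeRequest or PreRequestHandlerExecute entry: it never
        // reached a handler, so nothing was handed back out of ASP.NET.
        Trace.WriteLine(string.Format("{0} {1} status={2} events={3}",
            ctx.Request.HttpMethod, ctx.Request.RawUrl,
            ctx.Response.StatusCode, string.Join(",", seen.ToArray())));
    }

    public void Dispose() { }
}
```

Register the module under the httpModules section of the test site's web.config and compare the trace line for an anonymous request against one made after logging in.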