Wrox Programmer Forums
BOOK: Professional ASP.NET 2.0 Security, Membership, and Role Management ISBN: 978-0-7645-9698-8
This is the forum to discuss the Wrox book Professional ASP.NET 2.0 Security, Membership, and Role Management by Stefan Schackow; ISBN: 9780764596988

#1, April 9th, 2009, 12:01 AM
Registered User (Join Date: Apr 2009, Posts: 2)
How is forms auth cookie set w/o throwing exception?

Stefan, you write on pages 265 and 266 (in Chapter 6):

When ASP.NET detects that a response has been modified, prior to handing
the request back to IIS6, it checks to see if the request was either a
POST request or a request for a classic ASP page. If it's either, ASP.NET
will throw an exception rather than hand control back to IIS6.
......
What are some of the things you can safely do in ASP.NET?
.....
Forms authentication APIs that create tickets as well as encrypting and
decrypting string representations of the tickets. However you cannot call
methods like SetAuthCookie or RedirectFromLoginPage.

Given what you say above, how is the ASP.NET 2.0 forms authentication
mechanism able to store the forms authorization cookie in the response without
causing an exception to be thrown? And after the user logs in, presumably
the forms auth mechanism would invoke RedirectFromLoginPage to redirect the
user back to the default.asp page ... so that would also cause an exception
to be thrown wouldn't it? I must be missing something here. And the need
to invoke SetAuthCookie and redirect to an asp page would not just occur
on the initial login, it would of course also occur whenever the auth cookie
expires.

One additional question: if an http request is for an aspx page, wouldn't the
page be processed twice by the ISAPI extension for ASP.NET -- once because
of the wildcard mapping and once because of the regular mapping for the
.aspx suffix? Why doesn't this lead to duplicate processing?

Thanks for any clarification,
Mike

Last edited by mike66; April 9th, 2009 at 08:27 AM.

#2, April 10th, 2009, 11:55 AM
Registered User (Join Date: Apr 2009, Posts: 2)
UrlAuthorizationModule short-circuits request processing

I found the answer to my first question on page 272 (Chapter 6) where Stefan states
that the UrlAuthorizationModule short-circuits request processing, i.e. immediately
forwards the call to EndRequest.

Mike

#3, April 10th, 2009, 03:05 PM
Wrox Author (Join Date: Feb 2006, Location: Redmond, Washington, USA., Posts: 76)

Wildcard mapping doesn't cause double execution of .aspx because .aspx is already handled by the ASP.NET ISAPI extension. The problem with modifying the response when using wildcard mappings only occurs when there is something other than ASP.NET that expects to work with the response data after ASP.NET runs. Classic ASP is a good example since it has its own ISAPI extension that expects to have exclusive access to response data.

As you noted below, when an anonymous user first tries to access non-ASP.NET content (i.e. foo.asp) - and wildcard mapping is in effect - and ASP.NET has UrlAuthorization turned on - the redirect triggered by authorization failure immediately ends the request. At that point ASP.NET sends a redirect and the response ends. So the request never gets passed back out of ASP.NET and over to classic ASP.
__________________
-Stefan
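
The book passage quoted in the first post separates the ticket APIs (create, encrypt, decrypt) from calls such as SetAuthCookie and RedirectFromLoginPage that write to the response. As an added example (not from the book or from any poster in this thread), the module below reads and validates the inbound forms authentication ticket under wildcard mapping without touching HttpResponse; the class name `ReadOnlyTicketModule` and the `Items` key are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Hypothetical module: inspects the forms auth ticket without modifying the response,
// so a request for classic ASP content can still be handed back to IIS6 afterwards.
public class ReadOnlyTicketModule : IHttpModule
{
    // Hypothetical key under which later pipeline stages can find the ticket.
    public const string ItemsKey = "ReadOnlyTicketModule.Ticket";

    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += OnPostAuthenticate;
    }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        FormsAuthenticationTicket ticket = TryReadTicket(ctx.Request);
        if (ticket != null)
        {
            // Context.Items is per-request server state; no header or cookie is written.
            ctx.Items[ItemsKey] = ticket;
        }
    }

    // Reads Request.Cookies only. Response.Cookies is never touched.
    public static FormsAuthenticationTicket TryReadTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || String.IsNullOrEmpty(cookie.Value))
            return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            return (ticket == null || ticket.Expired) ? null : ticket;
        }
        // A malformed or tampered cookie value is treated the same as no ticket.
        catch (ArgumentException) { return null; }
        catch (CryptographicException) { return null; }
        catch (HttpException) { return null; }
    }

    public void Dispose() { }
}
```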

All times are GMT -4.