Wrox Programmer Forums
BOOK: Professional ASP.NET 2.0 Security, Membership, and Role Management ISBN: 978-0-7645-9698-8
This is the forum to discuss the Wrox book Professional ASP.NET 2.0 Security, Membership, and Role Management by Stefan Schackow; ISBN: 9780764596988

You are currently viewing the BOOK: Professional ASP.NET 2.0 Security, Membership, and Role Management ISBN: 978-0-7645-9698-8 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
April 8th, 2009, 11:01 PM
Registered User
Join Date: Apr 2009
Posts: 2
How is forms auth cookie set w/o throwing exception?

Stefan, you write on pages 265 and 266 (in Chapter 6):

When ASP.NET detects that a response has been modified, prior to handing
the request back to IIS6, it checks to see if the request was either a
POST request or a request for a classic ASP page. If it's either, ASP.NET
will throw an exception rather than hand control back to IIS6.
What are some of the things you can safely do in ASP.NET?
Forms authentication APIs that create tickets as well as encrypting and
decrypting string representations of the tickets. However you cannot call
methods like SetAuthCookie or RedirectFromLoginPage.

Given what you say above, how is the ASP.NET 2.0 forms authentication
mechanism able to store the forms authorization cookie in the response without
causing an exception to be thrown? And after the user logs in, presumably
the forms auth mechanism would invoke RedirectFromLoginPage to redirect the
user back to the default.asp page ... so that would also cause an exception
to be thrown wouldn't it? I must be missing something here. And the need
to invoke SetAuthCookie and redirect to an asp page would not just occur
on the initial login, it would of course also occur whenever the auth cookie

One additional question: if an http request is for an aspx page, wouldn't the
page be processed twice by the ISAPI extension for ASP.NET -- once because
of the wildcard mapping and once because of the regular mapping for the
.aspx suffix? Why doesn't this lead to duplicate processing?

Thanks for any clarification,

Last edited by mike66; April 9th, 2009 at 07:27 AM..
April 10th, 2009, 10:55 AM
Registered User
Join Date: Apr 2009
Posts: 2
UrlAuthorizationModule short-circuits request processing

I found the answer to my first question on page 272 (Chapter 6) where Stefan states
that the UrlAuthorizationModule short-circuits request processing, i.e. immediately
forwards the call to EndRequest.

April 10th, 2009, 02:05 PM
Wrox Author
Join Date: Feb 2006
Location: Redmond, Washington, USA.
Posts: 76

Wildcard mapping doesn't cause double execution of .aspx because .aspx is already handled by the ASP.NET ISAPI extension. The problem with modifying the response when using wildcard mappings only occurs when there is something other than ASP.NET that expects to work with the response data after ASP.NET runs. Classic ASP is a good example since it has its own ISAPI extension that expects to have exclusive access to response data.

As you noted below, when an anonymous user first tries to access non-ASP.NET content (i.e. foo.asp) - and wildcard mapping is in effect - and ASP.NET has UrlAuthorization turned on - the redirect triggered by authorization failure immediately ends the request. At that point ASP.NET sends a redirect and the response ends. So the request never gets passed back out of ASP.NET and over to classic ASP.
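
The distinction quoted in the first post (ticket creation, encryption and decryption are safe under wildcard mapping; SetAuthCookie and RedirectFromLoginPage are not) is shown below as an added example. It is not part of the thread or the book. The module name TicketInspectionModule, the Context.Items key, and the helper names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Hypothetical module: inspects the forms auth ticket without touching the response,
// so a request can still be handed back to IIS6 / classic ASP afterwards.
public class TicketInspectionModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += new EventHandler(OnPostAuthenticate);
    }

    public void Dispose() { }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // Context.Items is request-local state; nothing is written to Response.
        ctx.Items["InspectedTicket"] = ReadTicket(ctx.Request);
    }

    // Response-neutral: reads the request cookie and decrypts it.
    public static FormsAuthenticationTicket ReadTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            FormsAuthenticationTicket t = FormsAuthentication.Decrypt(cookie.Value);
            return (t == null || t.Expired) ? null : t;
        }
        // Malformed or tampered value: treat as "no ticket" rather than failing the request.
        catch (ArgumentException) { return null; }
        catch (CryptographicException) { return null; }
        catch (HttpException) { return null; }
    }

    // Response-neutral: builds the encrypted ticket string only. Nothing is added to
    // Response.Cookies here, unlike FormsAuthentication.SetAuthCookie or
    // RedirectFromLoginPage, which modify the response.
    public static string IssueTicketString(string userName, int minutes)
    {
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, now, now.AddMinutes(minutes), false, String.Empty);
        return FormsAuthentication.Encrypt(ticket);
    }
}
```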

Copyright (c) 2020 John Wiley & Sons, Inc.