Mobile Appl Login Question
This message was discovered on ASPFriends.com 'aspngmob' list.


Peter Ma
1. I used Forms Authentication in my first mobile application, I want to ask
will I be redirected to the main login page if I idle the emulator over
timeout period. (e.g. 2 mins)
<authentication mode="Forms">
<forms name="AuthCookie" path="/" loginUrl="MobileDefault.aspx"
timeout="2" />
</authentication>

2. Moreover, after I login my application, I used SetAuthCookie method,
while I will be redirected to the login page again when I press refresh
button on the PocketPC emulator. (I just want to refresh the current page
only.)

3. Lastly, can I write a Session("var")="testing" in Mobile Application?

Thanks,
Peter

Anil John
Peter,

Have you looked through the Mobile Quickstart Tutorials?

The Sections on Security and Managing Application State talk about these
specific issues.

Anil

-----Original Message-----
From: Peter Ma [mailto:Click here to reveal e-mail address]
Sent: Monday, February 25, 2002 11:18 AM
To: aspngmob
Subject: [aspngmob] Mobile Appl Login Question

Shanku Niyogi
Peter,

The way forms auth works is roughly as follows:

1. When the user accesses a secured page, the forms auth package
examines the URL and the cookies, to see if there's an authentication
ticket.
2. If there's a ticket, but it has expired, it is discarded.
3. If there's no auth ticket, or it has expired, the user is redirected
to the login page.
4. Once the user logs in, the ticket is written out in a cookie, and the
user is redirected to the originally requested page. If cookieless forms
authentication is enabled, URLs are also modified to include the ticket.

So, to answer your first question, yes, they'll get the login page
again, because the ticket will have expired. To answer the second
question: when you login, it immediately redirects you to the original
page you requested. When you refresh, the Pocket PC sends the new auth
cookie - so you shouldn't get redirected to the login page.

Regarding session state, yes, you can use session state the same way as
in a desktop app. However, if you plan to support a broad set of
devices, be sure to turn on cookieless session management, since a lot
of devices don't support cookies.

Shanku

--
This posting is provided "AS IS" with no warranties, and confers no
rights.

Anil John
Shanku,

If you are using a combination of form based authentication and cookieless
sessions, where the session id (and I assume the authentication ticket) is
part of the url, is there any way that someone can hijack the session id and
use it to impersonate you?

If memory serves me correctly, there is a way to encrypt the cookie (even
though there is a performance penalty associated with it), is there not?

Anil

-----Original Message-----
From: Shanku Niyogi [mailto:Click here to reveal e-mail address]
Sent: Tuesday, February 26, 2002 1:07 PM
To: aspngmob
Subject: [aspngmob] RE: Mobile Appl Login Question

George Yan
If session id is appended on the url, i.e. like a querystring, then yes,
using a sniffer can easily grab the session. "encryption" won't do you
any good, because most of the so-called encryption is nothing but a
hashing algorithm.

You can encrypt a ticket by doing this...
Dim cookieStr As String = FormsAuthentication.Encrypt(ticket)

George.

-----Original Message-----
From: Anil John [mailto:Click here to reveal e-mail address]
Sent: Tuesday, February 26, 2002 7:10 PM
To: aspngmob
Subject: [aspngmob] RE: Mobile Appl Login Question

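A small Python model of the four-step flow Shanku describes and of the URL-ticket question Anil raises, added here as an illustration; it is not code from the thread and not ASP.NET's implementation. The HMAC-SHA256 ticket format, the key and all function names are assumptions; the 2-minute timeout and the login page name come from Peter's config.

```python
import base64, hashlib, hmac
from urllib.parse import quote

SERVER_KEY = b"constructed-demo-key"  # assumption: stand-in for the server's secret
TIMEOUT_SECONDS = 2 * 60              # mirrors timeout="2" in Peter's config
LOGIN_URL = "MobileDefault.aspx"      # loginUrl in Peter's config

def issue_ticket(user, now):
    """Step 4: after login, mint a ticket holding the user name and an expiry."""
    body = f"{user}|{int(now) + TIMEOUT_SECONDS}".encode()
    mac = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac + body).decode()

def read_ticket(token, now):
    """Steps 1-2: return the user, or None if the ticket is missing, forged or expired."""
    if not token:
        return None
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # malformed base64
        return None
    mac, body = raw[:32], raw[32:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered or not issued by this server
    user, _, expiry = body.decode().rpartition("|")
    if now >= int(expiry):
        return None  # expired tickets are discarded
    return user

def handle_request(path, now, cookie=None, url_ticket=None):
    """Steps 1-3: look for a ticket in the cookie or the URL, else redirect to login."""
    user = read_ticket(cookie or url_ticket, now)
    if user is None:
        return ("redirect", f"{LOGIN_URL}?ReturnUrl={quote(path, safe='')}")
    return ("ok", user)

def replay_is_accepted(now):
    """A ticket copied out of a URL is honoured from any client until it expires."""
    token = issue_ticket("peter", now)  # constructed sample user
    return handle_request("/Main.aspx", now + 30, url_ticket=token)
```

The model accepts whoever presents a valid ticket, so protecting the ticket's contents stops forgery but not reuse of a captured URL; the defences are transport encryption and a short timeout.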