Programming Microsoft ASP.NET 4 - Dino Esposito [417]
slidingExpiration
Indicates whether sliding expiration is enabled. The default is true. With sliding expiration on, the cookie is reissued on a request made after more than half of the interval set by the timeout attribute has elapsed, so an active user stays logged in; with it off, the cookie expires at a fixed interval from the time it was originally issued, whatever the user does in the meantime.
timeout
Specifies the amount of time, in minutes, after which the authentication cookie expires. The default value is 30.
The defaultUrl attribute lets you set the URL of the page to return to after a request has been successfully authenticated. This URL is configurable. But isn’t the URL of the return page embedded in the query string, in the ReturnUrl parameter? So when is defaultUrl useful?
If a user is redirected to the login page by the authentication module, the ReturnUrl parameter is always set correctly and the value of defaultUrl is blissfully ignored. However, if your page contains a link to the login page, or if it needs to transfer programmatically to the login page (for example, after the current user has logged off), you are responsible for setting the ReturnUrl parameter yourself. If it is not set, the URL stored in the defaultUrl attribute is used.
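The two situations just described, a logout page that reaches the login page on its own and a login page that has to decide between ReturnUrl and defaultUrl, as an added example (this is not code from the book). The page and control names are hypothetical, the web.config values in the leading comment are illustrative, and the IsLocalPath check is an addition the text does not discuss: ReturnUrl is request input, so a page that builds it from the query string must make sure it stays inside the application.

```csharp
// Added example (not code from the book). It assumes this <forms> element in
// web.config; the attribute names are those discussed above, the values are
// illustrative, and the page and control names are hypothetical:
//
//   <authentication mode="Forms">
//     <forms loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx"
//            timeout="20" slidingExpiration="true" />
//   </authentication>
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Logout page. The module never redirects here, so this page decides what the
// login page will find in ReturnUrl; if it sends nothing, defaultUrl applies.
public class LogoutPage : Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        FormsAuthentication.SignOut();

        // Option A: no ReturnUrl. After the next login the user lands on defaultUrl.
        //   Response.Redirect(FormsAuthentication.LoginUrl, true);

        // Option B: honour "?from=/orders/list.aspx" so the user returns there.
        // The value is request input, so it is only accepted as an app-local path:
        // a ReturnUrl built from unchecked input is an open redirect waiting to happen.
        string from = Request.QueryString["from"];
        string returnUrl = IsLocalPath(from) ? from : FormsAuthentication.DefaultUrl;
        Response.Redirect(
            FormsAuthentication.LoginUrl + "?ReturnUrl=" + HttpUtility.UrlEncode(returnUrl),
            true);
    }

    // Accepts "/orders/list.aspx"; rejects "", "//evil.example/", "/\evil.example/"
    // and "http://evil.example/", none of which start with exactly one slash.
    internal static bool IsLocalPath(string url)
    {
        if (string.IsNullOrEmpty(url) || url[0] != '/') return false;
        return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
    }
}

// Login page; UserName and Password are the page's TextBox controls.
public class LoginPage : Page
{
    protected TextBox UserName;
    protected TextBox Password;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (!Membership.ValidateUser(UserName.Text, Password.Text))
            return;   // leave the page showing its failure message

        // timeout and slidingExpiration from <forms> are what the ticket will carry.
        Trace.Write("auth", "lifetime " + FormsAuthentication.Timeout +
                            ", sliding=" + FormsAuthentication.SlidingExpiration);

        // Issues the ticket cookie and redirects to ReturnUrl if the query string has
        // one, otherwise to defaultUrl. With the default enableCrossAppRedirects="false"
        // a ReturnUrl pointing outside this application is also replaced by defaultUrl.
        FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
    }
}
```

RedirectFromLoginPage is the path most pages should take, because it applies the ReturnUrl-or-defaultUrl rule and the cross-application restriction for you. The hand-built redirect in LogoutPage exists only to show what happens when a page composes the login URL itself: at that point the ReturnUrl value is yours to validate.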
Cookie-Based Forms Authentication
The default way of putting Forms authentication to work is through cookies. The content of the authentication ticket is stored in a cookie named after the value of the name attribute in the
By default, the authentication cookie lasts 30 minutes and is protected using both data validation and encryption. Data validation ensures that the contents of the cookie have not been tampered with along the way. Encryption uses the Rijndael algorithm (also known as AES) to scramble the content. You can force it to use DES or 3DES instead, although DES, with its 56-bit key, should be avoided. When validation is turned on, the cookie is created by concatenating a validation key with the cookie data, computing a Message Authentication Code (MAC) over the result, and appending the MAC to the outgoing cookie. The validation key, as well as the hash algorithm to use for the MAC, are read out of the
Cookieless Forms Authentication
Cookies are not the only way of putting Forms authentication to work. ASP.NET offers an alternative API that exposes a nearly identical programming interface but makes no use of cookies.
When cookieless authentication is on, the ticket is incorporated into the URL in much the same way as for cookieless sessions. The URL of a page served to an authenticated user follows the pattern shown here:
http://YourApp/(F(XYZ...1234))/samples/default.aspx
The ticket, encoded to a URL-compliant alphabet, is inserted in the URL right after the server name.
Note No matter which settings you might have for validation and encryption, or whether your authentication scheme is cookied or cookieless, the information stored in the authentication ticket is encoded so that it is not immediately human-readable. Forms authentication uses a URI-safe derivative of Base64 encoding that carries six bits of data per character. Encoding is not protection, however: only validation and encryption keep the ticket from being read or forged.
Cookieless authentication requires an ISAPI filter to intercept the request, extract the ticket, and rewrite the correct path to the application. The filter also exposes the authentication ticket as another request header. The same aspnet_filter.dll component that we saw in Chapter 17 for cookieless sessions is used to parse the URL when cookieless authentication is used. To avoid confusion, each extra piece of information stuffed in the URL is wrapped by unique delimiters: S(…) for a session ID and F(…) for an authentication ticket. The filter extracts the information, removes the URL adornments, and places the ticket in a request header named AspAuthenticationTicket.
Options for Cookieless Authentication
To enable cookieless authentication, you set the cookieless attribute in the
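The two mechanisms described above, validation plus encryption of the ticket (the Cookie-Based Forms Authentication paragraph) and the (F(…)) URL adornment that the filter strips (the Cookieless Forms Authentication paragraphs), as one added, stand-alone console example. This is not ASP.NET's own code: HMAC-SHA256, AES-128 in CBC mode, the 32-byte MAC length, the "user|expiresUtc" ticket layout and the combined (S(…)F(…)) group in the path are assumptions modelled on the text, ASP.NET's real wire format and key handling differ, and the per-process random keys stand in for the validation and decryption keys that would come from configuration.

```csharp
// Added example, not ASP.NET's own code: a stand-alone model of the ticket
// protection (MAC appended to the data, then encrypted) and of the (F(...)) URL
// adornment that aspnet_filter.dll strips. Algorithms, lengths, ticket layout and
// the random stand-in keys are assumptions; the real ASP.NET format differs.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

public static class CookielessTicketDemo
{
    static readonly byte[] ValidationKey = RandomKey(32);   // stands in for the MAC key
    static readonly byte[] DecryptionKey = RandomKey(16);   // stands in for the AES key

    static byte[] RandomKey(int size)
    {
        var key = new byte[size];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        return key;
    }

    // Validation, then encryption: MAC(validationKey, data) is appended to the data,
    // the whole thing is AES-CBC encrypted, and the random IV travels in front.
    public static string Protect(string ticket)
    {
        byte[] data = Encoding.UTF8.GetBytes(ticket);
        byte[] mac;
        using (var h = new HMACSHA256(ValidationKey)) mac = h.ComputeHash(data);
        byte[] plain = data.Concat(mac).ToArray();
        using (var aes = Aes.Create())
        {
            aes.Key = DecryptionKey;
            aes.GenerateIV();
            using (var enc = aes.CreateEncryptor())
            {
                byte[] ct = enc.TransformFinalBlock(plain, 0, plain.Length);
                return UrlSafeBase64(aes.IV.Concat(ct).ToArray());
            }
        }
    }

    // Returns the ticket text, or null when decoding, decryption or the MAC check fails.
    // One failure value for every cause: a caller must not be able to tell them apart.
    public static string Unprotect(string token)
    {
        byte[] blob;
        try { blob = FromUrlSafeBase64(token); } catch (FormatException) { return null; }
        if (blob.Length < 32) return null;
        byte[] plain;
        try
        {
            using (var aes = Aes.Create())
            {
                aes.Key = DecryptionKey;
                aes.IV = blob.Take(16).ToArray();
                using (var dec = aes.CreateDecryptor())
                    plain = dec.TransformFinalBlock(blob, 16, blob.Length - 16);
            }
        }
        catch (CryptographicException) { return null; }   // corrupted padding
        if (plain.Length < 32) return null;
        byte[] data = plain.Take(plain.Length - 32).ToArray();
        byte[] mac = plain.Skip(plain.Length - 32).ToArray();
        byte[] expected;
        using (var h = new HMACSHA256(ValidationKey)) expected = h.ComputeHash(data);
        return FixedTimeEquals(mac, expected) ? Encoding.UTF8.GetString(data) : null;
    }

    // URI-safe Base64 as the note describes it: '+' -> '-', '/' -> '_', no '=' padding.
    static string UrlSafeBase64(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] FromUrlSafeBase64(string s)
    {
        string std = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(std.PadRight(std.Length + (4 - std.Length % 4) % 4, '='));
    }

    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // The filter's job: pull "(S(sid)F(ticket))" out of the path, keep the ticket for
    // the AspAuthenticationTicket header, and leave a clean application path behind.
    static readonly Regex Adornment = new Regex(
        @"^/\((?:S\((?<sid>[^()]+)\))?(?:F\((?<ticket>[^()]+)\))?\)(?<path>/.*)?$");

    public static bool StripAdornment(string rawPath, out string cleanPath, out string ticket)
    {
        Match m = Adornment.Match(rawPath);
        cleanPath = m.Success ? (m.Groups["path"].Success ? m.Groups["path"].Value : "/") : rawPath;
        ticket = m.Success && m.Groups["ticket"].Success ? m.Groups["ticket"].Value : null;
        return m.Success;
    }

    public static void Main()
    {
        string ticket = "alice|" + DateTime.UtcNow.AddMinutes(30).ToString("O");   // constructed
        string token = Protect(ticket);
        string url = "/(F(" + token + "))/samples/default.aspx";   // the pattern from the text
        string path, carried;
        StripAdornment(url, out path, out carried);
        Console.WriteLine(path + " -> " + Unprotect(carried));     // /samples/default.aspx -> alice|...

        // Tampering: flip one ciphertext byte and re-encode; padding or the MAC then fails.
        byte[] blob = FromUrlSafeBase64(token);
        blob[blob.Length - 1] ^= 0x01;
        Console.WriteLine(Unprotect(UrlSafeBase64(blob)) == null ? "tampered ticket rejected" : "BUG");
    }
}
```

Unprotect deliberately collapses a padding failure and a MAC failure into the same null result. In a MAC-then-encrypt CBC design like the one the text describes, letting a client distinguish the two (different error pages, different timing) is exactly the padding-oracle condition that the 2010 ASP.NET fix (MS10-070) addressed, so any code that reimplements ticket handling should keep its failure path uniform.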