Forms authentication & frames

  • Thread starter Thread starter Martin
  • Start date Start date
M

Martin

Hi,

After I gave up on tracking user sessions through the session object
(Session_OnEnd is still not triggered by Abandon() even with mode=InProc and
me manipulating session variables; in a new test project it is only
triggered the first time, it really sucks pretty bad) I started looking at
alternatives and I found FormsAuthentication. I just implemened it and it
seems very nice. But, of course, there is a problem with it (it wouldn't be
fun if it all just worked straight away, right?).

My entry-page is a frame set. Now the trouble is that the login page to
which I am automatically redirected before I get to this page with the frame
set does not embed nicely into the targeted frame. It is a matter of
sequence I guess, I do have

<base target="RightPane" />

in mij login.aspx file but there is no RightPane until I am authenticated
and the frame set gets executed in the browser.

After the second redirect (when I have been authenticated) it gets worse.
The frame set embeds my home page as it should, but any subsequent pages I
navigatye to appear "full screen", disregarding the frame set where they
used to be embedded in because of the base tag. Does anyone how to handle
this nicely?

I think what I want is authentication to ignore my frame set page (to allow
anonymous visitors to it). I read something about location tags in
web.config. Could these be helpful? This would all be work-arounds though, I
am interested to head about your ideas on the matter.

Regards, Martin.
 
Hi,

I am beginning to like ASP.NET. The problem with frame sets and forms
authentication is actually accomodated quite nicely by the configuration
framework. Let me illustrate.

This is the way to activate forms authentication. You need to add this to
the System.Web section in web.config:

<authentication mode="Forms">
<forms name=".MWTE_Cookie" loginUrl="aanmelden.aspx" protection="All"
timeout="30" path="/">
<credentials passwordFormat="Clear">
<user name="Anoniem" password="Anoniem" />
</credentials>
</forms>
</authentication>

<authorization>
<!--
<allow users="*" />
-->
<deny users="?" />
</authorization>

The above is a first effort, I am still to use some sort of encryption of
passwords, which can also be done declaratively using the passwordFormat
attribute. Now if you leave it there you'll be disappointed, it messes up
the use of your frame set as I described earlier. In the back of my mind I
remembered something about a way to apply separate configurations to
different parts of your site. So I looked it up and used a <location> tag to
exclude my frame set from authentication like this:

<!-- exclude supporting frame set from forms authentication -->
<location path="default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>

You need to place this outside the System.Web tag. This did make a
difference and the result made me laugh. My frame set comprises 5 different
target windows and I got my login page in each and everyone of them.

Adding a location tag like the one above for each frame window but the main
content window got me the behavior I was after.

Martin.
 
Back
Top