https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/introduction/an-overview-of-forms-authentication-cs

https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/

https://docs.microsoft.com/en-us/aspnet/mvc/overview/older-versions-1/security/authenticating-users-with-windows-authentication-cs

authentication Element (ASP.NET Settings Schema)

Configures an ASP.NET application for custom forms–based authentication.

<authentication mode="Windows">
<forms
name=".ASPXAUTH"
loginUrl="login.aspx"
defaultUrl="default.aspx"
protection="All"
timeout=""
path="/"
requireSSL="false"
slidingExpiration="true"
cookieless="UseDeviceProfile" domain=""
enableCrossAppRedirects="false">
<credentials passwordFormat="SHA1" />
</forms>
<passport redirectUrl="internal" />
</authentication>

<forms> Element

loginUrl  Specifies the URL to which the request is redirected for logon if no valid authentication cookie is found. The default value is default.aspx.

name  Specifies the HTTP cookie to use for authentication. By default, the value of name is .ASPXAUTH. If multiple applications are running on a single server and each application requires a unique cookie, you must configure the cookie name in each application's Web.config file.

timeout  Specifies the amount of time, in integer minutes, after which the cookie expires. The default value is 30. If the SlidingExpiration attribute is true, the timeout attribute is a sliding value, expiring at the specified number of minutes after the time the last request was received. To prevent compromised performance, and to avoid multiple browser warnings for users that have cookie warnings turned on, the cookie is updated when more than half the specified time has elapsed. This might result in a loss of precision. Persistent cookies do not time out.

slidingExpiration  Specifies whether sliding expiration is enabled. Sliding expiration resets an active authentication cookie's time to expiration upon each request during a single session.

true  Specifies that sliding expiration is enabled. The authentication cookie is refreshed and the time to expiration is reset on subsequent requests during a single session. The default for version 1.0 of ASP.NET was true.

false  Specifies that sliding expiration is not enabled and the cookie expires at a set interval from the time it was originally issued. The default is false.

defaultUrl  

Optional attribute.

Defines the default URL that is used for redirection after authentication.

This attribute is new in the .NET Framework version 2.0.

The default is "default.aspx".

path 

Optional attribute.

Specifies the path for cookies that are issued by the application.

The default is a slash (/), because most browsers are case-sensitive and will not send cookies back, if there is a path case mismatch.

上面的部分属性可以在IIS中进行配置

<authentication mode="Forms">
<forms loginUrl="member_login.aspx"
cookieless="UseCookies"
path="/MyApplication" />
</authentication> FormsAuthentication类中的静态字段

https://stackoverflow.com/questions/879321/formsauthentication-formscookiepath

https://www.quirksmode.org/js/cookies.html

Domain and path

Each cookie also has a domain and a path. The domain tells the browser to which domain the cookie should be sent. If you don't specify it, it becomes the domain of the page that sets the cookie, in the case of this page www.quirksmode.org.
Please note that the purpose of the domain is to allow cookies to cross sub-domains. My cookie
will not be read by search.quirksmode.org because its domain is www.quirksmode.org . When I set the
domain to quirksmode.org, the search sub-domain may also read the cookie.
I cannot set the cookie domain to a domain I'm not in, I cannot make the domain www.microsoft.com .
Only quirksmode.org is allowed, in this case.

The path gives you the chance to specify a directory where the cookie is active.
So if you want the cookie to be only sent to pages in the directory cgi-bin, set the
path to /cgi-bin. Usually the path is set to /, which means the cookie is
valid throughout the entire domain.
This script does so, so the cookies you can set on this page will be sent to any page in the
www.quirksmode.org domain (though only this page has a script that searches for the
cookies and does something with them).

https://en.wikipedia.org/wiki/HTTP_cookie#Domain_and_path

 

HttpCookie

Provides a type-safe way to create and manipulate individual HTTP cookies.

The HttpCookie class gets and sets properties of individual cookies. The HttpCookieCollection class provides methods to store, retrieve, and manage multiple cookies.

ASP.NET includes two intrinsic cookie collections. The collection accessed through the Cookies collection of the HttpRequest object contains cookies transmitted by the client to the server in the Cookie header. The collection accessed through the Cookies collection of the HttpResponse object contains new cookies created on the server and transmitted to the client in the Set-Cookie HTTP response header.

HttpCookie.Path

Gets or sets the virtual path to transmit with the current cookie.

The virtual path to transmit with the cookie. The default is /, which is the server root.

The Path property extends the Domain property to completely describe the specific URL to which the cookie applies.

For example, in the URL http:/www.microsoft.com/asp, the domain is www.microsoft.com and the path is /asp.

HttpCookie.Domain

Gets or sets the domain to associate the cookie with.

The name of the domain to associate the cookie with. The default value is the current domain.

Setting the Domain attribute limits transmission of the cookie to clients requesting a resource from that domain.

启用windows 授权的话,需要在IIS中打开,参考https://docs.kentico.com/k10/managing-users/user-registration-and-authentication/configuring-windows-ad-authentication

sessionState Element (ASP.NET Settings Schema)

https://msdn.microsoft.com/en-us/library/h6bb9cz9(v=vs.100).aspx

timeout

Optional TimeSpan attribute.

Specifies the number of minutes a session can be idle before it is abandoned. The timeout attribute cannot be set to a value that is greater than 525,600 minutes (1 year) for the in-process and state-server modes.

The session timeout configuration setting applies only to ASP.NET pages. Changing the session timeout value does not affect the session time-out for ASP pages. Similarly, changing the session time-out for ASP pages does not affect the session time-out for ASP.NET pages.

The default is 20 minutes.

https://msdn.microsoft.com/en-us/library/ms178581.aspx

Authentication in asp.net的更多相关文章

  1. Forms Authentication in ASP.NET MVC 4

    原文:Forms Authentication in ASP.NET MVC 4 Contents: Introduction Implement a custom membership provid ...

  2. Cookies, Claims and Authentication in ASP.NET Core(转载)

    Most of the literature concerning the theme of authentication in ASP.NET Core focuses on the use of ...

  3. Implement JSON Web Tokens Authentication in ASP.NET Web API and Identity 2.1 Part 3 (by TAISEER)

    http://bitoftech.net/2015/02/16/implement-oauth-json-web-tokens-authentication-in-asp-net-web-api-an ...

  4. [转]Implementing User Authentication in ASP.NET MVC 6

    本文转自:http://www.dotnetcurry.com/aspnet-mvc/1229/user-authentication-aspnet-mvc-6-identity In this ar ...

  5. Active Directory Authentication in ASP.NET MVC 5 with Forms Authentication and Group-Based Authorization

    I know that blog post title is sure a mouth-full, but it describes the whole problem I was trying to ...

  6. Basic Authentication in ASP.NET Web API

    Basic authentication is defined in RFC 2617, HTTP Authentication: Basic and Digest Access Authentica ...

  7. ASP.NET MVC:Form Authentication 相关的学习资源

    看完此图就懂了 看完下面文章必须精通 Form authentication and authorization in ASP.NET Explained: Forms Authentication ...

  8. ASP.NET Core Authentication系列(一)理解Claim, ClaimsIdentity, ClaimsPrincipal

    前言 首先我们来看一下在ASP.NET时代,Authentication是如何使用的.下面介绍的是System.Web.Security.FormsAuthentication: // 登录 Syst ...

  9. ASP.NET Core Authentication系列(二)实现认证、登录和注销

    前言 在上一篇文章介绍ASP.NET Core Authentication的三个重要概念,分别是Claim, ClaimsIdentity, ClaimsPrincipal,以及claims-bas ...

随机推荐

  1. Android Handler 具体解释

    Android开发中常常使用Handler来实现"跨越线程(Activity)更新UI".本文将从源代码角度回答:为什么使用Handler可以跨线程更新UI?为什么跨线程更新UI一 ...

  2. 2014.04.16,读书,读书笔记-《Matlab R2014a完全自学一本通》-第17章 图形用户界面

    界面对象分三类: 用户控件对象(uicontrol) 下拉式菜单对象(uimenu) 内容式菜单对象(uicontextmenu) 创建用户界面: 1.命令行方式 采用uicontrol来创建控件对象 ...

  3. UVA 10127- Ones 数学

    Given any integer 0 ≤ n ≤ 10000 not divisibleby 2 or 5, some multiple of n is a number whichin decim ...

  4. Python笔记(八)

    #-*-coding:utf-8-*- # Python内置函数 print abs(-45) # 绝对值函数 print divmod(7,2) # 返回一个包含商和余数的元组 # input(&q ...

  5. QT-简介

    前言:Qt是一款强大的跨平台gui(图形界面开发)开发工具. 一.安装说明 Qt安装包: qt-opensource-windows-x86-mingw492-5.6.1-1.exe -------- ...

  6. mybatis的二级缓存的使用

    1.引入ehcache的jar包和mybatis整合ehcache的jar包: <!-- ehchache --> <dependency> <groupId>ne ...

  7. Asp.net mvc中使用配置Unity

    第一步:添加unity.mvc 第二步:在添加之后会在app_start中生成UnityConfig.cs,UnityMvcActivator.cs 第三步:使用 第四步:效果展示

  8. vue中使用Ueditor编辑器 -- 1

    一.   下载包: 从Ueditor的官网下载1.4.3.3jsp版本的Ueditor编辑器,官网地址为:http://ueditor.baidu.com/website/download.html ...

  9. IntelliJ Idea使用代码折叠

    VS风格: //region    xxxxxxxxxxxxxx ............. //endregion 快捷键: Ctrl+Shift+”+/-”,全部展开.折叠

  10. JDBC程序实例

    实例 ( Statement ): public class JDBC { public static void main(String[] args) throws Exception { Conn ...