https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/introduction/an-overview-of-forms-authentication-cs

https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/

https://docs.microsoft.com/en-us/aspnet/mvc/overview/older-versions-1/security/authenticating-users-with-windows-authentication-cs

authentication Element (ASP.NET Settings Schema)

Configures an ASP.NET application for custom forms–based authentication.

<authentication mode="Windows">
<forms
name=".ASPXAUTH"
loginUrl="login.aspx"
defaultUrl="default.aspx"
protection="All"
timeout=""
path="/"
requireSSL="false"
slidingExpiration="true"
cookieless="UseDeviceProfile" domain=""
enableCrossAppRedirects="false">
<credentials passwordFormat="SHA1" />
</forms>
<passport redirectUrl="internal" />
</authentication>

<forms> Element

loginUrl  Specifies the URL to which the request is redirected for logon if no valid authentication cookie is found. The default value is default.aspx.

name  Specifies the HTTP cookie to use for authentication. By default, the value of name is .ASPXAUTH. If multiple applications are running on a single server and each application requires a unique cookie, you must configure the cookie name in each application's Web.config file.

timeout  Specifies the amount of time, in integer minutes, after which the cookie expires. The default value is 30. If the SlidingExpiration attribute is true, the timeout attribute is a sliding value, expiring at the specified number of minutes after the time the last request was received. To prevent compromised performance, and to avoid multiple browser warnings for users that have cookie warnings turned on, the cookie is updated when more than half the specified time has elapsed. This might result in a loss of precision. Persistent cookies do not time out.

slidingExpiration  Specifies whether sliding expiration is enabled. Sliding expiration resets an active authentication cookie's time to expiration upon each request during a single session.

true  Specifies that sliding expiration is enabled. The authentication cookie is refreshed and the time to expiration is reset on subsequent requests during a single session. The default for version 1.0 of ASP.NET was true.

false  Specifies that sliding expiration is not enabled and the cookie expires at a set interval from the time it was originally issued. The default is false.

defaultUrl  

Optional attribute.

Defines the default URL that is used for redirection after authentication.

This attribute is new in the .NET Framework version 2.0.

The default is "default.aspx".

path 

Optional attribute.

Specifies the path for cookies that are issued by the application.

The default is a slash (/), because most browsers are case-sensitive and will not send cookies back, if there is a path case mismatch.

上面的部分属性可以在IIS中进行配置

<authentication mode="Forms">
<forms loginUrl="member_login.aspx"
cookieless="UseCookies"
path="/MyApplication" />
</authentication> FormsAuthentication类中的静态字段

https://stackoverflow.com/questions/879321/formsauthentication-formscookiepath

https://www.quirksmode.org/js/cookies.html

Domain and path

Each cookie also has a domain and a path. The domain tells the browser to which domain the cookie should be sent. If you don't specify it, it becomes the domain of the page that sets the cookie, in the case of this page www.quirksmode.org.
Please note that the purpose of the domain is to allow cookies to cross sub-domains. My cookie
will not be read by search.quirksmode.org because its domain is www.quirksmode.org . When I set the
domain to quirksmode.org, the search sub-domain may also read the cookie.
I cannot set the cookie domain to a domain I'm not in, I cannot make the domain www.microsoft.com .
Only quirksmode.org is allowed, in this case.

The path gives you the chance to specify a directory where the cookie is active.
So if you want the cookie to be only sent to pages in the directory cgi-bin, set the
path to /cgi-bin. Usually the path is set to /, which means the cookie is
valid throughout the entire domain.
This script does so, so the cookies you can set on this page will be sent to any page in the
www.quirksmode.org domain (though only this page has a script that searches for the
cookies and does something with them).

https://en.wikipedia.org/wiki/HTTP_cookie#Domain_and_path

 

HttpCookie

Provides a type-safe way to create and manipulate individual HTTP cookies.

The HttpCookie class gets and sets properties of individual cookies. The HttpCookieCollection class provides methods to store, retrieve, and manage multiple cookies.

ASP.NET includes two intrinsic cookie collections. The collection accessed through the Cookies collection of the HttpRequest object contains cookies transmitted by the client to the server in the Cookie header. The collection accessed through the Cookies collection of the HttpResponse object contains new cookies created on the server and transmitted to the client in the Set-Cookie HTTP response header.

HttpCookie.Path

Gets or sets the virtual path to transmit with the current cookie.

The virtual path to transmit with the cookie. The default is /, which is the server root.

The Path property extends the Domain property to completely describe the specific URL to which the cookie applies.

For example, in the URL http:/www.microsoft.com/asp, the domain is www.microsoft.com and the path is /asp.

HttpCookie.Domain

Gets or sets the domain to associate the cookie with.

The name of the domain to associate the cookie with. The default value is the current domain.

Setting the Domain attribute limits transmission of the cookie to clients requesting a resource from that domain.

启用windows 授权的话,需要在IIS中打开,参考https://docs.kentico.com/k10/managing-users/user-registration-and-authentication/configuring-windows-ad-authentication

sessionState Element (ASP.NET Settings Schema)

https://msdn.microsoft.com/en-us/library/h6bb9cz9(v=vs.100).aspx

timeout

Optional TimeSpan attribute.

Specifies the number of minutes a session can be idle before it is abandoned. The timeout attribute cannot be set to a value that is greater than 525,600 minutes (1 year) for the in-process and state-server modes.

The session timeout configuration setting applies only to ASP.NET pages. Changing the session timeout value does not affect the session time-out for ASP pages. Similarly, changing the session time-out for ASP pages does not affect the session time-out for ASP.NET pages.

The default is 20 minutes.

https://msdn.microsoft.com/en-us/library/ms178581.aspx

Authentication in asp.net的更多相关文章

  1. Forms Authentication in ASP.NET MVC 4

    原文:Forms Authentication in ASP.NET MVC 4 Contents: Introduction Implement a custom membership provid ...

  2. Cookies, Claims and Authentication in ASP.NET Core(转载)

    Most of the literature concerning the theme of authentication in ASP.NET Core focuses on the use of ...

  3. Implement JSON Web Tokens Authentication in ASP.NET Web API and Identity 2.1 Part 3 (by TAISEER)

    http://bitoftech.net/2015/02/16/implement-oauth-json-web-tokens-authentication-in-asp-net-web-api-an ...

  4. [转]Implementing User Authentication in ASP.NET MVC 6

    本文转自:http://www.dotnetcurry.com/aspnet-mvc/1229/user-authentication-aspnet-mvc-6-identity In this ar ...

  5. Active Directory Authentication in ASP.NET MVC 5 with Forms Authentication and Group-Based Authorization

    I know that blog post title is sure a mouth-full, but it describes the whole problem I was trying to ...

  6. Basic Authentication in ASP.NET Web API

    Basic authentication is defined in RFC 2617, HTTP Authentication: Basic and Digest Access Authentica ...

  7. ASP.NET MVC:Form Authentication 相关的学习资源

    看完此图就懂了 看完下面文章必须精通 Form authentication and authorization in ASP.NET Explained: Forms Authentication ...

  8. ASP.NET Core Authentication系列(一)理解Claim, ClaimsIdentity, ClaimsPrincipal

    前言 首先我们来看一下在ASP.NET时代,Authentication是如何使用的.下面介绍的是System.Web.Security.FormsAuthentication: // 登录 Syst ...

  9. ASP.NET Core Authentication系列(二)实现认证、登录和注销

    前言 在上一篇文章介绍ASP.NET Core Authentication的三个重要概念,分别是Claim, ClaimsIdentity, ClaimsPrincipal,以及claims-bas ...

随机推荐

  1. BZOJ 1790: [Ahoi2008]Rectangle 矩形藏宝地

    BZOJ 1790: [Ahoi2008]Rectangle 矩形藏宝地 题目传送门 [题目大意] 游戏的主办方把这块开阔地当作第一象限,将所有可能埋藏宝藏的地方划成一个个矩形的土地,并把这些矩形土地 ...

  2. Xcode的一些控制台命令

    命令 解释 break NUM 在指定的行上设置断点 bt 显示所有的调用栈帧,该命令可用来显示函数的调用顺序 clear 删除设置在特定源文件.特定行上的断点,其用法为:clear FILENAME ...

  3. [makefile]如何设置不同目录的代码(.c),生成到指定目录下(./debug/.o))

    部分代码跟makefile不在同一目录,有没有好的方法来设置依赖关系,我找到三种方法,但感觉都不完美,下面我会把他列出来并加以说明,不知有没有更好的方法,makefile本身也不是很熟,请大家指教: ...

  4. Excel—— [导入到数据库] or 将数据 [导入到Excel]

    将Excel导入到数据库实现如下: 前台代码: @model IEnumerable<Model.Student> @{ Layout = null; } <!DOCTYPE htm ...

  5. sql server 启用数据库的 Service Broker

    使用SqlDependency时要开启Service Broker ,那么SqlDependency是什么 https://www.cnblogs.com/zhaoyihao/p/5663258.ht ...

  6. 什么是 Dropout

    为了应对神经网络很容易过拟合的问题,2014年 Hinton 提出了一个神器, **Dropout: A Simple Way to Prevent Neural Networks from Over ...

  7. jQuery在多个div中,删除指定项

    之前工作中有一个需求,就是在一堆图片列表中,点击具体的图片,并从界面移除:点击具体的图片,下载:这是一个思路 <style type="text/css" media=&qu ...

  8. javascript中全屏滑动效果实现

    <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8&quo ...

  9. DirectUI界面编程(一)创建第一个应用

    1.获取Duilib库文件 通过上一节大家对DirectUI界面设计有了初步的了解,本节开始我们一起学习Duilib界面库的使用. 首先我们需要获取Duilib库,目前最新版本为2.0,最新版本源码托 ...

  10. Android设计模式——抽象工厂方法模式

    1.抽象工厂方法模式:为了创建一组或相互依赖的对象提供一个接口,而不需要指定它们是具体类……无语 2.找个代码看看: 抽象工厂类<成员为接口> /** * 抽象工厂 * */ public ...