Thursday 24 February 2011

Understanding Forms Authentication Ticket and Cookie

What is forms authentication ticket and forms authentication cookie? How are they related?

The forms authentication cookie is nothing but the container for the forms authentication ticket. The ticket is passed as the value of the forms authentication cookie with each request and is used by forms authentication, on the server, to identify an authenticated user.

However, if we choose to use cookieless forms authentication, the ticket is passed in the URL in an encrypted format. Cookieless forms authentication exists because client browsers sometimes block cookies. This feature was introduced in the Microsoft .NET Framework 2.0.

What is the role of a ticket in Forms Authentication?

The forms authentication ticket tells the ASP.NET application who you are. Thus, the ticket is the building block of Forms Authentication's security.

The ticket is encrypted and signed using the <machineKey> configuration element of the server's Machine.config file. ASP.NET 2.0 uses the decryptionKey and the new decryption attribute of the <machineKey> element to encrypt forms authentication tickets. The decryption attribute lets you specify the encryption algorithm to use. ASP.NET 1.1 and 1.0 use 3DES encryption, which is not configurable. Tampering with the ticket value is detected by a failure to decrypt the ticket on the server. As a result, the user is redirected to the logon page.

If the application is deployed in a Web farm, you must make sure that the configuration files on each server share the same value for the validationKey and decryptionKey attributes in the <machineKey> tag, which are used for hashing and decryption of the ticket respectively. You must do this because you cannot guarantee which server will handle successive requests.
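As an added example (not code from the original post), the following helper issues a ticket by hand and reads it back, which makes the relationship described above concrete: the cookie carries nothing but the encrypted, signed ticket, and a ticket that fails decryption or validation (tampering, or a farm node with different <machineKey> values) is simply treated as "not authenticated". It assumes an ASP.NET application with <authentication mode="Forms"> configured and .NET Framework 4 or later for FormsAuthentication.Timeout; the class and method names are mine.

```csharp
// Added example, not from the original post. Assumes an ASP.NET app with
// <authentication mode="Forms"> and .NET 4+ (FormsAuthentication.Timeout).
using System;
using System.Web;
using System.Web.Security;

public static class TicketHelper
{
    // Build a ticket for the user and place it, encrypted and signed with the
    // <machineKey> settings, in the forms authentication cookie.
    public static void IssueTicket(HttpResponse response, string userName, bool persistent)
    {
        DateTime issued = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,                                       // version
            userName,                                // name
            issued,                                  // issueDate
            issued.Add(FormsAuthentication.Timeout), // expiration: <forms timeout="..."> minutes
            persistent,                              // isPersistent
            string.Empty,                            // userData: app data rides inside the ticket
            FormsAuthentication.FormsCookiePath);    // cookiePath

        // Encrypt + sign using decryptionKey / validationKey from <machineKey>
        string encrypted = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            Path = FormsAuthentication.FormsCookiePath,
            HttpOnly = true,                         // keep the ticket out of reach of script
            Secure = FormsAuthentication.RequireSSL   // honour requireSSL="true"
        };
        if (persistent)
        {
            // Durable cookie: the browser keeps it across sessions until the ticket expires
            cookie.Expires = ticket.Expiration;
        }
        response.Cookies.Add(cookie);
    }

    // Read the ticket back out of the cookie. Returns null when there is no cookie,
    // the ticket cannot be decrypted/validated, or it has expired; the caller treats
    // null as "not authenticated" and redirects to the logon page.
    public static FormsAuthenticationTicket TryReadTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt returns null or throws for a ticket that fails validation,
            // depending on the framework version; handle both the same way.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return null;
        }

        if (ticket == null || ticket.Expired)
            return null;
        return ticket;
    }
}
```

In practice FormsAuthentication.SetAuthCookie does the issuing for you; writing it out shows where each attribute of the cookie comes from and why a mismatched decryptionKey on another server ends in a redirect to the logon page rather than an error.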

How are cookie expiration and ticket expiration related?

In the case of a non-persistent cookie, if the ticket expires, the cookie also expires and the user is redirected to the logon page. On the other hand, if the ticket is marked as persistent, the cookie is stored on the client machine and the browser can use the same authentication cookie to log on to the Web site at any time. However, the FormsAuthentication.SignOut method can be used to delete persistent or non-persistent cookies explicitly.

How does sliding expiration work in the context of forms authentication ticket and forms authentication cookie?

Let us take an example: if the logon page is accessed at 5:00:00 PM, the ticket should expire at 5:10:00 PM when the timeout attribute is 10 (minutes) and the slidingExpiration attribute is set to TRUE. Now, if any Web page is browsed again at 5:05:00 PM, the cookie and ticket time-out period is reset to 5:15:00 PM.

If the Web page is accessed before half of the expiration time has passed, the ticket expiration time is not reset. For example, if any Web page is accessed again at 5:04:00 PM, the cookie and ticket time-out period is not reset.

Where can the time-out value of the forms authentication cookie and forms authentication ticket be set?

The only setting that you can make is in the Web.config file or the Machine.config file, in the <forms> tag (its timeout attribute). This setting determines the time-out period of forms authentication in the context of a ticket or cookie, unless the ticket is generated manually.

If the ticket is generated manually by using the FormsAuthenticationTicket class, the time-out can be set through the Expiration attribute. This value will override the timeout attribute value specified in configuration files.

Forms authentication may time out before the timeout attribute value that is set in the configuration file.
If the forms authentication ticket is generated manually, the time-out set on the ticket overrides the value in the configuration file. Therefore, if the ticket's value is less than the value in the configuration file, the ticket expires before the configured timeout, and vice versa.
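The following Web.config fragment is an added illustration (not taken from the original post) of where the settings discussed above live: the timeout and slidingExpiration attributes on <forms>, and the explicit <machineKey> values that every server in a Web farm must share. The loginUrl and the key values are placeholders, not real keys.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- timeout is in minutes. With slidingExpiration="true" the ticket is
           renewed only once more than half of the timeout has elapsed:
           for a 10-minute ticket issued at 5:00 PM, a request at 5:04 PM
           changes nothing, a request at 5:05 PM moves expiry to 5:15 PM. -->
      <forms loginUrl="~/Login.aspx"
             timeout="10"
             slidingExpiration="true"
             requireSSL="true"
             protection="All" />
    </authentication>

    <!-- Web farm: every node must carry the SAME explicit keys, otherwise a
         ticket issued by one node fails validation on the next and the user
         is bounced to the logon page. The values below are placeholders. -->
    <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS"
                decryptionKey="REPLACE_WITH_64_HEX_CHARS"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
```

A ticket created manually through the FormsAuthenticationTicket constructor ignores timeout="10" and uses whatever Expiration it was given; the rest of the settings (protection, keys, requireSSL) still apply to it.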

FormsAuthenticationTicket.IsPersistent Property

true if a durable cookie (a cookie that is saved across browser sessions) was issued; otherwise, false.

// Cast the current identity to FormsIdentity to reach the underlying ticket
FormsIdentity id = (FormsIdentity)User.Identity;
FormsAuthenticationTicket ticket = id.Ticket;

If there is no logged-on user, the Identity property will be null and you will receive a compiler exception when attempting to cast the Identity property as a FormsIdentity object.
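As an added example (not from the original post), the helper below reads the ticket without running into the problem just described: it uses the "as" operator and a null check so that an anonymous user, or a user authenticated by some other module, yields null instead of an exception. The class and method names are mine.

```csharp
// Added example, not from the original post. Assumes it is called from a page
// or controller that has the current IPrincipal (e.g. User or Context.User).
using System.Security.Principal;
using System.Web.Security;

public static class CurrentTicket
{
    // Returns the forms authentication ticket for the user, or null when nobody
    // is logged on or the identity is not a FormsIdentity (e.g. Windows auth).
    public static FormsAuthenticationTicket Get(IPrincipal user)
    {
        // "as" yields null instead of throwing when the identity is not a FormsIdentity
        FormsIdentity identity = (user == null) ? null : user.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return null;
        return identity.Ticket;
    }

    // Example use: report whether the logon survives a browser restart
    // (IsPersistent) and when it ends (Expiration).
    public static string Describe(IPrincipal user)
    {
        FormsAuthenticationTicket ticket = Get(user);
        if (ticket == null)
            return "no forms authentication ticket";
        return (ticket.IsPersistent ? "durable cookie" : "session cookie")
               + ", expires " + ticket.Expiration;
    }
}
```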


Sliding Expiration

Inside the FormsAuthentication class we find the method that renews the ticket only when the time elapsed since the ticket was issued is at least as long as the time left until it expires, that is, once more than half of the ticket's lifetime has passed.

Public Shared Function RenewTicketIfOld( _
        ByVal tOld As FormsAuthenticationTicket) As FormsAuthenticationTicket
    If (tOld Is Nothing) Then
        Return Nothing
    End If

    Dim time1 As DateTime = DateTime.Now
    ' Time elapsed since the ticket was issued
    Dim span1 As TimeSpan = DirectCast((time1 - tOld.IssueDate), TimeSpan)
    ' Time remaining until the ticket expires
    Dim span2 As TimeSpan = DirectCast((tOld.Expiration - time1), TimeSpan)

    ' More time left than has elapsed: less than half the lifetime is used, keep the ticket
    If (span2 > span1) Then
        Return tOld
    End If

    ' Otherwise issue a fresh ticket with the same lifetime, starting now
    Return New FormsAuthenticationTicket(tOld.Version, tOld.Name, time1, _
                      (time1 + (tOld.Expiration - tOld.IssueDate)), _
                      tOld.IsPersistent, tOld.UserData, tOld.CookiePath)
End Function
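To tie the 5:04 PM / 5:05 PM example from the sliding-expiration answer above to the method just shown, here is an added C# port of the same decision (not the framework's code) with the clock passed in as a parameter, so the cases can be checked without waiting for real time to pass. It also shows the point made earlier about manually generated tickets: a ticket built with a shorter Expiration keeps that shorter lifetime when it is renewed. The class and method names and the sample times are mine; FormsAuthenticationTicket is the real type.

```csharp
// Added example, not the framework's code: the RenewTicketIfOld rule with an
// injected clock. Uses only the real FormsAuthenticationTicket type.
using System;
using System.Web.Security;

public static class SlidingExpiration
{
    // Same decision as the framework: keep the ticket while the remaining time
    // exceeds the elapsed time; otherwise reissue with the same lifetime from "now".
    public static FormsAuthenticationTicket RenewIfOld(FormsAuthenticationTicket old, DateTime now)
    {
        if (old == null) return null;

        TimeSpan elapsed = now - old.IssueDate;
        TimeSpan remaining = old.Expiration - now;
        if (remaining > elapsed)
            return old;                 // less than half the lifetime used: nothing changes

        return new FormsAuthenticationTicket(
            old.Version, old.Name, now,
            now + (old.Expiration - old.IssueDate),   // same lifetime, new start
            old.IsPersistent, old.UserData, old.CookiePath);
    }

    public static void Main()
    {
        // Constructed scenario: a 10-minute ticket issued at 5:00:00 PM
        DateTime issued = new DateTime(2011, 2, 24, 17, 0, 0);
        var ticket = new FormsAuthenticationTicket(1, "alice", issued,
            issued.AddMinutes(10), false, string.Empty, "/");

        // 5:04 PM: elapsed 4 min < remaining 6 min -> same ticket object, still expires 5:10 PM
        var at504 = RenewIfOld(ticket, issued.AddMinutes(4));
        Console.WriteLine("5:04 renewed: {0}, expires {1:h:mm tt}",
            !ReferenceEquals(at504, ticket), at504.Expiration);

        // 5:05 PM: elapsed 5 min == remaining 5 min -> fresh ticket, expires 5:15 PM
        var at505 = RenewIfOld(ticket, issued.AddMinutes(5));
        Console.WriteLine("5:05 renewed: {0}, expires {1:h:mm tt}",
            !ReferenceEquals(at505, ticket), at505.Expiration);

        // Manually generated ticket with a 3-minute Expiration: the ticket's own value
        // wins over the configured timeout, and renewal keeps that 3-minute lifetime.
        var shortTicket = new FormsAuthenticationTicket(1, "alice", issued,
            issued.AddMinutes(3), false, string.Empty, "/");
        var renewedShort = RenewIfOld(shortTicket, issued.AddMinutes(2));
        Console.WriteLine("short ticket renewed at 5:02, expires {0:h:mm tt}",
            renewedShort.Expiration);   // 5:05 PM, not 5:12 PM
    }
}
```

Because the comparison is "remaining greater than elapsed", the boundary case at exactly half the lifetime (5:05 PM here) does renew, which is why the post's example resets at 5:05 PM but not at 5:04 PM.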

Wednesday 16 February 2011

Empty Cache vs. Primed Cache

Using a far future Expires header affects page views only after a user has already visited your site. It has no effect on the number of HTTP requests when a user visits your site for the first time and the browser's cache is empty. Therefore, the impact of this performance improvement depends on how often users hit your pages with a primed cache. It is likely that a majority of your traffic comes from users with a primed cache. Making your components cacheable improves the response time for these users.

When I say "empty cache" or "primed cache", I mean the state of the browser's cache relative to your page. The cache is "empty" if none of your page's components are in the cache. The browser's cache might contain components from other web sites, but that doesn't help your page. Conversely, the cache is "primed" if all of your page's cacheable components are in the cache.

The number of empty versus primed cache page views depends on the nature of the web application. A site like "word of the day" might only get one page view per session from the typical user. There are several reasons why the "word of the day" components might not be in the cache the next time a user visits the site:

a. Despite her desire for a better vocabulary, a user may visit the page only weekly or monthly, rather than daily.

b. A user may have manually cleared her cache since her last visit.

c. A user may have visited so many other web sites that her cache is filled up, and the "word of the day" components were pushed out.

d. The browser or an antivirus application may have cleared the cache when the browser was closed.

With only one page view per session, it is not very likely that "word of the day" components are in the cache, so the percentage of primed cache page views is low.


Tuesday 8 February 2011

Enable JavaScript in your browser

Internet Explorer (6.0) and above

1. Select 'Tools' from the top menu
2. Choose 'Internet Options'
3. Click on the 'Security' tab
4. Click on 'Custom Level'
5. Scroll down until you see the section labelled 'Scripting'
6. Under 'Active Scripting', select 'Enable' and click OK

Mozilla Firefox (1.5) and above

1. Select 'Tools' from the top menu
2. Choose 'Options'
3. Choose 'Content' from the top navigation
4. Select the checkbox next to 'Enable JavaScript' and click OK

Apple Safari

1. Select 'Safari' from the top menu
2. Choose 'Preferences'
3. Choose 'Security'
4. Select the checkbox next to 'Enable JavaScript'

Thursday 3 February 2011

jQuery .scrollTop()

Get the current vertical position of the scroll bar for the first element in the set of matched elements.

The vertical scroll position is the same as the number of pixels that are hidden from view above the scrollable area. If the scroll bar is at the very top, or if the element is not scrollable, this number will be 0.

For example, the following line gets the scrollTop value of the current window:

$(window).scrollTop();