asp.net security: When are the FormsAuthentication class' configuration settings read? -- asp.net security

When are the FormsAuthentication class' configuration settings read?

matt
9/25/2006 3:52:48 AM

asp.net security: Hi,

I'm writing a HttpModule which is going to require certain settings in
the FormsAuthentication configuration (for example, I need to ensure
enableCrossAppRedirects = true).

Now my best effort so far has been to run through the configuration
settings I require and raise exceptions if the web.config hasn't been
set up correctly. Ideally though, I'd like the sites this module will
go into not to have to paste boilerplate settings into web.config, and
instead just fix the settings from within my HttpModule's code at
Init().

Is this possible?

Obviously just changing the FormsAuthentication class' properties
doesn't work as they're read only (though I guess using a reflection
hack might be an option..?).

I've tried opening the config file using WebConfigurationManager,
changing settings and doing Save(), but these new values don't seem to
be reflected on the FormsAuthentication class' properties

Can anyone with some inside / in-depth knowledge of the
FormsAuthentication class give me some clues as to how this hangs
together?

thanks,
Matt

Re: When are the FormsAuthentication class' configuration settings read?

Dominick Baier
9/25/2006 11:10:35 AM

Hi,

when you Save the changed config file - the appdomain will recycle and has
the changed settings on the next restart.

But you will need a) write access to web.config and b) the add files ACL
for the web root for the worker process account - nothing i would recommend
from a security perspective.

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

[quoted text, click to view]