I just checked in support for mixed anonymous/windows authentication. This
was tricky. It turns out that - unlike, say, Forms or Basic authentication -
when you use Windows authentication, the browser does not automatically
submit credentials on every request after the first one. Worse, IIS
considers you authenticated for the duration of the physical TCP connection,
which can last for several HTTP request. So before I fixed things up, the
behavior I would see is that I'd log in, and then randomly appear as logged
in or not depending on which connection my request came in on (browsers
generally use more than one connection).
The solution I hit on was to return a cookie during login if I detect that
the authentication mode set in web.config is Windows. The cookie is detected
by code in Global.asax at the beginning of each request, and - if the user
has not authenticated - returns a 401, which forces authentication. This has
the effect of allowing you to mix authenticated and anonymous users in
almost the same way you can with Forms authentication. The big difference is
what happens after you log out. Because the authentication is scoped to a
connection, users might still show up as authenticated for a while, or
intermittently, until all the connections are dropped. I don't think there's
anything I can do about this. My fix was to add verbiage to the logoff page
that explains what's happening and suggests that the user close their
browser. I don't think it's going to be a big problem in practice because
it's probably not a huge deal to access the wiki as authenticated when you
don't want to be.
I'm curious - is anyone using the new bits? Got anything good or bad to say
about them?
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Flexwiki-users mailing list
Flexwiki-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/flexwiki-users
