Some Basic ASP .Net Security Questions

Last post 07-10-2009 4:10 AM by TATWORTH. 4 replies.


  • Some Basic ASP .Net Security Questions

    07-09-2009, 1:58 AM
    • Member
    • swjam
    • Member since 07-09-2009, 5:54 AM
    • Posts 3

    would someone be kind enough to shed some light on the following concepts for me? these aren't assignment or exam questions, just things i couldn't find in the book i am reading and unbingable.

    * how would forms authentication be made to work if cookies aren't enabled?

    * session state can be stored in a cookie or within a munged url. if the latter, then for a 'busy' website, would there be a higher likelihood that a naughty user can replace the session state portion of the url with some random value and 'steal' someone else's session?

    * once a user has been authenticated (either via forms or windows), can session state be used from then onwards as a mechanism to identify if a user is who he says he is? at least until the session expires (is made to expire) and then the user has to login again?

    * as I understand it, IIS and ASP.Net are both services running in a web server OS. As such they need a logon account to run as. For IIS it is IUSR_[ComputerName] while for ASP.NET (IIS7) it is 'whomever' is entered in the site's application pool. If impersonation is enabled, then it uses the said account to run the .Net code behind the page. is this correct?

    * where do I find it in MMC where to set the account to run IIS under? I couldn't even find the entry for the IIS service in administrative tools > services. muchos gracias

  • Re: Some Basic ASP .Net Security Questions

    07-09-2009, 3:17 AM
    Answer

    swjam:
    * how would forms authentication be made to work if cookies aren't enabled?

    Forms Authentication provides an authentication token in the form of a cookie if the client's browser type supports/enables cookies. Otherwise, it stores the authentication token in the URI.


    swjam:
    IIS and ASP.Net are both services

    ASP.NET is a type of development framework for web application / website development.


    swjam:
    * as I understand it, IIS and ASP.Net are both services running in a web server OS. As such they need a logon account to run as. For IIS it is IUSR_[ComputerName] while for ASP.NET (IIS7) it is 'whomever' is entered in the sites application pool. If impersonation is enabled, then it uses the said account to run the .Net codes behind the page. is this correct?

    When you publish an asp.net application to IIS, the code will be executed under the IUSR_[ComputerName] (ASPNET) permissions and rights. When you override the identity of this account with some other valid username and password using Impersonation, then the code will be executed under the specified user's permissions and rights.

    swjam:
    I couldn't even find the entry for the IIS service in administrative tools

    go to > Start > run > type inetmgr > it will open IIS console > if not, then you need to install it from "Add Remove Windows Programs".


    swjam:
    where do I find it in MMC where to set the account to run IIS under?

    Once you have IIS installed correctly > you can find the current user account at > Open IIS > Right Click your website / Virtual Directory > Properties > Directory Security Tab > Edit Button > the dialog will show you the current user account being used to run the service under.


    hope it helps.

    Namaste,
    [KaushaL] || BloG || MS MVP

    "I would love to change the world, but they won’t give me the source code"


    Don't forget to click "Mark as Answer" on the post that helped you.
    This credits that member, earns you a point and mark your thread as Resolved for the sake of Future Readers.
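As an added illustration (not code from this thread or from any of the posters): in ASP.NET 2.0 and later the cookie-or-URI fallback described in the answer above is governed by the `cookieless` attribute on `<forms>` and on `<sessionState>` in web.config (`UseCookies`, `UseUri`, `AutoDetect`, `UseDeviceProfile`). The HttpModule below shows how an application can observe at runtime whether the forms ticket or the session id is being carried in the URL, and, as an assumed policy, refuses to honour a URL-carried ticket over plain HTTP, because such a URL ends up in proxy logs, browser history and Referer headers. The module name, its registration and that policy are assumptions; the `FormsAuthentication`, `HttpSessionState` and `HttpApplication` members used are the real ones.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

// Added example (not from the thread). Assumes ASP.NET 2.0+ with
// <authentication mode="Forms"> and session state enabled.
// Register it in web.config under <httpModules> (IIS 6 / classic) or
// <system.webServer><modules> (IIS 7 integrated):
//   <add name="CookielessGuard" type="CookielessGuard" />
public class CookielessGuard : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Session state has been attached to the request by the time
        // PostAcquireRequestState fires; earlier events cannot see ctx.Session.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        if (ctx.Session == null)
            return; // handler that does not use session state

        // True when the forms ticket is being carried in the URL instead of a cookie
        // (cookieless="UseUri", or AutoDetect/UseDeviceProfile decided the browser has no cookies).
        bool ticketInUri = !FormsAuthentication.CookiesSupported;

        // True when the session id is being carried in the URL (the "munged url" case).
        bool sessionInUri = ctx.Session.IsCookieless;

        if (!ticketInUri && !sessionInUri)
            return; // both identifiers are in cookies: nothing to do

        // Policy (assumption for this example): a URL-carried ticket is only accepted over HTTPS.
        // Over plain HTTP the same URL, copied from a log or history entry, would replay as that user.
        bool authenticated = ctx.User != null && ctx.User.Identity.IsAuthenticated;
        if (ticketInUri && authenticated && !ctx.Request.IsSecureConnection)
        {
            FormsAuthentication.SignOut();   // drop the ticket
            ctx.Session.Abandon();           // and the session that was paired with it
            ctx.Response.Redirect(FormsAuthentication.LoginUrl, true);
        }
    }

    public void Dispose() { }
}
```

The two flags are independent: `<forms cookieless="...">` controls where the ticket travels and `<sessionState cookieless="...">` controls where the session id travels, so an application can end up with one in a cookie and the other in the URL depending on how each is configured.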
  • Re: Some Basic ASP .Net Security Questions

    07-09-2009, 5:28 PM
    Answer
    • All-Star
      62,511 point All-Star
    • TATWORTH
    • Member since 02-04-2003, 8:34 AM
    • England
    • Posts 12,199
    • TrustedFriends-MVPs

    >can session state be used from then onwards as a mechanism to identify if a user is who he says he is?

    Yes - store the Id of the user in a session variable.

    Don't forget to click "Mark as Answer" on the post that helped you.
    This credits that member, earns you a point and marks your thread as Resolved so we will all know you have been helped.
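A worked version of this advice, added here and not part of TATWORTH's post: the sign-in code stores the user id in a session variable as suggested, but it also records the user name that forms authentication will carry in its own ticket, and a base page re-checks that the two agree on every request. That way a session id on its own (which in the cookieless case is visible in the URL, as the original question notes) is never treated as proof of identity; the signed, expiring forms ticket has to match it. `SessionIdentity`, `SecurePage` and the session key names are assumed; the `Membership` and `FormsAuthentication` calls are the real ASP.NET 2.0 ones.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Added example (not from the thread). Assumes ASP.NET 2.0+ WebForms with
// <authentication mode="Forms"> and a configured Membership provider.
public static class SessionIdentity
{
    // Session keys used to bind the session to the authenticated user (assumed names).
    public const string UserIdKey = "UserId";
    public const string UserNameKey = "AuthName";

    // Called by the login page after the user submits credentials.
    // Returns false when the credentials are rejected; on success it issues the
    // forms ticket and redirects, so control normally does not come back.
    public static bool SignIn(HttpContext ctx, string userName, string password)
    {
        if (!Membership.ValidateUser(userName, password))
            return false;

        // Drop anything stored before authentication so state from the pre-login
        // session (whose id the visitor already knew) does not carry over.
        ctx.Session.Clear();

        MembershipUser user = Membership.GetUser(userName);
        ctx.Session[UserIdKey] = user.ProviderUserKey;
        ctx.Session[UserNameKey] = user.UserName;

        // Issue the forms ticket (cookie, or URI when cookieless) and redirect to the original page.
        FormsAuthentication.RedirectFromLoginPage(user.UserName, false);
        return true;
    }

    // True only when the forms ticket and the session agree on who the caller is.
    public static bool IsSessionBoundToUser(HttpContext ctx)
    {
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated || ctx.Session == null)
            return false;

        string sessionName = ctx.Session[UserNameKey] as string;
        return sessionName != null
            && string.Equals(sessionName, ctx.User.Identity.Name, StringComparison.OrdinalIgnoreCase);
    }
}

// Base class for pages that must only be reached by a signed-in user.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (!SessionIdentity.IsSessionBoundToUser(Context))
        {
            // Session and ticket disagree (expired session, reused session id,
            // ticket without a matching session): tear both down and force a
            // fresh login rather than trusting either one alone.
            Session.Abandon();
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
        }
    }

    // The id the rest of the page uses for data access; only valid once OnInit passed.
    protected object CurrentUserId
    {
        get { return Session[SessionIdentity.UserIdKey]; }
    }
}
```

Pages that need a signed-in user derive from `SecurePage` instead of `Page`; the check runs before any of their own event handlers, so the session id alone never grants access to the data keyed by `CurrentUserId`.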
  • Re: Some Basic ASP .Net Security Questions

    07-10-2009, 12:36 AM
    • Member
    • swjam
    • Member since 07-09-2009, 5:54 AM
    • Posts 3

    kaushalparik27:
    Form Authentication provides an authentication token in the form of a cookie if the client’s browser type supports/enable cookies. Otherwise, it stores the authentication token in the URI.

    This means if I have cookies disabled and I am using forms authentication in conjunction with session state then the url will contain both of these pieces of information?

    kaushalparik27:
    ASP.NET is a type of development framework for web application / website development.

    It is, but this framework in order to be used needs to run in an active process, right? Is this active process IIS itself or does it use another host process, as I understand the main ASP.Net component is a dll? If it runs as its own service like the ASP state management aspnet_state.exe, then it needs its own logon.

    kaushalparik27:
    when you publish an asp.net application to IIS  - The code will be executed under IUSR_[ComputerName] (ASPNET)  permission and rights. when you override the Identity of this account with some other valid username and password using Impersonation then code will be executed under the specified user's permission and rights.

    so do we have 3 cases?

    1) by default (anonymous users) the code is executed under the IUSR_[ComputerName] (ASPNET).

    2) the code runs against the user set in the Application pools identity (ie IIS 7)

    3) the page uses impersonation and the code runs against the identity set in the impersonation section within web.config.

    4) the web application uses either forms or windows authentication  and

    a) the code runs against either 1), 2) or 3).  The authentication is only used to match user specific data against a data store.

    b) the web application uses impersonation programmatically to run code against the authenticated user.

    kaushalparik27:
    go to > Start > run > type inetmgr > it will open IIS console > if not, then you need to install it from "Add Remove Windows Programs".

    i am aware of the IIS console, was just wondering why i couldn't seem to find the iis service from within the Services MMC? or maybe it is under another name

    Thanks for taking time to answer my questions.


  • Re: Some Basic ASP .Net Security Questions

    07-10-2009, 4:10 AM
    Answer
    • All-Star
      62,511 point All-Star
    • TATWORTH
    • Member since 02-04-2003, 8:34 AM
    • England
    • Posts 12,199
    • TrustedFriends-MVPs

    >i couldn't seem to find the iis service from within the Services MMC? or maybe it is under another name

    Within the services Applet, you should see the "IIS Admin Service" and "World Wide Web Publishing Service", however the Internet Information Services (IIS) Manager is a completely different node of Computer Management.

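To make the identity cases from swjam's 07-10-2009 post concrete, here is an added handler (not code from the thread or from either poster) that reports which Windows account the request thread is actually running as (cases 1 to 3: the worker process or application pool account, or the account from `<identity impersonate="true">`), which principal ASP.NET authenticated (case 4, which is a separate thing from the thread's Windows token), and how case 4b, programmatic impersonation of a Windows-authenticated caller, changes the thread identity only inside the `using` block. `WhoAmIHandler` is an assumed name; map it in web.config via `<httpHandlers>` (IIS 6) or `<system.webServer><handlers>` (IIS 7). The `WindowsIdentity` and `IHttpHandler` members are the real .NET 2.0 ones.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example (not from the thread). Assumes ASP.NET 2.0+ on IIS 6 or 7.
// For the 4b branch to run, the site must use Windows authentication
// (<authentication mode="Windows">) so that ctx.User.Identity is a WindowsIdentity.
public class WhoAmIHandler : IHttpHandler
{
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.ContentType = "text/plain";

        // Cases 1-3: the Windows account the thread is executing under right now.
        //   IIS 5/6 without impersonation : the worker process account (ASPNET / NETWORK SERVICE)
        //   IIS 7 without impersonation   : the application pool identity
        //   <identity impersonate="true"> : the impersonated account (IUSR_* for anonymous
        //                                   requests, or the authenticated caller)
        string threadAccount = WindowsIdentity.GetCurrent().Name;
        ctx.Response.Write("Thread runs as:   " + threadAccount + "\n");

        // Case 4: the principal ASP.NET authenticated. With forms auth this is the
        // name in the ticket; with Windows auth it is the caller's domain account.
        // It says who the caller is, not which token the thread uses for file or DB access.
        bool isAuthenticated = ctx.User != null && ctx.User.Identity.IsAuthenticated;
        string caller = isAuthenticated ? ctx.User.Identity.Name : "(anonymous)";
        ctx.Response.Write("Authenticated as: " + caller + "\n");

        // Case 4b: programmatic impersonation. Only a Windows-authenticated caller has a
        // token to impersonate; a forms-authenticated user is just a name, so this is skipped.
        WindowsIdentity winId = isAuthenticated ? ctx.User.Identity as WindowsIdentity : null;
        if (winId == null)
        {
            ctx.Response.Write("No Windows token for the caller; cannot impersonate programmatically.\n");
            return;
        }

        using (WindowsImpersonationContext impersonation = winId.Impersonate())
        {
            // Inside this block, file and network access use the caller's rights,
            // so a permission failure here is the caller's, not the pool account's.
            ctx.Response.Write("Inside Impersonate(): " + WindowsIdentity.GetCurrent().Name + "\n");
        }

        // Dispose() reverted the thread to the process / pool account.
        ctx.Response.Write("After revert:     " + WindowsIdentity.GetCurrent().Name + "\n");
    }

    public bool IsReusable
    {
        get { return true; }
    }
}
```

Requesting the handler once anonymously and once while signed in shows the two identities diverging: the first line changes only when the pool identity or `<identity impersonate>` setting changes, the second line changes with the authentication mode, and the impersonated name appears only between `Impersonate()` and the end of the `using` block.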