Velocity Reviews


chuck rudolph 05-17-2005 04:10 AM

Forms Authentication Ticket/Cookie values
 
Folks, can anyone confirm that my understanding is correct and maybe shed some
light on why it's as it is. (I'm guessing security, but that seems weak to
me.)

The asp.net web application is using forms authentication.

If I create a FormsAuthTicket with userdata in the appropriate place, then
encode it and create a cookie, add it to the response.cookie collection and
use it, all is well.

However if after I create the cookie I add some additional values to the
cookie, and then add it to the collection, asp.net no longer recognizes this
as a valid authentication ticket.

Thanks for the info...Chuck



Scott Allen 05-17-2005 11:43 PM

Re: Forms Authentication Ticket/Cookie values
 
Hi Chuck:

You can piggyback data in the cookie, but since the forms auth cookie
is encrypted and hashed to prevent tampering it takes some extra work.
There is a section in the following document to show you how:

http://www.pluralsight.com/articleco...entication.pdf

HTH,

--
Scott
http://www.OdeToCode.com/blogs/scott/

On Mon, 16 May 2005 21:10:31 -0700, "chuck rudolph"
<chuckrudolph@discussions.microsoft.com> wrote:

>Folks, can anyone confirm that my understanding is correct and maybe shed some
>light on why it's as it is. (I'm guessing security, but that seems weak to
>me.)
>
>The asp.net web application is using forms authentication.
>
>If I create a FormsAuthTicket with userdata in the appropriate place, then
>encode it and create a cookie, add it to the response.cookie collection and
>use it, all is well.
>
>However if after I create the cookie I add some additional values to the
>cookie, and then add it to the collection, asp.net no longer recognizes this
>as a valid authentication ticket.
>
>Thanks for the info...Chuck
>



chuck rudolph 05-18-2005 09:06 PM

Re: Forms Authentication Ticket/Cookie values
 
Scott, I get how to stuff items in the "userdata" area of the forms auth
ticket. The question I have is concerning the cookie values collection of the
encoded ticket.

I'll also quibble with the words in your response. If the cookie is hashed
and encrypted, why have a routine of
....GetAuthCookie(name,Ispersistent,path)? Once I get the cookie I can set the
expiration, can't I?

I know there are quirks in the system, I am just trying to confirm my belief
that FormsAuth cookies can NOT have members in the "values" collection.

"Scott Allen" wrote:

> Hi Chuck:
>
> You can piggyback data in the cookie, but since the forms auth cookie
> is encrypted and hashed to prevent tampering it takes some extra work.
> There is a section in the following document to show you how:
>
> http://www.pluralsight.com/articleco...entication.pdf
>
> HTH,
>
> --
> Scott
> http://www.OdeToCode.com/blogs/scott/


Brock Allen 05-19-2005 12:16 AM

Re: Forms Authentication Ticket/Cookie values
 
> You can piggyback data in the cookie, but since the forms auth cookie
> is encrypted and hashed to prevent tampering it takes some extra work.
> There is a section in the following document to show you how:
>
> http://www.pluralsight.com/articleco...asedAuthentication.pdf


I'd be wary of this approach, personally. My main complaint is that if the
roles are cached in the cookie, then it's difficult to remove the role from
the user while they have their browser active. I tend to cache the roles
on the server in the ASP.NET Cache. Of course, this has the same drawbacks
as the cookie if you're using a server farm. See, nothing's easy :)

-Brock
DevelopMentor
http://staff.develop.com/ballen
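To make the behaviour discussed in this thread concrete, here is an added example (not code from the thread or from the .NET Framework) of issuing and reading the forms-auth cookie with piggybacked roles in UserData, as Scott suggests, with a comment on why adding cookie sub-values breaks validation and on the staleness caveat Brock raises. It assumes ASP.NET on .NET Framework 2.0 or later; the helper name AuthCookieHelper and the "|"-separated role format are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper, not from the thread or from ASP.NET itself.
public static class AuthCookieHelper
{
    // Issue the forms-auth cookie after login. Piggybacked data (roles here) goes in
    // UserData, inside the encrypted and MAC'd ticket, so the client cannot edit it.
    public static HttpCookie Issue(string userName, string[] roles, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), persistent,
            string.Join("|", roles), FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                       // keep script from reading the ticket
        cookie.Secure = FormsAuthentication.RequireSSL;
        if (persistent) cookie.Expires = ticket.Expiration;

        // What breaks the ticket: cookie.Values["theme"] = "dark";
        // That rewrites cookie.Value as "<encrypted>&theme=dark", which is no longer a
        // valid encrypted ticket, so Decrypt fails and the request is unauthenticated.
        // Extra values belong in a second cookie or in UserData, not in this one.
        return cookie;
    }

    // Call from Application_AuthenticateRequest to rebuild the principal. Roles read
    // here are as stale as the ticket: a role removed server-side stays in the
    // cookie until the ticket is reissued, which is Brock's objection above.
    public static IPrincipal ReadPrincipal(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }           // malformed, truncated or tampered value
        if (ticket == null || ticket.Expired) return null;

        string[] roles = ticket.UserData.Split(new[] { '|' },
                                               StringSplitOptions.RemoveEmptyEntries);
        return new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```

Add the returned cookie with Response.Cookies.Add after login, and assign the result of ReadPrincipal to HttpContext.Current.User in Application_AuthenticateRequest.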
