Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > forms authentication ticket .userdata vanishing

Reply
Thread Tools

forms authentication ticket .userdata vanishing

 
 
e
Guest
Posts: n/a
 
      10-23-2003
I'm using forms authentication on a site. When the user logs in via the
login page, the entered creds are checked against AD, and if valid, an
encrypted forms authentication ticket is produced and stored in the forms
auth cookie (and written to the client), using this code:
____________________

'create the forms auth ticket

objAuthTicket = New FormsAuthenticationTicket(1, txtUsername.Text, _
DateTime.Now, DateTime.Now.AddMinutes(, False, _
"Data string I want to keep in the Ticket .UserData property")

'encrypt it

strEncryptedTicket = FormsAuthentication.Encrypt(objAuthTicket)

'stick it in the forms auth cookie

objAuthCookie = New HttpCookie(FormsAuthentication.FormsCookieName, _
strEncryptedTicket)

'place the cookie on the client

Response.Cookies.Add(objAuthCookie)
____________________

If I immediately retreive the cookie using this code:
____________________

'pick up the cookie from the client

objAuthCookie = Request.Cookies(FormsAuthentication.FormsCookieNam e)

'decrypt/extract the ticket object from the cookie

objAuthTicket = FormsAuthentication.Decrypt(objAuthCookie.Value)
____________________

....and examine the objAuthTicket.UserData, it contains the expected result:

"Data string I want to keep in the Ticket .UserData property"

However in Global.asax, in the Application_AuthenticateRequest event (which
is whre I need to read this ticket data for impersonation & security
purposes), I retreive the cookie (if it exists), decrypt the cookie.Value
into a ticket object using the exact same code as before:
____________________

'pick up the cookie

objAuthCookie = Request.Cookies(FormsAuthentication.FormsCookieNam e)

'decrypt/extract the ticket object from the cookie

objAuthTicket = FormsAuthentication.Decrypt(objAuthCookie.Value)
____________________

....and examine the objAuthTicket.Userdata, it now contains an unexpected
result:

""

Nothing. The issue date, expiration date, name, isPersistant, all other
aspects of the ticket have correct values, but the userData is now
nullstring. Does anyone have any ideas as to why that is? The login button
click handler and the Application_AuthenticateRequest event are the only 2
places I'm ever touching the cookie in the entire app.


 
Reply With Quote
 
 
 
 
John Saunders
Guest
Posts: n/a
 
      10-24-2003
"e" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> I'm using forms authentication on a site. When the user logs in via the
> login page, the entered creds are checked against AD, and if valid, an
> encrypted forms authentication ticket is produced and stored in the forms
> auth cookie (and written to the client), using this code:
> ____________________
>
> 'create the forms auth ticket
>
> objAuthTicket = New FormsAuthenticationTicket(1, txtUsername.Text, _
> DateTime.Now, DateTime.Now.AddMinutes(, False, _
> "Data string I want to keep in the Ticket .UserData property")
>
> 'encrypt it
>
> strEncryptedTicket = FormsAuthentication.Encrypt(objAuthTicket)
>
> 'stick it in the forms auth cookie
>
> objAuthCookie = New HttpCookie(FormsAuthentication.FormsCookieName, _
> strEncryptedTicket)
>
> 'place the cookie on the client
>
> Response.Cookies.Add(objAuthCookie)
> ____________________
>
> If I immediately retreive the cookie using this code:
> ____________________
>
> 'pick up the cookie from the client
>
> objAuthCookie = Request.Cookies(FormsAuthentication.FormsCookieNam e)
>
> 'decrypt/extract the ticket object from the cookie
>
> objAuthTicket = FormsAuthentication.Decrypt(objAuthCookie.Value)
> ____________________
>
> ...and examine the objAuthTicket.UserData, it contains the expected

result:
>
> "Data string I want to keep in the Ticket .UserData property"
>
> However in Global.asax, in the Application_AuthenticateRequest event

(which
> is whre I need to read this ticket data for impersonation & security
> purposes), I retreive the cookie (if it exists), decrypt the cookie.Value
> into a ticket object using the exact same code as before:
> ____________________
>
> 'pick up the cookie
>
> objAuthCookie = Request.Cookies(FormsAuthentication.FormsCookieNam e)
>
> 'decrypt/extract the ticket object from the cookie
>
> objAuthTicket = FormsAuthentication.Decrypt(objAuthCookie.Value)
> ____________________
>
> ...and examine the objAuthTicket.Userdata, it now contains an unexpected
> result:
>
> ""
>
> Nothing. The issue date, expiration date, name, isPersistant, all other
> aspects of the ticket have correct values, but the userData is now
> nullstring. Does anyone have any ideas as to why that is? The login

button
> click handler and the Application_AuthenticateRequest event are the only 2
> places I'm ever touching the cookie in the entire app.
>



I don't know why your code doesn't work, but in my code, I use the
FormsAuthenticationTicket directly:

if (!Request.IsAuthenticated) return;

FormsIdentity fi = (FormsIdentity) User.Identity;
FormsAuthenticationTicket ticket = fi.Ticket;
// You can now use ticket.UserData
--
John


 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Forms authentication failed for the request. Reason: The ticket supplied has expired. Gibble ASP .Net 6 05-15-2007 02:23 PM
ASP.Net Forms Authentication - Storing Enrypted Ticket In HttpCookie Mythran ASP .Net 2 03-08-2007 04:50 PM
Forms Authentication Ticket Functionality With Windows Authentication jfer ASP .Net Security 3 09-16-2005 06:30 PM
Forms Authentication Ticket/Cookie values =?Utf-8?B?Y2h1Y2sgcnVkb2xwaA==?= ASP .Net 3 05-19-2005 12:16 AM
Authentication ticket, cookieless, forms authentication? Lauchlan M ASP .Net Security 0 10-01-2003 12:23 AM



Advertisments