Funky FormsAuthentication Cookie Behavior.

 
 
E.M.Smith
06-02-2004
We are having a problem where the HttpCookie.Value for FormsAuthentication is different between when it is created in Login.aspx.cs and when it is retrieved in Global.asax.cs. This problem happens whether the cookie is created with the encrypted authentication ticket or something as simple as "Hello World!". The code, web.config, and sample results are below. Does anyone please have any suggestions? Thank you.

// ------------------------------------------------------------------------------------------------
// ------------------------------------------------------------------------------------------------
// Login.aspx.cs code snippet
// ------------------------------------------------------------------------------------------------
// ------------------------------------------------------------------------------------------------
// Build the ticket (version 1, 60-minute lifetime, non-persistent, roles as user data)
loAuthenticationTicket = new FormsAuthenticationTicket( 1, lsUserIdentity, DateTime.Now, DateTime.Now.AddMinutes(60), false, lsRoles );

lsEncryptedTicket = FormsAuthentication.Encrypt( loAuthenticationTicket );

//loAuthenticationCookie = new HttpCookie( FormsAuthentication.FormsCookieName, "Hello World!" );
loAuthenticationCookie = new HttpCookie( FormsAuthentication.FormsCookieName, lsEncryptedTicket );

Response.Cookies.Add( loAuthenticationCookie );
// ------------------------------------------------------------------------------------------------

// ------------------------------------------------------------------------------------------------
// ------------------------------------------------------------------------------------------------
// Global.asax.cs Application_AuthenticateRequest code snippet
// ------------------------------------------------------------------------------------------------
// ------------------------------------------------------------------------------------------------
// Read the forms cookie back on each request and decrypt the ticket it carries
loAuthenticationCookie = Context.Request.Cookies[ FormsAuthentication.FormsCookieName ];
if (loAuthenticationCookie == null) return;

lsEncryptedTicket = loAuthenticationCookie.Value;

loAuthenticationTicket = FormsAuthentication.Decrypt( lsEncryptedTicket );
if (loAuthenticationTicket == null) return;

lsUserIdentity = loAuthenticationTicket.Name;
// ------------------------------------------------------------------------------------------------
// ------------------------------------------------------------------------------------------------

// ------------------------------------------------------------------------------------------------
// ------------------------------------------------------------------------------------------------
// Web.Config
// NOTE: We have tried multiple values and combinations
// for the <forms> and <sessionState> elements
// ------------------------------------------------------------------------------------------------
// ------------------------------------------------------------------------------------------------
<authentication mode="Forms">
  <forms name="EMSATC" loginUrl="Security/Login.aspx" protection="All" timeout="60" />
</authentication>
<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>
<compilation defaultLanguage="C#" debug="true" />
<customErrors mode="Off" />
<globalization requestEncoding="utf-8" responseEncoding="utf-8" />
<httpRuntime maxRequestLength="8192" />
<identity impersonate="true" />
<sessionState mode="Off"
  stateConnectionString="tcpip=127.0.0.1:42424"
  sqlConnectionString="data source=127.0.0.1;user id=sa;password="
  cookieless="true" />
<trace enabled="true" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" />
// ------------------------------------------------------------------------------------------------
// ------------------------------------------------------------------------------------------------

// ------------------------------------------------------------------------------------------------
// ------------------------------------------------------------------------------------------------
// Sample results
// ------------------------------------------------------------------------------------------------
// -------------------------------------------------------------------------------------------------
<forms protection="None"> on the encrypted authentication ticket:

HttpCookie.Value in Login.aspx.cs:
3A9082793BDB20070131007C0031007C00650073006D006900 740068000000201FDD61C448C4010020EF6525D548C4014700 750065007300740000002F000000

HttpCookie.Value in Global.asax.cs:
AEDA5C4CD4A36A630100005038B971C448C4010050A07DD3CC 48C40100002F000000


// -------------------------------------------------------------------------------------------------
<forms protection="All"> on the encrypted authentication ticket:

HttpCookie.Value in Login.aspx.cs:
26D64226C9FC29FE9BAD4746FA13DC48D3618C282B8E7CAD47 F4AF9CBD1BFACDF0907A6123AD1E5224FF2F54D8146F3181F5 3789950385286F90B4B51AEDFBA1089049525C1F414C57B851 683C74F857693F3AAD5131E4EB

HttpCookie.Value in Global.asax.cs:
349FDDC5EAC1F2CBF0BA96DF0BFEF89FEEFB389496B6520039 025AD7D34654A915D2C75AE1CA9F2F0DEE49E7020FA8CA50AF 32FFF0984D5B


// -------------------------------------------------------------------------------------------------
<forms protection="None"> on "Hello World!":

HttpCookie.Value in Login.aspx.cs:
Hello World!

HttpCookie.Value in Global.asax.cs:
A3A41B382C89D931010000C0495C7EC548C40100C0B120E0CD 48C40100002F000000


// -------------------------------------------------------------------------------------------------
<forms protection="All"> on "Hello World!":

HttpCookie.Value in Login.aspx.cs:
Hello World!

HttpCookie.Value in Global.asax.cs:
58DE4EDF9A37E074BEDF2CCD148E642D2363C4C74C80E1BE6A FF5EF502CB50F6A1BD8FD337B8F865ACB63D990C9BA77E514F EB7E89163B78
// -------------------------------------------------------------------------------------------------
// -------------------------------------------------------------------------------------------------

 
Alex Kleyman
06-03-2004
Are you using FormsAuthentication.RedirectFromLoginPage to redirect the user? If so, don't. It will create its own authentication cookie with the same name as FormsAuthentication.FormsCookieName, therefore replacing the cookie YOU created. Just use Response.Redirect( FormsAuthentication.GetRedirectUrl( UserName, false ) ) instead.

Alex
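
Added example (not part of either post): decoding the two protection="None" cookie values from the question shows that the value read in Global.asax.cs is a separate ticket rather than a corrupted copy, which is consistent with the cookie having been replaced. The field layout used here (8 leading bytes, version byte, NUL-terminated UTF-16 name, FILETIME issue date, persistence flag, FILETIME expiry, user data, path) is an assumption inferred from those sample values.

```python
import struct
from datetime import datetime, timedelta

# protection="None" cookie values copied from the question (forum line-wrap spaces removed).
SET_IN_LOGIN = ("3A9082793BDB20070131007C0031007C00650073006D006900"
                "740068000000201FDD61C448C4010020EF6525D548C4014700"
                "750065007300740000002F000000")
SEEN_IN_GLOBAL = ("AEDA5C4CD4A36A630100005038B971C448C4010050A07DD3CC"
                  "48C40100002F000000")

def _utf16z(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, next offset)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def _filetime(buf, pos):
    """Read a 64-bit FILETIME (100 ns ticks since 1601-01-01)."""
    (ticks,) = struct.unpack_from("<Q", buf, pos)
    return datetime(1601, 1, 1) + timedelta(microseconds=ticks // 10), pos + 8

def parse_ticket(hex_value):
    """Decode an unprotected ticket using the assumed layout described above."""
    buf = bytes.fromhex(hex_value)
    t, pos = {"version": buf[8]}, 9          # first 8 bytes differ per ticket; skipped
    t["name"], pos = _utf16z(buf, pos)
    t["issued"], pos = _filetime(buf, pos)
    t["persistent"], pos = bool(buf[pos]), pos + 1
    t["expires"], pos = _filetime(buf, pos)
    t["user_data"], pos = _utf16z(buf, pos)
    t["path"], pos = _utf16z(buf, pos)
    if pos != len(buf):
        raise ValueError("trailing bytes: assumed layout does not fit")
    return t

def differing_fields(hex_a, hex_b):
    """Names of the ticket fields whose decoded values differ."""
    a, b = parse_ticket(hex_a), parse_ticket(hex_b)
    return [k for k in a if a[k] != b[k]]

if __name__ == "__main__":
    for label, value in (("Login.aspx.cs", SET_IN_LOGIN), ("Global.asax.cs", SEEN_IN_GLOBAL)):
        print(label, parse_ticket(value))
    print("differs in:", differing_fields(SET_IN_LOGIN, SEEN_IN_GLOBAL))
```

The ticket set in Login.aspx.cs decodes to name "1|1|esmith" with user data "Guest", while the one seen in Global.asax.cs has an empty name, no user data, and a 60-minute lifetime that matches timeout="60" in the forms element.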

 