Role Manager Cookies

Chuck
09-21-2009
When using Forms Authentication the cookie's value contains an authentication
ticket and the ticket has a timeout.
When using Role Manager, does the roles cookie have a ticket and a time out
too.
If so when and where does it get the value?

Thanks,

 
Allen Chen [MSFT]
09-21-2009
Hi,

> When using Forms Authentication the cookie's value contains an authentication
> ticket and the ticket has a timeout.
> When using Role Manager, does the roles cookie have a ticket and a time out
> too.
> If so when and where does it get the value?
>
> Thanks,



It depends on the provider of Role Manager. If you're using
SqlRoleProvider, when you call a Roles API such as Roles.IsUserInRole(string
username, string rolename), the IsUserInRole(string username, string
rolename) method of the SqlRoleProvider will be called, which queries the
database to check if the user is in the role. In the IsUserInRole(string
username, string rolename) method, a stored procedure is called; see
below:

public override bool IsUserInRole(string username, string roleName)
{
    bool flag;
    SecUtility.CheckParameter(ref roleName, true, true, true, 0x100, "roleName");
    SecUtility.CheckParameter(ref username, true, false, true, 0x100, "username");
    if (username.Length < 1)
    {
        return false;
    }
    try
    {
        SqlConnectionHolder connection = null;
        try
        {
            connection = SqlConnectionHelper.GetConnection(this._sqlConnectionString, true);
            this.CheckSchemaVersion(connection.Connection);
            // the membership check is a stored procedure call; the answer comes back as the return value
            SqlCommand cmd = new SqlCommand("dbo.aspnet_UsersInRoles_IsUserInRole", connection.Connection);
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.CommandTimeout = this.CommandTimeout;
            SqlParameter parameter = new SqlParameter("@ReturnValue", SqlDbType.Int);
            parameter.Direction = ParameterDirection.ReturnValue;
            cmd.Parameters.Add(parameter);
            cmd.Parameters.Add(this.CreateInputParam("@ApplicationName", SqlDbType.NVarChar, this.ApplicationName));
            cmd.Parameters.Add(this.CreateInputParam("@UserName", SqlDbType.NVarChar, username));
            cmd.Parameters.Add(this.CreateInputParam("@RoleName", SqlDbType.NVarChar, roleName));
            cmd.ExecuteNonQuery();
            switch (this.GetReturnValue(cmd))
            {
                case 0:
                    return false;
                case 1:
                    return true;
                case 2:
                    return false;
                case 3:
                    return false;
            }
            throw new ProviderException(SR.GetString("Provider_unknown_failure"));
        }
        finally
        {
            if (connection != null)
            {
                connection.Close();
                connection = null;
            }
        }
    }
    catch
    {
        throw;
    }
    return flag; // unreachable; every path above returns or throws (decompiler artifact)
}


This should address your question "where does it get the value". As to
"when does it get the value", it depends on when you call the Role Manager
API. You may call it intentionally or use other APIs that implicitly call
it.

Hope the above information is helpful. If you have additional questions please
don't hesitate to let me know. I'll do my best to follow up.


Regards,
Allen Chen
Microsoft Online Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
http://www.velocityreviews.com/forums/(E-Mail Removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subs...#notifications.

Note: MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 2 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions. Issues of this
nature are best handled working with a dedicated Microsoft Support Engineer
by contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subs.../aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


 
Chuck
09-22-2009
My understanding was that if you were using the SQL role provider it
would query the database and then put the roles into a cookie:

    <roleManager
        cacheRolesInCookie="true" >
    </roleManager>

So when using the Role Manager and cookie caching, does the roles cookie
have a ticket and a time out?
If so, when and where does it get the cookie timeout value?
Is there a way I can read the roles cookie and see what the time out is?

Allen Chen [MSFT]
09-22-2009
Hi,

>So when using the Role Manager and cookie caching, does the roles cookie
>have a ticket and a time out.
>If so when and where does it get the cookie timeout value?
>Is there a way I can read the roles cookie and see what the time out is?


<Sorry, I posted an incomplete post by mistake.>

Thanks for the clarification. Yes, it has a timeout and a cookie. The code that
sets/gets the roles cookie is in the RoleManagerModule class. In its OnEnter()
and OnLeave() methods the cookie is read and set. OnEnter fires on the
PostAuthenticateRequest event of HttpApplication and OnLeave fires on the
EndRequest event of HttpApplication:

public void Init(HttpApplication app)
{
    if (Roles.Enabled)
    {
        app.PostAuthenticateRequest += new EventHandler(this.OnEnter);
        app.EndRequest += new EventHandler(this.OnLeave);
    }
}


To get the roles cookie, you can try:

HttpCookie cookie = context.Request.Cookies[Roles.CookieName];


But to read the detailed information of the cookie you can simply try the
following code, because the data in the roles cookie will be decoded and
assigned to the RolePrincipal:

RolePrincipal rp = (RolePrincipal)HttpContext.Current.User;
// rp.ExpireDate holds the timeout decoded from the roles ticket

If you're interested, you can view the source code for more details:

private void OnEnter(object source, EventArgs eventArgs)
{
    if (!Roles.Enabled)
    {
        if (HttpRuntime.UseIntegratedPipeline)
        {
            ((HttpApplication) source).Context.DisableNotifications(RequestNotification.EndRequest, 0);
        }
    }
    else
    {
        HttpApplication application = (HttpApplication) source;
        HttpContext context = application.Context;
        if (this._eventHandler != null)
        {
            // RoleManagerModule.GetRoles event: a handler may populate the roles itself
            RoleManagerEventArgs e = new RoleManagerEventArgs(context);
            this._eventHandler(this, e);
            if (e.RolesPopulated)
            {
                return;
            }
        }
        if (Roles.CacheRolesInCookie)
        {
            if (context.User.Identity.IsAuthenticated &&
                (!Roles.CookieRequireSSL || context.Request.IsSecureConnection))
            {
                try
                {
                    HttpCookie cookie = context.Request.Cookies[Roles.CookieName];
                    if (cookie != null)
                    {
                        string encryptedTicket = cookie.Value;
                        if ((encryptedTicket != null) && (encryptedTicket.Length > 0x1000))
                        {
                            Roles.DeleteCookie();
                        }
                        else
                        {
                            if (!string.IsNullOrEmpty(Roles.CookiePath) && (Roles.CookiePath != "/"))
                            {
                                cookie.Path = Roles.CookiePath;
                            }
                            cookie.Domain = Roles.Domain;
                            // decrypts/validates the ticket and caches its role list on the principal
                            context.User = new RolePrincipal(context.User.Identity, encryptedTicket);
                        }
                    }
                }
                catch
                {
                    // a ticket that fails decryption or validation is ignored; the user
                    // falls through to a RolePrincipal without a cached list
                }
            }
            else
            {
                if (context.Request.Cookies[Roles.CookieName] != null)
                {
                    Roles.DeleteCookie();
                }
                if (HttpRuntime.UseIntegratedPipeline)
                {
                    context.DisableNotifications(RequestNotification.EndRequest, 0);
                }
            }
        }
        if (!(context.User is RolePrincipal))
        {
            context.User = new RolePrincipal(context.User.Identity);
        }
        Thread.CurrentPrincipal = context.User;
    }
}




private void OnLeave(object source, EventArgs eventArgs)
{
    HttpApplication application = (HttpApplication) source;
    HttpContext context = application.Context;
    if (((Roles.Enabled && Roles.CacheRolesInCookie) && !context.Response.HeadersWritten) &&
        (((context.User != null) && (context.User is RolePrincipal)) && context.User.Identity.IsAuthenticated))
    {
        if (Roles.CookieRequireSSL && !context.Request.IsSecureConnection)
        {
            if (context.Request.Cookies[Roles.CookieName] != null)
            {
                Roles.DeleteCookie();
            }
        }
        else
        {
            RolePrincipal user = (RolePrincipal) context.User;
            if (user.CachedListChanged && context.Request.Browser.Cookies)
            {
                // the ticket is only rewritten when the cached list changed on this request
                string str = user.ToEncryptedTicket();
                if (string.IsNullOrEmpty(str) || (str.Length > 0x1000))
                {
                    Roles.DeleteCookie();
                }
                else
                {
                    HttpCookie cookie = new HttpCookie(Roles.CookieName, str);
                    cookie.HttpOnly = true;
                    cookie.Path = Roles.CookiePath;
                    cookie.Domain = Roles.Domain;
                    if (Roles.CreatePersistentCookie)
                    {
                        cookie.Expires = user.ExpireDate;
                    }
                    cookie.Secure = Roles.CookieRequireSSL;
                    context.Response.Cookies.Add(cookie);
                }
            }
        }
    }
}

Regards,
Allen Chen
Microsoft Online Support
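The following is an added example, not code from this thread or from the .NET Framework source quoted above. It pulls together the Role Manager settings and RolePrincipal properties that answer the cookie-timeout question (the timeout comes from the cookieTimeout attribute of <roleManager>, default 30 minutes; the decoded IssueDate/ExpireDate live on the RolePrincipal that OnEnter builds), and adds the configuration checks a reviewer would run on the roles cookie. It assumes a System.Web application with Role Manager enabled and cacheRolesInCookie="true"; the class name RolesCookieInspector and its methods are hypothetical names chosen here.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

// Added example (hypothetical helper, not part of the framework or the thread).
public static class RolesCookieInspector
{
    // Answers "where does the timeout come from": Roles.CookieTimeout mirrors the
    // cookieTimeout attribute (minutes, default 30), and RolePrincipal carries the
    // IssueDate/ExpireDate that RoleManagerModule.OnEnter decoded from the ticket.
    public static IDictionary<string, string> Describe(HttpContext context)
    {
        var info = new Dictionary<string, string>();
        info["RolesEnabled"] = Roles.Enabled.ToString();
        info["CacheRolesInCookie"] = Roles.CacheRolesInCookie.ToString();
        info["CookieName"] = Roles.CookieName;
        info["ConfiguredTimeoutMinutes"] = Roles.CookieTimeout.ToString();
        info["SlidingExpiration"] = Roles.CookieSlidingExpiration.ToString();
        info["CookieProtection"] = Roles.CookieProtectionValue.ToString();
        info["CookieRequireSSL"] = Roles.CookieRequireSSL.ToString();
        info["PersistentCookie"] = Roles.CreatePersistentCookie.ToString();

        HttpCookie cookie = context.Request.Cookies[Roles.CookieName];
        info["CookiePresent"] = (cookie != null).ToString();

        // The cookie value is an encrypted and/or signed ticket (cookieProtection);
        // read it through RolePrincipal rather than parsing cookie.Value.
        var rp = context.User as RolePrincipal;
        if (rp != null)
        {
            info["IsRoleListCached"] = rp.IsRoleListCached.ToString();
            info["IssueDate"] = rp.IssueDate.ToString("o");
            info["ExpireDate"] = rp.ExpireDate.ToString("o");
            info["Expired"] = rp.Expired.ToString();
            info["CachedListChanged"] = rp.CachedListChanged.ToString();
            info["TicketVersion"] = rp.Version.ToString();
        }
        return info;
    }

    // Review checks a defender would run against the <roleManager> configuration.
    // Returns an empty list when nothing needs attention.
    public static IList<string> ConfigurationFindings()
    {
        var findings = new List<string>();
        if (!Roles.Enabled || !Roles.CacheRolesInCookie)
        {
            return findings; // no roles cookie is issued, so nothing to harden here
        }
        if (Roles.CookieProtectionValue != CookieProtection.All)
        {
            findings.Add("cookieProtection is " + Roles.CookieProtectionValue +
                         "; use \"All\" so the role list is both encrypted and tamper-checked");
        }
        if (!Roles.CookieRequireSSL)
        {
            findings.Add("cookieRequireSSL is false; the role ticket can be sent over plain HTTP");
        }
        if (Roles.CreatePersistentCookie)
        {
            findings.Add("createPersistentCookie is true; cached roles survive the browser session until ExpireDate");
        }
        if (Roles.CookieSlidingExpiration)
        {
            findings.Add("cookieSlidingExpiration is true; an active user's cached list is renewed rather than " +
                         "re-read from the provider, so a role revoked in the store can persist beyond one cookieTimeout");
        }
        return findings;
    }

    // Roles cached in the cookie are not re-read from the provider until the ticket
    // expires. For the current user, deleting the cookie forces OnEnter to build the
    // RolePrincipal without a cached list on the next request, so the provider is queried
    // again and OnLeave issues a fresh ticket.
    public static void ForceRoleRefreshForCurrentUser()
    {
        Roles.DeleteCookie();
    }
}
```

Call Describe(HttpContext.Current) from a page or handler to see the configured timeout next to the ExpireDate actually carried by the ticket. Note that Roles.DeleteCookie only touches the current response: the server cannot revoke another user's cached role list, which is why a short cookieTimeout (or not caching at all) is the mitigation when roles change often.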

 
Allen Chen [MSFT]
09-29-2009
Hi,

>quote from (E-Mail Removed)
>So when using the Role Manager and cookie caching, does the roles cookie
>have a ticket and a time out.
>If so when and where does it get the cookie timeout value?
>Is there a way I can read the roles cookie and see what the time out is?


Do you have additional questions?

Regards,
Allen Chen
Microsoft Online Support

 