Change authentication ticket value at run time?

Tony

Hi,
What am I doing wrong?

There are 2 levels of user accessing the
application: 'Admin' and 'NoneAdmin'.
I'm using role-based authentication.

Some 'Admin' users need to manipulate data on behalf of
some 'NoneAdmin' user, which means that I have an option
where the 'Admin' user, after he is logged in, would
view, save, update, delete other user data, and in order to
allow this 'Admin' to manipulate the 'NoneAdmin' data, I
need to change his authentication ticket at runtime
temporarily to let him act as the owner of this data.

Here is the code:
Dim tempTicket As New FormsAuthenticationTicket(1, NoneAdmin_Name, _
    DateTime.Today, DateTime.Today.AddMinutes(180), _
    True, "xxxx")

Dim hashTempTicket As String = FormsAuthentication.Encrypt(tempTicket)
Dim tempCookie As HttpCookie = New HttpCookie(FormsAuthentication.FormsCookieName(), tempTicket)
tempCookie.Expires = DateTime.Today.AddMinutes(60)
Response.Cookies.Add(tempCookie)


I suppose that this temporary ticket will overwrite the
original one, which I saved somewhere before it gets
overwritten.

The problem is that on the next request to any page the user
is redirected to the login page.

Thank you for any help.
 
MSFT

Hi Tony,

How about SignOut the Admin user first and then assign him a noneadmin
FormsAuthenticationTicket?

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Tony

Hi Luke,
I tried that too (SignOut the 'Admin' then assign him a
new ticket as 'NoneAdmin') but it keeps redirecting the
user to the login page.

And I even tried to delete the old cookie on the client
side (Response.cookie("cookieName")=Nothing
Response.cookie("cookieName")="/"
Response.cookie("cookieName").expires=new DateTime(19661,1) )
but it didn't work either.

Any more ideas?
 
MSFT

Hi Tony,

I am working on this issue to make sure if this is possible and will update
you as soon as possible.

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
MSFT

Hi Tony,

Based on my test, the following code seems to be workable:

Dim tempTicket As New FormsAuthenticationTicket(1, "NoneAdmin", _
    DateTime.Now, DateTime.Now.AddMinutes(60), True, "xxxx")

Dim hashTempTicket As String = FormsAuthentication.Encrypt(tempTicket)
Dim tempCookie As HttpCookie = New HttpCookie(FormsAuthentication.FormsCookieName(), hashTempTicket)
tempCookie.Expires = tempTicket.Expiration
tempCookie.Path = FormsAuthentication.FormsCookiePath
Response.Cookies.Add(tempCookie)


Compared with your code, I set the cookie's Expires and Path. I put the above
code in a button's Click event. In another button's Click event, I have the
following code:

Response.Write(User.Identity.Name)

It outputs "NoneAdmin" instead of "Admin".

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
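
Added example, not part of the thread and not the posters' or Microsoft's code: the ticket swap discussed above, passing the encrypted string (not the ticket object) as the cookie value and using DateTime.Now as the issue time, with a role check before the swap and the acting admin's name kept in the ticket's UserData so the change can be attributed and reverted. The module and method names, the "impersonatedBy=" marker and the 15-minute lifetime are assumptions; HttpCookie.HttpOnly requires .NET 2.0 or later.

```vb
Imports System
Imports System.Web
Imports System.Web.Security

' Hypothetical helper (names are assumptions, not from the thread).
Public Module ImpersonationHelper
    Private Const Marker As String = "impersonatedBy="   ' assumed UserData convention
    Private Const MaxMinutes As Integer = 15              ' assumed short lifetime

    Public Sub BeginImpersonation(ByVal ctx As HttpContext, ByVal targetUser As String)
        ' Only an authenticated user in the 'Admin' role may get a ticket for another user.
        If Not ctx.User.Identity.IsAuthenticated OrElse Not ctx.User.IsInRole("Admin") Then
            Throw New UnauthorizedAccessException("Admin role required")
        End If
        ' Record who is really acting so later changes can be attributed in audit logs.
        IssueTicket(ctx, targetUser, Marker & ctx.User.Identity.Name)
    End Sub

    Public Sub EndImpersonation(ByVal ctx As HttpContext)
        Dim id As FormsIdentity = TryCast(ctx.User.Identity, FormsIdentity)
        If id Is Nothing OrElse Not id.Ticket.UserData.StartsWith(Marker) Then Return
        ' Restore the admin named inside the encrypted ticket, never a client-supplied value.
        IssueTicket(ctx, id.Ticket.UserData.Substring(Marker.Length), "")
    End Sub

    Private Sub IssueTicket(ByVal ctx As HttpContext, ByVal name As String, ByVal userData As String)
        Dim issued As DateTime = DateTime.Now   ' DateTime.Today would be midnight, not the current time
        Dim ticket As New FormsAuthenticationTicket(1, name, issued, _
            issued.AddMinutes(MaxMinutes), False, userData, FormsAuthentication.FormsCookiePath)
        ' The cookie value must be the encrypted string, not the ticket object itself.
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
            FormsAuthentication.Encrypt(ticket))
        cookie.Path = FormsAuthentication.FormsCookiePath
        cookie.HttpOnly = True
        cookie.Secure = FormsAuthentication.RequireSSL
        ' Non-persistent: no Expires is set, so the cookie ends with the browser session.
        ctx.Response.Cookies.Add(cookie)
    End Sub
End Module
```

Pages that save or delete data can read the marker from the current ticket's UserData and write both the acting admin and the target user to the audit log.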
 
