Change authentication ticket value at run time?

Discussion in 'ASP .Net Security' started by Tony, Dec 3, 2003.

  1. Tony

    Tony Guest

    Hi,
    what am I doing wrong ?

    there is 2 levels of user accessing the
    application:'Admin' and 'NoneAdmin'.
    I'm using role based authentication.

    some 'Admin' user need to manipulate data on behalf of
    some 'NoneAdmin' user, which means that I have an option
    where the 'Admin' user, after he is logged in, would
    view,save, update,delete other user data) and in order to
    allow this "Admin' to manipulate the 'NoneAdmin' data, I
    need to change his authentication ticket at runtime
    temporarily to let him act as the owner of this data.

    here is the code:
    Dim tempTicket As New FormsAuthenticationTicket(1,
    NoneAdmin_Name, _
    DateTime.Today,
    DateTime.Today.AddMinutes(180), _
    True, "xxxx")

    Dim hashTempTicket As String = FormsAuthentication.Encrypt
    (tempTicket)
    Dim tempCookie As HttpCookie = New HttpCookie
    (FormsAuthentication.FormsCookieName(), tempTicket)
    tempCookie.Expires = DateTime.Today.AddMinutes(60)
    Response.Cookies.Add(tempCookie)


    I suppose that this temporary ticket will overwrite the
    original one that I saved somewhere before it get
    overwritten.

    the problem is, that the next request to any page the user
    is redirected to the the login page

    thank you for any help.
     
    Tony, Dec 3, 2003
    #1
    1. Advertising

  2. Tony

    MSFT Guest

    Hi Tony,

    How about SignOut the Admin user first and then assign him a noneadmin
    FormsAuthenticationTicket?

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    MSFT, Dec 4, 2003
    #2
    1. Advertising

  3. Tony

    Tony Guest

    hi Lucke,
    I tried that too (SignOut the 'Admin' then assign him a
    new ticket as 'NoneAdmin') but it keep redirecting the
    user to the login page.

    and I even tried to delete the old cookie on the client
    side (Response.cookie("cookieName")=Nothing
    Response.cookie("cookieName")="/"
    Response.cookie("cookieName").expires=new DateTime
    (19661,1) )
    but it didn't work either.

    any more idea ??
     
    Tony, Dec 4, 2003
    #3
  4. Tony

    MSFT Guest

    Hi Tony,

    I am working on this issue to make sure if this is possible and will update
    you as soon as possible.

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    MSFT, Dec 8, 2003
    #4
  5. Tony

    MSFT Guest

    Hi Tony,

    Based on my test, following code seem to be workable:

    Dim tempTicket As New FormsAuthenticationTicket(1, "NoneAdmin",
    DateTime.Now, DateTime.Now.AddMinutes(60), True, "xxxx")

    Dim hashTempTicket As String =
    FormsAuthentication.Encrypt(tempTicket)
    Dim tempCookie As HttpCookie = New
    HttpCookie(FormsAuthentication.FormsCookieName(), hashTempTicket)
    tempCookie.Expires = tempTicket.Expiration
    tempCookie.Path = FormsAuthentication.FormsCookiePath
    Response.Cookies.Add(tempCookie)


    Compared with your code, I set the cookie's Expire and Path. I put above
    code in a button's click event. In another button's CLick event, I have
    following code:

    Response.Write(User.Identity.Name)

    It output "NoneAdmin" instead of "Admin"

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    MSFT, Dec 9, 2003
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. e
    Replies:
    1
    Views:
    3,632
    John Saunders
    Oct 24, 2003
  2. Roel

    authentication ticket

    Roel, Jul 19, 2004, in forum: ASP .Net
    Replies:
    2
    Views:
    479
    John Saunders
    Jul 19, 2004
  3. Pierre Yves
    Replies:
    2
    Views:
    524
    Pierre Yves
    Jan 10, 2008
  4. Lauchlan M
    Replies:
    0
    Views:
    245
    Lauchlan M
    Oct 1, 2003
  5. jfer
    Replies:
    3
    Views:
    583
    Dominick Baier [DevelopMentor]
    Sep 16, 2005
Loading...

Share This Page