Create Forms Authentication Ticket with MachineKeys

Discussion in 'ASP .Net Security' started by Chuck, Jan 19, 2010.

  1. Chuck

    Chuck Guest

    I'm using Selenium to test a web application.
    I need to create a Forms Authentication Cookie and let Selenium load it into
    the browser instance.

    I'm having a problem because my nUnit class does not have access to the
    web.config file.
    The website uses MachineKey validationKey and decryptionKey.
    I know these values and can put them in the nUnit class.
    However, I usually create Forms Cookies by doing

    tkt = new FormsAuthenticationTicket(1, txtNewIdentity.Text, DateTime.Now,
        DateTime.Now.AddMinutes(TimeOut_Get()), bPersistent,
        HttpContext.Current.Request.UserHostAddress);

    CookieValue = FormsAuthentication.Encrypt(tkt);

    I don't believe the cookie will be properly encrypted because when I run
    .Encrypt(tkt), it won't find the encryption key to use.

    Any way to manually make the forms authentication cookie without assuming
    the .net methods have access to the web.config file?
    Chuck, Jan 19, 2010
    #1

  2. Hi Chuck,

    The FormsAuthentication.Encrypt method internally uses the algorithm and
    key specified by the decryption and decryptionKey attributes on the
    machineKey element of your web.config.

    I am not using Selenium. If it cannot access web.config, you can try to set
    decryptionKey property programmatically.
    For example:
    =====================================

    MachineKeySection m = new MachineKeySection();
    m.DecryptionKey = "your decryptionKey";

    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
        "userName",
        DateTime.Now,
        DateTime.Now.AddMinutes(20),
        false,
        String.Empty,
        FormsAuthentication.FormsCookiePath);

    string encryptedTicket = FormsAuthentication.Encrypt(ticket);

    =====================================

    For more information about the MachineKeySection.DecryptionKey property, see
    http://msdn.microsoft.com/en-us/library/system.web.configuration.machinekeysection.decryptionkey.aspx



    I look forward to receiving your test results.


    Best Regards,
    Thomas Sun

    Microsoft Online Partner Support

    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

    With newsgroups, MSDN subscribers enjoy unlimited, free support as opposed
    to the limited number of phone-based technical support incidents. Complex
    issues or server-down situations are not recommended for the newsgroups.
    Issues of this nature are best handled working with a Microsoft Support
    Engineer using one of your phone-based incidents.
    ==================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.

    Thomas Sun [MSFT], Jan 21, 2010
    #2

  3. Chuck

    Chuck Guest

    I'm pretty sure that won't work because the MachineKeySection m never gets
    used by anything.

    You don't really need Selenium; any C# class that runs without access to the
    HttpContext will do.


    Chuck, Jan 21, 2010
    #3
  4. Hi Chuck,

    Thanks for your response.

    The code should be as follows:
    ===========================
    //MachineKeySection m = new MachineKeySection();
    //m.DecryptionKey = "your decryptionKey";
    Configuration configuration =
        WebConfigurationManager.OpenWebConfiguration("~");
    MachineKeySection m =
        (MachineKeySection)configuration.GetSectionGroup("system.web").Sections["machineKey"];
    m.DecryptionKey = "your decryptionKey";
    ===========================

    The FormsAuthentication.Encrypt method internally uses the specified in
    web.config. As far as I know, we cannot change it to read value from
    another file instead of the configuration in web.config. This is by design.

    To test an ASP.NET web application, you can also consider using Visual Studio
    Team System. For an introduction, you can refer to
    http://www.asp.net/Learn/vsts-videos/video-128.aspx

    I look forward to receiving your test results.

    --
    Best Regards,
    Thomas Sun

    Microsoft Online Partner Support

    Thomas Sun [MSFT], Jan 22, 2010
    #4
  5. Chuck

    Chuck Guest

    That won't work either because the machine key is never applied to anything.
    Also can't use that because web.config is not accessible.
    Chuck, Jan 22, 2010
    #5
  6. Chuck

    Joe Kaplan Guest

    I don't understand the execution scenario here. In my experience with nUnit,
    I didn't try to use it for testing the web front end. It doesn't excel at this.
    I would typically use it for testing logic in the layers of the application
    below the "view" layer.

    So, can you explain how your execution environment is configured here and
    how it is that you are needing forms authentication in the context of an
    nUnit test? There may or may not be a good solution here, but I'd need more
    details to comment.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    Joe Kaplan, Jan 22, 2010
    #6
  7. Chuck

    Chuck Guest

    Selenium is a tool that allows you to automatically test a web application from
    the UI. You can write Selenium test scripts in a number of languages. I'm
    using C# to write the scripts/methods.

    Once the scripts are coded in C#, I replay them using nUnit.
    The nUnit tests start the Selenium components, test the webpages and give me
    the results.

    Since you are testing in a C# dll, none of the Request or Response
    objects are available to you. So you can't do something like examine any of
    the .Net objects in there. However, Selenium does let you inject cookies
    into the browser. So if my test code could create a valid FormsAuthentication
    cookie, I could place it in the browser.

    This has proven problematic because the System.Web.Security class does an
    initialization that expects to find the web.config. So, if you try to
    encrypt an authentication ticket when the HttpContext is not available, such
    as in a standalone dll, it will fail. Lots of static variables haven't been
    initialized with the web.config values (e.g. the MachineKey).






    Chuck, Jan 22, 2010
    #7
  8. Chuck

    Joe Kaplan Guest

    Ok, I read about Selenium a few years ago but never spent any time with it.
    I think I understand the issue here.

    What I would expect you to do in a case like this would be to use the
    web-based tool to script the forms login so you could effectively "scrape"
    the cookie and replay it that way. The infrastructure is not really designed
    to support the way you are trying to do this (as you've seen).

    You could do something a bit crazier like using reflector to reverse
    engineer some of the forms auth stuff and try to refactor it so that you can
    insert a machine key from your own config source. Another thing you might
    consider is creating an API/web service on the app that allows you to
    programmatically get a forms auth cookie by supplying plaintext credentials.
    That might make the screen scraping a little easier.

    Going in through the interface provided by the app you are testing sounds
    like an overall cleaner approach to me.

    Not sure if I'm helpful or not. :) Best of luck either way.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    Joe Kaplan, Jan 23, 2010
    #8
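
The approach Joe Kaplan describes in post #8 (log in through the application's own login page and reuse the cookie it issues) could look like the sketch below. This is an added example, not code from any poster in the thread; the form field names `txtUser`, `txtPassword` and `btnLogin` are assumptions about the login page, and the caller supplies the cookie name from the site's forms authentication settings. The server encrypts the ticket with its own machineKey, so the keys never have to be copied into the test assembly.

```csharp
// Added example; login field names below are assumptions about the page under test.
using System;
using System.IO;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;
using System.Web; // HttpUtility (reference System.Web.dll)

public static class FormsLoginHelper
{
    // Pulls the value of a hidden <input> such as __VIEWSTATE out of the login page.
    static string HiddenField(string html, string name)
    {
        Match m = Regex.Match(html,
            "<input[^>]*name=\"" + Regex.Escape(name) + "\"[^>]*value=\"([^\"]*)\"",
            RegexOptions.IgnoreCase);
        return m.Success ? HttpUtility.HtmlDecode(m.Groups[1].Value) : String.Empty;
    }

    static string ReadBody(HttpWebRequest request)
    {
        using (WebResponse response = request.GetResponse())
        using (StreamReader reader = new StreamReader(response.GetResponseStream()))
            return reader.ReadToEnd();
    }

    // Logs in with a test account and returns the cookie the application issued.
    public static Cookie GetAuthCookie(Uri loginUrl, string user, string password,
                                       string cookieName)
    {
        CookieContainer jar = new CookieContainer();

        // 1. GET the login page to collect the Web Forms hidden fields.
        HttpWebRequest get = (HttpWebRequest)WebRequest.Create(loginUrl);
        get.CookieContainer = jar;
        string html = ReadBody(get);

        // 2. POST the credentials back together with those hidden fields.
        StringBuilder form = new StringBuilder();
        foreach (string name in new[] { "__VIEWSTATE", "__EVENTVALIDATION" })
        {
            string value = HiddenField(html, name);
            if (value.Length > 0)
                form.Append(name).Append('=').Append(HttpUtility.UrlEncode(value)).Append('&');
        }
        form.Append("txtUser=").Append(HttpUtility.UrlEncode(user))          // assumed name
            .Append("&txtPassword=").Append(HttpUtility.UrlEncode(password)) // assumed name
            .Append("&btnLogin=Login");                                      // assumed name
        byte[] body = Encoding.UTF8.GetBytes(form.ToString());

        HttpWebRequest post = (HttpWebRequest)WebRequest.Create(loginUrl);
        post.Method = "POST";
        post.ContentType = "application/x-www-form-urlencoded";
        post.CookieContainer = jar;
        post.AllowAutoRedirect = false; // the ticket is set on the redirect response
        post.ContentLength = body.Length;
        using (Stream s = post.GetRequestStream())
            s.Write(body, 0, body.Length);
        ReadBody(post);

        // 3. Read back the cookie the server produced; fail loudly if login was rejected.
        Cookie auth = jar.GetCookies(loginUrl)[cookieName];
        if (auth == null)
            throw new InvalidOperationException("Login did not return " + cookieName);
        return auth;
    }
}
```

The returned cookie's Name and Value are what the test then passes to Selenium's cookie injection before opening a protected page.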
  9. Chuck

    Chuck Guest

    I started messing with Reflector with
    System.Web.Security.FormsAuthentication, but after about 4 pages of code I
    stopped. The way they initialized static classes and had global members
    being set in the middle of functions, just did not inspire confidence.
    Chuck, Jan 23, 2010
    #9
  10. Hi Chuck,

    Sorry for the late response.

    With Reflector, we can see that the FormsAuthentication.Encrypt method
    invokes MachineKeySection.EnsureConfig method which is used to load
    MachineKeySection from config file when it is null. The following code is from
    the .NET Framework:
    ============================
    private static void EnsureConfig()
    {
        if (s_config == null)
        {
            lock (s_initLock)
            {
                if (s_config == null)
                {
                    MachineKeySection machineKey =
                        RuntimeConfig.GetAppConfig().MachineKey;
                    machineKey.ConfigureEncryptionObject();
                    s_config = machineKey;
                    s_compatMode = machineKey.CompatibilityMode;
                }
            }
        }
    }
    ==========================


    Without accessing web.config file, I think we cannot set its value.


    -
    Best Regards,
    Thomas Sun

    Microsoft Online Partner Support
    Thomas Sun [MSFT], Jan 29, 2010
    #10