Form Authentication Ticket

Discussion in 'ASP .Net Security' started by wrytat, Apr 11, 2005.

  1. wrytat

    wrytat Guest

    I've read some books and online articles on how to implement form
    authentication. Some taught me just to do
    FormsAuthentication.RedirectFromLoginPage(username.Value, false) after the
    user is validated. Others include more steps, like generating an
    authentication ticket, encrypting it, creating a cookie, and adding it to the
    response, before redirecting the user. Both ways should work, but why do I
    need to generate an authentication ticket, when it still works if I don't
    generate one?

    What's an authentication ticket for? Why do I need it?

    Thank you.
     
    wrytat, Apr 11, 2005
    #1

  2. Brock Allen

    Brock Allen Guest

    The auth ticket is in essence the user's name encrypted in the cookie. This
    is how ASP.NET knows who the user is when the browser makes requests into
    your app. For simplicity, I'd suggest not messing with it. The only time
    you'd want to do something with the Ticket/Cookie is if you wanted to put
    other sensitive data into a cookie so the browser passes it back every time.
    Usually since it's putting the username then all other sensitive data can
    be fetched from the database on the server, meaning there's no need to put
    anything else into the cookie.

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen
     
    Brock Allen, Apr 11, 2005
    #2

  3. wrytat

    wrytat Guest

    Does that mean if I am only going to need the cookie to store the user name,
    I just need to do a FormsAuthentication.RedirectFromLoginPage(username.Value,
    false) or FormsAuthentication.SetAuthCookie and Response.Redirect(somewhere,
    True) after validation? But if I need to store other data in the same cookie,
    I have to do something like this:

    ' Build the ticket by hand so that extra data can be carried in it
    Dim tkt As FormsAuthenticationTicket
    Dim cookiestr As String
    Dim ck As HttpCookie

    ' version 1, user name, issue time, 30-minute expiry, not persistent, user data
    tkt = New FormsAuthenticationTicket(1, txtUserName.Value, DateTime.Now, _
        DateTime.Now.AddMinutes(30), False, "other data")
    ' Encrypt (and sign) the ticket so it can be placed in the cookie
    cookiestr = FormsAuthentication.Encrypt(tkt)
    ' Use the cookie name and path configured in web.config
    ck = New HttpCookie(FormsAuthentication.FormsCookieName, cookiestr)
    ck.Path = FormsAuthentication.FormsCookiePath
    Response.Cookies.Add(ck)
    Response.Redirect(somewhere, True)

    Am I right?

    Then if I need to store more than one piece of data, do I just do:
    tkt = New FormsAuthenticationTicket(1, txtUserName.Value, DateTime.Now(),
    dateTime.Now.AddMinutes(30), false, "data1", "data2", "data3", ..., "dataN") ?

    And how do I retrieve the data?

    Sorry, a lot of questions...
     
    wrytat, Apr 12, 2005
    #3
  4. Hernan de Lahitte

    For your first question, your approach is basically right, though I would
    recommend not depending on hardcoded values but using the values configured
    in the Forms settings.
    Take a look at this sample:

    http://weblogs.asp.net/hernandl/archive/2004/07/30/FormsAuthRolesRev.aspx

    For your second question, the way to add more data to your ticket is simply
    storing a single string with all the information in there. In that case you
    should be aware of your string length because of the limitation of the cookie
    size.
    Notice that the above link gives you advice on this issue. You may take a
    look at this link as well:

    http://weblogs.asp.net/hernandl/archive/2004/08/05/FormsAuthRoles2.aspx

    Regards,
    Hernan de Lahitte.
    http://clariusconsulting.net/hdl
     
    Hernan de Lahitte, Apr 12, 2005
    #4
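    As an added example (not code from this thread or from Hernan's articles), here is how the two answers above fit together in C# on a Web Forms page: the extra values go into the ticket's UserData as one delimited string, the timeout, cookie name and path are read from the <forms> section of web.config rather than hardcoded, and on later requests the values are read back from the FormsIdentity that FormsAuthenticationModule attaches to the request after it has decrypted and validated the cookie. The class TicketHelper, its methods IssueTicket and ReadUserData, the '|' separator and the 4000-character size check are this example's own choices, not part of ASP.NET; it assumes .NET 2.0 or later (for HttpCookie.HttpOnly, FormsAuthentication.RequireSSL and System.Web.Configuration).

```csharp
using System;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;

// Hypothetical helper for this example; the names are not framework names.
public static class TicketHelper
{
    // Delimiter used to pack several values into the single UserData string.
    const char Separator = '|';

    // Issue a forms-auth ticket that carries extra values in UserData.
    // Timeout, cookie name and cookie path all come from <forms> in
    // web.config instead of being hardcoded in the login page.
    public static void IssueTicket(HttpResponse response, string userName,
                                   bool persistent, params string[] extraData)
    {
        // A value containing the separator would corrupt the packed string.
        foreach (string item in extraData)
            if (item.IndexOf(Separator) >= 0)
                throw new ArgumentException("user data must not contain '" + Separator + "'");

        string userData = string.Join(Separator.ToString(), extraData);

        // Read the configured timeout from <forms timeout="..."> (minutes).
        AuthenticationSection auth =
            (AuthenticationSection)WebConfigurationManager.GetSection("system.web/authentication");
        TimeSpan timeout = auth.Forms.Timeout;

        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                               // ticket version
            userName,                        // who the ticket is for
            DateTime.Now,                    // issue date
            DateTime.Now.Add(timeout),       // expiry from config, not a literal
            persistent,                      // survive browser close?
            userData,                        // packed extra values
            FormsAuthentication.FormsCookiePath);

        // Encrypt + sign with the machineKey, exactly as RedirectFromLoginPage does.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        // Browsers cap a cookie at roughly 4 KB; the encrypted ticket grows with
        // UserData, so refuse oversized tickets instead of emitting a broken cookie.
        if (encrypted.Length > 4000)
            throw new InvalidOperationException(
                "ticket too large for a cookie; keep the data server-side instead");

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                         // not readable by page script
        cookie.Secure = FormsAuthentication.RequireSSL; // honour <forms requireSSL="true">
        if (persistent)
            cookie.Expires = ticket.Expiration;         // otherwise a session cookie

        response.Cookies.Add(cookie);
    }

    // Unpack the extra values on a later request. FormsAuthenticationModule has
    // already decrypted and validated the cookie and exposed the ticket through
    // FormsIdentity, so there is no need to decrypt the cookie again by hand.
    public static string[] ReadUserData(HttpContext context)
    {
        FormsIdentity identity = context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return new string[0];
        string userData = identity.Ticket.UserData;
        if (userData.Length == 0)
            return new string[0];
        return userData.Split(Separator);
    }
}

// Login page, after the credentials have been validated:
//   TicketHelper.IssueTicket(Response, txtUserName.Text, false, "Sales", "en-US");
//   Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUserName.Text, false));
//
// Any later page:
//   string[] values = TicketHelper.ReadUserData(HttpContext.Current);
```

    Two points follow from the thread. First, the ticket is encrypted and signed with the machineKey, so a client cannot read or forge UserData, but the cookie is still a bearer token: whoever presents it is treated as that user, which is why HttpOnly and requireSSL matter. Second, as Brock said, UserData should hold only small, non-secret values (a role list, a display name); anything sensitive or large belongs in the database, looked up by the user name the ticket already carries.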