Forms Authentication Ticket/Cookie values

Discussion in 'ASP .Net' started by chuck rudolph, May 17, 2005.

  1. Folks, can anyone confirm that my understanding is correct and maybe shed some
    light on why it's as it is? (I'm guessing security, but that seems weak to
    me.)

    The asp.net web application is using forms authentication.

    If I create a FormsAuthTicket with userdata in the appropriate place, then
    encode it and create a cookie, add it to the response.cookie collection and
    use it, all is well.

    However if after I create the cookie I add some additional values to the
    cookie, and then add it to the collection, asp.net no longer recognizes this
    as a valid authentication ticket.

    Thanks for the info...Chuck
     
    chuck rudolph, May 17, 2005
    #1

  2. Scott Allen (Guest)

    Hi Chuck:

    You can piggyback data in the cookie, but since the forms auth cookie
    is encrypted and hashed to prevent tampering it takes some extra work.
    There is a section in the following document to show you how:

    http://www.pluralsight.com/articlecontent/efficientRoleBasedAuthentication.pdf

    HTH,

    --
    Scott
    http://www.OdeToCode.com/blogs/scott/

    On Mon, 16 May 2005 21:10:31 -0700, "chuck rudolph"
    <> wrote:

    >Folks, can anyone confirm that my understanding is correct and maybe shed some
    >light on why it's as it is. (I'm guessing security, but that seems weak to
    >me.)
    >
    >The asp.net web application is using forms authentication.
    >
    >If I create a FormsAuthTicket with userdata in the appropriate place. Then
    >encode it and create a cookie, add it to the response.cookie collection and
    >use it all is well.
    >
    >However if after I create the cookie I add some additional values to the
    >cookie, and then add it to the collection, asp.net no longer recognizes this
    >as a valid authentication ticket.
    >
    >Thanks for the info...Chuck
    >
     
    Scott Allen, May 18, 2005
    #2

  3. Scott, I get how to stuff items in the "userdata" area of the forms auth
    ticket. The question I have is concerning the cookie values collection of the
    encoded ticket.

    I'll also quibble with the words in your response. If the cookie is hashed
    and encrypted, why have a routine of
    ...GetAuthCookie(name, isPersistent, path)? Once I get the cookie I can set the
    expiration, can't I?

    I know there are quirks in the system, I am just trying to confirm my belief
    that FormsAuth cookies can NOT have members in the "values" collection.

    "Scott Allen" wrote:

    > Hi Chuck:
    >
    > You can piggyback data in the cookie, but since the forms auth cookie
    > is encrypted and hashed to prevent tampering it takes some extra work.
    > There is a section in the following document to show you how:
    >
    > http://www.pluralsight.com/articlecontent/efficientRoleBasedAuthentication.pdf
    >
    > HTH,
    >
    > --
    > Scott
    > http://www.OdeToCode.com/blogs/scott/
    >
    > On Mon, 16 May 2005 21:10:31 -0700, "chuck rudolph"
    > <> wrote:
    >
    > >Folks, can anyone confirm that my understanding is correct and maybe shed some
    > >light on why it's as it is. (I'm guessing security, but that seems weak to
    > >me.)
    > >
    > >The asp.net web application is using forms authentication.
    > >
    > >If I create a FormsAuthTicket with userdata in the appropriate place. Then
    > >encode it and create a cookie, add it to the response.cookie collection and
    > >use it all is well.
    > >
    > >However if after I create the cookie I add some additional values to the
    > >cookie, and then add it to the collection, asp.net no longer recognizes this
    > >as a valid authentication ticket.
    > >
    > >Thanks for the info...Chuck
    > >
     
    chuck rudolph, May 18, 2005
    #3
  4. Brock Allen (Guest)

    > You can piggyback data in the cookie, but since the forms auth cookie
    > is encrypted and hashed to prevent tampering it takes some extra work.
    > There is a section in the following document to show you how:
    >
    > http://www.pluralsight.com/articlecontent/efficientRoleBasedAuthentication.pdf

    I'd be wary of this approach, personally. My main complaint is that if the
    roles are cached in the cookie, then it's difficult to remove the role from
    the user while they have their browser active. I tend to cache the roles
    on the server in the ASP.NET Cache. Of course, this has the same drawbacks
    as the cookie if you're using a server farm. See, nothing's easy :)

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen
     
    Brock Allen, May 19, 2005
    #4
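    As an added illustration (not code from this thread, nor from the Pluralsight article or DevelopMentor), the C# below shows the two points Chuck and Brock are discussing: roles carried in the ticket's UserData so they stay under the ticket's MAC and encryption, and why writing to the cookie's Values collection makes ASP.NET reject the cookie. The class and method names (AuthCookieDemo, Issue, Resolve) and the pipe-delimited role format are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper (assumed name) illustrating the behaviour discussed in the thread.
public static class AuthCookieDemo
{
    // Issue the forms-auth cookie with roles carried in UserData (pipe-delimited, an
    // assumed convention). UserData is inside the ticket, so it is covered by the
    // ticket's MAC and encryption; a modified ticket fails to decrypt.
    public static HttpCookie Issue(string userName, string[] roles, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            persistent, string.Join("|", roles), FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                          // keep client script away from the ticket
        cookie.Secure = FormsAuthentication.RequireSSL;  // honour requireSSL from web.config
        if (persistent) cookie.Expires = ticket.Expiration;

        // Do not do this: setting a sub-value turns the cookie into a multi-valued
        // cookie, so its Value is emitted as "<encrypted ticket>&theme=dark".
        // FormsAuthenticationModule hands that whole string to Decrypt, which fails,
        // and the request arrives unauthenticated (the symptom Chuck describes).
        // cookie.Values["theme"] = "dark";

        return cookie;
    }

    // Call from Application_AuthenticateRequest: rebuild the principal from UserData.
    public static IPrincipal Resolve(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }   // tampered, corrupted or multi-valued cookie
        if (ticket == null || ticket.Expired) return null;

        string[] roles = ticket.UserData.Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        return new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```

    Extra, non-sensitive data belongs in a separate cookie; that cookie is not covered by the ticket's MAC, so never base an authorization decision on it. As Brock notes, roles cached in UserData cannot be revoked before the ticket expires, so keep the expiration short or re-check them against server-side state.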
