forms authentication woes


Hermit Dave

I am having a weird problem with forms authentication... it doesn't work the way
it's supposed to, but a workaround does the job. I would be thankful if anyone
can see what I might be doing wrong.

This is how I create the ticket, add it to the cookie and pass it on to the
Response stream:

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    1,                              // ticket version
    lu.ToString(),                  // user name
    DateTime.Now,                   // issue date
    DateTime.Now.AddMinutes(30),    // expiration
    false,                          // not persistent
    userinfo.Roles,                 // user data: the role list
    FormsAuthentication.FormsCookiePath);

string hash = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hash);
HttpContext.Current.Response.Cookies.Add(cookie);

This is how I read it in Application_AuthenticateRequest:

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    IPrincipal user = HttpContext.Current.User;
    if (user != null && user.Identity.IsAuthenticated && (user.Identity is FormsIdentity))
    {
        FormsIdentity id = (FormsIdentity)user.Identity;
        FormsAuthenticationTicket ticket = id.Ticket;
        string[] roles = ticket.UserData.Split(',');
        user = new GenericPrincipal(id, roles);
    }
}

Now on my page, if I use

if (this.Context.User.Identity.IsInRole("authors") == true)
{
    // having logged on with a user with this role
    // it should come in here but it doesn't
}

the IsInRole for some reason flakes out...
However, I can do this:

FormsIdentity id = (FormsIdentity)user.Identity;
string userRole = id.Ticket.UserData;
if (userRole == "authors")
{
    // it's all fine now
}

First I was using multiple roles... it didn't work... so I got around it using
!= false for IsInRole and checking for all roles but that, and that did it...
Then I modified each user to only have one role. Even there the problem
remains...

I look forward to your thoughts on this one.

--

Regards,

Hermit Dave
(http://hdave.blogspot.com)
 

Steven Cheng[MSFT]

Hi Hermit,

From the detailed code snippet you provided, there seem to be two things we
need to correct in the code:

1. In the "Application_AuthenticateRequest" event handler, after we create
the "GenericPrincipal" object, we should assign it to
HttpContext.Current.User rather than to our local reference variable. So the code
should be something like:

FormsIdentity id = (FormsIdentity)user.Identity;
FormsAuthenticationTicket ticket = id.Ticket;
string[] roles = ticket.UserData.Split(',');
HttpContext.Current.User = new GenericPrincipal(id, roles);

2. The "IsInRole" method belongs to the "IPrincipal" interface rather than
"IIdentity", so we should call IsInRole on HttpContext.Current.User
rather than on HttpContext.Current.User.Identity.

In addition, here are two related tech articles which may also be helpful.
Thanks.

FormsAuthentication, Identities and Role-based Security with a database
http://www.eggheadcafe.com/articles/20020906.asp

How To: Implement IPrincipal
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT06.asp

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
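The two corrections above, carried through as one complete example. This is added code, not code from the thread or from Microsoft: the class name RoleTicketAuth, its method names, and the assumption that roles are handed in as a string[] (the original passes userinfo.Roles, a comma-separated string, straight into UserData) are mine. The HttpOnly/Secure cookie settings and the RemoveEmptyEntries split are additions the thread does not discuss.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example, not from the thread. Issues a forms ticket whose UserData
// carries a comma-separated role list, then rebuilds a GenericPrincipal from
// it on every request and assigns it to the context (the thread's fix #1).
public static class RoleTicketAuth
{
    // Call after the user's credentials have been verified.
    // 'userName' and 'roles' are assumed inputs (the thread used
    // lu.ToString() and userinfo.Roles).
    public static void IssueTicket(HttpContext context, string userName, string[] roles)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                                  // ticket version
            userName,
            DateTime.Now,                       // issue date
            DateTime.Now.AddMinutes(30),        // expiration
            false,                              // not persistent
            string.Join(",", roles),            // roles travel in UserData
            FormsAuthentication.FormsCookiePath);

        // Encrypt() applies the machineKey encryption and MAC configured
        // for forms auth, so the client cannot edit the role list in UserData.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                         // addition: hide from script
            Secure = FormsAuthentication.RequireSSL, // addition: HTTPS-only when configured
            Path = FormsAuthentication.FormsCookiePath
        };
        context.Response.Cookies.Add(cookie);
    }

    // Call from Application_AuthenticateRequest in Global.asax:
    //   protected void Application_AuthenticateRequest(object sender, EventArgs e)
    //   {
    //       RoleTicketAuth.AttachRoles(HttpContext.Current);
    //   }
    public static void AttachRoles(HttpContext context)
    {
        IPrincipal user = context.User;
        if (user == null || !user.Identity.IsAuthenticated)
            return;

        var id = user.Identity as FormsIdentity;
        if (id == null)
            return;

        string userData = id.Ticket.UserData ?? string.Empty;
        string[] roles = userData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);

        // Fix #1 from the thread: assign to context.User, not to the local
        // 'user' variable, or the new principal is simply dropped.
        context.User = new GenericPrincipal(id, roles);
    }

    // Fix #2 from the thread: IsInRole lives on IPrincipal (context.User),
    // not on IIdentity (context.User.Identity). A page can call this
    // instead of comparing the raw UserData string.
    public static bool CanAuthor(HttpContext context)
    {
        return context.User != null && context.User.IsInRole("authors");
    }
}
```

Two things worth knowing when you rely on this pattern: the role list is only as trustworthy as the ticket protection, so keep the forms protection setting at "All" (encryption plus validation) rather than "None", and GenericPrincipal.IsInRole compares role names case-insensitively, so "Authors" and "authors" match.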
 

Hermit Dave

Thank you Steven.

Setting the GenericPrincipal to HttpContext.Current.User did the job.
I for some reason thought that, being a reference type,
HttpContext.Current.User, if assigned to an IPrincipal, would actually reference
HttpContext.Current.User instead of creating a copy of it locally. Point
taken.

About IsInRole: sorry, it was a typo and I am using User.IsInRole, not
trying to do Identity.IsInRole... VS.NET would never let me recompile with
such an obvious mistake :)... I had it removed from the code previously and I
mentioned it just for the heck of it. :)

Thank you once again.

--

Regards,

Hermit Dave
(http://hdave.blogspot.com)
 

Steven Cheng[MSFT]

Hi Hermit,

Thanks for the followup and I'm glad that everything is going well now.
Happy programming!:)

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 