FormsAuthentication Cookie

rn5a

A web.config file has the following code:

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="NETConnectCookie" loginUrl="Login.aspx">
        <credentials passwordFormat="SHA1"/>
      </forms>
    </authentication>
  </system.web>

  <location path=".">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>

Assuming that the local machine does not have the cookie named
NETConnectCookie, the above code ensures that if a user tries to
navigate to any ASPX files in the directory that the above web.config
file exists in, then the user will be first redirected to Login.aspx.
Assume that the directory in which the above web.config file exists has
an ASPX file named Products.aspx.

When a user tries to navigate to Products.aspx without logging in,
web.config directs him to Login.aspx. Assume that a user with the
username bobby is a valid user (which I am validating against a SQL
Server 2005 DB table). This is how I tried it (this is the code in
Login.aspx which communicates with web.config when the user directly
tries to navigate to Products.aspx without logging in):

<script runat="server">
    Sub LoginUser(ByVal obj As Object, ByVal ea As EventArgs)
        ..........
        ..........
        'user has been validated; so take him to Products.aspx
        FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, True)
        Response.Cookies("NETConnectCookie")("UserName") = txtUserName.Text
    End Sub
</script>

This does create the persistent cookie named NETConnectCookie which
when opened, also shows the text 'UserName=bobby' but the user doesn't
get redirected to Products.aspx though he has been logged in
successfully. In fact, the user remains at Login.aspx with the URL
getting appended by the querystring 'ReturnUrl=Products.aspx'. Why
isn't the user getting redirected to Products.aspx after successfully
logging in? Note that if I remove the Response.Cookies line in
Login.aspx, then the user gets redirected to Products.aspx after
logging in.

There's another problem. Next suppose the user closes the browser
window which he had used to log in. He opens a new browser window &
navigates to Products.aspx. Under such circumstances, I want to show
him a welcome message with his username in Products.aspx without taking
him to Login.aspx since the cookie NETConnectCookie is a persistent
cookie but the user still gets redirected to Login.aspx. Why? This is
the code in Products.aspx:

<script runat="server">
    Sub Page_Load(ByVal obj As Object, ByVal ea As EventArgs)
        Response.Write("Welcome " & Request.Cookies("NETConnectCookie")("UserName"))
    End Sub
</script>

If I change the name of the cookie to, say, 'Details', in Login.aspx
i.e.

Response.Cookies("Details")("UserName") = txtUserName.Text

& make the corresponding change in Products.aspx, then after
successfully logging in Login.aspx, the user is taken to Products.aspx
which shows the message

Welcome bobby

But when the user closes this window, opens a new browser window &
navigates to Products.aspx, then, as expected, the user is not taken to
Login.aspx but Products.aspx generates this error:

Object reference not set to an instance of an object.

pointing to the Response.Write line in Products.aspx! When I open the
cookie from the Temporary Internet Files folder, this time the cookie
doesn't show the text 'UserName=bobby'! Why?

What's the difference between a normal cookie & a cookie created by the
FormsAuthentication object?
 
Guest

Storing in cookies etc. is taken care of by ASP.NET.
Don't add it explicitly.
But if you want to make it persistent,
as you said, use another cookie with a different name to make it persistent.
 
rn5a

I got your point but have encountered another problem. Keeping the
web.config file shown in post #1 as it is, I am adding the following
setting so that any user can access HomePage.aspx:

<location path="HomePage.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

Suppose a user comes to HomePage.aspx. From the home page, he tries to
navigate to another ASPX page, say, MyPage.aspx by clicking a link in
the home page. But the web.config file redirects the user to
Login.aspx. Assuming that the user has been validated successfully, he
is then directed to MyPage.aspx. Also assume that the username of the
user is bobby. When this user finally goes to MyPage.aspx, I want to
display a welcome message to him with his username i.e. MyPage.aspx
should display 'Welcome bobby'. To get the username in MyPage.aspx, I
am using the Name & Value properties of the HttpCookie object in
Login.aspx. This is the code in Login.aspx:

Sub LoginUser(obj As Object, ea As EventArgs)
    'after successful login
    Dim hCookie As HttpCookie

    FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, True)
    hCookie = FormsAuthentication.GetAuthCookie(txtUserName.Text, True)
    hCookie.Name = "MyCookie"
    hCookie.Value = txtUserName.Text
    hCookie.Expires = DateTime.Now.AddMinutes(2)
    Response.Cookies.Add(hCookie)
End Sub

This is the simple code in MyPage.aspx:

Sub Page_Load(ByVal obj As Object, ByVal ea As EventArgs)
    lblMessage.Text = "Welcome " & Request.Cookies("MyCookie").Value
End Sub

When this user finally comes to MyPage.aspx, he is shown the message

Welcome bobby

Note that in Login.aspx, I have set the cookie to expire after 2
minutes which means that the user sees the welcome message along with
his username if he closes the browser he used to login & opens a new
browser within the next 2 minutes. But when I go to the Temporary
Internet Files folder & click the cookie, I find that the cookie has
been set to expire after 30 minutes though I have set it to expire
after 2 minutes. Why so?

What I found is if I get rid of the lines

hCookie.Name = "MyCookie"
hCookie.Value = txtUserName.Text

in Login.aspx, then the cookie gets set to expire after 2 minutes in
the Temporary Internet Files folder but if I get rid of these 2 lines
in Login.aspx, how do I retrieve the username of the user in
MyPage.aspx?

Also is there any way by which MyPage.aspx can access the first
parameter of the methods RedirectFromLoginPage & GetAuthCookie (which
is txtUserName.Text in this case)? If no, then what's the use of the
first parameter in the methods RedirectFromLoginPage & GetAuthCookie?
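
An added example, not code from any poster in this thread, sketching the approach the Guest reply points to and the username lookup asked about in the last post: the forms-authentication cookie is left entirely to ASP.NET, and the logged-in name is read from the validated ticket through User.Identity.Name. The "Details" cookie name and txtUserName come from the posts; the class names and the 7-day lifetime are assumptions made for illustration.

```vbnet
Imports System
Imports System.Web
Imports System.Web.Security
Imports System.Web.UI.WebControls

' Code-behind for Login.aspx (class name is an assumption).
Public Class LoginPage
    Inherits System.Web.UI.Page
    Protected txtUserName As TextBox

    Protected Sub LoginUser(ByVal obj As Object, ByVal ea As EventArgs)
        ' Reached only after the credentials were validated, as in the post.

        ' Optional display cookie under its own name, never the name set in
        ' <forms name="NETConnectCookie">. Without Expires it is a session
        ' cookie and disappears when the browser closes.
        Dim details As New HttpCookie("Details")
        details.Values("UserName") = txtUserName.Text
        details.Expires = DateTime.Now.AddDays(7)   ' assumed lifetime
        details.HttpOnly = True
        Response.Cookies.Add(details)

        ' ASP.NET writes the encrypted ticket into NETConnectCookie and
        ' redirects to ReturnUrl. Writing to Response.Cookies("NETConnectCookie")
        ' afterwards would replace that ticket with plain text.
        FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, True)
    End Sub
End Class

' Code-behind for Products.aspx or MyPage.aspx (class name is an assumption).
Public Class ProductsPage
    Inherits System.Web.UI.Page

    Protected Sub Page_Load(ByVal obj As Object, ByVal ea As EventArgs) Handles Me.Load
        ' The first argument given to RedirectFromLoginPage comes back here,
        ' taken from the decrypted, validated ticket.
        Dim name As String = User.Identity.Name

        ' The display cookie is client-editable and may be absent:
        ' check for Nothing and never treat it as proof of identity.
        Dim details As HttpCookie = Request.Cookies("Details")
        If details Is Nothing OrElse details.Values("UserName") Is Nothing Then
            Response.Write("Welcome " & Server.HtmlEncode(name))
        Else
            Response.Write("Welcome " & Server.HtmlEncode(details.Values("UserName")))
        End If
    End Sub
End Class
```

Authorization decisions should rely on User.Identity.Name only; the "Details" cookie is plain text that the browser user can change.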
 
