FormsAuthentication & createPersistentCookie

Discussion in 'ASP .Net Security' started by Alex Maghen, Jun 3, 2006.

  1. Alex Maghen

    Alex Maghen Guest

    I'm a little confused about how to work with the "createPersistentCookie"
    feature of FormsAuthentication.RedirectFromLoginPage().

    1. There are various things that I need my application to do when a user
    successfully logs in. I do that stuff inside the code of my Login.aspx page
    after I am sure the user is authentic but before I call
    FormsAuthentication.RedirectFromLoginPage(). If I pass TRUE to the second
    parameter, what actually happens when the user comes back in? They seem to
    get authenticated, but is my code actually getting called? How do I hook into
    it so that I can do things when authentication occurs?

    2. Once the user is cookied for auto-login, is there a function I can call
    to clear that cookie should the user want to stop doing auto-login? Or do I
    have to delete the cookie myself?

    Alex
     
    Alex Maghen, Jun 3, 2006
    #1

  2. Brock Allen

    Brock Allen Guest

    > 1. There are various things that I need my application to do when a
    > user successfully logs in. I do that stuff inside the code of my
    > Login.aspx page after I am sure the user is authentic but before I
    > call FormsAuthentication.RedirectFromLoginPage(). If I pass TRUE to
    > the second parameter, what actually happens when the user comes back
    > in? They seem to get authenticated, but is my code actually getting
    > called? How do I hook into it so that I can do things when
    > authentication occurs?


    True sets a persistent cookie, thus subsequent requests are as if the user
    had just logged on. What is it you need to do when the user authenticates?

    > 2. Once the user is cookied for auto-login, is there a function I can
    > call to clear that cookie should the user want to stop doing
    > auto-login? Or do I have to delete the cookie myself?


    FormsAuthentication.SignOut()

    -Brock
    http://staff.develop.com/ballen
     
    Brock Allen, Jun 4, 2006
    #2

  3. Alex Maghen

    Alex Maghen Guest

    Here's what I mean: When the user FIRST logs in on the site, I have a form
    that provides me a Username and a Password. I use my OWN code (which checks a
    database and also writes a record indicating that a login has occurred) and
    then, if all's well, MY code calls
    FormsAuthentication.RedirectFromLoginPage()

    But what I don't get is this: The next time that user comes in, assuming
    that he had checked the Persist box, what code gets executed to log the
    user back in? Does the persistent cookie on the user's machine contain the
    username and password and then pass that information back in for
    authentication? Despite the fact that the user has asked for this auto-login
    functionality, I still need to authenticate the user with MY code before
    they're allowed back into the site.

    See what I mean?

    Alex

     
    Alex Maghen, Jun 4, 2006
    #3
  4. Hi,

    the authentication cookie is encrypted with a key - the machine key - by
    default this is an auto-generated per-app key - but you can specify it explicitly
    using the <machineKey> element.

    The fact that the application can decrypt the cookie using the machine key
    is the proof that the user has been authenticated by this application. You
    don't re-authenticate the user.

    The cookie contains the user's name to regenerate Context.User on each request.


    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Jun 4, 2006
    #4
  5. Hi Alex,

    The "createPersistentCookie" parameter in the
    FormsAuthentication.RedirectFromLoginPage() method controls whether
    ASP.NET will create a persistent cookie or a session cookie for the
    authentication ticket of the currently logged-in user. Forms authentication's
    authentication ticket is stored in a client-side cookie by default. There are
    two kinds of cookies: session cookies and persistent cookies. A session cookie
    is only available during its lifecycle (before it expires); however, if the
    client user closes the browser, the session cookie will also no longer be
    available. A persistent cookie, by contrast, is always available as long as it
    hasn't expired (even if the client user closes the browser). So using a
    "persistent cookie" can provide a "remember me" function like many
    websites do.

    Also, the username/password is required only when the user is
    authenticating against the login page. After he has logged in, an
    authentication ticket is produced and cached in the user's client-side
    cookie (the default behavior). And all the sequential requests from the user
    will use this ticket (from the cookie) to perform the authentication (rather
    than username/password credentials) as long as the ticket hasn't expired.

    Hope this helps clarify some. If there is still anything unclear, please
    feel free to post here.

    Regards,

    Steven Cheng
    Microsoft Online Community Support


    ==================================================

    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.

    ==================================================


    This posting is provided "AS IS" with no warranties, and confers no rights.



     
    Steven Cheng[MSFT], Jun 5, 2006
    #5
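
The replies above explain that a returning user is accepted because the ticket cookie decrypts and validates, so Login.aspx code never runs again. The following is an added example, not code posted by anyone in this thread, showing where an application can run its own per-request check in Global.asax; `AccountStore` and its sample data are hypothetical stand-ins for the application's user database.

```csharp
// Global.asax.cs (added illustration, not code from this thread)
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical stand-in for the application's own user database.
public static class AccountStore
{
    // Constructed sample data: accounts disabled after a ticket was issued.
    private static readonly List<string> Disabled =
        new List<string>(new string[] { "former.employee" });

    public static bool IsStillAllowed(string userName)
    {
        return !Disabled.Exists(delegate(string d) {
            return String.Equals(d, userName, StringComparison.OrdinalIgnoreCase);
        });
    }
}

public class Global : HttpApplication
{
    // Fires on every request, after FormsAuthenticationModule has decrypted and
    // validated the ticket cookie and built Context.User from it.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (Context.User == null) return;            // no valid ticket: anonymous request

        FormsIdentity identity = Context.User.Identity as FormsIdentity;
        if (identity == null) return;                // not a forms-authentication user

        // The ticket carries the name, issue/expiry dates, IsPersistent and
        // UserData. It does not carry the password.
        FormsAuthenticationTicket ticket = identity.Ticket;
        if (AccountStore.IsStillAllowed(ticket.Name)) return;

        // The account is no longer valid: expire the cookie and continue as
        // anonymous so URL authorization sends the browser to the login page.
        FormsAuthentication.SignOut();
        Context.User = new GenericPrincipal(
            new GenericIdentity(String.Empty), new string[0]);
    }
}
```

Because this handler runs on every request, a database lookup here should be cheap or cached; work that must happen once per interactive login (such as writing the login record) still belongs in the login page.
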
  6. Hello Alex,

    Does our suggestion help you some? If there is still anything we can help with,
    please feel free to post here.

    Regards,

    Steven Cheng
    Microsoft Online Community Support


     
    Steven Cheng[MSFT], Jun 6, 2006
    #6
