Funky FormsAuthentication Cookie Behavior.

Discussion in 'ASP .Net Security' started by E.M.Smith, Jun 2, 2004.

  1. E.M.Smith

    E.M.Smith Guest

    We are having a problem where the HttpCookie.Value for FormsAuthentication is different between when it is created in Login.aspx.cs and when it is retrieved in Global.asax.cs. This problem happens whether the cookie is created with the encrypted authentication ticket or something as simple as "Hello World!". The code, web.config, and sample results are below. Does anyone please have any suggestions? Thank you.

    // ------------------------------------------------------------------------------------------------
    // ------------------------------------------------------------------------------------------------
    // Login.aspx.cs code snippet
    // ------------------------------------------------------------------------------------------------
    // ------------------------------------------------------------------------------------------------
    loAuthenticationTicket = new FormsAuthenticationTicket( 1, lsUserIdentity, DateTime.Now, DateTime.Now.AddMinutes(60), false, lsRoles );

    lsEncryptedTicket = FormsAuthentication.Encrypt( loAuthenticationTicket );

    //loAuthenticationCookie = new HttpCookie( FormsAuthentication.FormsCookieName, "Hello World!" );
    loAuthenticationCookie = new HttpCookie( FormsAuthentication.FormsCookieName, lsEncryptedTicket );

    Response.Cookies.Add( loAuthenticationCookie );
    // ------------------------------------------------------------------------------------------------

    // ------------------------------------------------------------------------------------------------
    // ------------------------------------------------------------------------------------------------
    // Global.asax.cs Application_AuthenticateRequest code snippet
    // ------------------------------------------------------------------------------------------------
    // ------------------------------------------------------------------------------------------------
    loAuthenticationCookie = Context.Request.Cookies[ FormsAuthentication.FormsCookieName ];
    if (loAuthenticationCookie == null) return;

    lsEncryptedTicket = loAuthenticationCookie.Value;

    loAuthenticationTicket = FormsAuthentication.Decrypt( lsEncryptedTicket );
    if (loAuthenticationTicket == null) return;

    lsUserIdentity = loAuthenticationTicket.Name;
    // ------------------------------------------------------------------------------------------------
    // ------------------------------------------------------------------------------------------------

    // ------------------------------------------------------------------------------------------------
    // ------------------------------------------------------------------------------------------------
    // Web.Config
    // NOTE: We have tried multiple values and combinations
    // for the <forms> and <sessionState> elements
    // ------------------------------------------------------------------------------------------------
    // ------------------------------------------------------------------------------------------------
    <authentication mode="Forms">
      <forms name="EMSATC" loginUrl="Security/Login.aspx" protection="All" timeout="60" />
    </authentication>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
    <compilation defaultLanguage="C#" debug="true" />
    <customErrors mode="Off" />
    <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
    <httpRuntime maxRequestLength="8192" />
    <identity impersonate="true" />
    <sessionState mode="Off"
                  stateConnectionString="tcpip=127.0.0.1:42424"
                  sqlConnectionString="data source=127.0.0.1;user id=sa;password="
                  cookieless="true" />
    <trace enabled="true" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" />
    // ------------------------------------------------------------------------------------------------
    // ------------------------------------------------------------------------------------------------

    // ------------------------------------------------------------------------------------------------
    // ------------------------------------------------------------------------------------------------
    // Sample results
    // ------------------------------------------------------------------------------------------------
    // -------------------------------------------------------------------------------------------------
    <forms protection="None"> on the encrypted authentication ticket:

    HttpCookie.Value in Login.aspx.cs:
    3A9082793BDB20070131007C0031007C00650073006D006900740068000000201FDD61C448C4010020EF6525D548C4014700750065007300740000002F000000

    HttpCookie.Value in Global.asax.cs:
    AEDA5C4CD4A36A630100005038B971C448C4010050A07DD3CC48C40100002F000000


    // -------------------------------------------------------------------------------------------------
    <forms protection="All"> on the encrypted authentication ticket:

    HttpCookie.Value in Login.aspx.cs:
    26D64226C9FC29FE9BAD4746FA13DC48D3618C282B8E7CAD47F4AF9CBD1BFACDF0907A6123AD1E5224FF2F54D8146F3181F53789950385286F90B4B51AEDFBA1089049525C1F414C57B851683C74F857693F3AAD5131E4EB

    HttpCookie.Value in Global.asax.cs:
    349FDDC5EAC1F2CBF0BA96DF0BFEF89FEEFB389496B6520039025AD7D34654A915D2C75AE1CA9F2F0DEE49E7020FA8CA50AF32FFF0984D5B


    // -------------------------------------------------------------------------------------------------
    <forms protection="None"> on "Hello World!":

    HttpCookie.Value in Login.aspx.cs:
    Hello World!

    HttpCookie.Value in Global.asax.cs:
    A3A41B382C89D931010000C0495C7EC548C40100C0B120E0CD48C40100002F000000


    // -------------------------------------------------------------------------------------------------
    <forms protection="All"> on "Hello World!":

    HttpCookie.Value in Login.aspx.cs:
    Hello World!

    HttpCookie.Value in Global.asax.cs:
    58DE4EDF9A37E074BEDF2CCD148E642D2363C4C74C80E1BE6AFF5EF502CB50F6A1BD8FD337B8F865ACB63D990C9BA77E514FEB7E89163B78
    // -------------------------------------------------------------------------------------------------
    // -------------------------------------------------------------------------------------------------
     
    E.M.Smith, Jun 2, 2004
    #1

  2. E.M.Smith

    Alex Kleyman Guest

    Are you using FormsAuthentication.RedirectFromLoginPage to redirect the user? If so, don't. It will create its own authentication cookie with the same name as FormsAuthentication.FormsCookieName, therefore replacing the cookie YOU created. Just use Response.Redirect( FormsAuthentication.GetRedirectUrl( UserName, false ) ) instead.

    Ale
     
    Alex Kleyman, Jun 3, 2004
    #2