Funky FormsAuthentication Cookie Behavior.

E

E.M.Smith

We are having a problem where the HttpCookie.Value for FormsAuthentication is different between when it is created in Login.aspx.cs and when it is retrieved in Global.asax.cs. This problem happens whether the cookie is create with the encrypted authentication ticket or something as simple as "Hello World!". The code, web.config, and sample results are below. Does anyone please have any suggestions? Thank you

// ------------------------------------------------------------------------------------------------
// ------------------------------------------------------------------------------------------------
// Login.aspx.cs code snippet
// ------------------------------------------------------------------------------------------------
// ------------------------------------------------------------------------------------------------
loAuthenticationTicket = new FormsAuthenticationTicket( 1, lsUserIdentity, DateTime.Now, DateTime.Now.AddMinutes(60), false, lsRoles )

lsEncryptedTicket = FormsAuthentication.Encrypt( loAuthenticationTicket )

//loAuthenticationCookie = new HttpCookie( FormsAuthentication.FormsCookieName, "Hello World!" )
loAuthenticationCookie = new HttpCookie( FormsAuthentication.FormsCookieName, lsEncryptedTicket )

Response.Cookies.Add( loAuthenticationCookie )
// ------------------------------------------------------------------------------------------------

// ------------------------------------------------------------------------------------------------
// ------------------------------------------------------------------------------------------------
// Global.asax.cs Application_AuthenticateRequest code snippet
// ------------------------------------------------------------------------------------------------
// ------------------------------------------------------------------------------------------------
loAuthenticationCookie = Context.Request.Cookies[ FormsAuthentication.FormsCookieName ]
if (loAuthenticationCookie == null) return

lsEncryptedTicket = loAuthenticationCookie.Value

loAuthenticationTicket = FormsAuthentication.Decrypt( lsEncryptedTicket )
if (loAuthenticationTicket == null) return

lsUserIdentity = loAuthenticationTicket.Name
// ------------------------------------------------------------------------------------------------
// ------------------------------------------------------------------------------------------------

// ------------------------------------------------------------------------------------------------
// ------------------------------------------------------------------------------------------------
// Web.Config
// NOTE: We have try multiple values and combination
// for the <forms> and <sessionState> elements
// ------------------------------------------------------------------------------------------------
// ------------------------------------------------------------------------------------------------
<authentication mode="Forms"><forms name="EMSATC" loginUrl="Security/Login.aspx" protection="All" timeout="60" /></authentication><authorization><deny users="?" /><allow users="*" /></authorization><compilation defaultLanguage="C#" debug="true" /><customErrors mode="Off" /><globalization requestEncoding="utf-8" responseEncoding="utf-8" /><httpRuntime maxRequestLength="8192" /><identity impersonate="true" /><sessionState mode="Off
stateConnectionString="tcpip=127.0.0.1:42424
sqlConnectionString="data source=127.0.0.1;user id=sa;password=
cookieless="true" /><trace enabled="true" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" /
// ------------------------------------------------------------------------------------------------
// ------------------------------------------------------------------------------------------------

// ------------------------------------------------------------------------------------------------
// ------------------------------------------------------------------------------------------------
// Sample results
// ------------------------------------------------------------------------------------------------
// -------------------------------------------------------------------------------------------------
<forms protection="None"> on the encrypted autentication ticket:

HttpCookie.Value in Login.aspx.cs:
3A9082793BDB20070131007C0031007C00650073006D006900740068000000201FDD61C448C4010020EF6525D548C4014700750065007300740000002F000000

HttpCookie.Value in Global.asax.cs:
AEDA5C4CD4A36A630100005038B971C448C4010050A07DD3CC48C40100002F000000


// -------------------------------------------------------------------------------------------------
<forms protection="All"> on the encrypted autentication ticket:

HttpCookie.Value in Login.aspx.cs:
26D64226C9FC29FE9BAD4746FA13DC48D3618C282B8E7CAD47F4AF9CBD1BFACDF0907A6123AD1E5224FF2F54D8146F3181F53789950385286F90B4B51AEDFBA1089049525C1F414C57B851683C74F857693F3AAD5131E4EB

HttpCookie.Value in Global.asax.cs:
349FDDC5EAC1F2CBF0BA96DF0BFEF89FEEFB389496B6520039025AD7D34654A915D2C75AE1CA9F2F0DEE49E7020FA8CA50AF32FFF0984D5B


// -------------------------------------------------------------------------------------------------
<forms protection="None"> on "Hello World!":

HttpCookie.Value in Login.aspx.cs:
Hello World!

HttpCookie.Value in Global.asax.cs:
A3A41B382C89D931010000C0495C7EC548C40100C0B120E0CD48C40100002F000000


// -------------------------------------------------------------------------------------------------
<forms protection="All"> on "Hello World!":

HttpCookie.Value in Login.aspx.cs:
Hello World!

HttpCookie.Value in Global.asax.cs:
58DE4EDF9A37E074BEDF2CCD148E642D2363C4C74C80E1BE6AFF5EF502CB50F6A1BD8FD337B8F865ACB63D990C9BA77E514FEB7E89163B78
// -------------------------------------------------------------------------------------------------
// -------------------------------------------------------------------------------------------------
 
A

Alex Kleyman

Are you using FormsAuthentication.RedirectFromLoginPage to redirect the user? If so, don't. It will create it's own authentication cookie with the same name as FormsAuthentication.FormsCookieName, therefore replacing the cookie YOU created. Just use Response.Redirect( FormsAuthentication.GetRedirectUrl( UserName, false ) ) instead

Ale
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

FormsAuthentication Encrypt/Decrypt Problem/Issue 0
FormsAuthentication and Redirection fails 7
strange Formsauthentication behavior 1
Cookie Problems 1
problem with slidingExpiration 4
FormsAuthentication Cookie 2
forms based authentication - ticket not expiring 0
Session times out in less time than I set 9

Members online

Total: 34 (members: 2, guests: 32)
Robots: 436

Forum statistics

Threads
473,768
Messages
2,569,574
Members
45,049
Latest member
Allen00Reed

Latest Threads

Top