Role Manager Cookies

Discussion in 'ASP .Net Security' started by Chuck, Sep 21, 2009.

  1. Chuck

    Chuck Guest

    When using Forms Authentication the cookie's value contains an authentication
    ticket and the ticket has a timeout.
    When using Role Manager, does the roles cookie have a ticket and a timeout
    too?
    If so, when and where does it get the value?

    Thanks,
    Chuck, Sep 21, 2009
    #1

  2. Hi,

    > When using Forms Authentication the cookie's value contains an authentication
    > ticket and the ticket has a timeout.
    > When using Role Manager, does the roles cookie have a ticket and a timeout
    > too?
    > If so, when and where does it get the value?
    >
    > Thanks,



    It depends on the provider of Role Manager. If you're using
    SqlRoleProvider, when you call a Roles API such as Roles.IsUserInRole(string
    username, string rolename), the IsUserInRole(string username, string
    rolename) method of the SqlRoleProvider will be called, which queries the
    database to check if the user is in the role. In the IsUserInRole(string
    username, string rolename) method, a stored procedure will be called, see
    below:

    public override bool IsUserInRole(string username, string roleName)
    {
        SecUtility.CheckParameter(ref roleName, true, true, true, 0x100, "roleName");
        SecUtility.CheckParameter(ref username, true, false, true, 0x100, "username");
        if (username.Length < 1)
        {
            return false;
        }
        try
        {
            SqlConnectionHolder connection = null;
            try
            {
                connection = SqlConnectionHelper.GetConnection(this._sqlConnectionString, true);
                this.CheckSchemaVersion(connection.Connection);
                // The membership check is delegated to a stored procedure; the answer
                // comes back in the procedure's return value, not in a result set.
                SqlCommand cmd = new SqlCommand("dbo.aspnet_UsersInRoles_IsUserInRole", connection.Connection);
                cmd.CommandType = CommandType.StoredProcedure;
                cmd.CommandTimeout = this.CommandTimeout;
                SqlParameter parameter = new SqlParameter("@ReturnValue", SqlDbType.Int);
                parameter.Direction = ParameterDirection.ReturnValue;
                cmd.Parameters.Add(parameter);
                cmd.Parameters.Add(this.CreateInputParam("@ApplicationName", SqlDbType.NVarChar, this.ApplicationName));
                cmd.Parameters.Add(this.CreateInputParam("@UserName", SqlDbType.NVarChar, username));
                cmd.Parameters.Add(this.CreateInputParam("@RoleName", SqlDbType.NVarChar, roleName));
                cmd.ExecuteNonQuery();
                switch (this.GetReturnValue(cmd))
                {
                    case 0:
                        return false;   // user is not in the role
                    case 1:
                        return true;    // user is in the role
                    case 2:
                        return false;   // user does not exist
                    case 3:
                        return false;   // role does not exist
                }
                throw new ProviderException(SR.GetString("Provider_unknown_failure"));
            }
            finally
            {
                if (connection != null)
                {
                    connection.Close();
                    connection = null;
                }
            }
        }
        catch
        {
            throw;
        }
    }


    This should address your question "where does it get the value". As to
    "when does it get the value", it depends on when you call the Role Manager
    API. You may call it intentionally or use other APIs that implicitly call
    it.

    Hope the above information is helpful. If you have additional questions please
    don't hesitate to let me know. I'll do my best to follow up.


    Regards,
    Allen Chen
    Microsoft Online Support

    Delighting our customers is our #1 priority. We welcome your comments and
    suggestions about how we can improve the support we provide to you. Please
    feel free to let my manager know what you think of the level of service
    provided. You can send feedback directly to my manager at:
    .

    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

    Note: MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 2 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions. Issues of this
    nature are best handled working with a dedicated Microsoft Support Engineer
    by contacting Microsoft Customer Support Services (CSS) at
    http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
    ==================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Allen Chen [MSFT], Sep 21, 2009
    #2

  3. Chuck

    Chuck Guest

    My understanding was that if you were using the SQL role provider it
    would query the database and then put the roles into a cookie.

    <roleManager cacheRolesInCookie="true">
    </roleManager>

    So when using the Role Manager and cookie caching, does the roles cookie
    have a ticket and a timeout?
    If so, when and where does it get the cookie timeout value?
    Is there a way I can read the roles cookie and see what the timeout is?



    Chuck, Sep 22, 2009
    #3
  4. Hi,

    >So when using the Role Manager and cookie caching, does the roles cookie
    >have a ticket and a time out.
    >If so when and where does it get the cookie timeout value?
    >Is there a way I can read the roles cookie and see what the time out is?


    Thanks for the clarification. The code that sets/gets the roles cookie is
    in the RoleManagerModule class. In its OnEnter() and OnLeave() methods the
    cookie is got/set. OnEnter fires on the PostAuthenticateRequest event of
    HttpApplication and OnLeave fires on the EndRequest event of HttpApplication:

    public void Init(HttpApplication app)
    {
        if (Roles.Enabled)
        {
            app.PostAuthenticateRequest += new EventHandler(this.OnEnter);
            app.EndRequest += new EventHandler(this.OnLeave);
        }
    }


    To get the roles cookie, you can try:

    HttpCookie cookie = context.Request.Cookies[Roles.CookieName];

    private void OnLeave(object source, EventArgs eventArgs)
    {
        HttpApplication application = (HttpApplication) source;
        HttpContext context = application.Context;
        if (((Roles.Enabled && Roles.CacheRolesInCookie) && !context.Response.HeadersWritten) &&
            (((context.User != null) && (context.User is RolePrincipal)) && context.User.Identity.IsAuthenticated))
        {
            if (Roles.CookieRequireSSL && !context.Request.IsSecureConnection)
            {
                if (context.Request.Cookies[Roles.CookieName] != null)
                {
                    Roles.DeleteCookie();
                }
            }
            else
            {
                RolePrincipal user = (RolePrincipal) context.User;
                if (user.CachedListChanged && context.Request.Browser.Cookies)
                {
                    string str = user.ToEncryptedTicket();
                    if (string.IsNullOrEmpty(str) || (str.Length > 0x1000))
                    {
                        Roles.DeleteCookie();
                    }
                    else
                    {
                        HttpCookie cookie = new HttpCookie(Roles.CookieName, str);
                        cookie.HttpOnly = true;
                        cookie.Path = Roles.CookiePath;
                        cookie.Domain = Roles.Domain;
                        if (Roles.CreatePersistentCookie)
                        {
                            cookie.Expires = user.ExpireDate;
                        }
                        cookie.Secure = Roles.CookieRequireSSL;
                        context.Response.Cookies.Add(cookie);
                    }
                }
            }
        }
    }



    But to read the detailed information of the cookie you can simply try this:

    RolePrincipal rp = (RolePrincipal)HttpContext.Current.User;
    rp.
    Allen Chen [MSFT], Sep 22, 2009
    #4
  5. Hi,

    >So when using the Role Manager and cookie caching, does the roles cookie
    >have a ticket and a time out.
    >If so when and where does it get the cookie timeout value?
    >Is there a way I can read the roles cookie and see what the time out is?


    <Sorry, I posted an incomplete post by mistake.>

    Thanks for the clarification. Yes, it has a timeout and a cookie. The code that
    sets/gets the roles cookie is
    in the RoleManagerModule class. In its OnEnter() and OnLeave() methods the
    cookie is got/set. OnEnter fires on the PostAuthenticateRequest event of
    HttpApplication and OnLeave fires on the EndRequest event of HttpApplication:

    public void Init(HttpApplication app)
    {
        if (Roles.Enabled)
        {
            app.PostAuthenticateRequest += new EventHandler(this.OnEnter);
            app.EndRequest += new EventHandler(this.OnLeave);
        }
    }


    To get the roles cookie, you can try:

    HttpCookie cookie = context.Request.Cookies[Roles.CookieName];


    But to read the detailed information of the cookie you can simply try the
    following code, because the data in the roles cookie will be decoded and
    assigned to the RolePrincipal:

    RolePrincipal rp = (RolePrincipal)HttpContext.Current.User;
    // rp.ExpireDate holds the timeout decoded from the roles cookie

    If you have interest, you can view the source code for more details:

    private void OnEnter(object source, EventArgs eventArgs)
    {
        if (!Roles.Enabled)
        {
            if (HttpRuntime.UseIntegratedPipeline)
            {
                ((HttpApplication) source).Context.DisableNotifications(RequestNotification.EndRequest, 0);
            }
        }
        else
        {
            HttpApplication application = (HttpApplication) source;
            HttpContext context = application.Context;
            if (this._eventHandler != null)
            {
                // A GetRoles event handler may populate the roles itself, in which
                // case the cookie is not consulted at all.
                RoleManagerEventArgs e = new RoleManagerEventArgs(context);
                this._eventHandler(this, e);
                if (e.RolesPopulated)
                {
                    return;
                }
            }
            if (Roles.CacheRolesInCookie)
            {
                if (context.User.Identity.IsAuthenticated &&
                    (!Roles.CookieRequireSSL || context.Request.IsSecureConnection))
                {
                    try
                    {
                        HttpCookie cookie = context.Request.Cookies[Roles.CookieName];
                        if (cookie != null)
                        {
                            string encryptedTicket = cookie.Value;
                            if ((encryptedTicket != null) && (encryptedTicket.Length > 0x1000))
                            {
                                Roles.DeleteCookie();
                            }
                            else
                            {
                                if (!string.IsNullOrEmpty(Roles.CookiePath) && (Roles.CookiePath != "/"))
                                {
                                    cookie.Path = Roles.CookiePath;
                                }
                                cookie.Domain = Roles.Domain;
                                // The encrypted ticket (roles, issue date, expire date) is
                                // decoded into the RolePrincipal here.
                                context.User = new RolePrincipal(context.User.Identity, encryptedTicket);
                            }
                        }
                    }
                    catch
                    {
                    }
                }
                else
                {
                    // Not authenticated, or SSL required but not in use: drop the cookie.
                    if (context.Request.Cookies[Roles.CookieName] != null)
                    {
                        Roles.DeleteCookie();
                    }
                    if (HttpRuntime.UseIntegratedPipeline)
                    {
                        context.DisableNotifications(RequestNotification.EndRequest, 0);
                    }
                }
            }
            if (!(context.User is RolePrincipal))
            {
                context.User = new RolePrincipal(context.User.Identity);
            }
            Thread.CurrentPrincipal = context.User;
        }
    }




    private void OnLeave(object source, EventArgs eventArgs)
    {
        HttpApplication application = (HttpApplication) source;
        HttpContext context = application.Context;
        if (((Roles.Enabled && Roles.CacheRolesInCookie) && !context.Response.HeadersWritten) &&
            (((context.User != null) && (context.User is RolePrincipal)) && context.User.Identity.IsAuthenticated))
        {
            if (Roles.CookieRequireSSL && !context.Request.IsSecureConnection)
            {
                if (context.Request.Cookies[Roles.CookieName] != null)
                {
                    Roles.DeleteCookie();
                }
            }
            else
            {
                RolePrincipal user = (RolePrincipal) context.User;
                if (user.CachedListChanged && context.Request.Browser.Cookies)
                {
                    string str = user.ToEncryptedTicket();
                    if (string.IsNullOrEmpty(str) || (str.Length > 0x1000))
                    {
                        Roles.DeleteCookie();
                    }
                    else
                    {
                        HttpCookie cookie = new HttpCookie(Roles.CookieName, str);
                        cookie.HttpOnly = true;
                        cookie.Path = Roles.CookiePath;
                        cookie.Domain = Roles.Domain;
                        if (Roles.CreatePersistentCookie)
                        {
                            cookie.Expires = user.ExpireDate;
                        }
                        cookie.Secure = Roles.CookieRequireSSL;
                        context.Response.Cookies.Add(cookie);
                    }
                }
            }
        }
    }

    Regards,
    Allen Chen
    Microsoft Online Support
    Allen Chen [MSFT], Sep 22, 2009
    #5
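    The reply above shows where the roles cookie is read (OnEnter) and written (OnLeave) but not how to inspect the decoded ticket from application code. The following HttpModule is an added example, not code from the thread or from the ASP.NET framework. It assumes a web.config with `<roleManager enabled="true" cacheRolesInCookie="true">`, whose `cookieTimeout` attribute (exposed as `Roles.CookieTimeout`, in minutes) is the value that RolePrincipal uses to compute `ExpireDate` when the ticket is issued. The module name `RoleCookieAuditModule` and the helper `InvalidateCachedRoles` are hypothetical names chosen for this example.

```csharp
// Added example (not from the thread): inspect the decoded roles cookie through
// RolePrincipal and force the cookie to be re-issued after a role change.
//
// Assumed web.config (attribute names are the real <roleManager> attributes):
//   <roleManager enabled="true" cacheRolesInCookie="true" cookieTimeout="30"
//                cookieRequireSSL="true" cookieProtection="All"
//                cookieSlidingExpiration="true" createPersistentCookie="false" />
using System;
using System.Web;
using System.Web.Security;

public class RoleCookieAuditModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // RoleManagerModule builds the RolePrincipal at PostAuthenticateRequest,
        // so by PostAuthorizeRequest context.User already carries the decoded ticket.
        app.PostAuthorizeRequest += OnPostAuthorizeRequest;
    }

    private static void OnPostAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        RolePrincipal rp = context.User as RolePrincipal;
        if (rp == null || !rp.Identity.IsAuthenticated)
        {
            return;
        }

        // The ticket's timestamps are plain properties once the cookie is decrypted;
        // IssueDate + Roles.CookieTimeout (minutes) is what produced ExpireDate.
        string summary = string.Format(
            "user={0} roleListCached={1} issued={2:u} expires={3:u} expired={4} changed={5} timeoutMinutes={6}",
            rp.Identity.Name, rp.IsRoleListCached, rp.IssueDate, rp.ExpireDate,
            rp.Expired, rp.CachedListChanged, Roles.CookieTimeout);
        context.Trace.Write("RoleCookie", summary);

        // Configuration review aid: OnLeave only sets cookie.Secure from
        // Roles.CookieRequireSSL, so a cached-roles cookie without it travels over HTTP.
        if (Roles.CacheRolesInCookie && !Roles.CookieRequireSSL)
        {
            context.Trace.Warn("RoleCookie",
                "roles cookie is issued without the Secure flag; set cookieRequireSSL=\"true\"");
        }
    }

    // Call this after changing a user's role membership in the same request.
    // SetDirty() marks CachedListChanged, so OnLeave at EndRequest re-issues the
    // cookie instead of the browser keeping the stale role list until ExpireDate.
    public static void InvalidateCachedRoles(HttpContext context)
    {
        RolePrincipal rp = context.User as RolePrincipal;
        if (rp != null)
        {
            rp.SetDirty();
        }
    }

    public void Dispose()
    {
    }
}
```

    Register the module in web.config (under `<system.webServer><modules>` for the integrated pipeline, or `<system.web><httpModules>` for classic mode) and enable tracing to see the summary line per request. The point of the `InvalidateCachedRoles` helper is that removing a user from a role in the provider does not touch the cookie on its own; until the ticket expires, `IsInRole` on that user keeps answering from the cached list, which is the usual reason to keep `cookieTimeout` short or to call `SetDirty()` when membership changes.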
  6. Hi,

    >quote from
    >So when using the Role Manager and cookie caching, does the roles cookie
    >have a ticket and a time out.
    >If so when and where does it get the cookie timeout value?
    >Is there a way I can read the roles cookie and see what the time out is?


    Do you have additional questions?

    Regards,
    Allen Chen
    Microsoft Online Support
    Allen Chen [MSFT], Sep 29, 2009
    #6
