strange Formsauthentication behavior

Discussion in 'ASP .Net Security' started by Kevin Yu, Apr 19, 2006.

  1. Kevin Yu

    Kevin Yu Guest

    hi all,

    In FormsAuthentication, the global.asax event
    Application_AuthenticateRequest() should run once before the page
    HttpHandler runs, correct?
    Because the global.asax inherits the HttpModule class, but I am seeing some
    odd behavior when using FormsAuthentication in 2.0.

    On the same level as the login.aspx page, I have a folder called Admin with
    some aspx pages inside. The pages that are on the same level as the login
    page seem to work fine: the Application_AuthenticateRequest() runs once
    before the Page_Load, but when accessing the page inside of the Admin
    folder, the Application_AuthenticateRequest() is fired twice after the
    Page_Load event. Am I missing something here?


    Kevin

    here's the code for login:

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        if (IsAuthenticated(this.txtUserName.Text.Trim(), this.txtPassword.Text.Trim()))
        {
            // Create the authentication ticket
            FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
                1,                              // version
                this.txtUserName.Text.Trim(),   // user name
                DateTime.Now,                   // creation
                DateTime.Now.AddMinutes(60),    // expiration
                false,                          // persistent
                string.Empty);                  // user data

            // Now encrypt the ticket.
            string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

            // Create a cookie and add the encrypted ticket to the cookie as data.
            HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

            // Add the cookie to the outgoing cookies collection.
            Response.Cookies.Add(authCookie);

            // Redirect the user to the originally requested page
            FormsAuthentication.RedirectFromLoginPage(this.txtUserName.Text, false);
        }
        else
        {
            this.lblMsg.Text = "Login failed.";
        }
    }

    and the code in the

    void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        // Extract the forms authentication cookie
        string cookieName = FormsAuthentication.FormsCookieName;
        HttpCookie authCookie = Context.Request.Cookies[cookieName];
        if (null == authCookie)
        {
            // There is no authentication cookie.
            return;
        }

        // FormsAuthenticationModule has already set the identity from the ticket
        string userName = HttpContext.Current.User.Identity.Name;
        if (userName != null && userName != string.Empty)
        {
            // Custom user object that implements the IPrincipal interface
            UserContext user = UserData.GetUserByUserName(userName);
            HttpContext.Current.User = user;
        }
    }
     
    Kevin Yu, Apr 19, 2006
    #1

  2. It runs several times because of the redirects that are done during authentication.

    Use a tool like www.fiddlertool.com to visualize the HTTP traffic.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > hi all,
    >
    > In FormsAuthentication, the global.asax event
    > Application_AuthenticateRequest() should run once before the page
    > HttpHandler runs, correct?
    > Because the global.asax inherits the HttpModule class, but I am seeing
    > some odd behavior when using FormsAuthentication in 2.0.
    > On the same level as the login.aspx page, I have a folder called Admin
    > with some aspx pages inside. The pages that are on the same level as the
    > login page seem to work fine: the Application_AuthenticateRequest() runs
    > once before the Page_Load, but when accessing the page inside of the Admin
    > folder, the Application_AuthenticateRequest() is fired twice after the
    > Page_Load event. Am I missing something here?
    > Kevin
    >
    > here's the code for login:
    >
    > protected void btnLogin_Click(object sender, EventArgs e)
    > {
    >     if (IsAuthenticated(this.txtUserName.Text.Trim(), this.txtPassword.Text.Trim()))
    >     {
    >         // Create the authentication ticket
    >         FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
    >             1,                              // version
    >             this.txtUserName.Text.Trim(),   // user name
    >             DateTime.Now,                   // creation
    >             DateTime.Now.AddMinutes(60),    // expiration
    >             false,                          // persistent
    >             string.Empty);                  // user data
    >
    >         // Now encrypt the ticket.
    >         string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
    >
    >         // Create a cookie and add the encrypted ticket to the cookie as data.
    >         HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
    >
    >         // Add the cookie to the outgoing cookies collection.
    >         Response.Cookies.Add(authCookie);
    >
    >         // Redirect the user to the originally requested page
    >         FormsAuthentication.RedirectFromLoginPage(this.txtUserName.Text, false);
    >     }
    >     else
    >     {
    >         this.lblMsg.Text = "Login failed.";
    >     }
    > }
    >
    > and the code in the
    >
    > void Application_AuthenticateRequest(Object sender, EventArgs e)
    > {
    >     // Extract the forms authentication cookie
    >     string cookieName = FormsAuthentication.FormsCookieName;
    >     HttpCookie authCookie = Context.Request.Cookies[cookieName];
    >     if (null == authCookie)
    >     {
    >         // There is no authentication cookie.
    >         return;
    >     }
    >
    >     string userName = HttpContext.Current.User.Identity.Name;
    >     if (userName != null && userName != string.Empty)
    >     {
    >         // Custom user object that implements the IPrincipal interface
    >         UserContext user = UserData.GetUserByUserName(userName);
    >         HttpContext.Current.User = user;
    >     }
    > }
    >
     
    Dominick Baier [DevelopMentor], Apr 21, 2006
    #2
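As an added example (not code from either poster), the two handlers from the question rewritten so that the behaviour Dominick describes is visible in the page trace and so that the principal swap is safe. Each redirect (the login POST, then the GET of the originally requested page) is a separate HTTP request, and Application_AuthenticateRequest runs once per request, so the trace line below shows which URL each run belongs to. The login handler also issues one cookie instead of two: in the original, the hand-built ticket is written to the response and then RedirectFromLoginPage writes its own cookie on top. The AuthenticateRequest handler relies on FormsAuthenticationModule (which runs before global.asax) having already validated the ticket, checks for a FormsIdentity rather than trusting any non-empty name, and signs the request out when the ticket names a user the store no longer knows, so Context.User is never left null. UserContext, UserData.GetUserByUserName and IsAuthenticated are the original poster's own types and methods and are assumed here (UserContext implementing IPrincipal, GetUserByUserName returning null for an unknown name); the Membership.ValidateUser call is a stand-in for whatever IsAuthenticated does.

```csharp
// ---- Login.aspx.cs (class name assumed) ----
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string userName = this.txtUserName.Text.Trim();

        if (!IsAuthenticated(userName, this.txtPassword.Text.Trim()))
        {
            this.lblMsg.Text = "Login failed.";
            return;
        }

        // One ticket, one cookie. Building the ticket by hand and then calling
        // RedirectFromLoginPage (as in the post) writes the cookie twice; when the
        // ticket is built manually, redirect with GetRedirectUrl instead.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(60),
            false, string.Empty, FormsAuthentication.FormsCookiePath);

        HttpCookie authCookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        authCookie.HttpOnly = true;                          // keep script away from the ticket
        authCookie.Secure = FormsAuthentication.RequireSSL;  // honour requireSSL from web.config
        authCookie.Path = FormsAuthentication.FormsCookiePath;
        Response.Cookies.Add(authCookie);

        // The redirect is a new request, so AuthenticateRequest runs again for it.
        Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false), true);
    }

    // Stand-in for the poster's own credential check (assumed to exist).
    private bool IsAuthenticated(string userName, string password)
    {
        return Membership.ValidateUser(userName, password);
    }
}

// ---- Global.asax.cs ----
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Record which request triggered this run; with page tracing enabled the
        // login POST and the redirected GET each show up as their own line.
        Context.Trace.Write("Auth", "AuthenticateRequest for " + Context.Request.RawUrl);

        // FormsAuthenticationModule has already decrypted and validated the cookie.
        // If it did not produce an authenticated FormsIdentity, the request is
        // anonymous (no cookie, expired or tampered ticket) and nothing is swapped in.
        FormsIdentity identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            return;
        }

        // Poster's own lookup (assumed): null when the account no longer exists.
        UserContext user = UserData.GetUserByUserName(identity.Name);
        if (user == null)
        {
            // Valid ticket for an unknown user (deleted or renamed since login):
            // clear the cookie and leave an anonymous principal in place rather
            // than assigning null to Context.User.
            Context.Trace.Warn("Auth", "ticket names unknown user " + identity.Name);
            FormsAuthentication.SignOut();
            Context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
            return;
        }

        Context.User = user;   // UserContext implements IPrincipal (from the post)
    }
}
```

With `<trace enabled="true" />` in web.config (or `Trace="true"` on the page), the trace output lists one "AuthenticateRequest for ..." line per request, which is the same picture Fiddler gives from the wire: the handler is not running twice for one page, it is running once for each of the requests that make up the login-and-redirect sequence.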