Trying to figure out forms authentication

Randall Parker

Some questions on forms authentication:

1) Can one do one's own checking of username and password and totally bypass calling
FormsAuthentication.Authenticate?

2) does the "new FormsAuthenticationTicket" create a cookie?

3) Can one send the cookie back to the browser just by doing the new call on the
FormsAuthenticationTicket?

4) Does a session object contain nothing more than what is in the browser cookie?

5) Does the session object get created fresh from every forms submit using the
browser's cookie that ASP.Net requests from the browser on every page submit?

http://msdn.microsoft.com/library/d.../html/cpconformsauthenticationcredentials.asp

void SubmitBtn_Click(Object Source, EventArgs e)
{
    // Pull credentials from form fields and try to authenticate.
    if (FormsAuthentication.Authenticate(UserName.Value, UserPassword.Value))
    {
        FormsAuthenticationTicket ticket =
            new FormsAuthenticationTicket(UserName.Value, false, 5000);

        FormsAuthentication.RedirectFromLoginPage(UserName.Value, Persist.Checked);
    }
}
 
Guest

Hi Dear Randall Parker

1) Can one do one's own checking of username and password and totally bypass calling FormsAuthentication.Authenticate?

Yes, you can. You will be using FormsAuthentication.Authenticate only
when you are giving the user information like name & password in web.config.
For example:
<authentication mode="Forms">
  <forms loginUrl="login.aspx">
    <credentials passwordFormat="SHA1">
      <user name="Venkat" password="venkat_password / my_hashed_password" />
      <user name="Randall" password="your password / your_hashed_password" />
    </credentials>
  </forms>
</authentication>

<authorization>
  <deny users="?" />
</authorization>

In the above case you will be using
FormsAuthentication.RedirectFromLoginPage(usernametextBox.Text, false)

Note: the second parameter will be normally false but it can take true or
false depending on the user's choice like if the user is browsing from the
browsing center, it is not advisable to use "True" , since it creates a
cookie and anybody can take advantage of it.

Otherwise you can retrieve both user_name & password from the database and
match with the user-entered values and authenticate, and finally redirect him
to the relevant page using Response.Redirect.

2) does the "new FormsAuthenticationTicket" create a cookie?

Provides a means of creating and reading the values of a forms
authentication cookie (containing an authentication ticket) as used by
FormsAuthenticationModule.

http://msdn.microsoft.com/library/d...curityformsauthenticationticketclasstopic.asp

3) Can one send the cookie back to the browser just by doing the new call on the
FormsAuthenticationTicket?

It has a set of read-only properties of an authentication cookie.

http://dotnet.org.za/thea/archive/2004/07/27/3010.aspx
http://blogs.msdn.com/tmeston/archive/2003/07/24/10505.aspx

4) Does a session object contain nothing more than what is in the browser cookie?

ASP.NET gives you a better way (compared to other types of storing session
state) to store state for each user on the server with the Session object.

You can store data in the Session object, and it will be available from hit
to hit for the same Web browser. Sessions expire after 20 minutes of
inactivity by default, although you can change this behavior, as we'll show
shortly.



5) Does the session object get created fresh from every forms submit using the
browser's cookie that ASP.Net requests from the browser on every page submit?


Every time a new browser hits your ASP.NET application, a new Session object
is created for that Web browser.

A new session is created once for each new browser that hits your ASP.NET
Web site. If a user stops hitting your Web site, his Session will time out
after 20 minutes of inactivity, by default.

Bye
Venkat_KL
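
Questions 1 to 3 in this thread, as an added example that is not part of either post: a custom password check followed by issuing the forms authentication cookie by hand. `LoginHelper`, its method names, the salted PBKDF2 storage scheme and the 30-minute lifetime are assumptions, and the code targets .NET Framework 4 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Added example: LoginHelper and its members are hypothetical names.
public static class LoginHelper
{
    // Own credential check, no FormsAuthentication.Authenticate involved.
    // Assumes the user store keeps a per-user salt and a 20-byte PBKDF2 hash.
    public static bool VerifyPassword(string password, byte[] salt, byte[] storedHash)
    {
        byte[] candidate;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000))
        {
            candidate = kdf.GetBytes(20);
        }
        // Compare without an early exit so timing does not reveal the mismatch position.
        int diff = candidate.Length ^ storedHash.Length;
        for (int i = 0; i < candidate.Length && i < storedHash.Length; i++)
        {
            diff |= candidate[i] ^ storedHash[i];
        }
        return diff == 0;
    }

    public static void IssueAuthCookie(HttpResponse response, string userName, bool persistent)
    {
        // Constructing the ticket only builds an object in memory; no cookie exists yet.
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            persistent, string.Empty, FormsAuthentication.FormsCookiePath);

        // The ticket reaches the browser only once it is encrypted and added as a cookie.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                          // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // follows <forms requireSSL="...">
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (persistent)
        {
            cookie.Expires = ticket.Expiration;          // otherwise a browser-session cookie
        }
        response.Cookies.Add(cookie);
    }
}
```

After `IssueAuthCookie`, the login page can send the user on with `Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, persistent))`.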
 
