When exactly are you logged in? (Forms authentication)

Discussion in 'ASP .Net Security' started by Lauchlan M, Oct 2, 2003.

  1. Lauchlan M (Guest)

    Hi.

    For forms authentication, the standard way to go would be something like

    <<

    1. Get user name and password

    2. Look it up against database store

    3. Create an authentication ticket

    4. Create an authentication cookie (based on the ticket)

    5. Redirect as required/appropriate

    6. In the Global_AuthenticateRequest event handler, code it something like:

    <<

    // private void Global_AuthenticateRequest(object sender, System.EventArgs e)

    // (if authentication ticket is recovered from a cookie or session variable then:)

    // pipe delimited string of role names.
    string[] roles = authTicket.UserData.Split(new char[]{'|'});

    // Create an Identity object
    FormsIdentity id = new FormsIdentity( authTicket );

    // This principal will flow throughout the request.
    GenericPrincipal principal = new GenericPrincipal(id, roles);

    // Attach the new principal object to the current HttpContext object
    Context.User = principal;

    // (else bounce them back to the login page)

    >>


    >>


    Now, I don't want to use cookies (ie operate cookieless). If I created an
    authentication ticket in my login.aspx, encrypted it (ie to a string) and
    put it in a session variable and caught this session variable, decrypted it
    and recreated the Context.user principal in the
    Global_AuthenticateRequest handler, would it be logged in at that point
    (regardless of the fact that I never created any cookie)?

    Thanks!

    Lauchlan M
     
    Lauchlan M, Oct 2, 2003
    #1
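    On the question of whether the request counts as "logged in" without a cookie: the rest of the request only ever looks at Context.User, so a principal rebuilt from a session-stored ticket works just as one rebuilt from a cookie does. The catch is pipeline order. ASP.NET fires BeginRequest, AuthenticateRequest, AuthorizeRequest, then AcquireRequestState, and Session is only attached at that last step, so it is not readable inside an AuthenticateRequest handler, and the UrlAuthorizationModule has already applied any web.config <authorization> rules before a session-based principal can exist. The Global.asax.cs below is an added example for this thread, not the poster's code and not a Microsoft sample: it does the login-side ticket creation and the request-side recovery in AcquireRequestState, where Session exists. The session key "AuthTicket", the login page location and the Application_ prefix that Global.asax uses for its handlers are assumptions.

```csharp
// Global.asax.cs -- added example for this thread, not the poster's code.
// Assumes login.aspx stored CreateEncryptedTicket(...) under the hypothetical
// session key "AuthTicket", with the ticket's UserData holding a '|'-separated
// role list exactly as in the snippet above.
using System;
using System.Globalization;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    private const string TicketSessionKey = "AuthTicket";   // assumed key name
    private const string LoginPage = "login.aspx";          // assumed, at the app root

    // Login side (call from login.aspx after the database check succeeded):
    // builds the ticket and returns the encrypted string to put into Session.
    // No cookie is created anywhere; the session id is the only client-side token.
    internal static string CreateEncryptedTicket(string userName, string[] roles, int lifetimeMinutes)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(lifetimeMinutes),
            false, string.Join("|", roles));
        return FormsAuthentication.Encrypt(ticket);   // MAC + encrypt per <machineKey>
    }

    // Session is NOT available in AuthenticateRequest (it is attached later, at
    // AcquireRequestState), so the session-stored ticket is rebuilt into a
    // principal here instead.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        if (Context.Session == null)
        {
            return;     // handler without session state; nothing to recover
        }

        string encrypted = Context.Session[TicketSessionKey] as string;
        IPrincipal principal = PrincipalFromEncryptedTicket(encrypted);

        if (principal != null)
        {
            // From here on Request.IsAuthenticated is true and
            // User.IsInRole("admin") works, with no cookie involved.
            Context.User = principal;
            return;
        }

        if (!IsLoginPage(Request.Path, Request.ApplicationPath))
        {
            // Drop a stale or tampered ticket before sending the user to log in.
            Context.Session.Remove(TicketSessionKey);
            Response.Redirect(AppRoot(Request.ApplicationPath) + LoginPage
                + "?ReturnUrl=" + Server.UrlEncode(Request.RawUrl));
        }
    }

    // Turns an encrypted ticket string back into a principal, or returns null
    // when the string is missing, fails MAC validation/decryption, or has expired.
    internal static IPrincipal PrincipalFromEncryptedTicket(string encrypted)
    {
        if (encrypted == null || encrypted.Length == 0)
        {
            return null;
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(encrypted);
        }
        catch (Exception)
        {
            return null;    // corrupted or tampered ticket: treat as anonymous
        }

        if (ticket == null || ticket.Expired)
        {
            return null;    // expiry is checked explicitly; do not rely on Decrypt for it
        }

        string[] roles = ticket.UserData.Split(new char[] { '|' });
        FormsIdentity id = new FormsIdentity(ticket);   // IsAuthenticated is always true
        return new GenericPrincipal(id, roles);
    }

    internal static string AppRoot(string applicationPath)
    {
        return applicationPath.EndsWith("/") ? applicationPath : applicationPath + "/";
    }

    internal static bool IsLoginPage(string path, string applicationPath)
    {
        string loginPath = AppRoot(applicationPath) + LoginPage;
        return string.Compare(path, loginPath, true, CultureInfo.InvariantCulture) == 0;
    }
}
```

    Because the principal only exists from AcquireRequestState on, web.config <authorization> rules cannot be used to protect pages in this setup; any per-directory check has to be done by hand in the same handler, which is what the later plan in this thread does.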

  2. You can't use FormsAuthentication without cookie.
    What you can do is to create your own Authentication
    module, read this site:

    http://support.microsoft.com/default.aspx?scid=kb;en-us%3B318786

    /Fredrik Normén NSQUARED2
    http://www.nsquared2.net


    >-----Original Message-----
    >Hi.
    >
    >For forms authentication, the standard way to go would be something like
    >
    ><<
    >
    >1. Get user name and password
    >
    >2. Look it up against database store
    >
    >3. Create an authentication ticket
    >
    >4. Create an authentication cookie (based on the ticket)
    >
    >5. Redirect as required/appropriate
    >
    >6. In the Global_AuthenticateRequest event handler, code it something like:
    >
    ><<
    >
    > // private void Global_AuthenticateRequest(object sender, System.EventArgs e)
    >
    > // (if authentication ticket is recovered from a cookie or session variable then:)
    >
    > // pipe delimited string of role names.
    > string[] roles = authTicket.UserData.Split(new char[]{'|'});
    >
    > // Create an Identity object
    > FormsIdentity id = new FormsIdentity( authTicket );
    >
    > // This principal will flow throughout the request.
    > GenericPrincipal principal = new GenericPrincipal(id, roles);
    >
    > // Attach the new principal object to the current HttpContext object
    > Context.User = principal;
    >
    > // (else bounce them back to the login page)
    >
    >>>
    >
    >>>
    >
    >Now, I don't want to use cookies (ie operate cookieless). If I created an
    >authentication ticket in my login.aspx, encrypted it (ie to a string) and
    >put it in a session variable and caught this session variable, decrypted it
    >and recreated the Context.user principal in the
    >Global_AuthenticateRequest handler, would it be logged in at that point
    >(regardless of the fact that I never created any cookie)?
    >
    >Thanks!
    >
    >Lauchlan M
     
    Fredrik Normén NSQUARED2, Oct 2, 2003
    #2

  3. Lauchlan M (Guest)

    Hi,

    thanks for the response.

    > You can't use FormsAuthentication without cookie.


    Well, how feeble is that?

    Actually, I think you can, eg using the mobile internet stuff

    http://msdn.microsoft.com/library/d...wconauthenticationoptionsformobiledevices.asp
    and
    http://support.microsoft.com/default.aspx?scid=kb;[LN];Q311568

    It's just that it's not easy, convenient, or a path I want to spend time
    pursuing. For example, using the MobileFormsAuthentication instead of
    FormsAuthentication doesn't let you just redirect with the authentication
    ticket cookie taken care of (passed in the url query string), this is only
    done when using RedirectFromLoginPage.

    > What you can do is to create your own Authentication
    > module, read this site:


    > http://support.microsoft.com/default.aspx?scid=kb;en-us;318786


    Thanks for this. I've looked over it and it looks like too much overhead
    getting my head around another overly-complicated MS approach as a hack for
    getting around their poorly thought out (in this regard) framework. But if
    you have a link on the philosophy/idea behind this so I can make more sense
    of this, I'll put it back in the list of options . . .

    It's reached the point where I've spent too much time trying to fit in to
    MS's authorisation schema, and just need to move ahead.

    So I figure I'll try:

    <<
    (i) blowing away the web.config authorisation and authentication elements

    (ii) In my login.aspx page, creating an "authenticated" session variable,
    and checking for it in the global.asax "Global_AcquireRequestState" handler
    and bouncing people back to Login.aspx if it's not there or not valid

    (iii) when logging in in login.aspx, create another session variable for
    userrole, and in the Global_AcquireRequestState handler, check the path
    explicitly for secure directory names (eg "private", "admin" or whatever I
    call them) and check these manually against the relevant permissions defined
    by the roles and bounce them if they don't meet the criteria.

    At least I'll then implement the security I want, even if I can't manage to
    do it Microsoft's way. The 'cost' would be two session variables per user -
    "authenticated" and "role".
    >>


    If you see any problems with this approach, please let me know . . .

    Lauchlan M
     
    Lauchlan M, Oct 2, 2003
    #3
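    The plan in (i) to (iii), written out as an added Global.asax.cs example for this thread (not the poster's code). The session keys "authenticated" and "role" are the poster's; the directory-to-role map, the login page location and the Application_ prefix that Global.asax uses for its handlers are assumptions. Two things are built in that a bare "does the path contain 'admin'" test would miss: directory names are compared per path segment and case-insensitively, because Windows serves /Admin/ and /admin/ alike and a prefix test would let /administration/ match /admin/; and a logged-in user with the wrong role gets a 403 rather than a redirect, so a wrong-role request cannot loop through the login page. One limit to keep in mind with the web.config elements removed: this handler is the only gate, and it runs only for extensions mapped to aspnet_isapi.dll, so a .html or .pdf placed under /private/ is served by IIS without ever reaching it.

```csharp
// Global.asax.cs -- added example for this thread, not the poster's code.
// Session keys "authenticated" and "role" are the poster's; the protected
// directory map and the login page location are assumptions.
using System;
using System.Collections;
using System.Globalization;
using System.Web;
using System.Web.SessionState;

public class Global : HttpApplication
{
    private const string LoginPage = "login.aspx";   // assumed, at the app root

    // Protected directory name (lower case) -> roles allowed inside it.
    // Anything not listed here is open to every authenticated user.
    private static readonly Hashtable ProtectedDirs = BuildProtectedDirs();

    private static Hashtable BuildProtectedDirs()
    {
        Hashtable t = new Hashtable();
        t["private"] = new string[] { "member", "admin" };
        t["admin"] = new string[] { "admin" };
        return t;
    }

    // Login side: call from login.aspx after the credentials check succeeded.
    internal static void MarkLoggedIn(HttpSessionState session, string role)
    {
        session["authenticated"] = true;
        session["role"] = role;
    }

    // Logout: Abandon() discards the whole session, so the session id that has
    // been acting as the credential cannot be reused afterwards.
    internal static void Logout(HttpSessionState session)
    {
        session.Abandon();
    }

    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        if (Context.Session == null)
        {
            return;   // handler without session state; nothing to check
        }

        string relPath = AppRelativePath(Request.Path, Request.ApplicationPath);
        if (string.Compare(relPath, "/" + LoginPage, true, CultureInfo.InvariantCulture) == 0)
        {
            return;   // never bounce the login page to itself
        }

        object flag = Context.Session["authenticated"];
        bool authenticated = (flag is bool) && (bool)flag;
        if (!authenticated)
        {
            Response.Redirect(Request.ApplicationPath.TrimEnd(new char[] { '/' }) + "/" + LoginPage
                + "?ReturnUrl=" + Server.UrlEncode(Request.RawUrl));
            return;
        }

        string role = Context.Session["role"] as string;
        if (!IsAllowed(relPath, role))
        {
            // Logged in but not entitled: a 403 is clearer than a login loop.
            Response.StatusCode = 403;
            Response.End();
        }
    }

    // Strips the virtual directory so the check does not depend on where the
    // application is deployed: "/myapp/Admin/x.aspx" -> "/Admin/x.aspx".
    internal static string AppRelativePath(string path, string applicationPath)
    {
        if (applicationPath == null || applicationPath == "/")
        {
            return path;
        }
        if (path.Length >= applicationPath.Length &&
            string.Compare(path, 0, applicationPath, 0, applicationPath.Length,
                           true, CultureInfo.InvariantCulture) == 0)
        {
            return path.Substring(applicationPath.Length);
        }
        return path;
    }

    // Walks every directory segment, compared whole and case-insensitively:
    // "/ADMIN/reports/x.aspx" is caught, "/administration/x.aspx" is not
    // mistaken for "/admin/". Both separators are split on because the Windows
    // file system accepts either.
    internal static bool IsAllowed(string appRelativePath, string role)
    {
        string[] segments = appRelativePath.Split(new char[] { '/', '\\' });
        string roleLower = role == null ? null : role.ToLower(CultureInfo.InvariantCulture);
        // The last segment is the file (or empty for a directory URL), so skip it.
        for (int i = 0; i < segments.Length - 1; i++)
        {
            string dir = segments[i].ToLower(CultureInfo.InvariantCulture);
            string[] allowed = (string[])ProtectedDirs[dir];
            if (allowed == null)
            {
                continue;   // unprotected directory
            }
            if (roleLower == null || Array.IndexOf(allowed, roleLower) < 0)
            {
                return false;
            }
        }
        return true;
    }
}
```

    Since the session id now carries the whole login, it deserves the treatment a Forms authentication cookie would get: serve the site over HTTPS so it is not readable on the wire, and keep the sessionState timeout short so an abandoned browser does not stay logged in for long.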
