Guest
Hello, friends,
I am implementing role-based authentication (Forms authentication) for our
web app using .NET 1.1. I read the paper:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT04.asp
However, what I could not understand was this: after adding a new cookie with
the user's roles,
    // authTicketWithRoleInfo is a FormsAuthenticationTicket whose UserData
    // holds the user's roles (built earlier, not shown)
    string encryptedTicket = FormsAuthentication.Encrypt(authTicketWithRoleInfo);
    HttpCookie authCookie =
        new HttpCookie(FormsAuthentication.FormsCookieName,
                       encryptedTicket);
    Response.Cookies.Add(authCookie);
    Response.Redirect( FormsAuthentication.GetRedirectUrl(
                           txtUserName.Text,
                           false ));
why should one still "Construct GenericPrincipal and FormsIdentity Objects"
in Application_AuthenticateRequest(), like the following?
    // read the ticket cookie back on each request; nothing to do if absent
    HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
    if (authCookie == null) return;
    FormsAuthenticationTicket authTicket =
        FormsAuthentication.Decrypt(authCookie.Value);
    string[] roles = authTicket.UserData.Split(new char[]{'|'});
    FormsIdentity id = new FormsIdentity( authTicket );
    GenericPrincipal principal = new GenericPrincipal(id, roles);
    Context.User = principal;
I thought Response.Cookies.Add(authCookie) already included all the info for IIS
to check. Can we skip the above source code in
Application_AuthenticateRequest()? Why?
Thanks a lot for your help.
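The two halves of the flow the question asks about, as an added example (this is not code from the MSDN how-to or from the poster). The point it illustrates: in ASP.NET 1.1 the built-in FormsAuthenticationModule decrypts the cookie and sets Context.User to a GenericPrincipal wrapping a FormsIdentity, but with an empty role list; UserData is opaque to it. So User.IsInRole("Admin") and <allow roles="Admin"/> only work if your Application_AuthenticateRequest handler replaces that principal with one built from the roles you packed into UserData. The RoleTicketHelper class, its in-memory role table, and the 30-minute ticket lifetime are assumptions made for the example.

```csharp
using System;
using System.Collections;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper used by both the login page and Global.asax.
public class RoleTicketHelper
{
    // Constructed sample role store for this example; a real app looks the
    // roles up in its database or directory after verifying the password.
    private static readonly Hashtable RoleStore = new Hashtable();

    static RoleTicketHelper()
    {
        RoleStore["alice"] = new string[] { "Admin", "Editor" };
        RoleStore["bob"]   = new string[] { "Editor" };
    }

    // Login side: called after credentials have been verified. Packs the
    // roles into UserData and writes the encrypted ticket as the auth cookie.
    public static void IssueTicket(HttpResponse response, string userName, bool persistent)
    {
        string[] roles = (string[]) RoleStore[userName];
        if (roles == null) roles = new string[0];

        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                  // ticket version
            userName,
            DateTime.Now,                       // issue time
            DateTime.Now.AddMinutes(30),        // assumed 30-minute lifetime
            persistent,
            String.Join("|", roles),            // roles travel in UserData
            FormsAuthentication.FormsCookiePath);

        // With <forms protection="All"/> (the default) Encrypt() both encrypts
        // and MACs the ticket, so a client cannot edit UserData to add roles.
        string encrypted = FormsAuthentication.Encrypt(ticket);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Request side: rebuilds a principal that carries the roles. Returns null
    // when there is no usable ticket, so the caller leaves the request anonymous.
    public static IPrincipal BuildPrincipal(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || cookie.Value == null || cookie.Value.Length == 0)
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return null;    // tampered or undecryptable cookie: treat as anonymous
        }
        if (ticket == null || ticket.Expired)
            return null;

        string[] roles = ticket.UserData.Length == 0
            ? new string[0]
            : ticket.UserData.Split(new char[] { '|' });

        // FormsIdentity keeps the ticket; GenericPrincipal adds the roles that
        // FormsAuthenticationModule's own principal lacks.
        return new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}

// Global.asax.cs: runs after FormsAuthenticationModule has set a role-less
// principal, and swaps in the one built from UserData.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal principal = RoleTicketHelper.BuildPrincipal(Request);
        if (principal != null)
            Context.User = principal;   // now User.IsInRole("Admin") is meaningful
    }
}
```

On the login page the call is RoleTicketHelper.IssueTicket(Response, txtUserName.Text, false) followed by the same Response.Redirect(FormsAuthentication.GetRedirectUrl(...)) shown above. Note that the handler deliberately leaves Context.User alone when the ticket is missing, expired or fails to decrypt: the module has already treated the request as anonymous, and throwing the roles away is the safe default.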