Cookieless Forms Authentication and Roles



Mark Olbert

I'm building an ASPNET2 website which uses forms authentication but does not use the Microsoft-supplied membership providers (mostly
because I don't want to create my own provider at this point, and the supplied stuff comes with a lot of baggage I don't want/need).

In ASPNET1.1 what I would do was something like the following, after authenticating the user on the login form:

// Issue the standard forms-authentication ticket for this user (non-persistent).
FormsAuthentication.SetAuthCookie(userInfo.UserID, false);

// Build a second ticket whose UserData field carries the role; version 1, issued now,
// expires in 30 minutes, not persistent.
FormsAuthenticationTicket theTicket = new FormsAuthenticationTicket(1, userInfo.UserID, DateTime.Now, DateTime.Now.AddMinutes(30),
    false, role);

// Encrypt (and, with protection="All", sign) the ticket so the client cannot edit the role.
string encryptedTicket = FormsAuthentication.Encrypt(theTicket);

// Send it to the browser in a separate "role" cookie.
HttpCookie cookie = new HttpCookie("role", encryptedTicket);
Response.Cookies.Add(cookie);

Then, in Global.asax I would do something like this:

void Application_AuthenticateRequest( Object sender, EventArgs e )
{
    HttpApplication theApp = (HttpApplication) sender;

    // FormsAuthenticationModule has already run, so User.Identity is the FormsIdentity.
    if (theApp.Request.IsAuthenticated && theApp.User.Identity is FormsIdentity)
    {
        FormsIdentity theIdentity = (FormsIdentity) theApp.User.Identity;

        // The role cookie may be missing (expired, deleted, or never set); don't dereference null.
        HttpCookie cookie = theApp.Request.Cookies["role"];
        if (cookie == null || String.IsNullOrEmpty(cookie.Value))
            return;

        // Decrypt() verifies the ticket and returns null if it has been tampered with.
        FormsAuthenticationTicket theTicket = FormsAuthentication.Decrypt(cookie.Value);
        if (theTicket == null || theTicket.Expired)
            return;

        // Replace the principal with one that carries the role from the ticket's UserData.
        theApp.Context.User = new GenericPrincipal(theIdentity, new string[] { theTicket.UserData });
    }
}

Under ASPNET2 with the new cookieless alternative, what will happen when I use code like this? It looks like
FormsAuthentication.SetAuthCookie() doesn't actually create a cookie in that case -- it mangles the URL to add a session ID
(actually, that behavior is just like ASPNET 1.1...although the session ID looks longer).

But what about the Response.Cookies.Add() call? Does that actually add a cookie when in cookieless mode? I can't tell if it's adding
cookies because Internet Explorer doesn't let me manage (i.e., prompt on) cookies coming from the local intranet zone or my
development machine (I'm using the builtin web server in VSNET 2005).

If cookies are in fact being created, I need to find a way to cache the role data on the server. I thought about putting it in the
Session object, but Session isn't available inside Application_AuthenticateRequest().

However, the Cache is...and it would make sense to store the encrypted role ticket in the Cache using the session ID. Only I can't
figure out where the session ID is accessible after the call to FormsAuthentication.SetAuthCookie().

Suggestions welcome!

- Mark
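An added example, not code from either post in this thread, showing the approach the two posts circle around: carry the role inside the forms-authentication ticket's own UserData instead of a second "role" cookie, so the role travels with whatever transport ASP.NET uses for the ticket and nothing has to be cached by session ID. It assumes ASP.NET 2.0 running with cookies enabled (the public 2.0 FormsAuthentication API gives no way to push a ticket containing UserData into a cookieless URL), a hypothetical fixed role list `KnownRoles`, and that the login page has already verified the password before calling `Issue`. One caveat worth stating plainly: in cookieless mode the same ticket, role included, is appended to every URL, so it ends up in browser history, Referer headers and proxy and server logs.

```csharp
// Added example (not from the thread). Role lives in the forms ticket's UserData.
// Assumes <forms cookieless="UseCookies" protection="All"> in web.config and a
// hypothetical application-defined role list (KnownRoles).
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class RoleTicket
{
    // Roles the application knows about; anything else found in a ticket is rejected.
    private static readonly string[] KnownRoles = { "Admin", "Editor", "Reader" };

    // Login page: after the password has been verified, issue ONE ticket that
    // names the user and carries the role in UserData. No second cookie needed.
    public static void Issue(HttpResponse response, string userId, string role)
    {
        if (Array.IndexOf(KnownRoles, role) < 0)
            throw new ArgumentException("unknown role", "role");

        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                            // version
            userId,                       // name
            DateTime.Now,                 // issue time
            DateTime.Now.AddMinutes(30),  // expiry, re-checked on every request below
            false,                        // not persistent
            role);                        // userData: the role, protected by machineKey

        // Encrypt() also signs the ticket under protection="All", so the browser
        // cannot change the role without invalidating the ticket.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.HttpOnly = true;                          // keep it away from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // honour <forms requireSSL="true">
        cookie.Path = FormsAuthentication.FormsCookiePath;
        response.Cookies.Add(cookie);
    }

    // Global.asax Application_AuthenticateRequest: FormsAuthenticationModule has
    // already decrypted and validated the ticket, so read the role back from it.
    public static void Attach(HttpContext context)
    {
        FormsIdentity identity = context.User != null
            ? context.User.Identity as FormsIdentity
            : null;
        if (identity == null || !context.Request.IsAuthenticated)
            return;

        FormsAuthenticationTicket ticket = identity.Ticket;
        string role = ticket.UserData;

        // Defensive checks: an expired ticket or an unrecognised role gets no roles.
        if (ticket.Expired || Array.IndexOf(KnownRoles, role) < 0)
        {
            context.User = new GenericPrincipal(identity, new string[0]);
            return;
        }

        context.User = new GenericPrincipal(identity, new string[] { role });
    }
}
```

Wire it up with `RoleTicket.Issue(Response, userInfo.UserID, role)` in the login page and `RoleTicket.Attach(((HttpApplication)sender).Context)` inside Application_AuthenticateRequest. Because the role is read from `FormsIdentity.Ticket`, the same handler works unchanged whether the module found the ticket in a cookie or in the URL; only issuing a ticket with UserData is tied to cookies here.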
Steven Cheng[MSFT]

Hi Mark,

For a web-based application such as ASP.NET, there is limited storage for
persisting status info between the client and server side; the cookie is the most
common one, so generally sessionState, Forms-based authentication's ticket
... are all stored in a cookie by default. When cookies are not allowed, the URL
string is the only alternative. There is no other place which can help
store info (specific to a certain client/browser) and can be accessed by the
server .....

Also, as for Response.Cookies.Add(cookie), it always adds the value into
the ASP.NET response's cookie collection (Forms Authentication's or Session's
cookieless setting won't affect it). Also, whether the Response.Cookies
collection's new values will be persisted at the client depends on the
client-side browser's settings (whether the browser supports cookies, whether the user allows
cookies....)

For general ASP.NET application user state management approaches, here is an
MSDN article that mentions some common approaches:

#Nine Options for Managing Persistent User State in Your ASP.NET Application
http://msdn.microsoft.com/msdnmag/issues/03/04/aspnetuserstate/default.aspx

However, if we need some info persisted at the client side and associated with
some server-side resources/data, a cookie or the URL string will be the only
approaches we have so far....

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)



--------------------
| NNTP-Posting-Date: Sat, 24 Dec 2005 15:49:08 -0600
| From: Mark Olbert <[email protected]>
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| Subject: Cookieless Forms Authentication and Roles
| Date: Sat, 24 Dec 2005 13:49:08 -0800
| Organization: Olbert & McHugh, LLC