Mark Olbert
I'm building an ASPNET2 website which uses forms authentication but does not use the Microsoft-supplied membership providers (mostly
because I don't want to create my own provider at this point, and the supplied stuff comes with a lot of baggage I don't want/need).
In ASPNET1.1 what I would do was something like the following, after authenticating the user on the login form:
    // Issue the forms authentication ticket (non-persistent).
    FormsAuthentication.SetAuthCookie(userInfo.UserID, false);

    // Carry the role in the UserData field of a second, separately encrypted ticket.
    FormsAuthenticationTicket theTicket = new FormsAuthenticationTicket(
        1, userInfo.UserID, DateTime.Now, DateTime.Now.AddMinutes(30), false, role);
    string encryptedTicket = FormsAuthentication.Encrypt(theTicket);
    HttpCookie cookie = new HttpCookie("role", encryptedTicket);
    Response.Cookies.Add(cookie);
Then, in Global.asax I would do something like this:
    void Application_AuthenticateRequest( Object sender, EventArgs e )
    {
        HttpApplication theApp = (HttpApplication) sender;
        if (theApp.Request.IsAuthenticated && theApp.User.Identity is FormsIdentity)
        {
            FormsIdentity theIdentity = (FormsIdentity) theApp.User.Identity;
            HttpCookie cookie = theApp.Request.Cookies["role"];
            // The role cookie may be absent on a request; skip instead of throwing.
            if (cookie != null)
            {
                // Decrypt the role ticket and attach its UserData as the user's single role.
                FormsAuthenticationTicket theTicket = FormsAuthentication.Decrypt(cookie.Value);
                theApp.Context.User = new GenericPrincipal(theIdentity, new string[] { theTicket.UserData });
            }
        }
    }
Under ASPNET2 with the new cookieless alternative, what will happen when I use code like this? It looks like
FormsAuthentication.SetAuthCookie() doesn't actually create a cookie in that case -- it mangles the URL to add a session ID
(actually, that behavior is just like ASPNET 1.1...although the session ID looks longer).
But what about the Response.Cookies.Add() call? Does that actually add a cookie when in cookieless mode? I can't tell if it's adding
cookies because Internet Explorer doesn't let me manage (i.e., prompt on) cookies coming from the local intranet zone or my
development machine (I'm using the built-in web server in VSNET 2005).
If cookies are in fact being created I need to find a way to cache the role data on the server. I thought about putting it in the
Session object, but Session isn't available inside Application_AuthenticateRequest().
However, the Cache is...and it would make sense to store the encrypted role ticket in the Cache using the session ID. Only I can't
figure out where the session ID is accessible after the call to FormsAuthentication.SetAuthCookie().
Suggestions welcome!
- Mark
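An added example, not part of Mark's post: one way to keep the role data on the server in the Cache, keyed by the authenticated user name taken from the forms ticket rather than by a session ID, so the lookup does not depend on whether the client accepts cookies. RoleCache and LoadRolesFromStore are hypothetical names, and the 30-minute lifetime is carried over from the ticket in the post.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;
using System.Web.Security;

// Added example; RoleCache and LoadRolesFromStore are hypothetical names.
public static class RoleCache
{
    private static string Key(string userName)
    {
        return "roles:" + userName.ToLowerInvariant();
    }

    // Call on the login page right after FormsAuthentication.SetAuthCookie().
    public static void Store(string userName, string[] roles)
    {
        HttpRuntime.Cache.Insert(Key(userName), roles, null,
            DateTime.UtcNow.AddMinutes(30), Cache.NoSlidingExpiration);
    }

    // Returns the cached roles, reloading them if the entry expired or was evicted.
    public static string[] Get(string userName)
    {
        string[] roles = HttpRuntime.Cache[Key(userName)] as string[];
        if (roles == null)
        {
            roles = LoadRolesFromStore(userName);
            Store(userName, roles);
        }
        return roles;
    }

    // Assumption: stands in for the application's own role lookup.
    private static string[] LoadRolesFromStore(string userName)
    {
        return new string[0];
    }
}

// In Global.asax code: the roles never leave the server, so nothing
// role-related has to be decrypted or trusted from the request.
public class Global : HttpApplication
{
    void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        FormsIdentity id = app.User == null ? null : app.User.Identity as FormsIdentity;
        if (id != null && id.IsAuthenticated)
            app.Context.User = new GenericPrincipal(id, RoleCache.Get(id.Name));
    }
}
```

Because cache entries can be evicted at any time, Get falls back to the store instead of treating a miss as "no roles".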