Cookieless Forms Authentication and Roles

Discussion in 'ASP .Net' started by Mark Olbert, Dec 24, 2005.

  1. Mark Olbert


    I'm building an ASPNET2 website which uses forms authentication but does not use the Microsoft-supplied membership providers (mostly
    because I don't want to create my own provider at this point, and the supplied stuff comes with a lot of baggage I don't want/need).

    In ASPNET1.1 what I would do was something like the following, after authenticating the user on the login form:

    // After the user has been authenticated on the login form:
    FormsAuthentication.SetAuthCookie(userInfo.UserID, false);

    // A second ticket that carries the role in UserData and expires in 30 minutes
    FormsAuthenticationTicket theTicket = new FormsAuthenticationTicket(
        1, userInfo.UserID, DateTime.Now, DateTime.Now.AddMinutes(30), false, role);

    string encryptedTicket = FormsAuthentication.Encrypt(theTicket);

    // Send the encrypted role ticket to the client in its own cookie
    HttpCookie cookie = new HttpCookie("role", encryptedTicket);
    Response.Cookies.Add(cookie);

    Then, in Global.asax I would do something like this:

    void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        HttpApplication theApp = (HttpApplication) sender;

        if (theApp.Request.IsAuthenticated && theApp.User.Identity is FormsIdentity)
        {
            FormsIdentity theIdentity = (FormsIdentity) theApp.User.Identity;

            HttpCookie cookie = theApp.Request.Cookies["role"];
            if (cookie == null)
                return;   // no role cookie on this request (for example in cookieless mode)

            FormsAuthenticationTicket theTicket = FormsAuthentication.Decrypt(cookie.Value);

            // Replace the principal with one that carries the role stored in the ticket
            theApp.Context.User = new GenericPrincipal(theIdentity, new string[] { theTicket.UserData });
        }
    }

    Under ASPNET2 with the new cookieless alternative, what will happen when I use code like this? It looks like
    FormsAuthentication.SetAuthCookie() doesn't actually create a cookie in that case -- it mangles the URL to add a session ID
    (actually, that behavior is just like ASPNET 1.1...although the session ID looks longer).

    But what about the Response.Cookies.Add() call? Does that actually add a cookie when in cookieless mode? I can't tell if it's adding
    cookies because Internet Explorer doesn't let me manage (i.e., prompt on) cookies coming from the local intranet zone or my
    development machine (I'm using the built-in web server in VSNET 2005).

    If cookies are in fact being created, I need to find a way to cache the role data on the server. I thought about putting it in the
    Session object, but Session isn't available inside Application_AuthenticateRequest().

    However, the Cache is...and it would make sense to store the encrypted role ticket in the Cache using the session ID. Only I can't
    figure out where the session ID is accessible after the call to FormsAuthentication.SetAuthCookie().

    Suggestions welcome!

    - Mark
     
    Mark Olbert, Dec 24, 2005
    #1
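An added example (not Mark's code and not from the thread) of one way to resolve roles in Application_AuthenticateRequest so that it works in both cookie and cookieless mode: the separate "role" cookie is only trusted when it decrypts, has not expired and was issued to the same user name as the forms identity, and when it is absent (as it will be in cookieless mode) the roles are looked up in a server-side store keyed by the user name, which FormsIdentity exposes here regardless of how the ticket travelled. The class and method names, the "roles:" cache key prefix and the comma-separated UserData format are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;
using System.Web.Security;

// Hypothetical helper to be called from Global.asax; names are assumptions.
public class RoleResolver
{
    const string RoleCookieName = "role";

    // Call this from Application_AuthenticateRequest.
    public static void AttachRoles(HttpApplication app)
    {
        if (!app.Request.IsAuthenticated) return;
        FormsIdentity identity = app.Context.User.Identity as FormsIdentity;
        if (identity == null) return;

        string[] roles = RolesFromCookie(app.Request, identity);
        if (roles == null) roles = RolesFromCache(app.Context.Cache, identity.Name);
        if (roles == null) roles = new string[0];   // authenticated, but no roles known

        app.Context.User = new GenericPrincipal(identity, roles);
    }

    // Separate encrypted role cookie. In cookieless mode it is simply absent.
    static string[] RolesFromCookie(HttpRequest request, FormsIdentity identity)
    {
        HttpCookie cookie = request.Cookies[RoleCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }          // Decrypt throws on tampered input
        if (ticket == null || ticket.Expired) return null;
        // Only honour a role ticket issued to the user who is actually logged in
        if (!string.Equals(ticket.Name, identity.Name, StringComparison.Ordinal)) return null;

        return ticket.UserData.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
    }

    // Server-side store keyed by user name; Cache (unlike Session) is available
    // during AuthenticateRequest. Populate it at login with StoreRoles().
    static string[] RolesFromCache(Cache cache, string userName)
    {
        return cache["roles:" + userName] as string[];
    }

    public static void StoreRoles(Cache cache, string userName, string[] roles, TimeSpan lifetime)
    {
        cache.Insert("roles:" + userName, roles, null,
                     DateTime.Now.Add(lifetime), Cache.NoSlidingExpiration);
    }
}
```

Because the cache is per-process, a web farm would need a shared store (a database or the role data folded into the authentication ticket itself) in place of RolesFromCache.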

  2. Hi Mark,

    For a web-based application such as ASP.NET, there is limited storage to
    persist status info between the client and server side; the cookie is the most
    common one, so generally sessionState, the Forms-based authentication ticket,
    etc. are all stored in a cookie by default. When cookies are not allowed, the URL
    string is the only alternative. There is no other place which can help
    store info (specific to a certain client/browser) and can be accessed by the
    server.

    Also, as for Response.Cookies.Add(cookie), it always adds the value into
    the ASP.NET response's cookie collection (the Forms Authentication or Session
    cookieless setting won't affect it). Also, whether the Response.Cookies
    collection's new values will be persisted at the client depends on the
    client-side browser's settings (whether the browser supports cookies, whether
    the user allows cookies, ...).

    For general ASP.NET application user state management approaches, here is an
    MSDN article that mentions some common approaches:

    #Nine Options for Managing Persistent User State in Your ASP.NET Application
    http://msdn.microsoft.com/msdnmag/issues/03/04/aspnetuserstate/default.aspx

    However, if we need some info persisted at the client side and associated with
    some server-side resources/data, cookies or the URL string are the only
    approaches we have so far.

    Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)

     
    Steven Cheng[MSFT], Dec 26, 2005
    #2