Create Forms Authentication Ticket with MachineKeys

Chuck

I'm using Selenium to test a web application.
I need to create a Forms Authentication Cookie and let Selenium load it into
the browser instance.

I'm having a problem because my nUnit class does not have access to the
web.config file.
The website uses MachineKey validationKey and decryptionKey.
I know these values and can put them in the nUnit class.
However, I usually create Forms Cookies by doing

tkt = new FormsAuthenticationTicket(1, txtNewIdentity.Text, DateTime.Now,
DateTime.Now.AddMinutes(TimeOut_Get()), bPersistent,
HttpContext.Current.Request.UserHostAddress);

CookieValue = FormsAuthentication.Encrypt(tkt);

I don't believe the cookie will be properly encrypted because when I run
.Encrypt(tkt), it won't find the encryption key to use.

Any way to manually make the forms authentication cookie without assuming
the .net methods have access to the web.config file?
 
Thomas Sun [MSFT]

Hi Chuck,

The FormsAuthentication.Encrypt method internally uses the algorithm and
key specified by the decryption and decryptionKey attributes on the
machineKey element of your web.config.

I am not using Selenium. If it cannot access web.config, you can try to set
decryptionKey property programmatically.
For example:
=====================================

MachineKeySection m = new MachineKeySection();
m.DecryptionKey = "your decryptionKey";

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
"userName",
DateTime.Now,
DateTime.Now.AddMinutes(20),
false,
String.Empty,
FormsAuthentication.FormsCookiePath);

string encryptedTicket = FormsAuthentication.Encrypt(ticket);

=====================================

For more information about the MachineKeySection.DecryptionKey property, see
http://msdn.microsoft.com/en-us/library/system.web.configuration.machinekeysection.decryptionkey.aspx



I look forward to receiving your test results.


Best Regards,
Thomas Sun

Microsoft Online Partner Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

With newsgroups, MSDN subscribers enjoy unlimited, free support as opposed
to the limited number of phone-based technical support incidents. Complex
issues or server-down situations are not recommended for the newsgroups.
Issues of this nature are best handled working with a Microsoft Support
Engineer using one of your phone-based incidents.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

 
Chuck

I'm pretty sure that won't work because the MachineKeySection m never gets
used by anything.

You don't really need Selenium; any C# class that runs without access to the
HttpContext will do.
 
Thomas Sun [MSFT]

Hi Chuck,

Thanks for your response.

The code should be as follows:
===========================
//MachineKeySection m = new MachineKeySection();
//m.DecryptionKey = "your decryptionKey";
Configuration configuration =
    WebConfigurationManager.OpenWebConfiguration("~");
MachineKeySection m =
    (MachineKeySection)configuration.GetSectionGroup("system.web").Sections["machineKey"];
m.DecryptionKey = "your decryptionKey";
===========================

The FormsAuthentication.Encrypt method internally uses the specified in
web.config. As far as I know, we cannot change it to read value from
another file instead of the configuration in web.config. This is by design.

To test ASP.NET web application, you can also consider using Visual Studio
Team System. For an introduction, you can refer to
http://www.asp.net/Learn/vsts-videos/video-128.aspx

I look forward to receiving your test results.

--
Best Regards,
Thomas Sun

Microsoft Online Partner Support

 
Chuck

That won't work either because the machine key is never applied to anything.
Also can't use that because web.config is not accessible.
 
Joe Kaplan

I don't understand the execution scenario here. In my experience with nUnit,
I didn't try to use it for testing the web front end. It doesn't excel at this.
I would typically use it for testing logic in the layers of the application
below the "view" layer.

So, can you explain how your execution environment is configured here and
how it is that you are needing forms authentication in the context of an
nUnit test? There may or may not be a good solution here, but I'd need more
details to comment.
 
Chuck

Selenium is a tool that allows you to automatically test web applications from
the UI. You can write selenium test scripts in a number of languages. I'm
using C# to write the scripts/methods.

Once the scripts are coded in C#, I replay them using nUnit.
The nUnit tests start the Selenium components, test the webpages and give me
the results.

Since you are testing in a C# dll, none of the Request or Response
objects are available to you. So you can't do something like examine any of
the .Net objects in there. However, Selenium does let you inject cookies
into the browser. So if my test code could create a valid FormsAuthentication
cookie, I could place it in the browser.

This has proven problematic because the System.Web.Security class does an
initialization that expects to find the web.config. So, if you try to
encrypt an authentication ticket when the HttpContext is not available, such
as in a standalone dll, it will fail. Lots of static variables haven't been
initialized with the web.config values (e.g. the MachineKey).
 
Joe Kaplan

Ok, I read about Selenium a few years ago but never spent any time with it.
I think I understand the issue here.

What I would expect you to do in a case like this would be to use the
web-based tool to script the forms login so you could effectively "scrape"
the cookie and replay it that way. The infrastructure is not really designed
to support the way you are trying to do this (as you've seen).

You could do something a bit crazier like using reflector to reverse
engineer some of the forms auth stuff and try to refactor it so that you can
insert a machine key from your own config source. Another thing you might
consider is creating an API/web service on the app that allows you to
programmatically get a forms auth cookie by supplying plaintext credentials.
That might make the screen scraping a little easier.

Going in through the interface provided by the app you are testing sounds
like an overall cleaner approach to me.

Not sure if I'm helpful or not. :) Best of luck either way.
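
Added example, not part of the original thread: the "log in through the app and replay the cookie" approach suggested above, written against the Selenium WebDriver .NET bindings, so the test project never needs the site's machineKey. The base URL, login page and element ids are hypothetical placeholders; `.ASPXAUTH` is the ASP.NET default cookie name and must match the site's `<forms name="...">` setting if that is set.

```csharp
using System;
using OpenQA.Selenium;
using OpenQA.Selenium.Chrome;

public static class FormsAuthSession
{
    // Assumptions: placeholder site address and default forms-auth cookie name.
    const string BaseUrl = "https://app.test.example";
    const string CookieName = ".ASPXAUTH";

    // Log in once through the real login form and return the cookie
    // the server issued (encrypted and signed with its own machineKey).
    public static Cookie Capture(string user, string password)
    {
        using (IWebDriver driver = new ChromeDriver())
        {
            driver.Navigate().GoToUrl(BaseUrl + "/Login.aspx");      // hypothetical page
            driver.FindElement(By.Id("txtUser")).SendKeys(user);     // hypothetical ids
            driver.FindElement(By.Id("txtPassword")).SendKeys(password);
            driver.FindElement(By.Id("btnLogin")).Click();

            Cookie auth = driver.Manage().Cookies.GetCookieNamed(CookieName);
            if (auth == null)
                throw new InvalidOperationException(
                    "Login did not issue " + CookieName + "; check credentials and cookie name.");
            return auth;
        }
    }

    // Place a captured cookie into another browser instance.
    public static void Replay(IWebDriver driver, Cookie auth)
    {
        // WebDriver only accepts a cookie for the domain that is currently
        // loaded, so visit a page on the site before adding it.
        driver.Navigate().GoToUrl(BaseUrl + "/");
        driver.Manage().Cookies.DeleteCookieNamed(CookieName);
        driver.Manage().Cookies.AddCookie(
            new Cookie(auth.Name, auth.Value, auth.Path, auth.Expiry));
        driver.Navigate().Refresh();
    }
}
```

The ticket inside the cookie still expires according to the site's forms timeout, so capture it once per test run rather than storing it between runs.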
 
Chuck

I started messing with Reflector with
System.Web.Security.FormsAuthentication, but after about 4 pages of code I
stopped. The way they initialized static classes and had global members
being set in the middle of functions, just did not inspire confidence.
 
Thomas Sun [MSFT]

Hi Chuck,

Sorry for the late response.

With Reflector, we can see that the FormsAuthentication.Encrypt method
invokes MachineKeySection.EnsureConfig method which is used to load
MachineKeySection from config file when it is null. The following code is from
the .NET Framework:
============================
private static void EnsureConfig()
{
    if (s_config == null)
    {
        lock (s_initLock)
        {
            if (s_config == null)
            {
                MachineKeySection machineKey =
                    RuntimeConfig.GetAppConfig().MachineKey;
                machineKey.ConfigureEncryptionObject();
                s_config = machineKey;
                s_compatMode = machineKey.CompatibilityMode;
            }
        }
    }
}
==========================


Without accessing web.config file, I think we cannot set its value.


-
Best Regards,
Thomas Sun

Microsoft Online Partner Support
 
