Forms Authentication Ticket/Cookie values

Discussion in 'ASP .Net' started by Guest, May 17, 2005.

  1. Guest

    Guest Guest

    Folks, Can anyone confirm that my understading is correct and maybe shed some
    light on why it's as it is. (I'm guessing security, but that seems weak to
    me.)

    The asp.net web application is using forms authentication.

    If I create an FormsAuthTicket with userdata in the approprite place. Then
    encode it and create a cookie, add it to the response.cookie collection and
    use it all is well.

    However if after I create the cookie I add some additional values to the
    cookie, and then add it to the collection, asp.net no longer recognizes this
    as a valid authentication ticket.

    Thanks for the info...Chuck
     
    Guest, May 17, 2005
    #1
    1. Advertisements

  2. Guest

    Scott Allen Guest

    Scott Allen, May 18, 2005
    #2
    1. Advertisements

  3. Guest

    Guest Guest

    Scott, I get how to stuff items in the "userdata" area of the forms auth
    ticket. The question I have is concerning the cookie values collection of the
    encoded ticket.

    I'll also quibble with the words in your resonse. If the cookie is hashed
    and encrypted, why have a routine of
    ....GetAuthCookie(name,Ispersistent,path). Once I get the cookie I can set the
    expiration can't I?

    I know there are quirks in the system, I am just trying to confirm my belief
    that FormsAuth cookies can NOT have members in the "values" collection.
     
    Guest, May 18, 2005
    #3
  4. Guest

    Brock Allen Guest

    You can piggyback data in the cookie, but since the forms auth cookie
    I'd be wary of this approach, personally. My main complaint is that if the
    roles are cached in the cookie, then it's difficult to remove the role from
    the user while they have their browser active. I tend to cache the roles
    on the server in the ASP.NET Cache. Of course, this has the same drawbacks
    as the cookie if you're using a server farm. See, nothing's easy :)
     
    Brock Allen, May 19, 2005
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.