Role Manager Cookies

Chuck

When using Forms Authentication the cookie's value contains an authentication
ticket and the ticket has a timeout.
When using Role Manager, does the roles cookie have a ticket and a timeout
too?
If so, when and where does it get the value?

Thanks,
 
Allen Chen [MSFT]

Hi,
> When using Forms Authentication the cookie's value contains an authentication
> ticket and the ticket has a timeout.
> When using Role Manager, does the roles cookie have a ticket and a timeout
> too?
> If so, when and where does it get the value?


It depends on the provider used by Role Manager. If you're using
SqlRoleProvider, when you call a Roles API such as Roles.IsUserInRole(string
username, string rolename), the IsUserInRole(string username, string
rolename) method of the SqlRoleProvider will be called, which queries the
database to check if the user is in the role. In the IsUserInRole(string
username, string rolename) method, a stored procedure is called, see
below:

public override bool IsUserInRole(string username, string roleName)
{
    // Argument validation: null/empty/comma checks, maximum length 256 (0x100).
    SecUtility.CheckParameter(ref roleName, true, true, true, 0x100, "roleName");
    SecUtility.CheckParameter(ref username, true, false, true, 0x100, "username");
    if (username.Length < 1)
    {
        return false;
    }
    SqlConnectionHolder connection = null;
    try
    {
        connection = SqlConnectionHelper.GetConnection(this._sqlConnectionString, true);
        this.CheckSchemaVersion(connection.Connection);
        // Membership is checked by a stored procedure; every value is bound as a parameter.
        SqlCommand cmd = new SqlCommand("dbo.aspnet_UsersInRoles_IsUserInRole", connection.Connection);
        cmd.CommandType = CommandType.StoredProcedure;
        cmd.CommandTimeout = this.CommandTimeout;
        SqlParameter parameter = new SqlParameter("@ReturnValue", SqlDbType.Int);
        parameter.Direction = ParameterDirection.ReturnValue;
        cmd.Parameters.Add(parameter);
        cmd.Parameters.Add(this.CreateInputParam("@ApplicationName", SqlDbType.NVarChar, this.ApplicationName));
        cmd.Parameters.Add(this.CreateInputParam("@UserName", SqlDbType.NVarChar, username));
        cmd.Parameters.Add(this.CreateInputParam("@RoleName", SqlDbType.NVarChar, roleName));
        cmd.ExecuteNonQuery();
        // Only return value 1 means "in role"; 0, 2 and 3 (unknown user/role) all mean "not in role".
        switch (this.GetReturnValue(cmd))
        {
            case 0:
                return false;
            case 1:
                return true;
            case 2:
                return false;
            case 3:
                return false;
        }
        throw new ProviderException(SR.GetString("Provider_unknown_failure"));
    }
    finally
    {
        if (connection != null)
        {
            connection.Close();
            connection = null;
        }
    }
}


This should address your question "where does it get the value". As to
"when does it get the value", it depends on when you call the Role Manager
API. You may intentionally call it or use other APIs that implicitly call
it.

Hope the above information is helpful. If you have additional questions please
don't hesitate to let me know. I'll do my best to follow up.


Regards,
Allen Chen
Microsoft Online Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

Note: MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 2 business days is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions. Issues of this
nature are best handled working with a dedicated Microsoft Support Engineer
by contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Chuck

My understanding was that if you were using the SQL role provider it
would query the database and then put the roles into a cookie.
<roleManager
cacheRolesInCookie="true" >
</roleManager>

So when using the Role Manager and cookie caching, does the roles cookie
have a ticket and a timeout?
If so, when and where does it get the cookie timeout value?
Is there a way I can read the roles cookie and see what the timeout is?
 
Allen Chen [MSFT]

Hi,
> So when using the Role Manager and cookie caching, does the roles cookie
> have a ticket and a timeout?
> If so, when and where does it get the cookie timeout value?
> Is there a way I can read the roles cookie and see what the timeout is?

Thanks for the clarification. The code that sets/gets the roles cookie is
in the RoleManagerModule class. In its OnEnter() and OnLeave() methods the
cookie is read/set. OnEnter fires on the PostAuthenticateRequest event of
HttpApplication and OnLeave fires on the EndRequest event of HttpApplication:

public void Init(HttpApplication app)
{
    if (Roles.Enabled)
    {
        app.PostAuthenticateRequest += new EventHandler(this.OnEnter);
        app.EndRequest += new EventHandler(this.OnLeave);
    }
}


To get the roles cookie, you can try:

HttpCookie cookie = context.Request.Cookies[Roles.CookieName];

private void OnLeave(object source, EventArgs eventArgs)
{
    HttpApplication application = (HttpApplication) source;
    HttpContext context = application.Context;
    if (((Roles.Enabled && Roles.CacheRolesInCookie) && !context.Response.HeadersWritten) &&
        (((context.User != null) && (context.User is RolePrincipal)) && context.User.Identity.IsAuthenticated))
    {
        if (Roles.CookieRequireSSL && !context.Request.IsSecureConnection)
        {
            if (context.Request.Cookies[Roles.CookieName] != null)
            {
                Roles.DeleteCookie();
            }
        }
        else
        {
            RolePrincipal user = (RolePrincipal) context.User;
            // The cookie is only (re)issued when the cached role list changed in this request.
            if (user.CachedListChanged && context.Request.Browser.Cookies)
            {
                string str = user.ToEncryptedTicket();
                if (string.IsNullOrEmpty(str) || (str.Length > 0x1000))
                {
                    Roles.DeleteCookie();
                }
                else
                {
                    HttpCookie cookie = new HttpCookie(Roles.CookieName, str);
                    cookie.HttpOnly = true;
                    cookie.Path = Roles.CookiePath;
                    cookie.Domain = Roles.Domain;
                    // Expires is only set for persistent cookies; the ticket itself carries ExpireDate.
                    if (Roles.CreatePersistentCookie)
                    {
                        cookie.Expires = user.ExpireDate;
                    }
                    cookie.Secure = Roles.CookieRequireSSL;
                    context.Response.Cookies.Add(cookie);
                }
            }
        }
    }
}



But to read the detailed information of the cookie you can simply try this:

RolePrincipal rp = (RolePrincipal)HttpContext.Current.User;
rp.
 
Allen Chen [MSFT]

Hi,
> So when using the Role Manager and cookie caching, does the roles cookie
> have a ticket and a timeout?
> If so, when and where does it get the cookie timeout value?
> Is there a way I can read the roles cookie and see what the timeout is?

<Sorry, I posted an incomplete post by mistake.>

Thanks for the clarification. Yes, it has a timeout and a cookie. The code that
sets/gets the roles cookie is in the RoleManagerModule class. In its OnEnter()
and OnLeave() methods the cookie is read/set. OnEnter fires on the
PostAuthenticateRequest event of HttpApplication and OnLeave fires on the
EndRequest event of HttpApplication:

public void Init(HttpApplication app)
{
    if (Roles.Enabled)
    {
        app.PostAuthenticateRequest += new EventHandler(this.OnEnter);
        app.EndRequest += new EventHandler(this.OnLeave);
    }
}


To get the roles cookie, you can try:

HttpCookie cookie = context.Request.Cookies[Roles.CookieName];


But to read the detailed information of the cookie you can simply try the
following code, because the data in the roles cookie will be decoded and
assigned to the RolePrincipal:

RolePrincipal rp = (RolePrincipal)HttpContext.Current.User;
DateTime expires = rp.ExpireDate; // timeout of the cached role list (UTC)

If you have interest, you can view the source code for more details:

private void OnEnter(object source, EventArgs eventArgs)
{
    if (!Roles.Enabled)
    {
        if (HttpRuntime.UseIntegratedPipeline)
        {
            ((HttpApplication) source).Context.DisableNotifications(RequestNotification.EndRequest, 0);
        }
    }
    else
    {
        HttpApplication application = (HttpApplication) source;
        HttpContext context = application.Context;
        // A GetRoles event handler may populate the roles itself, in which case the cookie is skipped.
        if (this._eventHandler != null)
        {
            RoleManagerEventArgs e = new RoleManagerEventArgs(context);
            this._eventHandler(this, e);
            if (e.RolesPopulated)
            {
                return;
            }
        }
        if (Roles.CacheRolesInCookie)
        {
            if (context.User.Identity.IsAuthenticated &&
                (!Roles.CookieRequireSSL || context.Request.IsSecureConnection))
            {
                try
                {
                    HttpCookie cookie = context.Request.Cookies[Roles.CookieName];
                    if (cookie != null)
                    {
                        string encryptedTicket = cookie.Value;
                        if ((encryptedTicket != null) && (encryptedTicket.Length > 0x1000))
                        {
                            // Oversized ticket: discard it instead of decoding it.
                            Roles.DeleteCookie();
                        }
                        else
                        {
                            if (!string.IsNullOrEmpty(Roles.CookiePath) && (Roles.CookiePath != "/"))
                            {
                                cookie.Path = Roles.CookiePath;
                            }
                            cookie.Domain = Roles.Domain;
                            // The ticket is decoded inside the RolePrincipal constructor.
                            context.User = new RolePrincipal(context.User.Identity, encryptedTicket);
                        }
                    }
                }
                catch
                {
                    // A ticket that cannot be decoded is ignored; a fresh RolePrincipal is created below.
                }
            }
            else
            {
                // Not authenticated, or cookieRequireSSL not satisfied: drop any stale cookie.
                if (context.Request.Cookies[Roles.CookieName] != null)
                {
                    Roles.DeleteCookie();
                }
                if (HttpRuntime.UseIntegratedPipeline)
                {
                    context.DisableNotifications(RequestNotification.EndRequest, 0);
                }
            }
        }
        if (!(context.User is RolePrincipal))
        {
            context.User = new RolePrincipal(context.User.Identity);
        }
        Thread.CurrentPrincipal = context.User;
    }
}




private void OnLeave(object source, EventArgs eventArgs)
{
    HttpApplication application = (HttpApplication) source;
    HttpContext context = application.Context;
    if (((Roles.Enabled && Roles.CacheRolesInCookie) && !context.Response.HeadersWritten) &&
        (((context.User != null) && (context.User is RolePrincipal)) && context.User.Identity.IsAuthenticated))
    {
        if (Roles.CookieRequireSSL && !context.Request.IsSecureConnection)
        {
            if (context.Request.Cookies[Roles.CookieName] != null)
            {
                Roles.DeleteCookie();
            }
        }
        else
        {
            RolePrincipal user = (RolePrincipal) context.User;
            // The cookie is only (re)issued when the cached role list changed in this request.
            if (user.CachedListChanged && context.Request.Browser.Cookies)
            {
                string str = user.ToEncryptedTicket();
                if (string.IsNullOrEmpty(str) || (str.Length > 0x1000))
                {
                    Roles.DeleteCookie();
                }
                else
                {
                    HttpCookie cookie = new HttpCookie(Roles.CookieName, str);
                    cookie.HttpOnly = true;
                    cookie.Path = Roles.CookiePath;
                    cookie.Domain = Roles.Domain;
                    // Expires is only set for persistent cookies; the ticket itself carries ExpireDate.
                    if (Roles.CreatePersistentCookie)
                    {
                        cookie.Expires = user.ExpireDate;
                    }
                    cookie.Secure = Roles.CookieRequireSSL;
                    context.Response.Cookies.Add(cookie);
                }
            }
        }
    }
}

Regards,
Allen Chen
Microsoft Online Support
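A small helper that answers Chuck's last question in code, added here as an example; it is not code from the thread or from ASP.NET itself. It assumes only the public System.Web.Security members that appear in the excerpts above (RolePrincipal.ExpireDate, Roles.CookieName and the roleManager settings) and is meant to be called after PostAuthenticateRequest, once OnEnter has built the RolePrincipal from the ticket.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

// Hypothetical helper: reports the roles-cookie cache state for the current request.
// Call it after PostAuthenticateRequest, when RoleManagerModule.OnEnter has already
// replaced context.User with a RolePrincipal decoded from the ticket.
public static class RoleCookieInspector
{
    public static IList<string> Inspect(HttpContext context)
    {
        var lines = new List<string>();
        if (!Roles.Enabled || !Roles.CacheRolesInCookie)
        {
            lines.Add("role caching in a cookie is off; roles come from the provider each time");
            return lines;
        }
        HttpCookie cookie = context.Request.Cookies[Roles.CookieName];
        // The cookie value is an opaque encrypted ticket; its length matters because
        // OnEnter and OnLeave both discard tickets longer than 0x1000 characters.
        lines.Add(cookie == null
            ? "no roles cookie (" + Roles.CookieName + ") sent with this request"
            : "roles cookie length: " + (cookie.Value ?? string.Empty).Length);
        var rp = context.User as RolePrincipal;
        if (rp != null && rp.Identity.IsAuthenticated)
        {
            lines.Add("role list taken from cookie: " + rp.IsRoleListCached);
            lines.Add("ticket issued (UTC): " + rp.IssueDate.ToString("o"));
            // ExpireDate is the ticket's own timeout (IssueDate plus roleManager cookieTimeout,
            // in minutes) and is independent of the Forms Authentication ticket timeout.
            lines.Add("ticket expires (UTC): " + rp.ExpireDate.ToString("o")
                      + (rp.Expired ? "  [expired: not trusted as a cache]" : ""));
            lines.Add("configured cookieTimeout: " + Roles.CookieTimeout
                      + " min, slidingExpiration: " + Roles.CookieSlidingExpiration);
            // cookie.Expires is only written when createPersistentCookie="true" (see OnLeave);
            // otherwise the browser drops the cookie with the session.
            lines.Add("persistent cookie: " + Roles.CreatePersistentCookie);
        }
        // Two settings worth checking, since the ticket encodes role membership.
        if (!Roles.CookieRequireSSL)
            lines.Add("WARNING: cookieRequireSSL=false, roles cookie is accepted over plain HTTP");
        if (Roles.CookieProtectionValue != CookieProtection.All)
            lines.Add("WARNING: cookieProtection=" + Roles.CookieProtectionValue
                      + "; 'All' both encrypts and signs the ticket");
        return lines;
    }
}
```

Calling RoleCookieInspector.Inspect(HttpContext.Current) from Page_Load and writing the lines to a trace shows the ExpireDate Allen points at next to the roleManager settings that produced it.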
 
Allen Chen [MSFT]

Hi,
quote from (e-mail address removed)
> So when using the Role Manager and cookie caching, does the roles cookie
> have a ticket and a timeout?
> If so, when and where does it get the cookie timeout value?
> Is there a way I can read the roles cookie and see what the timeout is?

Do you have additional questions?

Regards,
Allen Chen
Microsoft Online Support
 
