Re: Forms Authentication: Storing UserData in the "FormsCookieName" Cookie

From: John Saunders (jws@jws.ultranet.com)
Date: 08/23/02


From: "John Saunders" <jws@jws.ultranet.com>
Date: Thu, 22 Aug 2002 22:51:26 -0400


Duh.

Since both FormsIdentity.Ticket and FormsIdentity.Ticket.UserData are
read-only, I guess I don't have to worry about the updated values being sent
in the cookie.

Ok, so, I missed that, but did I miss something else as well? I can create a
new FormsAuthenticationTicket, including my UserData, but is there a way to
substitute my ticket for the one that the FormsAuthenticationModule issues?
I tried removing his cookie and adding my own, but that just gave me two of
them.

The ticket issued by the FormsAuthenticationModule represents an
authenticated user. You could say it's a serialized FormsIdentity that the
FormsAuthenticationModule deserializes whenever it receives the cookie. I
should be able to add my own custom UserData to that ticket and to use it in
my AuthenticateRequest event to deserialize my own IPrincipal instead of
adding my own cookie, independent of the FormsAuthenticationModule and
perhaps behaving differently from the FormsAuthenticationModule cookie. For
instance, if one cookie expired before the other, it would be a bad thing.

"John Saunders" <jws@jws.ultranet.com> wrote in message
news:udS8xDfSCHA.1648@tkmsftngp09...
> I've seen several examples of code that creates a separate cookie in the
> AuthenticateRequest event in order to store user data such as a list of
> roles. Many of these examples even use a FormsAuthenticationTicket and store
> the data in the UserData property of the new ticket.
>
> But is there a way to store such data in the UserData property of the ticket
> that's actually used by Forms Authentication? If one sets
> ((FormsIdentity) User.Identity).Ticket.UserData, does the updated ticket get
> sent back to the client's browser in an updated cookie? I haven't seen this
> documented anywhere.
>
> Thanks,
> John Saunders
> johnwsaundersiii@hotmail.com
>
>
>
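
Added example, not part of the original post: one way to carry role data in the UserData of the Forms Authentication ticket itself, so there is a single cookie with a single expiry, and to rebuild an IPrincipal from it in AuthenticateRequest. The class and method names, the "|" role delimiter, and the idea that roles are looked up once at login are assumptions made for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper class; names and the "|" delimiter are illustrative.
public static class TicketUserData
{
    // Call from the login page after the credentials have been validated,
    // in place of FormsAuthentication.SetAuthCookie / RedirectFromLoginPage.
    public static void IssueTicket(HttpResponse response, string userName,
                                   string[] roles, bool persistent)
    {
        // Let Forms Authentication build the cookie so that its name, path
        // and timeout come from the <forms> element in web.config.
        HttpCookie cookie = FormsAuthentication.GetAuthCookie(userName, persistent);
        FormsAuthenticationTicket issued = FormsAuthentication.Decrypt(cookie.Value);

        // Ticket properties are read-only, so copy them into a new ticket
        // that also carries the role list in UserData.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            issued.Version, issued.Name, issued.IssueDate, issued.Expiration,
            issued.IsPersistent, String.Join("|", roles), issued.CookiePath);

        // Encrypt applies the protection configured for the ticket, so the
        // role list is covered by the same encryption/validation as the name.
        cookie.Value = FormsAuthentication.Encrypt(ticket);
        response.Cookies.Add(cookie);   // the only authentication cookie sent
    }

    // Call from Application_AuthenticateRequest in Global.asax. By then the
    // FormsAuthenticationModule has decrypted the cookie into a FormsIdentity.
    public static void RestorePrincipal(HttpContext context)
    {
        FormsIdentity identity =
            (context.User == null) ? null : context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return;                     // anonymous or non-forms request

        string data = identity.Ticket.UserData;
        string[] roles = String.IsNullOrEmpty(data) ? new string[0] : data.Split('|');

        // Replace the default principal with one that knows the roles.
        context.User = new GenericPrincipal(identity, roles);
    }
}
```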


