Forms Based Authentication and the OpenWave Browsers

From: Dylan Phillips (mykoan_at_hotmail.com)
Date: 05/26/03

    Date: Mon, 26 May 2003 11:11:32 -0400
    
    

    Background

    I've spent nearly 10 hours working on this problem. I'm hoping that I'll save some folks some headaches, or if I'm really lucky, someone will notice a flaw in my logic. This problem relates to Forms Based Authentication in cookie enabled WAP browsers.

    Environment

    client devices:

    I'm doing my development and testing with the following client devices:

    Samsung N400 (Actual Device)
    OpenWave 4.1 Emulator
    OpenWave 6.1 Emulator

    web.config forms element:

    <authentication mode="Forms">
        <forms loginUrl="login.aspx" protection="All" timeout="10" name="mySecCookie"/>
    </authentication>

    sessionState forms element:
    <sessionState
        mode="InProc"
        stateConnectionString="tcpip=127.0.0.1:42424"
        sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
        cookieless="false"
        timeout="10"
    />

    authentication form:
    private void cmdLogIn_Click(object sender, System.EventArgs e)
    {
        try
        {
            // Credential failures surface as AuthenticationException (handled below).
            User user = UserDA.AuthenticateUser(this.txtAlias.Text,this.txtPassword.Text);
            Session.Add("CurrentUser",user);
            // Issue the forms authentication cookie; 'true' makes it persistent.
            System.Web.Security.FormsAuthentication.SetAuthCookie(user.UserID.ToString(),true);
            // Redirect without placing the authentication ticket in the query string.
            this.RedirectToMobilePage("MobileHome.aspx");
            //System.Web.Mobile.MobileFormsAuthentication.RedirectFromLoginPage(user.UserID.ToString(),true);
        }
        catch(NutriTrack.DataAccess.AuthenticationException eAuth)
        {
            this.lblMessage.Text = eAuth.Message;
            this.lblMessage.Visible = true;
        }
        catch(Exception)
        {
            // Rethrow with the original stack trace intact.
            throw;
        }
    }

    Issues:

    "Thread was being aborted" - This error seems to be thrown after the commented-out call to System.Web.Mobile.MobileFormsAuthentication.RedirectFromLoginPage(). It is thrown on both Windows Server 2003 and Windows XP. On Windows Server 2003 the error does not create a problem, but on Windows XP I found that I needed to call FormsAuthentication.SetAuthCookie() prior to calling the Redirect.

    Samsung Browser, Forms Authentication and RedirectFromLoginPage - This is a strange error that has been plaguing me for nearly three weeks. I decided that this weekend I would fix the problem. When the Samsung Browser is closed, the URL is marked and the next time the Browser is opened the browser goes to the marked URL. When using MobileFormsAuthentication.RedirectFromLoginPage(), the login.aspx page throws an unhandled exception in Page.ProcessRequest ... MobilePage.DeterminePostBackMethod. This is a royal pain as neither of these methods is overridable, and I cannot see into the code to find the problem. Using trace.axd, I was able to ascertain that the issue was related to the redirect URL. When the Forms based authentication cookie's protection element is set to "All", it creates a darn big cookie (141 bytes). The 'redir' query string element ends up getting chopped off. I'll let the MS guys figure that one out. Since I'm using cookie-based authentication, I just used RedirectToMobilePage(), which does not include the Authentication Ticket in the query string, and the Samsung browser worked fine.

    Open Wave Browser and Cookies - While regression testing my new change, I noticed that the OpenWave browsers stopped working. This is my current stopping point. It seems that the OpenWave Browsers only work with MobileFormsAuthentication.RedirectFromLoginPage(). Using three givens:

    1. MobileFormsAuthentication.RedirectFromLoginPage - places the Authentication ticket into the Query String
    2. The stated reason for this function is to overcome the "limitations of certain mobile devices that either do not support cookies or support cookies that are too small for storing authentication information in a secure manner"
    3. I am using cookie based Session state.

    I can assume that the OpenWave limitation is related to only supporting "cookies that are too small for storing authentication information in a secure manner"

    Last Thoughts:

    Good luck everyone. By the way, Kudos to the MS ASP .NET mobile development team. Even though these issues are rather annoying, the possibilities that are enabled by Mobile Web Forms are tremendously exciting. Thanks especially to Andres who spoke at the MobileDev Con 2003 in New Orleans.

    Regards to all,

    Dylan Phillips
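
Because MobileFormsAuthentication.RedirectFromLoginPage places the authentication ticket into the query string (given 1 in the post), the ticket is recorded wherever URLs are recorded, including web server logs. The following is an added example, not part of the original post: it finds and redacts such tickets in IIS W3C logs. It assumes the ticket parameter is named after the forms cookie (mySecCookie in the post's web.config); the log lines and ticket values are constructed.

```python
import re
from urllib.parse import parse_qsl

# Assumption: the ticket travels in a query parameter named after the forms
# cookie ("mySecCookie" in the web.config above). Adjust to match your logs.
TICKET_PARAM = "mySecCookie"

# Constructed IIS W3C extended log sample; ticket values are made up.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2003-05-26 15:01:10 GET /login.aspx - 200
2003-05-26 15:01:42 GET /MobileHome.aspx mySecCookie=0A1B2C3D4E5F60718293A4B5C6D7E8F9&x=1 200
2003-05-26 15:02:05 GET /MobileHome.aspx - 200
2003-05-26 15:03:17 GET /Diary.aspx page=2&mySecCookie=99887766554433221100FFEEDDCCBBAA 200
"""


def scan(log_text, param=TICKET_PARAM):
    """Return (findings, redacted_log).

    findings is a list of (line_number, uri_stem, ticket_length) for every
    request whose query string carried the ticket parameter.
    """
    redact = re.compile(r"(^|&)(%s)=[^&]*" % re.escape(param), re.IGNORECASE)
    fields, findings, out = [], [], []
    for number, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for following rows
        cols = line.split(" ")
        if (line.startswith("#") or "cs-uri-query" not in fields
                or len(cols) != len(fields)):
            out.append(line)               # directive or unparseable row
            continue
        row = dict(zip(fields, cols))
        query = row["cs-uri-query"]
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key.lower() == param.lower():
                findings.append((number, row.get("cs-uri-stem", "?"), len(value)))
        # Keep the parameter name so the hit stays visible; drop the value.
        cols[fields.index("cs-uri-query")] = redact.sub(r"\1\2=[REDACTED]", query)
        out.append(" ".join(cols))
    return findings, "\n".join(out)


if __name__ == "__main__":
    hits, cleaned = scan(SAMPLE_LOG)
    for number, stem, length in hits:
        print("line %d: %s carried a %d-character ticket" % (number, stem, length))
    print(cleaned)
```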

