Re: HOW TO: Setting Up Forms Authentication

From: John Saunders (john.saunders_at_surfcontrol.com)
Date: 08/07/03


Date: Thu, 7 Aug 2003 11:58:18 -0400


"VB Programmer" <growNO-SPAM@go-intech.com> wrote in message
news:uAMxYlPXDHA.1896@TK2MSFTNGP12.phx.gbl...
> Cool. That's basically what I did.
>
> 1. What defines where the custom cookie is stored? I used to see the
> default cookie in "C:\Documents and Settings\Administrator\Cookies", but now
> I can't find my custom cookie?

If you don't set an expiration date on a cookie, it will be a "session
cookie", which I don't believe is stored on disk. Session cookies are a Good
Thing, as browsers are more likely to be set to accept them than permanent
cookies.

> 2. How do I retrieve the roles that are stored in UserData (ticket)?

By doing the opposite of what you did to put them there. :-)

For instance, if your database code in login produced an array of roles, you
might use:

string[] roles = GetRolesForUser(userName);
string userData = String.Join(",", roles);
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        1,
        userName,
        System.DateTime.Now,
        System.DateTime.Now.AddMinutes(30),
        isPersistent,
        userData,
        FormsAuthentication.FormsCookiePath);

// Encrypt the ticket.
string encTicket = FormsAuthentication.Encrypt(ticket);

// Create the cookie.
Response.Cookies.Add(
        new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));

// Redirect back to original URL.
Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, isPersistent));

Well, in this case you'll want to do the following in
Application_AuthenticateRequest:

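// Needs: using System.Security.Principal; using System.Web.Security;
if (User == null) return; // anonymous request, no principal yet
FormsIdentity fi = User.Identity as FormsIdentity;
if (fi == null) return; // don't know how _that_ happened!
FormsAuthenticationTicket ticket = fi.Ticket;
string userData = ticket.UserData;
string[] roles = userData.Split(',');
// Replace the principal for this request with one that carries the roles.
Context.User = new GenericPrincipal(fi, roles);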

> 3. What is a common reason why you would access this in
> Application_AuthenticateRequest? This seems to work with no code in
> Application_AuthenticateRequest.

But it's not working. If you put the user in a role right now, is he still
in the same role on all subsequent requests? I doubt it. You need to set the
Principal on each request - remember we're talking "stateless".

> You're a great resource! Thanks.
You're welcome.
-- 
John Saunders
Internet Engineer
john.saunders@surfcontrol.com
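
The round trip described in this reply, as an added example that is not part of the original post: it issues the ticket cookie with the roles in UserData and rebuilds the principal on each request, covering the session-versus-persistent cookie point from question 1 and an empty UserData string. The class name RoleTicket and its method names are hypothetical, and the code assumes .NET Framework 2.0 or later (HttpCookie.HttpOnly, StringSplitOptions).

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class RoleTicket   // hypothetical helper, not a framework type
{
    // Login side: issue the ticket cookie with roles packed into UserData.
    public static void Issue(HttpResponse response, string userName,
                             string[] roles, bool isPersistent)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            isPersistent, String.Join(",", roles),
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                         // not readable by script
        cookie.Secure = FormsAuthentication.RequireSSL; // follow web.config
        // No Expires means a session cookie that is never written to disk.
        // Only a persistent ticket gets an expiry, matching the ticket's own.
        if (isPersistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Request side: call from Application_AuthenticateRequest in Global.asax.
    public static void Restore(HttpContext context)
    {
        if (context.User == null) return;               // anonymous request
        FormsIdentity fi = context.User.Identity as FormsIdentity;
        if (fi == null || !fi.IsAuthenticated) return;

        // "".Split(',') yields one empty role name, so drop empty entries.
        string[] roles = fi.Ticket.UserData.Split(
            new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(fi, roles);
    }
}
```

Roles carried in the ticket stay in effect until the ticket expires, so a role change in the database is not seen until the user logs in again.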

