FormsAuth and Sessions Troubles...

From: Jeff (jeffpriz_at_yahoo.com)
Date: 08/20/03


Date: 20 Aug 2003 12:56:40 -0700


I'm having some trouble implementing Forms Authentication and using
Session variables...
If I just turn on Forms Auth and don't set up any roles (don't set up a
GenericPrincipal, and don't assign the Context.User) everything works
fine. I can keep my Auth Cookie and Session timed in sync and I have
no issues.
NOW however as soon as I set a GenericPrincipal for my user and assign
Context.User to that principal everything goes to heck. It acts as
though my Auth Ticket doesn't expire... So what I get after I wait
20 min (session timeout) is my session is dead, however in my
Application_AuthenticateRequest event, the auth cookie (that should've
expired) is available and I assign the principal... I don't get
redirected to my login page. Now when my pages load they try to access
a session variable, but oops, not there and I blow up.

In my AuthenticateRequest event, I have:

Dim cook As HttpCookie
Dim ticket As System.Web.Security.FormsAuthenticationTicket
Dim roles As String()
Dim formsID As FormsIdentity
Dim principal As GenericPrincipal

cook = Request.Cookies(System.Web.Security.FormsAuthentication.FormsCookieName)
If Not cook Is Nothing Then

            ' Decrypt the forms auth cookie into its ticket
            ticket = System.Web.Security.FormsAuthentication.Decrypt(cook.Value)

            ' Role names are stored in the ticket's UserData
            roles = ticket.UserData.Split(roleDelimiter)

            formsID = New FormsIdentity(ticket)
            principal = New GenericPrincipal(formsID, roles)

            Context.User = principal
End If

--- Now if I comment out the "Context.User = principal" line it works
as I'd expect...

Thanks for any help

jeffpriz
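
Added example, not part of the original post: a variant of the handler above that assigns the role principal only when the cookie decrypts to a ticket whose Expired property is False, and otherwise leaves the request anonymous so the configured authorization rules can send the user to the login page. The class name GlobalApp and the "|" value for roleDelimiter are assumptions.

```vbnet
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

' Hypothetical code-behind class for Global.asax (name is an assumption).
Public Class GlobalApp
    Inherits HttpApplication

    ' Assumption: roles were written to ticket.UserData separated by "|".
    Private Const roleDelimiter As Char = "|"c

    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim cook As HttpCookie = Request.Cookies(FormsAuthentication.FormsCookieName)

        ' No cookie (or an empty one): stay anonymous.
        If cook Is Nothing OrElse cook.Value Is Nothing OrElse cook.Value.Length = 0 Then
            Return
        End If

        Dim ticket As FormsAuthenticationTicket = Nothing
        Try
            ticket = FormsAuthentication.Decrypt(cook.Value)
        Catch ex As Exception
            ' A cookie that fails validation or decryption is treated as absent.
            ticket = Nothing
        End Try

        ' Decrypt returns the ticket without enforcing its lifetime, so the
        ' expiry check has to be made here before trusting its contents.
        If ticket Is Nothing OrElse ticket.Expired Then
            Return
        End If

        ' UserData may be empty when the user has no roles.
        Dim roles As String() = New String() {}
        If Not ticket.UserData Is Nothing AndAlso ticket.UserData.Length > 0 Then
            roles = ticket.UserData.Split(roleDelimiter)
        End If

        Context.User = New GenericPrincipal(New FormsIdentity(ticket), roles)
    End Sub
End Class
```

Session state and the forms ticket expire independently, so pages should still check that a Session value exists before using it.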


