Why retrieve ticket during authenticate_request
From: Mike (anonymous_at_discussions.microsoft.com)
Date: 03/26/04
- Next message: Ken Schaefer: "Re: Constrained Delegation question - Please Help"
- Previous message: Ken Schaefer: "Re: Windows Auth -- double hop issue??"
- Next in thread: Mike: "RE: Why retrieve ticket during authenticate_request"
- Reply: Mike: "RE: Why retrieve ticket during authenticate_request"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 25 Mar 2004 18:31:08 -0800
Is there a security reason why Microsoft's example for forms authentication retrieves the authentication ticket from the cookie on every request rather than just retrieving it from the current identity? I know about the authentication problem between sites if the form name is the same. But are there any other security implications?
Thanks
// Application_AuthenticateRequest handler from Microsoft's sample (usings and
// method signature added so the fragment compiles; it lives in the
// Global : HttpApplication class in Global.asax.cs)
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    //extract the forms authentication cookie
    string cookieName = FormsAuthentication.FormsCookieName;
    HttpCookie authCookie = Context.Request.Cookies[cookieName];
    if (null == authCookie)
    {
        //there is no authentication cookie
        return;
    }
    //extract and decrypt the authentication ticket from the forms authentication cookie
    FormsAuthenticationTicket authTicket = null;
    try
    {
        authTicket = FormsAuthentication.Decrypt(authCookie.Value);
    }
    catch //(Exception ex)
    {
        //cookie was malformed, tampered with, or encrypted under another machineKey
        return;
    }
    if (null == authTicket)
    {
        //cookie failed to decrypt
        return;
    }
    //parse out the pipe separated list of role names attached to the ticket when
    //the user was originally authenticated
    //when the ticket was created, the UserData property was assigned a
    //pipe delimited string of role names
    string[] roles = authTicket.UserData.Split(new char[] { '|' });
    //create a FormsIdentity object with the user name obtained from the ticket name
    //and a GenericPrincipal object that contains this identity together with the user's role list
    //create an Identity object
    FormsIdentity id = new FormsIdentity(authTicket);
    //this principal will flow throughout the request
    GenericPrincipal principal = new GenericPrincipal(id, roles);
    //attach the new principal object to the current HttpContext object
    Context.User = principal;
}
Why not just check whether the user is authenticated and retrieve the roles from the current authenticated user's identity's forms authentication ticket?
// Alternative handler (usings and method signature added so the fragment compiles;
// lives in the Global : HttpApplication class in Global.asax.cs)
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    // TODO: change this in template
    // check if current user is authenticated
    if (Context.Request.IsAuthenticated)
    {
        // retrieve user's identity from httpcontext user; use 'as' rather than a
        // hard cast, which would throw if the request was authenticated by something
        // other than forms authentication
        FormsIdentity ident = Context.User.Identity as FormsIdentity;
        if (ident != null)
        {
            // retrieve roles from the authentication ticket userdata field
            string[] arrRoles = ident.Ticket.UserData.Split(new char[] { '|' });
            // create principal and attach to user
            Context.User = new GenericPrincipal(ident, arrRoles);
        }
    }
}
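A handler that combines both approaches, as an added example that is not part of Mike's post or of Microsoft's sample. It assumes an ASP.NET application with forms authentication configured in web.config, roles stored pipe-delimited in the ticket's UserData as above, and a hypothetical helper named GetTicket: it uses the FormsIdentity that FormsAuthenticationModule has already placed in Context.User when one is there, and only falls back to decrypting the cookie itself otherwise. Two checks the sample in the post skips are included: the identity is type-tested rather than cast, and a cookie that is decrypted by hand is rejected if its ticket has expired, since that expiry check is done by FormsAuthenticationModule rather than by FormsAuthentication.Decrypt.

```csharp
// Added example, not from the original post or Microsoft's sample. Assumes
// forms authentication is configured in web.config and that roles were stored
// pipe-delimited in the ticket's UserData when it was issued.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        FormsAuthenticationTicket ticket = GetTicket(Context);
        if (ticket == null)
        {
            return; // anonymous request, non-forms identity, or rejected cookie
        }
        string[] roles = ticket.UserData.Split(new char[] { '|' });
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }

    // Hypothetical helper (named here for illustration). Prefers the ticket
    // FormsAuthenticationModule already validated; decrypts the cookie only
    // when the module has not populated Context.User.
    static FormsAuthenticationTicket GetTicket(HttpContext ctx)
    {
        if (ctx.User != null && ctx.User.Identity.IsAuthenticated)
        {
            // IsAuthenticated alone does not prove forms authentication; a
            // Windows or custom identity would fail a hard cast, so use 'as'.
            FormsIdentity id = ctx.User.Identity as FormsIdentity;
            if (id != null)
            {
                return id.Ticket;
            }
            return null; // authenticated by another scheme; leave it untouched
        }

        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || cookie.Value.Length == 0)
        {
            return null;
        }

        FormsAuthenticationTicket ticket;
        try
        {
            // Under protection="All" Decrypt rejects a cookie whose MAC does not
            // verify (null result or exception), but it does not reject an
            // expired ticket, so that check is repeated below.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return null; // malformed, tampered, or issued under another machineKey
        }

        if (ticket == null || ticket.Expired)
        {
            return null;
        }
        return ticket;
    }
}
```

If the application also runs the URL-authorization module, the principal set here is the one it consults, so a ticket that passes the checks above is what grants access for the rest of the request.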