Re: Forms Security

From: Matt (matthewr_at_becta.org.uk)
Date: 06/24/05

    Date: Fri, 24 Jun 2005 14:02:17 +0100


    OK, typically, just after I posted this I figured out the difference!

    Now my code is the same as yours.

    Using Fiddler, when I submit the username and password, I can see it sending
    a cookie of the correct type with a load of data in it.

    Below that is another entry for the login page again. This too has the line
    for the cookie, with the same data. So looking at that, the page knows there
    is a cookie written, and it is just ignoring it. Both the entry for the
    login page and the one for the user home page have the same referrer.

    I just can't see why this is happening (but this is all new to me, so it is
    almost certainly something straightforward!)

    Matt
    "Matt" <matthewr@becta.org.uk> wrote in message
    news:#dycyxAeFHA.616@TK2MSFTNGP12.phx.gbl...
    > Well I'll look some more, but I just copied your code in, and I get the
    > same issue. The only difference is I need to have a web.config in each
    > folder as it doesn't like me having a
    > <location = "<folder>">
    > </location> block in the config
    >
    > If I set the redirect to be away from the secure area of my site it works,
    > and I looked at my cookie cache, and the system did create a new cookie.
    >
    > It's all very confusing, but I'll have to wait until later to download
    > Fiddler.
    >
    > Any other gotchas I should be looking out for?
    >
    >
    > "Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
    > wrote in message news:512811632551440719389333@news.microsoft.com...
    > > Hello MATT,
    > >
    > > just compare the code in my sample and yours for setting the auth
    > > cookie. there must be a difference. maybe the expiration time is the
    > > problem. Also - try using a tool like Fiddler (www.fiddlertool.com) to
    > > inspect the behavior and if the cookie is really set in IE.
    > >
    > > ---------------------------------------
    > > Dominick Baier - DevelopMentor
    > > http://www.leastprivilege.com
    > >
    > > > Thanks Dominick, there's a lot to digest there, and no doubt I'll be
    > > > tweaking my application for some time based on what you've shown me -
    > > > when I understand what it all does :-)
    > > >
    > > > But it doesn't explain why my code doesn't work. It definitely writes
    > > > and creates a cookie, and tries to redirect. But instead of
    > > > redirecting it is bouncing straight back to the login page. So if the
    > > > decryption of my ticket is happening automajically, then what on earth
    > > > is causing this problem?
    > > >
    > > > (All the sample code I have is straight off the MS website, and usually
    > > > I find that works.)
    > > >
    > > > Is there any way I can catch the redirect, to see why it is sending me
    > > > back to the login page?
    > > >
    > > > Matt
    > > >
    > > > "Dominick Baier [DevelopMentor]"
    > > > <dbaier@pleasepleasenospamdevelop.com> wrote in message
    > > > news:511930632551367308934364@news.microsoft.com...
    > > >
    > > >> Hello MATT,
    > > >>
    > > >> look at that code -
    > > >>
    > > >> http://www.leastprivilege.com/PermaLink.aspx?guid=b0e51388-71d1-4a6f-98d0-bc8cfbec4c3a
    > > >>
    > > >> the decryption is done by the FormsAuthenticationModule and is
    > > >> transparent to your application.
    > > >>
    > > >> ---------------------------------------
    > > >> Dominick Baier - DevelopMentor
    > > >> http://www.leastprivilege.com
    > > >>> Sorry, here it is.
    > > >>>
    > > >>> [code]
    > > >>> // Build a version-1 ticket for the user name returned by the stored
    > > >>> // procedure, non-persistent, valid for 10 minutes
    > > >>> string userName = selectCMD.Parameters["@output"].Value.ToString();
    > > >>> FormsAuthenticationTicket authTicket =
    > > >>>     new FormsAuthenticationTicket(userName, false, 10);
    > > >>> // Encrypt the ticket
    > > >>> string eT = FormsAuthentication.Encrypt(authTicket);
    > > >>> // Create a Cookie and store the data
    > > >>> HttpCookie authCookie =
    > > >>>     new HttpCookie(FormsAuthentication.FormsCookieName, eT);
    > > >>> DateTime dt = DateTime.Now;
    > > >>> authCookie.Expires = dt.AddHours(1);
    > > >>> Response.Cookies.Add(authCookie);
    > > >>> // Redirect to Originally Requested Page
    > > >>> Label2.Text = FormsAuthentication.GetRedirectUrl(userName, false);
    > > >>> Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false));
    > > >>> [/code]
    > > >>> I guess I don't understand the forms security model, but if there is
    > > >>> a ticket encrypt method, I assume that there needs to be a
    > > >>> ticket.decrypt method call happening somewhere.
    > > >>> But then that may be bad thinking on my part!
    > > >>>
    > > >>> Matt
    > > >>>
    > > >>> "Dominick Baier [DevelopMentor]"
    > > >>> <dbaier@pleasepleasenospamdevelop.com> wrote in message
    > > >>> news:509256632550731384720833@news.microsoft.com...
    > > >>>
    > > >>>> Hello MATT,
    > > >>>>
    > > >>>> can you post the code, where you set the Auth Cookie?
    > > >>>>
    > > >>>> ---------------------------------------
    > > >>>> Dominick Baier - DevelopMentor
    > > >>>> http://www.leastprivilege.com
    > > >>>>> Hi, I have the MSDN forms security example in my .net code, tweaked
    > > >>>>> to suit my application.
    > > >>>>>
    > > >>>>> When I log in, and step through my code, I see everything get
    > > >>>>> created correctly, and if I look in the cookies folder, the cookie
    > > >>>>> myname@localhost gets created.
    > > >>>>>
    > > >>>>> But the page then redirects, and the security doesn't see the
    > > >>>>> cookie, and so I end up back at the login page.
    > > >>>>> What have I missed?
    > > >>>>> I assume that the .net framework handles the rest, so it looks to
    > > >>>>> me that it is not finding the correct cookie name in the web.config
    > > >>>>> file.
    > > >>>>> The only thing I have done is encrypted the ticket, so I can see I
    > > >>>>> may need to add in a function somewhere to decrypt it and check it?
    > > >>>>> Any advice / help gratefully received, as I'm going round and round
    > > >>>>> in circles.
    > >
    > >
    > >
    >
    >

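The thread turns on two things: the ticket is issued by hand and then the FormsAuthenticationModule silently decides whether to honour it. The following is an added example (not Matt's code and not Dominick's sample) of a helper that issues the cookie with consistent expiry and hardened flags, keeps the post-login redirect on-site, and, for the login page, decrypts whatever cookie did arrive and says why the module would have rejected it. It assumes ASP.NET 2.0 APIs (`HttpCookie.HttpOnly`, `FormsAuthentication.RequireSSL`) and a `<forms timeout="10">` element in web.config; the class and method names are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example; assumes <authentication mode="Forms"><forms ... timeout="10"/></authentication>
// in web.config and that it runs inside an ASP.NET 2.0 page or module.
public static class FormsAuthHelper
{
    // Issue the forms auth cookie. The module enforces the ticket's own expiration;
    // the cookie's Expires only tells the browser how long to keep it.
    public static void IssueAuthCookie(HttpResponse response, string userName, bool persistent)
    {
        DateTime issued = DateTime.Now;
        DateTime expires = issued.AddMinutes(10);          // keep in step with <forms timeout="10">
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                             // ticket version
            userName,
            issued,
            expires,
            persistent,
            String.Empty,                                  // no extra user data
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,           // must match <forms name="...">
            FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath; // must cover the protected folder, or the browser never sends it
        cookie.HttpOnly = true;                            // keep the ticket away from script
        cookie.Secure = FormsAuthentication.RequireSSL;    // when requireSSL="true" the module ignores it on plain HTTP anyway
        if (persistent)
            cookie.Expires = expires;                      // otherwise a session cookie, discarded with the browser
        response.Cookies.Add(cookie);
    }

    // GetRedirectUrl hands back the ReturnUrl query parameter. Only follow it if it stays
    // on this site; otherwise the login page becomes an open redirector.
    public static string SafeReturnUrl(string userName)
    {
        string url = FormsAuthentication.GetRedirectUrl(userName, false);
        bool isLocal = url != null
            && url.StartsWith("/")
            && !url.StartsWith("//")
            && !url.StartsWith("/\\");
        return isLocal ? url : "/";                        // "/" is an assumed fallback landing page
    }

    // Diagnostic for the login page: explain why the module may have bounced the user back here.
    public static string DescribeIncomingTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
            return "no cookie named '" + FormsAuthentication.FormsCookieName
                 + "' arrived; check the cookie Path/Domain and the <forms name> in web.config";
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null)
                return "cookie present but could not be decrypted (machineKey or protection= mismatch?)";
            if (ticket.Expired)
                return "ticket for '" + ticket.Name + "' expired at " + ticket.Expiration;
            return "ticket for '" + ticket.Name + "' is valid until " + ticket.Expiration
                 + "; the bounce must come from <authorization> rules on the target folder";
        }
        catch (Exception ex)
        {
            return "cookie present but Decrypt threw: " + ex.Message;
        }
    }
}
```

In the login button handler, `IssueAuthCookie(Response, userName, false)` followed by `Response.Redirect(SafeReturnUrl(userName))` replaces the hand-rolled cookie block; in the login page's `Page_Load`, `Trace.Write(DescribeIncomingTicket(Request))` with tracing enabled shows, on the very request that Fiddler reports as carrying the cookie, whether the cookie name, path, decryption or expiry is the reason the module discarded it.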
