Re: Forms Security
From: Matt (matthewr_at_becta.org.uk)
Date: 06/24/05
Date: Fri, 24 Jun 2005 16:24:23 +0100
Adding the following code to Application_AuthenticateRequest() has helped me
step through the auth process:

    string cookieName = FormsAuthentication.FormsCookieName;
    HttpCookie authCookie = Context.Request.Cookies[cookieName];
    if (null == authCookie)
    {
        // There is no authentication cookie.
        return;
    }

authCookie is returning as Null, but it is being written in the login
process.

Matt
"Matt" <matthewr@becta.org.uk> wrote in message
news:#gof#zLeFHA.1920@tk2msftngp13.phx.gbl...
> OK, typically, just after I posted this I figured out the difference!
>
> Now my code is the same as yours.
>
> Using Fiddler, when I submit the username and password, I can see it
> sending a cookie of the correct type with a load of data in it.
>
> Below that is another entry for the login page again. This too has the
> line for the cookie, with the same data. So looking at that, the page knows
> there is a cookie written, and it is just ignoring it. Both the entry for the
> login page, and for the user home page have the same referrer.
>
> I just can't see why this is happening, (but this is all new to me so it is
> almost certainly something straightforward!)
>
> Matt
> "Matt" <matthewr@becta.org.uk> wrote in message
> news:#dycyxAeFHA.616@TK2MSFTNGP12.phx.gbl...
> > Well I'll look some more, but I just copied your code in, and I get the
> > same issue. The only difference is I need to have a web.config in each
> > folder as it doesn't like me having a
> > <location = "<folder>">
> > </location> block in the config
> >
> > If I set the redirect to be away from the secure area of my site it
> > works, and I looked at my cookie cache, and the system did create a new
> > cookie.
> >
> > It's all very confusing, but I'll have to wait until later to download
> > Fiddler.
> >
> > Any other gotchas I should be looking out for?
> >
> >
> > "Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
> > wrote in message news:512811632551440719389333@news.microsoft.com...
> > > Hello MATT,
> > >
> > > just compare the code in my sample and yours for setting the auth
> > > cookie. There must be a difference. Maybe the expiration time is the
> > > problem. Also - try using a tool like Fiddler (www.fiddlertool.com) to
> > > inspect the behavior and if the cookie is really set in IE.
> > >
> > > ---------------------------------------
> > > Dominick Baier - DevelopMentor
> > > http://www.leastprivilege.com
> > >
> > > > Thanks Dominick, there's a lot to digest there, and no doubt I'll be
> > > > tweaking my application for some time based on what you've shown
> > > > me. - When I understand what it all does :-)
> > > >
> > > > But it doesn't explain why my code doesn't work, it definitely writes
> > > > and creates a cookie, and tries to redirect. But instead of
> > > > redirecting it is bouncing straight back to the login page. So if
> > > > the decryption of my ticket is happening automajically, then what on
> > > > earth is causing this problem?
> > > >
> > > > (all the sample code I have is straight off the MS website, and
> > > > usually I find that works)
> > > >
> > > > Is there any way I can catch the redirect, to see why it is sending
> > > > me back to the login page?
> > > >
> > > > Matt
> > > >
> > > > "Dominick Baier [DevelopMentor]"
> > > > <dbaier@pleasepleasenospamdevelop.com> wrote in message
> > > > news:511930632551367308934364@news.microsoft.com...
> > > >
> > > >> Hello MATT,
> > > >>
> > > > >> look at that code -
> > > > >>
> > > > >> http://www.leastprivilege.com/PermaLink.aspx?guid=b0e51388-71d1-4a6f-98d0-bc8cfbec4c3a
> > > > >>
> > > > >> the decryption is done by the FormsAuthenticationModule and is
> > > > >> transparent to your application.
> > > >>
> > > >> ---------------------------------------
> > > >> Dominick Baier - DevelopMentor
> > > >> http://www.leastprivilege.com
> > > > >>> Sorry, here it is.
> > > > >>>
> > > > >>> [code]
> > > > >>> FormsAuthenticationTicket authTicket = new
> > > > >>>     FormsAuthenticationTicket(selectCMD.Parameters["@output"].Value.ToString(), false, 10);
> > > > >>> //Encrypt the ticket
> > > > >>> string eT = FormsAuthentication.Encrypt(authTicket);
> > > > >>> //Create a Cookie and store the data
> > > > >>> HttpCookie authCookie = new
> > > > >>>     HttpCookie(FormsAuthentication.FormsCookieName, eT);
> > > > >>> DateTime dt = DateTime.Now;
> > > > >>> authCookie.Expires = dt.AddHours(1);
> > > > >>> Response.Cookies.Add(authCookie);
> > > > >>> //Redirect to Originally Requested Page
> > > > >>> Label2.Text = (FormsAuthentication.GetRedirectUrl
> > > > >>>     (selectCMD.Parameters["@output"].Value.ToString(), false));
> > > > >>> Response.Redirect(FormsAuthentication.GetRedirectUrl
> > > > >>>     (selectCMD.Parameters["@output"].Value.ToString(), false));
> > > > >>> [/code]
> > > > >>> I guess I don't understand the forms security model, but if there
> > > > >>> is a ticket encrypt method, I assume that there needs to be a
> > > > >>> ticket.decrypt method call happening somewhere.
> > > > >>> But then that may be bad thinking on my part!
> > > >>>
> > > >>> Matt
> > > >>>
> > > >>> "Dominick Baier [DevelopMentor]"
> > > >>> <dbaier@pleasepleasenospamdevelop.com> wrote in message
> > > >>> news:509256632550731384720833@news.microsoft.com...
> > > >>>
> > > >>>> Hello MATT,
> > > >>>>
> > > >>>> can you post the code, where you set the Auth Cookie?
> > > >>>>
> > > >>>> ---------------------------------------
> > > >>>> Dominick Baier - DevelopMentor
> > > >>>> http://www.leastprivilege.com
> > > > >>>>> Hi I have the MSDN forms security example in my .net code,
> > > > >>>>> tweaked to suit my application.
> > > > >>>>>
> > > > >>>>> When I log in, and step through my code, I see everything get
> > > > >>>>> created correctly, and if I look in the cookies folder, the
> > > > >>>>> cookie myname@localhost gets created
> > > > >>>>>
> > > > >>>>> But the page then redirects, and the security doesn't see the
> > > > >>>>> cookie and so I end up back at the login page.
> > > > >>>>> What have I missed?
> > > > >>>>> I assume that the .net framework handles the rest, so it looks
> > > > >>>>> to me that it is not finding the correct cookie name in the
> > > > >>>>> web.config file
> > > > >>>>> The only thing I have done is encrypted the ticket, so I can see
> > > > >>>>> I may need to add in a function somewhere to decrypt it and
> > > > >>>>> check it?
> > > > >>>>> Any advice / help gratefully received, as I'm going round and
> > > > >>>>> round in circles
> > >
> > >
> > >
> >
> >
>
>
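
The check posted at the top of this message, extended into a fuller diagnostic (an added example, not part of the original posts or of the linked sample): it records which cookies actually arrived for the request path and, when the forms cookie is present, whether its ticket decrypts and has expired. The class name Global, the Note helper and the FormsAuthDiag trace category are assumptions, and it assumes ASP.NET tracing is enabled on a development machine.

```csharp
// Added diagnostic for Global.asax.cs; not code from the thread.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        string cookieName = FormsAuthentication.FormsCookieName;
        HttpCookie authCookie = Context.Request.Cookies[cookieName];

        if (authCookie == null)
        {
            // List the cookie names the browser did send for this URL, next to
            // the name and path the forms configuration expects.
            Note("No '" + cookieName + "' cookie on " + Request.Path +
                 "; configured cookie path: " + FormsAuthentication.FormsCookiePath +
                 "; cookie names received: " +
                 string.Join(", ", Request.Cookies.AllKeys));
            return;
        }

        if (authCookie.Value == null || authCookie.Value.Length == 0)
        {
            Note("Cookie '" + cookieName + "' arrived with an empty value.");
            return;
        }

        FormsAuthenticationTicket ticket = null;
        try
        {
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception ex)
        {
            // Broad catch is deliberate here: any failure is worth recording.
            Note("Ticket could not be decrypted: " + ex.Message);
            return;
        }
        if (ticket == null) { Note("Decrypt returned no ticket."); return; }

        // Log ticket metadata only, never the encrypted cookie value itself.
        Note("Ticket for '" + ticket.Name + "' issued " + ticket.IssueDate +
             ", expires " + ticket.Expiration + ", expired=" + ticket.Expired +
             ", ticket path=" + ticket.CookiePath);
    }

    private void Note(string message) { Context.Trace.Write("FormsAuthDiag", message); }
}
```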