Re: authentication ticket expiring too soon



Just curious -- what is it that indicates the cookies are not being
properly set?

I am using the following code to set the ticket:

(signin.aspx)
------------------
void Page_Load(Object s, EventArgs e) {
    if (IsPostBack) {
        int signinResult =
            Authenticator.SignIn(TextBox_Email.Text, TextBox_Password.Text);
        if (signinResult == 1)
            // false = non-persistent (session) authentication cookie
            FormsAuthentication.RedirectFromLoginPage(Authenticator.UserID, false);
        else
            Label_Error.Text = "That email/password combination is invalid. Please try again.";
    }
}

(Authenticator.cs)
------------------------
using System;
using System.Data.OleDb;
using System.Web;

public class Authenticator
{
    public Authenticator()
    {
    }

    // The "UserInfo" cookie from the current request, or a new empty one.
    public static HttpCookie CookieObj
    {
        get
        {
            if (HttpContext.Current.Request.Cookies["UserInfo"] == null)
                return new HttpCookie("UserInfo");
            else
                return HttpContext.Current.Request.Cookies["UserInfo"];
        }
        set
        {
            System.Web.HttpContext.Current.Response.Cookies.Add(value);
        }
    }

    // Returns 1 on a successful sign-in, -1 otherwise.
    public static int SignIn(string email, string pw)
    {
        HttpCookie tmpCookieObj = new HttpCookie("UserInfo");
        // Parameterized query: OleDb binds the "?" placeholders by position,
        // so user input is never concatenated into the SQL text.
        string sql = "SELECT FirstName, LastName, UserID FROM Users " +
                     "WHERE EMail = ? AND Password = ?";
        // myConnectionString is defined elsewhere.
        using (OleDbConnection connectionObj = new OleDbConnection(myConnectionString))
        {
            OleDbCommand Cmd = new OleDbCommand(sql, connectionObj);
            Cmd.Parameters.AddWithValue("@email", email.Trim());
            Cmd.Parameters.AddWithValue("@pw", pw.Trim());
            connectionObj.Open();
            OleDbDataReader DReader = Cmd.ExecuteReader();
            if (DReader.Read())
            {
                string FirstName = DReader.GetString(0);
                string LastName = DReader.GetString(1);
                string UserID = DReader.GetInt32(2).ToString();
                DReader.Close();
                tmpCookieObj.Values.Add("FirstName", FirstName);
                tmpCookieObj.Values.Add("LastName", LastName);
                tmpCookieObj.Values.Add("UserID", UserID);
                tmpCookieObj.Expires = DateTime.Now.AddDays(3);
                CookieObj = tmpCookieObj;
                return 1;
            }
            else
            {
                DReader.Close();
                connectionObj.Close();
                return -1;
            }
        }
    }

    // The UserID value stored in the "UserInfo" cookie, or an empty string.
    public static string UserID
    {
        get
        {
            if (CookieObj["UserID"] != null)
                return CookieObj["UserID"];
            else
                return String.Empty;
        }
    }
}


I should also now note the other cookie that appears on the test page
(previously omitted):

Name: UserInfo
Value: FirstName=Joe&LastName=Smith&UserID=1
Domain:
Path: /
HasKeys: True
Expires: 1/1/0001 12:00:00 AM

Thanks,
Alyssa


Gaurav Vaish (www.EduJiniOnline.com) wrote:
Name: UserID
Expires: 1/1/0001 12:00:00 AM

Name: ASP.NET_SessionId
Expires: 1/1/0001 12:00:00 AM

The cookies are not being properly set.
Neither for ASP.Net_SessionId, nor for UserID.

Just check how you are generating and setting the FormsAuthenticationTicket?


--
Happy Hacking,
Gaurav Vaish | http://www.mastergaurav.com
http://www.edujinionline.com
http://articles.edujinionline.com/webservices
-------------------
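
One way to generate and set the FormsAuthenticationTicket explicitly, so that its lifetime is chosen in code and the user id is read from the validated ticket instead of the plain UserInfo cookie. This is an added example, not code from the thread; the TicketHelper class and its method names are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the thread).
public static class TicketHelper
{
    // Issue the forms-authentication cookie with a lifetime chosen in code.
    public static void IssueTicket(HttpResponse response, string userId,
                                   string displayName, TimeSpan lifetime, bool persistent)
    {
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userId, now, now.Add(lifetime), persistent,
            displayName,                          // userData: display only
            FormsAuthentication.FormsCookiePath);

        // With the default protection="All", Encrypt() encrypts and signs the
        // ticket, so the user id is tamper-evident, unlike a plain cookie value.
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (persistent)
            cookie.Expires = ticket.Expiration;   // otherwise a session cookie
        response.Cookies.Add(cookie);
    }

    // Identity for authorization decisions comes from the validated ticket.
    public static string CurrentUserId(HttpContext context)
    {
        FormsIdentity identity = context.User == null
            ? null : context.User.Identity as FormsIdentity;
        return (identity != null && identity.IsAuthenticated) ? identity.Name : String.Empty;
    }

    // Diagnostic: when does the ticket itself expire? Request.Cookies[...].Expires
    // cannot answer this, because browsers send back only name=value pairs.
    public static DateTime? TicketExpiration(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || String.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            FormsAuthenticationTicket t = FormsAuthentication.Decrypt(cookie.Value);
            return t == null ? (DateTime?)null : t.Expiration;
        }
        catch (ArgumentException) { return null; } // malformed cookie value
    }
}
```

In signin.aspx this would take the place of the RedirectFromLoginPage call: call IssueTicket, then Response.Redirect(FormsAuthentication.GetRedirectUrl(userId, persistent)).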
