ASP.NET Forms Authentication - ASP.NET General

[John Saunders]

You don't need to play with cookies in global.asax. The Forms Authentication
module does that for you. If it sees a valid Forms Authentication cookie, it
will create a FormsIdentity, set it as the Identity property of a
GenericPrincipal, and set that principal as the current principal. By the
time your Application_AuthenticateRequest event handler is called,
Request.IsAuthenticated is set to True.

At that time, you can either leave the principal alone, or, if you put
something into the ticket, you can pull it out:

If Not Request.IsAuthenticated Then Return
Dim fi As FormsIdentity = CType(User.Identity, FormsIdentity)
' Do something with fi.Ticket.UserData
' like maybe get a set of roles and create a new GenericPrincipal to hold
those roles and the same FormsIdentity

--
John Saunders
Internet Engineer
[email]john.saunderssurfcontrol.com[/email]


"Mekkala" <jodakimcomcast.com> wrote in message
news:011301c35155$c02d2540$a501280aphx.gbl...

> I just started using ASP.NET, though I've used the old
> ASP before. I'm trying to set up an application to use
> the Forms Authentication Module. Authentication mode is
> set to Forms and in my login page I have the following
> code:
>
> -- Begin Code --
> Dim ticket As New FormsAuthenticationTicket(1,
> txtUserID.Text, DateTime.Now, DateTime.Now.AddMinutes
> (5000), False, "Admin")
> Dim encryptedTicket As String =
> FormsAuthentication.Encrypt(ticket)
> Dim authCookie As New HttpCookie
> (FormsAuthentication.FormsCookieName, encryptedTicket)
> authCookie.Expires = DateTime.Now.AddHours(1)
> Response.Cookies.Add(authCookie)
> FormsAuthentication.RedirectFromLoginPage
> (txtUserID.Text, False)
> -- End Code --
>
> Then in Global.asax I put code in the
> Application_AuthenticateRequest event procedure to check
> the cookie and create a GenericPrincipal object if it
> exists and is valid. The problem is that the cookie I
> created and added in the Login.aspx form is no longer
> there when I attempt to retrieve it using
>
> Dim authCookie As HttpCookie = Context.Request.Cookies
> (cookieName)
>
> so every time I successfully log in, the
> AuthenticateRequest procedure doesn't find the cookie,
> doesn't make my GenericPrincipal object, and I get
> redirected back to the login page. WHY is that cookie no
> longer there?! I'm completely and absolutely stumped
> here. No matter what I do to it, I can't for the life of
> me make that cookie stick around.

[John Saunders]

It works for me. :-)

How about simplifying the problem to diagnose it? Stop doing the explicit
cookie setting on your login page and let Forms Authentication do it for
you. Then see if the cookie is there. Or, leave all the cookie settings at
the defaults and see what happens.

In my experience, if a cookie isn't found on the server, it's because the
client didn't send it. That's probably because the cookie is set for one
domain and path, and the page you expected to have receive the cookie is on
another. It could also be because the cookie has expired, but that hasn't
happened to me yet. :-)

--
John Saunders
Internet Engineer
[email]john.saunderssurfcontrol.com[/email]

"Mekkala" <jodakimcomcast.com> wrote in message
news:0c6101c351f3$833e0b10$a501280aphx.gbl...

> >You don't need to play with cookies in global.asax. The

> Forms Authentication

> >module does that for you. If it sees a valid Forms

> Authentication cookie, it

> >will create a FormsIdentity, set it as the Identity

> property of a

> >GenericPrincipal, and set that principal as the current

> principal. By the

> >time your Application_AuthenticateRequest event handler

> is called,

> >Request.IsAuthenticated is set to True.
> >
> >At that time, you can either leave the principal alone,

> or, if you put

> >something into the ticket, you can pull it out:
> >
> >If Not Request.IsAuthenticated Then Return
> >Dim fi As FormsIdentity = CType(User.Identity,

> FormsIdentity)

> >' Do something with fi.Ticket.UserData
> >' like maybe get a set of roles and create a new

> GenericPrincipal to hold

> >those roles and the same FormsIdentity

>
> Thanks, man. But that doesn't solve my problem. Ok, so
> now I know I don't have to do anything with the cookie,
> that the FormsAuthenticationModule will handle it
> automatically. That still doesn't change the fact that
> the cookie just plain isn't there. I can make the cookie
> and add it to the Response, then retrieve and read the
> cookie just fine while I'm still in the same page, but as
> soon as I go to another page, the cookie is just
> suddenly... gone. If I try to retrieve it, I get a null
> reference. More importantly, the
> FormsAuthenticationModule quite obviously can't retrieve
> it, because when I successfully log on, it points me
> towards the page I was originally trying to get to, then
> immediately bumps me back to the login page.
>
> I thought maybe my browser is set to block cookies, but
> it's not. I have no idea what the problem is here.

[John Saunders]

Since Session state depends on a cookie, it would appear that you have a
single reproducible problem - cookies aren't working for you. This appears
to happen for your cookies, and for cookies used by ASP.NET. I would suggest
that you cease testing your own cookies and instead work on getting Session
state to work. Once you get it working, try your cookies again.

I have occasionally had issues with "localhost" and cookies. Try using
[url]http://machine-name/[/url] instead. If possible, try
[url]http://machine-name.yourdomain.com/[/url].

Also, consider watching your requests and responses with ProxyTrace from
[url]http://www.pocketsoap.com[/url]. In using it, you should definitely try the
machine name rather than localhost.

Good Luck,
John Saunders
Internet Engineer
[email]john.saunderssurfcontrol.com[/email]

"Mekkala" <jodakimcomcast.com> wrote in message
news:015501c35200$5abd5120$a301280aphx.gbl...

>

> >-----Original Message-----
> >It works for me. :-)
> >
> >How about simplifying the problem to diagnose it? Stop

> doing the explicit

> >cookie setting on your login page and let Forms

> Authentication do it for

> >you. Then see if the cookie is there. Or, leave all the

> cookie settings at

> >the defaults and see what happens.
> >
> >In my experience, if a cookie isn't found on the server,

> it's because the

> >client didn't send it. That's probably because the

> cookie is set for one

> >domain and path, and the page you expected to have

> receive the cookie is on

> >another. It could also be because the cookie has

> expired, but that hasn't

> >happened to me yet. :-)

>
> All right, let me be more specific about the problem.
>
> I've tested this more thoroughly, and what I've found is
> that the contents of the entire Response header disappear
> every time I redirect, using the following:
>
> (to redirect from
> [url]http://localhost/gulfmex/LeaseQuery.aspx[/url] to
> [url]http://localhost/gulfmex/LeaseData.aspx):[/url]
>
> Session("MyVar") = "MyVarVal"
> Response.Redirect("LeaseData.aspx")
>
> then (in LeaseData.aspx):
>
> Response.Write("'" & Session("MyVar") & "'")
>
> Result is "''". Always. Same with anything else I
> store, including cookies.

[John Kievlan]

Ok, thanks, friend, I found the problem... and it's so
simple I'm laughing at myself (at at Microsoft, for that
matter).

Recently Microsoft issued a security patch that prevented
any server with certain characters, one of which was the
underscore ("_") character, from storing any cookies
and/or session variables. My server name
is "John_Dell1". When I started using "localhost" or the
IP address instead, just now, to navigate to the page, it
worked fine. And I've been spending the past several
days beating my head into the wall over this problem...
If I hadn't just come across a thread in
dotnet.framework.aspnet.security about this same problem,
I never would have found out what was happening, either.

:D

[John Saunders]

Could you point us to that security patch? I hadn't heard of it.

--
John Saunders
Internet Engineer
[email]john.saunderssurfcontrol.com[/email]

"John Kievlan" <jodakimcomcast.com> wrote in message
news:0ceb01c35205$05753f70$a601280aphx.gbl...

> Ok, thanks, friend, I found the problem... and it's so
> simple I'm laughing at myself (at at Microsoft, for that
> matter).
>
> Recently Microsoft issued a security patch that prevented
> any server with certain characters, one of which was the
> underscore ("_") character, from storing any cookies
> and/or session variables. My server name
> is "John_Dell1". When I started using "localhost" or the
> IP address instead, just now, to navigate to the page, it
> worked fine. And I've been spending the past several
> days beating my head into the wall over this problem...
> If I hadn't just come across a thread in
> dotnet.framework.aspnet.security about this same problem,
> I never would have found out what was happening, either.
>
> :D

[John Kievlan]

>-----Original Message-----
>Could you point us to that security patch? I hadn't

heard of it.

Go to the following link:
PRB: Session Variables Do Not Persist Between Requests
After You Install Internet Explorer Security Patch MS01-
055
[url]http://support.microsoft.com/?id=316112[/url]

[John Saunders]

Thanks for the info, John. That could prove to be a life saver.

John Saunders
[email]john.saunderssurfcontrol.com[/email]

*** Sent via Developersdex [url]http://www.developersdex.com[/url] ***
Don't just participate in USENET...get rewarded for it!