
ASP.NET Forms Authentication - ASP.NET General


  1. #1

    Default Re: ASP.NET Forms Authentication

    You don't need to play with cookies in global.asax. The Forms Authentication
    module does that for you. If it sees a valid Forms Authentication cookie, it
    will create a FormsIdentity, set it as the Identity property of a
    GenericPrincipal, and set that principal as the current principal. By the
    time your Application_AuthenticateRequest event handler is called,
    Request.IsAuthenticated is set to True.

    At that time, you can either leave the principal alone, or, if you put
    something into the ticket, you can pull it out:

    If Not Request.IsAuthenticated Then Return
    Dim fi As FormsIdentity = CType(User.Identity, FormsIdentity)
    ' Do something with fi.Ticket.UserData
    ' like maybe get a set of roles and create a new GenericPrincipal to hold
    ' those roles and the same FormsIdentity

    --
    John Saunders
    Internet Engineer
    [email]john.saunderssurfcontrol.com[/email]


    "Mekkala" <jodakimcomcast.com> wrote in message
    news:011301c35155$c02d2540$a501280aphx.gbl...
    > I just started using ASP.NET, though I've used the old
    > ASP before. I'm trying to set up an application to use
    > the Forms Authentication Module. Authentication mode is
    > set to Forms and in my login page I have the following
    > code:
    >
    > -- Begin Code --
    > Dim ticket As New FormsAuthenticationTicket(1, txtUserID.Text, DateTime.Now, DateTime.Now.AddMinutes(5000), False, "Admin")
    > Dim encryptedTicket As String = FormsAuthentication.Encrypt(ticket)
    > Dim authCookie As New HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
    > authCookie.Expires = DateTime.Now.AddHours(1)
    > Response.Cookies.Add(authCookie)
    > FormsAuthentication.RedirectFromLoginPage(txtUserID.Text, False)
    > -- End Code --
    >
    > Then in Global.asax I put code in the
    > Application_AuthenticateRequest event procedure to check
    > the cookie and create a GenericPrincipal object if it
    > exists and is valid. The problem is that the cookie I
    > created and added in the Login.aspx form is no longer
    > there when I attempt to retrieve it using
    >
    > Dim authCookie As HttpCookie = Context.Request.Cookies(cookieName)
    >
    > so every time I successfully log in, the
    > AuthenticateRequest procedure doesn't find the cookie,
    > doesn't make my GenericPrincipal object, and I get
    > redirected back to the login page. WHY is that cookie no
    > longer there?! I'm completely and absolutely stumped
    > here. No matter what I do to it, I can't for the life of
    > me make that cookie stick around.

    John Saunders Guest
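
    Added example, not part of the original posts: one way to do what the reply above suggests, carrying roles in the ticket's UserData and rebuilding the principal in Application_AuthenticateRequest. It issues the cookie once and redirects with GetRedirectUrl, because RedirectFromLoginPage writes its own ticket with empty UserData. Assumes .NET 2.0 or later; the class names AuthTicket and SiteApplication, the "|" separator and the 30-minute lifetime are hypothetical.

```vb
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

' Hypothetical helper called from the login page after the password check succeeds.
Public Class AuthTicket
    Public Shared Sub SignIn(ByVal ctx As HttpContext, ByVal userName As String, _
                             ByVal roles As String())
        ' Roles travel inside the protected ticket, not in a separate cookie.
        Dim ticket As New FormsAuthenticationTicket(1, userName, DateTime.Now, _
            DateTime.Now.AddMinutes(30), False, String.Join("|", roles))
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
                                     FormsAuthentication.Encrypt(ticket))
        cookie.Path = FormsAuthentication.FormsCookiePath
        cookie.HttpOnly = True                          ' keep the ticket away from script
        cookie.Secure = FormsAuthentication.RequireSSL  ' follow the <forms requireSSL> setting
        ' No Expires: a session cookie, matching isPersistent = False in the ticket.
        ctx.Response.Cookies.Add(cookie)
        ' GetRedirectUrl only computes the return URL. RedirectFromLoginPage would
        ' issue its own ticket (empty UserData) on top of the one added above.
        ctx.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, False))
    End Sub
End Class

' Global.asax code-behind (class name is hypothetical).
Public Class SiteApplication
    Inherits HttpApplication

    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        If Not Request.IsAuthenticated Then Return
        ' The module has already validated the cookie and built the FormsIdentity.
        Dim fi As FormsIdentity = TryCast(User.Identity, FormsIdentity)
        If fi Is Nothing OrElse fi.Ticket.UserData.Length = 0 Then Return
        Dim roles As String() = fi.Ticket.UserData.Split("|"c)
        ' Same identity, now with roles, so User.IsInRole and <authorization> rules work.
        Context.User = New GenericPrincipal(fi, roles)
    End Sub
End Class
```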

  2. #2

    Default Re: ASP.NET Forms Authentication

    It works for me. :-)

    How about simplifying the problem to diagnose it? Stop doing the explicit
    cookie setting on your login page and let Forms Authentication do it for
    you. Then see if the cookie is there. Or, leave all the cookie settings at
    the defaults and see what happens.

    In my experience, if a cookie isn't found on the server, it's because the
    client didn't send it. That's probably because the cookie is set for one
    domain and path, and the page you expected to receive the cookie is on
    another. It could also be because the cookie has expired, but that hasn't
    happened to me yet. :-)

    --
    John Saunders
    Internet Engineer
    [email]john.saunderssurfcontrol.com[/email]

    "Mekkala" <jodakimcomcast.com> wrote in message
    news:0c6101c351f3$833e0b10$a501280aphx.gbl...
    > >You don't need to play with cookies in global.asax. The Forms Authentication
    > >module does that for you. If it sees a valid Forms Authentication cookie, it
    > >will create a FormsIdentity, set it as the Identity property of a
    > >GenericPrincipal, and set that principal as the current principal. By the
    > >time your Application_AuthenticateRequest event handler is called,
    > >Request.IsAuthenticated is set to True.
    > >
    > >At that time, you can either leave the principal alone, or, if you put
    > >something into the ticket, you can pull it out:
    > >
    > >If Not Request.IsAuthenticated Then Return
    > >Dim fi As FormsIdentity = CType(User.Identity, FormsIdentity)
    > >' Do something with fi.Ticket.UserData
    > >' like maybe get a set of roles and create a new GenericPrincipal to hold
    > >' those roles and the same FormsIdentity
    >
    > Thanks, man. But that doesn't solve my problem. Ok, so
    > now I know I don't have to do anything with the cookie,
    > that the FormsAuthenticationModule will handle it
    > automatically. That still doesn't change the fact that
    > the cookie just plain isn't there. I can make the cookie
    > and add it to the Response, then retrieve and read the
    > cookie just fine while I'm still in the same page, but as
    > soon as I go to another page, the cookie is just
    > suddenly... gone. If I try to retrieve it, I get a null
    > reference. More importantly, the
    > FormsAuthenticationModule quite obviously can't retrieve
    > it, because when I successfully log on, it points me
    > towards the page I was originally trying to get to, then
    > immediately bumps me back to the login page.
    >
    > I thought maybe my browser is set to block cookies, but
    > it's not. I have no idea what the problem is here.

    John Saunders Guest

  3. #3

    Default Re: ASP.NET Forms Authentication

    Since Session state depends on a cookie, it would appear that you have a
    single reproducible problem - cookies aren't working for you. This appears
    to happen for your cookies, and for cookies used by ASP.NET. I would suggest
    that you cease testing your own cookies and instead work on getting Session
    state to work. Once you get it working, try your cookies again.

    I have occasionally had issues with "localhost" and cookies. Try using
    [url]http://machine-name/[/url] instead. If possible, try
    [url]http://machine-name.yourdomain.com/[/url].

    Also, consider watching your requests and responses with ProxyTrace from
    [url]http://www.pocketsoap.com[/url]. In using it, you should definitely try the
    machine name rather than localhost.

    Good Luck,
    John Saunders
    Internet Engineer
    [email]john.saunderssurfcontrol.com[/email]

    "Mekkala" <jodakimcomcast.com> wrote in message
    news:015501c35200$5abd5120$a301280aphx.gbl...
    >
    > >-----Original Message-----
    > >It works for me. :-)
    > >
    > >How about simplifying the problem to diagnose it? Stop doing the explicit
    > >cookie setting on your login page and let Forms Authentication do it for
    > >you. Then see if the cookie is there. Or, leave all the cookie settings at
    > >the defaults and see what happens.
    > >
    > >In my experience, if a cookie isn't found on the server, it's because the
    > >client didn't send it. That's probably because the cookie is set for one
    > >domain and path, and the page you expected to receive the cookie is on
    > >another. It could also be because the cookie has expired, but that hasn't
    > >happened to me yet. :-)
    >
    > All right, let me be more specific about the problem.
    >
    > I've tested this more thoroughly, and what I've found is
    > that the contents of the entire Response header disappear
    > every time I redirect, using the following:
    >
    > (to redirect from
    > [url]http://localhost/gulfmex/LeaseQuery.aspx[/url] to
    > [url]http://localhost/gulfmex/LeaseData.aspx):[/url]
    >
    > Session("MyVar") = "MyVarVal"
    > Response.Redirect("LeaseData.aspx")
    >
    > then (in LeaseData.aspx):
    >
    > Response.Write("'" & Session("MyVar") & "'")
    >
    > Result is "''". Always. Same with anything else I
    > store, including cookies.

    John Saunders Guest

  4. #4

    Default Re: ASP.NET Forms Authentication

    Ok, thanks, friend, I found the problem... and it's so
    simple I'm laughing at myself (and at Microsoft, for that
    matter).

    Recently Microsoft issued a security patch that prevented
    any server with certain characters, one of which was the
    underscore ("_") character, from storing any cookies
    and/or session variables. My server name
    is "John_Dell1". When I started using "localhost" or the
    IP address instead, just now, to navigate to the page, it
    worked fine. And I've been spending the past several
    days beating my head into the wall over this problem...
    If I hadn't just come across a thread in
    dotnet.framework.aspnet.security about this same problem,
    I never would have found out what was happening, either.

    :D
    John Kievlan Guest

  5. #5

    Default Re: ASP.NET Forms Authentication

    Could you point us to that security patch? I hadn't heard of it.

    --
    John Saunders
    Internet Engineer
    [email]john.saunderssurfcontrol.com[/email]

    "John Kievlan" <jodakimcomcast.com> wrote in message
    news:0ceb01c35205$05753f70$a601280aphx.gbl...
    > Ok, thanks, friend, I found the problem... and it's so
    > simple I'm laughing at myself (and at Microsoft, for that
    > matter).
    >
    > Recently Microsoft issued a security patch that prevented
    > any server with certain characters, one of which was the
    > underscore ("_") character, from storing any cookies
    > and/or session variables. My server name
    > is "John_Dell1". When I started using "localhost" or the
    > IP address instead, just now, to navigate to the page, it
    > worked fine. And I've been spending the past several
    > days beating my head into the wall over this problem...
    > If I hadn't just come across a thread in
    > dotnet.framework.aspnet.security about this same problem,
    > I never would have found out what was happening, either.
    >
    > :D

    John Saunders Guest

  6. #6

    Default Re: ASP.NET Forms Authentication

    >-----Original Message-----
    >Could you point us to that security patch? I hadn't heard of it.

    Go to the following link:
    PRB: Session Variables Do Not Persist Between Requests
    After You Install Internet Explorer Security Patch MS01-055
    [url]http://support.microsoft.com/?id=316112[/url]
    John Kievlan Guest
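
    Added example, not part of the original posts: a server-side diagnostic for the host-name problem identified in posts #4 and #6, so the cause shows up in the ASP.NET trace instead of as a silent login loop. It flags any host label outside the letters-digits-hyphen rule for DNS host names, which covers the underscore case; the thread does not list the exact characters the patch rejects, so that rule is an assumption, and the class names HostNameCheck and SiteApplication are hypothetical.

```vb
Imports System
Imports System.Text.RegularExpressions
Imports System.Web

Public Class HostNameCheck
    ' One DNS host label: letters, digits, hyphen; no leading or trailing hyphen; 1-63 chars.
    Private Shared ReadOnly Label As New Regex("^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

    ' Returns Nothing when every label is valid, otherwise a description of the first bad one.
    Public Shared Function FirstProblem(ByVal host As String) As String
        If host Is Nothing OrElse host.Length = 0 Then Return "empty host name"
        If host.StartsWith("[") Then Return Nothing   ' bracketed IPv6 literal, not a name
        For Each part As String In host.Split("."c)
            If Not Label.IsMatch(part) Then
                Return "label '" & part & "' is not a valid DNS host label"
            End If
        Next
        Return Nothing
    End Function
End Class

' Global.asax code-behind (class name is hypothetical).
Public Class SiteApplication
    Inherits HttpApplication

    Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
        ' Request.Url.Host is the name the browser used, e.g. "John_Dell1" in post #4.
        Dim problem As String = HostNameCheck.FirstProblem(Request.Url.Host)
        If Not problem Is Nothing Then
            ' Visible in trace.axd when tracing is enabled in web.config.
            Context.Trace.Warn("cookies", _
                "Browser may refuse session and auth cookies for this host: " & problem)
        End If
    End Sub
End Class
```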

  7. #7

    Default Re: ASP.NET Forms Authentication

    Thanks for the info, John. That could prove to be a life saver.

    John Saunders
    [email]john.saunderssurfcontrol.com[/email]

    John Saunders Guest
