BUG With FormsAuthentication

Ask a Question related to ASP.NET Security, Design and Development.

  1. #1

    Default BUG With FormsAuthentication

    The authentication cookie with custom user is not available or the user data is gone after a redirect.
    In other words all the examples on the net on how to do custom FormsAuthentication don't work!

    Is there a workaround for this?

    Barry
    Software Engineer
    Hogeschool Rotterdam
    The Netherlands
    Faassen, B. Guest

  3. #2

    Default Re: BUG With FormsAuthentication

    There is no bug this major with FormsAuthentication; perhaps you can provide us with more details/code as to what you are doing and we will try to tell you what you are doing wrong.

    "Faassen, B." <B.Faassen@hro.nl> wrote in message news:e13rNk4eEHA.2916@TK2MSFTNGP12.phx.gbl...
    Raterus Guest

  4. #3

    Default Re: BUG With FormsAuthentication


    Hello

    Well I have implemented the IPrincipal and IIdentity interfaces. The
    resulting classes are CustomPrincipal which has a static Login member and
    uses LDAP to authenticate and retrieves the user info stored in a
    structure if the login was successful. This works fine. Now I want to use
    the Principal which holds all the struct and other info like roles etc.
    in my ASP.NET application. One way to do this is to generate a ticket,
    encrypt it and store the principal in an auth. cookie. Then add this
    cookie to the Cookies collection. From this I do a redirect to the page
    the user requested. In the Global.asax I have implemented an event member
    AcquireRequestState. In this member I try to get the auth. cookie I
    just generated and decrypt the ticket and decrypt the principal which
    should be stored in the ticket. After retrieving the Principal I can set
    it on the HttpContext.Current.User and go on..
    But first of all there is no cookie to get in the Global.asax. I never
    get a cookie back except when I use FormsAuthentication.SetAuthCookie(..)
    in the Login handler, but I can't use this cookie because it's empty.. If
    I generate the cookie another way the cookie will be lost after
    Response.Redirect(..)

    I followed the example of R. Lhotka who has a nice article about
    authentication. I also used examples found in the VS.2003 MSDN docs. I
    also tried some other examples but all give the same result. My cookie
    will be lost somewhere.
    Another trick I tried is to add an extra cookie and first call
    FormsAuthentication.SetAuthCookie(..) and then create a new one and add
    this cookie to the collection ... In this case I will get a cookie back
    but then again it is empty..

    Here is my code:

    using System;
    using System.IO;
    using System.Runtime.Serialization;
    using System.Runtime.Serialization.Formatters.Binary;
    using System.Security.Principal;
    using System.Threading;
    using System.Web;
    using System.Web.Security;

    public static void RedirectFromLoginPage( CustomPrincipal principal )
    {
        string principalText;
        bool persistCookie = false;
        if ( principal != null )
        {
            // Serialize the principal so it can be carried in the UserData
            // field of the forms ticket (the ticket itself is encrypted and
            // signed by FormsAuthentication.Encrypt)
            principalText = CustomAuthentication.Encrypt( principal );

            HttpCookie cookie = FormsAuthentication.GetAuthCookie(
                principal.Identity.Name, persistCookie );
            FormsAuthenticationTicket ticket =
                FormsAuthentication.Decrypt( cookie.Value );
            // Re-issue the ticket with the same metadata plus our UserData
            FormsAuthenticationTicket newticket = new FormsAuthenticationTicket(
                ticket.Version,
                ticket.Name,
                ticket.IssueDate,
                ticket.Expiration,
                ticket.IsPersistent,
                principalText,
                ticket.CookiePath );
            cookie.Value = FormsAuthentication.Encrypt( newticket );
            // Note: giving the cookie an Expires date makes the browser
            // persist it even though the ticket itself is non-persistent
            cookie.Expires = ticket.Expiration;
            HttpContext.Current.Response.Cookies.Set( cookie );

            HttpContext.Current.Response.Redirect(
                FormsAuthentication.GetRedirectUrl(
                    newticket.Name,
                    newticket.IsPersistent ) );
        }
    }

    // Despite its name this does not encrypt anything: it only serializes
    // the principal to Base64. Confidentiality and integrity come from the
    // forms ticket that wraps the result.
    public static string Encrypt( CustomPrincipal principal )
    {
        string principalText = string.Empty;
        if ( principal != null )
        {
            MemoryStream buffer = new MemoryStream();
            IFormatter formatter = new BinaryFormatter();
            formatter.Serialize( buffer, principal );
            // ToArray() returns exactly the bytes written; GetBuffer()
            // would also include the stream's unused capacity
            principalText = Convert.ToBase64String( buffer.ToArray() );
        }
        return principalText;
    }

    public static CustomPrincipal Decrypt( string encryptedInput )
    {
        MemoryStream buffer = new MemoryStream(
            Convert.FromBase64String( encryptedInput ) );
        BinaryFormatter formatter = new BinaryFormatter();
        return (CustomPrincipal) formatter.Deserialize( buffer );
    }

    // Global.asax
    private void Global_AcquireRequestState( object sender, EventArgs e )
    {
        HttpCookie cookie =
            Request.Cookies.Get( FormsAuthentication.FormsCookieName );
        if ( cookie != null )
        {
            FormsAuthenticationTicket ticket =
                FormsAuthentication.Decrypt( cookie.Value );
            if ( ticket.Expired )
            {
                FormsAuthentication.SignOut();
                Response.Redirect( "login.aspx" );
            }
            else
            {
                IPrincipal principal = CustomAuthentication.Decrypt( ticket.UserData );
                HttpContext.Current.User = principal;
                Thread.CurrentPrincipal = HttpContext.Current.User;
            }
        }
    }

    Barry Faassen Guest

  5. #4

    Default Re: BUG With FormsAuthentication

    If you are having a disappearing cookie problem, I'd ensure the path of the cookie is set how you would like it. Setting the path to "/" is probably best to make sure this isn't the problem. Also, where is this redirect going? Same site, same domain? If you are using cookies it is going to have to be at least the same down to the second level domain. You can't use forms authentication on www.domain1.com and have it work when you move over to www.domain2.com.

    Just some thoughts,
    --Michael

    "Barry Faassen" <b.faassen@hro.nl> wrote in message news:Otg3zs7eEHA.2440@tk2msftngp13.phx.gbl...
    Raterus Guest

  6. #5

    Default Re: BUG With FormsAuthentication

    Watch out for the cookie size if you store custom info inside the FormsAuth
    ticket.
    Check out these posts:

    http://weblogs.asp.net/hernandl/archive/2004/07/30/FormsAuthRolesRev.aspx
    http://weblogs.asp.net/hernandl/archive/2004/08/05/FormsAuthRoles2.aspx

    Regards.
    --
    Hernan de Lahitte
    Lagash Systems S.A.
    http://weblogs.asp.net/hernandl


    This posting is provided "AS IS" with no warranties, and confers no rights.

    "Raterus" <moc.liamtoh@suretar.reverse> wrote in message
    news:O9Qpkz7eEHA.712@TK2MSFTNGP09.phx.gbl...

    Hernan de Lahitte Guest
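As an added example (not code from this thread or from the articles it links; the class and method names are assumed), here is Barry's procedure reworked along the lines of Michael's path advice and Hernan's size warning: only a compact role list goes into UserData, the cookie path is "/", the ticket length is checked before the cookie is issued, and the principal is rebuilt in Application_AuthenticateRequest rather than AcquireRequestState.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the thread): keeps the forms ticket's
// UserData small and rebuilds the principal from it on every request.
public static class CompactFormsAuth
{
    // Browsers cap a single cookie at about 4 KB, and the encrypted,
    // MAC-protected ticket is far larger than its plaintext, so refuse
    // to issue one that would silently vanish on the next request.
    private const int MaxCookieChars = 4000;

    // Login handler: roles already resolved (for example from LDAP).
    public static void IssueTicketAndRedirect(HttpContext ctx, string userName, string[] roles)
    {
        string userData = string.Join("|", roles);   // compact, no BinaryFormatter blob

        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false,                                   // non-persistent: session cookie
            userData, FormsAuthentication.FormsCookiePath);

        string encrypted = FormsAuthentication.Encrypt(ticket);
        if (encrypted.Length > MaxCookieChars)
            throw new InvalidOperationException("Forms ticket too large for a cookie; trim UserData.");

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.Path = "/";                           // whole site, so the redirect target sees it
        cookie.HttpOnly = true;                      // script cannot read the ticket
        cookie.Secure = FormsAuthentication.RequireSSL;
        // No Expires: a session cookie matches the non-persistent ticket.
        ctx.Response.Cookies.Add(cookie);

        ctx.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false), false);
    }

    // Global.asax: call from Application_AuthenticateRequest, which runs after
    // FormsAuthenticationModule has already checked the cookie's MAC and expiry.
    public static void RebuildPrincipal(HttpContext ctx)
    {
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; }                // tampered or foreign cookie: stay anonymous
        if (ticket == null || ticket.Expired) return;

        string[] roles = ticket.UserData.Length == 0 ? new string[0] : ticket.UserData.Split('|');
        ctx.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
        Thread.CurrentPrincipal = ctx.User;
    }
}
```

Because UserData is plain text inside the signed ticket, a role check like ctx.User.IsInRole("admin") works without deserializing any object graph from the cookie.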

  7. #6

    Default Re: BUG With FormsAuthentication

    Sorry but I still say there is a BUG in the FormsAuthentication class, because it still works like shit.

    On some browsers it works and on some it doesn't!

    Faassen, B. Guest
