-
wrytat #1
Form Authentication Ticket
I've read some books and online articles on how to implement forms
authentication. Some taught me just to do
FormsAuthentication.RedirectFromLoginPage(username.Value, false) after the
user is validated. Others include more steps, like generating an
authentication ticket, encrypting it, creating a cookie, and adding it to the
response, before redirecting the user. Both ways should work, but why do I
need to generate an authentication ticket, when it still works if I don't
generate one?
What's an authentication ticket for? Why do I need it?
Thank you.
wrytat Guest
-
Brock Allen #2
Re: Form Authentication Ticket
The auth ticket is in essence the user's name encrypted in the cookie. This
is how ASP.NET knows who the user is when the browser makes requests into
your app. For simplicity, I'd suggest not messing with it. The only time
you'd want to do something with the Ticket/Cookie is if you wanted to put
other sensitive data into a cookie so the browser passes it back every time.
Usually, since it's storing the username, all other sensitive data can
be fetched from the database on the server, meaning there's no need to put
anything else into the cookie.
-Brock
DevelopMentor
[url]http://staff.develop.com/ballen[/url]
Brock Allen Guest
-
wrytat #3
Re: Form Authentication Ticket
Does that mean if I am only going to need the cookie to store the user name,
I just need to do a FormsAuthentication.RedirectFromLoginPage(username.Value,
False) or FormsAuthentication.SetAuthCookie and Response.Redirect(somewhere,
True) after validation? But if I need to store other data in the same cookie,
I have to do something like this:
' Build the ticket by hand so that extra data can travel in its UserData field
Dim tkt As FormsAuthenticationTicket
Dim cookiestr As String
Dim ck As HttpCookie

' version, user name, issue time, expiry, persistent?, user data
tkt = New FormsAuthenticationTicket(1, txtUserName.Value, DateTime.Now, _
    DateTime.Now.AddMinutes(30), False, "other data")
' Encrypt (and MAC) the ticket with the machineKey before it leaves the server
cookiestr = FormsAuthentication.Encrypt(tkt)
' Use the cookie name and path configured in <forms> so the module finds it
ck = New HttpCookie(FormsAuthentication.FormsCookieName, cookiestr)
ck.Path = FormsAuthentication.FormsCookiePath
Response.Cookies.Add(ck)
Response.Redirect(somewhere, True)
Am I right?
Then if I need to store more than one piece of data, do I just do:
tkt = New FormsAuthenticationTicket(1, txtUserName.Value, DateTime.Now, _
    DateTime.Now.AddMinutes(30), False, "data1", "data2", "data3", ..., "dataN") ?
And how do I retrieve the data?
Sorry, a lot of questions...
wrytat Guest
-
Hernan de Lahitte #4
Re: Form Authentication Ticket
For your first question, your approach is basically right, though I would
recommend not depending on hard-coded values but using the settings configured
in the Forms section.
Take a look at this sample:
[url]http://weblogs.asp.net/hernandl/archive/2004/07/30/FormsAuthRolesRev.aspx[/url]
For your second question, the way to add more data to your ticket is simply
to store a single string with all the information in it. In that case you
should be aware of your string length because of the limitation on cookie
size.
Notice that the above link gives you advice on this issue. You may take a
look at this link as well:
[url]http://weblogs.asp.net/hernandl/archive/2004/08/05/FormsAuthRoles2.aspx[/url]
Regards,
Hernan de Lahitte.
[url]http://clariusconsulting.net/hdl[/url]
Hernan de Lahitte Guest
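The following is an added example, not code from any post in this thread or from Hernan's linked articles. It pulls together what Brock and Hernan describe and answers wrytat's last two questions: the FormsAuthenticationTicket constructor takes exactly one UserData string, so several values are packed into that string with a separator and split again when read; the timeout, cookie name and cookie path are taken from the &lt;forms&gt; configuration rather than hard-coded; and the encrypted ticket is checked against the cookie size limit before it is sent. It assumes an ASP.NET Web Forms application on .NET 2.0 or later with &lt;authentication mode="Forms"&gt; in web.config; the class name TicketHelper, the '|' separator and the 4000-character ceiling are this example's own choices.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;

// Added example (not from the thread). Assumes an ASP.NET Web Forms app with
// <authentication mode="Forms"> in web.config; timeout, cookie name and path
// are read from that configuration instead of being hard-coded.
public static class TicketHelper
{
    // Separator for packing several values into the single UserData string.
    // Assumption: no field contains '|'. If that cannot be guaranteed,
    // encode each field (e.g. Base64) before joining.
    private const char Separator = '|';

    // Assumed safety margin so the Set-Cookie header stays under the ~4 KB
    // per-cookie limit browsers enforce. Decrypt() itself rejects values
    // longer than 4096 characters.
    private const int MaxEncryptedLength = 4000;

    // Issue the forms cookie with extra fields carried in UserData.
    public static void SetAuthCookieWithData(HttpResponse response, string userName, params string[] fields)
    {
        string userData = string.Join(Separator.ToString(), fields);

        var config = (AuthenticationSection)WebConfigurationManager.GetSection("system.web/authentication");
        TimeSpan timeout = config.Forms.Timeout;   // <forms timeout="..."> in web.config

        var ticket = new FormsAuthenticationTicket(
            1,                          // ticket version
            userName,
            DateTime.Now,               // issued
            DateTime.Now.Add(timeout),  // expires
            false,                      // session cookie, not persistent
            userData,
            FormsAuthentication.FormsCookiePath);

        // Encrypt() applies the machineKey protection (encryption plus MAC with
        // protection="All", the default), so the client can neither read nor
        // alter UserData. The cookie is still a bearer token: whoever holds it
        // is the user, hence HttpOnly and Secure below.
        string encrypted = FormsAuthentication.Encrypt(ticket);
        if (encrypted.Length > MaxEncryptedLength)
            throw new InvalidOperationException(
                "Encrypted forms ticket is " + encrypted.Length + " chars; too large for a cookie.");

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                          // keep script from reading it
        cookie.Secure = FormsAuthentication.RequireSSL;  // HTTPS-only when <forms requireSSL="true">
        response.Cookies.Add(cookie);
    }

    // Read the fields back on a later request, after FormsAuthenticationModule
    // has validated the cookie and built the FormsIdentity. Returns null when
    // the user is not forms-authenticated.
    public static string[] GetUserData(IPrincipal user)
    {
        var identity = user == null ? null : user.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return null;
        return identity.Ticket.UserData.Split(Separator);
    }

    // Alternative: decrypt the raw cookie yourself (e.g. in code that runs
    // before the module). Returns null for a missing, tampered or expired
    // ticket instead of trusting it.
    public static string[] GetUserData(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException) { return null; }  // malformed value or MAC failure
        catch (HttpException) { return null; }

        if (ticket == null || ticket.Expired) return null;
        return ticket.UserData.Split(Separator);
    }
}

// Usage on the login page after the credentials have been validated:
//   TicketHelper.SetAuthCookieWithData(Response, txtUserName.Value, "data1", "data2");
//   Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUserName.Value, false), true);
// and on any later page:
//   string[] data = TicketHelper.GetUserData(User);   // data[0] == "data1", data[1] == "data2"
```

Because the ticket is both encrypted and MACed by the machineKey, UserData cannot be read or changed by the browser, but it is still sent on every request and sits in the cookie for the whole session. Keep it to small, non-secret values (a role list, a display name); anything larger or more sensitive belongs in the database keyed by the user name, as Brock says.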