Funky FormsAuthentication Cookie Behavior.

  1. #1

    Funky FormsAuthentication Cookie Behavior.

    We are having a problem where the HttpCookie.Value for FormsAuthentication is different between when it is created in Login.aspx.cs and when it is retrieved in Global.asax.cs. This problem happens whether the cookie is created with the encrypted authentication ticket or something as simple as "Hello World!". The code, web.config, and sample results are below. Does anyone please have any suggestions? Thank you.

    // ------------------------------------------------------------------------------------------------
    // ------------------------------------------------------------------------------------------------
    // Login.aspx.cs code snippet
    // ------------------------------------------------------------------------------------------------
    // ------------------------------------------------------------------------------------------------
    loAuthenticationTicket = new FormsAuthenticationTicket( 1, lsUserIdentity, DateTime.Now, DateTime.Now.AddMinutes(60), false, lsRoles );

    lsEncryptedTicket = FormsAuthentication.Encrypt( loAuthenticationTicket );

    //loAuthenticationCookie = new HttpCookie( FormsAuthentication.FormsCookieName, "Hello World!" );
    loAuthenticationCookie = new HttpCookie( FormsAuthentication.FormsCookieName, lsEncryptedTicket );

    Response.Cookies.Add( loAuthenticationCookie );
    // ------------------------------------------------------------------------------------------------

    // ------------------------------------------------------------------------------------------------
    // ------------------------------------------------------------------------------------------------
    // Global.asax.cs Application_AuthenticateRequest code snippet
    // ------------------------------------------------------------------------------------------------
    // ------------------------------------------------------------------------------------------------
    loAuthenticationCookie = Context.Request.Cookies[ FormsAuthentication.FormsCookieName ];
    if (loAuthenticationCookie == null) return;

    lsEncryptedTicket = loAuthenticationCookie.Value;

    loAuthenticationTicket = FormsAuthentication.Decrypt( lsEncryptedTicket );
    if (loAuthenticationTicket == null) return;

    lsUserIdentity = loAuthenticationTicket.Name;
    // ------------------------------------------------------------------------------------------------
    // ------------------------------------------------------------------------------------------------

    // ------------------------------------------------------------------------------------------------
    // ------------------------------------------------------------------------------------------------
    // Web.Config
    // NOTE: We have tried multiple values and combinations
    // for the <forms> and <sessionState> elements
    // ------------------------------------------------------------------------------------------------
    // ------------------------------------------------------------------------------------------------
    <authentication mode="Forms">
      <forms name="EMSATC" loginUrl="Security/Login.aspx" protection="All" timeout="60" />
    </authentication>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
    <compilation defaultLanguage="C#" debug="true" />
    <customErrors mode="Off" />
    <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
    <httpRuntime maxRequestLength="8192" />
    <identity impersonate="true" />
    <sessionState mode="Off"
      stateConnectionString="tcpip=127.0.0.1:42424"
      sqlConnectionString="data source=127.0.0.1;user id=sa;password="
      cookieless="true" />
    <trace enabled="true" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" />
    // ------------------------------------------------------------------------------------------------
    // ------------------------------------------------------------------------------------------------

    // ------------------------------------------------------------------------------------------------
    // ------------------------------------------------------------------------------------------------
    // Sample results
    // ------------------------------------------------------------------------------------------------
    // -------------------------------------------------------------------------------------------------
    <forms protection="None"> on the encrypted authentication ticket:

    HttpCookie.Value in Login.aspx.cs:
    3A9082793BDB20070131007C0031007C00650073006D006900 740068000000201FDD61C448C4010020EF6525D548C4014700 750065007300740000002F000000

    HttpCookie.Value in Global.asax.cs:
    AEDA5C4CD4A36A630100005038B971C448C4010050A07DD3CC 48C40100002F000000


    // -------------------------------------------------------------------------------------------------
    <forms protection="All"> on the encrypted authentication ticket:

    HttpCookie.Value in Login.aspx.cs:
    26D64226C9FC29FE9BAD4746FA13DC48D3618C282B8E7CAD47 F4AF9CBD1BFACDF0907A6123AD1E5224FF2F54D8146F3181F5 3789950385286F90B4B51AEDFBA1089049525C1F414C57B851 683C74F857693F3AAD5131E4EB

    HttpCookie.Value in Global.asax.cs:
    349FDDC5EAC1F2CBF0BA96DF0BFEF89FEEFB389496B6520039 025AD7D34654A915D2C75AE1CA9F2F0DEE49E7020FA8CA50AF 32FFF0984D5B


    // -------------------------------------------------------------------------------------------------
    <forms protection="None"> on "Hello World!":

    HttpCookie.Value in Login.aspx.cs:
    Hello World!

    HttpCookie.Value in Global.asax.cs:
    A3A41B382C89D931010000C0495C7EC548C40100C0B120E0CD 48C40100002F000000


    // -------------------------------------------------------------------------------------------------
    <forms protection="All"> on "Hello World!":

    HttpCookie.Value in Login.aspx.cs:
    Hello World!

    HttpCookie.Value in Global.asax.cs:
    58DE4EDF9A37E074BEDF2CCD148E642D2363C4C74C80E1BE6A FF5EF502CB50F6A1BD8FD337B8F865ACB63D990C9BA77E514F EB7E89163B78
    // -------------------------------------------------------------------------------------------------
    // -------------------------------------------------------------------------------------------------

    E.M.Smith Guest

  2. #2

    RE: Funky FormsAuthentication Cookie Behavior.

    Are you using FormsAuthentication.RedirectFromLoginPage to redirect the user? If so, don't. It will create its own authentication cookie with the same name as FormsAuthentication.FormsCookieName, therefore replacing the cookie YOU created. Just use Response.Redirect( FormsAuthentication.GetRedirectUrl( UserName, false ) ) instead.

    Ale

    Alex Kleyman Guest
