Folks, Can anyone confirm that my understading is correct and maybe shed some
light on why it's as it is. (I'm guessing security, but that seems weak to
me.)
The asp.net web application is using forms authentication.
If I create an FormsAuthTicket with userdata in the approprite place. Then
encode it and create a cookie, add it to the response.cookie collection and
use it all is well.
However if after I create the cookie I add some additional values to the
cookie, and then add it to the collection, asp.net no longer recognizes this
as a valid authentication ticket.
Thanks for the info...Chuck 3 2305
Hi Chuck:
You can piggyback data in the cookie, but since the forms auth cookie
is encrypted and hashed to prevent tampering it takes some extra work.
There is a section in the following document to show you how: http://www.pluralsight.com/articleco...entication.pdf
HTH,
--
Scott http://www.OdeToCode.com/blogs/scott/
On Mon, 16 May 2005 21:10:31 -0700, "chuck rudolph"
<ch**********@d iscussions.micr osoft.com> wrote: Folks, Can anyone confirm that my understading is correct and maybe shed some light on why it's as it is. (I'm guessing security, but that seems weak to me.)
The asp.net web application is using forms authentication.
If I create an FormsAuthTicket with userdata in the approprite place. Then encode it and create a cookie, add it to the response.cookie collection and use it all is well.
However if after I create the cookie I add some additional values to the cookie, and then add it to the collection, asp.net no longer recognizes this as a valid authentication ticket.
Thanks for the info...Chuck
Scott, I get how to stuff items in the "userdata" area of the forms auth
ticket. The question I have is concerning the cookie values collection of the
encoded ticket.
I'll also quibble with the words in your resonse. If the cookie is hashed
and encrypted, why have a routine of
....GetAuthCook ie(name,Ispersi stent,path). Once I get the cookie I can set the
expiration can't I?
I know there are quirks in the system, I am just trying to confirm my belief
that FormsAuth cookies can NOT have members in the "values" collection.
"Scott Allen" wrote: Hi Chuck:
You can piggyback data in the cookie, but since the forms auth cookie is encrypted and hashed to prevent tampering it takes some extra work. There is a section in the following document to show you how:
http://www.pluralsight.com/articleco...entication.pdf
HTH,
-- Scott http://www.OdeToCode.com/blogs/scott/
On Mon, 16 May 2005 21:10:31 -0700, "chuck rudolph" <ch**********@d iscussions.micr osoft.com> wrote:
Folks, Can anyone confirm that my understading is correct and maybe shed some light on why it's as it is. (I'm guessing security, but that seems weak to me.)
The asp.net web application is using forms authentication.
If I create an FormsAuthTicket with userdata in the approprite place. Then encode it and create a cookie, add it to the response.cookie collection and use it all is well.
However if after I create the cookie I add some additional values to the cookie, and then add it to the collection, asp.net no longer recognizes this as a valid authentication ticket.
Thanks for the info...Chuck
> You can piggyback data in the cookie, but since the forms auth cookie is encrypted and hashed to prevent tampering it takes some extra work. There is a section in the following document to show you how:
http://www.pluralsight.com/articleco...asedAuthentica tion.pdf
I'd be wary of this approach, personally. My main complaint is that if the
roles are cached in the cookie, then it's difficult to remove the role from
the user while they have their browser active. I tend to cache the roles
on the server in the ASP.NET Cache. Of course, this has the same drawbacks
as the cookie if you're using a server farm. See, nothing's easy :)
-Brock
DevelopMentor http://staff.develop.com/ballen This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: e |
last post by:
I'm using forms authentication on a site. When the user logs in via the
login page, the entered creds are checked against AD, and if valid, an
encrypted forms authentication ticket is produced and stored in the forms
auth cookie (and written to the client), using this code:
____________________
'create the forms auth ticket
objAuthTicket = New FormsAuthenticationTicket(1, txtUsername.Text, _
DateTime.Now, DateTime.Now.AddMinutes(8),...
|
by: Martin |
last post by:
Dear fellow ASP.NET programmer,
I stared using forms authentication and temporarily used a <credentials> tag
in web.config. After I got it working I realized this wasn't really
practical. I cannot write to web.config so I cannot dynamically update the
credentials while the site is up. Since the
FormsAuthentication.Authenticate() method's documentations claims the
following:
"Attempts to validate the credentials against those contained...
|
by: Kenneth Keeley |
last post by:
Hi,
I have a web app that has forms authentication and I can login to the
page the first time I go there but it never times me out if I come back in
24 hours a hit the refresh key the page loads and I am still logged in. My
session details are gone but I am still logged.
These are the settings I am using are they right or do I need to change
them?
<system.web>
<authentication mode="Forms">
|
by: Mike |
last post by:
I have a web application that the forms authentication cookie is not expiring correctly. When I look at the trace information of a newly requested page after the session and forms authentication have expired the forms authentication cookie is assigned a new value. I am never redirected to the login page after my initial login. If I access the site from http://localhost/myapp instead of myapp.domain.com the cookies expire correctly. The cookie...
|
by: javatopia |
last post by:
Hello,
I have a series of applications that have URLS like the following:
http://www/root/app1
http://www/root/app2
http://www/root/app3
All have the same domain and root URL, but different application node names.
| |
by: Mark Olbert |
last post by:
I'm building an ASPNET2 website which uses forms authentication but does not use the Microsoft-supplied membership providers (mostly
because I don't want to create my own provider at this point, and the supplied stuff comes with a lot of baggage I don't want/need).
In ASPNET1.1 what I would do was something like the following, after authenticating the user on the login form:
FormsAuthentication.SetAuthCookie(userInfo.UserID, false);
...
|
by: Andrew Robinson |
last post by:
Is there any way to dynamically set the timeout while using forms based
authentication? I want to change this value depending on the type of user
that logs into my system. I understand that this value lives in the config
file but can I change it in code?
Thanks,
-Andy
|
by: =?Utf-8?B?RmFyaWJh?= |
last post by:
It know that we can use the following method
http://msdn2.microsoft.com/en-us/library/eb0zx8fc.aspx
to form authenticate across multiple applications.
I have created an asp.net application that supports form authentication. My
application is going to be called by another legacy application (HTML) which
does the initial authentication.Something like this:
<form name="form1" action="auth.asp" method="post" >
|
by: Peter Bradley |
last post by:
We are in the process of designing our first ASP.NET 2.0 application and
have discovered that Forms Authentication works completely differently in
ASP.NET 2.0.
For a number of reasons, we cannot use the standard login component supplied
with ASP.NET 2.0 (e.g. we need full control of the look and feel - including
using CSS and not tables for layout - and we need to be able to handle the
authentication cookie ourselves rather than let a...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
| |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |