Hello, friends,
I am implementing role-based authentication (Forms authentication) for our
web app using .NET 1.1. I read the paper:
http://msdn.microsoft.com/library/de...SecNetHT04.asp
However, what I could not understand was: After adding a new cookie with
user's roles,
// encrypt the ticket (roles are carried in its UserData) and send it as the forms cookie
string encryptedTicket = FormsAuthentication.Encrypt(authTicketWithRoleInfo);
HttpCookie authCookie =
    new HttpCookie(FormsAuthentication.FormsCookieName,
                   encryptedTicket);
Response.Cookies.Add(authCookie);
Response.Redirect(FormsAuthentication.GetRedirectUrl(
    txtUserName.Text,
    false));
why one still should "Construct GenericPrincipal and FormsIdentity Objects"
in Application_AuthenticateRequest(), like the following?
// decrypt the cookie back into a ticket, split the roles out of UserData,
// and replace Context.User with a principal that knows about those roles
authTicket = FormsAuthentication.Decrypt(authCookie.Value);
string[] roles = authTicket.UserData.Split(new char[] {'|'});
FormsIdentity id = new FormsIdentity(authTicket);
GenericPrincipal principal = new GenericPrincipal(id, roles);
Context.User = principal;
I thought Response.Cookies.Add(authCookie) already included all the info for IIS
to check. Can we skip the above source code in
Application_AuthenticateRequest()? Why?
Thanks a lot for your help.
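Added example (not code from the post or from the MSDN article it links): a complete ASP.NET 1.1 version of the two halves the question quotes, the login side that issues the ticket and the Global.asax side that rebuilds the principal. The point it illustrates is that the cookie only carries the encrypted ticket; the built-in FormsAuthenticationModule decrypts it and sets Context.User to a FormsIdentity with no roles, and it treats UserData as an opaque string, so unless the application splits UserData itself, User.IsInRole() and <authorization roles="..."> have nothing to match against. The 30-minute lifetime, the '|' separator and the `RoleTicketHelper` class name are assumptions; the handler also adds the checks a practitioner wants that the quoted snippet leaves out (missing cookie, tampered or expired ticket, empty role list).

```csharp
// Added example for ASP.NET 1.1 (C#): issue a forms ticket with roles in UserData,
// then rebuild Context.User from it on every request. Not the original post's code.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class RoleTicketHelper
{
    // Assumed role separator; must not appear inside a role name.
    private const char RoleSeparator = '|';

    // Login side. Called after the user's credentials have been verified
    // and their roles looked up from your own user store (both assumed here).
    public static void IssueTicket(HttpResponse response, string userName,
                                   string[] roles, bool persistent)
    {
        string userData = String.Join(RoleSeparator.ToString(), roles);

        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,
            DateTime.Now,                   // issue date
            DateTime.Now.AddMinutes(30),    // assumed lifetime
            persistent,
            userData,                       // roles travel here
            FormsAuthentication.FormsCookiePath);

        // Encrypt() applies the machineKey protection configured for <forms>;
        // keep protection="All" (the 1.1 default) so UserData is both encrypted
        // and MAC'd, otherwise the role list could be forged client-side.
        string encryptedTicket = FormsAuthentication.Encrypt(ticket);

        HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                               encryptedTicket);
        authCookie.Path = FormsAuthentication.FormsCookiePath;
        authCookie.Secure = true;   // assumes the site is served over HTTPS
        if (persistent)
        {
            authCookie.Expires = ticket.Expiration;
        }
        response.Cookies.Add(authCookie);
    }

    // Request side. Returns a principal carrying the roles from the ticket,
    // or null when there is no usable ticket (caller then leaves the default
    // role-less user that FormsAuthenticationModule already set).
    public static IPrincipal BuildPrincipal(HttpRequest request)
    {
        HttpCookie authCookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null || authCookie.Value == null || authCookie.Value.Length == 0)
        {
            return null;    // anonymous request
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception)
        {
            return null;    // tampered cookie or a different machineKey
        }
        if (ticket == null || ticket.Expired)
        {
            return null;
        }

        // Split the role list back out of UserData; an empty UserData must not
        // become a single empty-string role.
        string[] roles = ticket.UserData.Length == 0
            ? new string[0]
            : ticket.UserData.Split(new char[] { RoleSeparator });

        return new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}

// Global.asax code-behind: runs after FormsAuthenticationModule has done its
// work, so replacing Context.User here is what gives User.IsInRole() its roles.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal principal = RoleTicketHelper.BuildPrincipal(Request);
        if (principal != null)
        {
            Context.User = principal;
        }
    }
}
```

Two caveats worth keeping in mind with this pattern: the roles are a snapshot taken at login, so removing a user from a role does not take effect until the ticket expires or the user signs in again; and a long persistent-cookie lifetime stretches that window, so keep `persistent` false unless you need it.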