Ok, I spend now half the night to get this working. And actuallyit works, the only problem is, my user can't sign out anymore.
Here is what I'm doing: I've got a web-app which has twosubdirectories: AdminArea and EditorArea, to which access isrestricted per role. Here an excerpt from my web.config:
<location path="EditorArea">
<system.web>
<authorization>
<allow roles="Editors" />
<deny users="*" />
</authorization>
</system.web>
</location>
Ok, and here goes the code which executes, whenever the user hitsthe logon button (the details of validating username andpassword are omitted):
// the user (sUser) is valid, password correct...
FormsAuthenticationTicket ticket = newFormsAuthenticationTicket(
1,
sUser,
DateTime.Now,
DateTime.Now.AddMinutes(20),
false,
sRole,
FormsAuthentication.FormsCookiePath);
string sEncTicket = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = newHttpCookie(FormsAuthentication.FormsCookieName, sEncTicket);
Context.Response.Cookies.Add(cookie);
Response.Redirect(sTargetURL);
What happens here is that I fetch the Role this user belongs tofrom a Database and add it to the UserData field of the ticket,so that I don't have to go check everytime the user requests apage.
Next thing is to authenticate each page request. Here is theevent handler in my global.asax:
protected void Application_AuthenticateRequest(Object sender,EventArgs e) {
if(Request.IsAuthenticated) {
string[] sRoles = new string[1];
FormsAuthenticationTicket ticket =
FormsAuthentication.Decrypt(Request.Cookies.Get(Fo rmsAuthentication.FormsCookieName).Value);
if (ticket == null) {
throw new Exception("Authorisation Ticket invalid!");
}
sRoles[0] = ticket.UserData;
Context.User = new System.Security.Principal.GenericPrincipal(newForm sIdentity(ticket), sRoles);
}
}
Fine, it works. Only Admins can access the AdminArea and so on.But now I'm getting wild, because I want to add a Logoff. SayI've got a page that is called "AdminDefault.aspx". After thesuccessful logon, the (Admin-) User is redirected to this page.On the page is a button called sign out, which, in its clickhandler, transfers the user to the logout page, which actuallywill attempt to perform the logout using this:
FormsAuthentication.SignOut();
Response.Cookies.Clear(); // try harder
Response.Redirect("Logon.aspx", true);</code>
If you are as tired as I am by know, you'll just try <i>anything</i>to get rid of the *?%"-cookies. The problem is, thatwhatever I do, the cookies remain (or are re-injected into theresponse?). I simply can't log out. I'm transfered to thelogon.aspx page, and looking at the trace I see that I received2 (TWO) encrypted cookies which belong to FormsAuthentication.
I really, really would be glad if somebody could shed some lightand send me to bed X|
Matthias
--------------------------------
From: Matthias Steinbart
-----------------------
Posted by a user from .NET 247 (http://www.dotnet247.com/)
<Id>HY4vabdrzUymddk5c1H5vw==</Id>
