Folks, Can anyone confirm that my understading is correct and maybe shed some
light on why it's as it is. (I'm guessing security, but that seems weak to
me.)
The asp.net web application is using forms authentication.
If I create an FormsAuthTicket with userdata in the approprite place. Then
encode it and create a cookie, add it to the response.cookie collection and
use it all is well.
However if after I create the cookie I add some additional values to the
cookie, and then add it to the collection, asp.net no longer recognizes this
as a valid authentication ticket.
Thanks for the info...Chuck
3  2291 
Hi Chuck:
You can piggyback data in the cookie, but since the forms auth cookie
is encrypted and hashed to prevent tampering it takes some extra work.
There is a section in the following document to show you how: http://www.pluralsight.com/articleco...entication.pdf
HTH,
--
Scott http://www.OdeToCode.com/blogs/scott/
On Mon, 16 May 2005 21:10:31 -0700, "chuck rudolph"
<ch**********@discussions.microsoft.com> wrote: Folks, Can anyone confirm that my understading is correct and maybe shed some
light on why it's as it is. (I'm guessing security, but that seems weak to
me.)
The asp.net web application is using forms authentication.
If I create an FormsAuthTicket with userdata in the approprite place. Then
encode it and create a cookie, add it to the response.cookie collection and
use it all is well.
However if after I create the cookie I add some additional values to the
cookie, and then add it to the collection, asp.net no longer recognizes this
as a valid authentication ticket.
Thanks for the info...Chuck
Scott, I get how to stuff items in the "userdata" area of the forms auth
ticket. The question I have is concerning the cookie values collection of the
encoded ticket.
I'll also quibble with the words in your resonse. If the cookie is hashed
and encrypted, why have a routine of
....GetAuthCookie(name,Ispersistent,path). Once I get the cookie I can set the
expiration can't I?
I know there are quirks in the system, I am just trying to confirm my belief
that FormsAuth cookies can NOT have members in the "values" collection.
"Scott Allen" wrote: Hi Chuck:
You can piggyback data in the cookie, but since the forms auth cookie
is encrypted and hashed to prevent tampering it takes some extra work.
There is a section in the following document to show you how:
http://www.pluralsight.com/articleco...entication.pdf
HTH,
--
Scott
http://www.OdeToCode.com/blogs/scott/
On Mon, 16 May 2005 21:10:31 -0700, "chuck rudolph"
<ch**********@discussions.microsoft.com> wrote:
Folks, Can anyone confirm that my understading is correct and maybe shed some
light on why it's as it is. (I'm guessing security, but that seems weak to
me.)
The asp.net web application is using forms authentication.
If I create an FormsAuthTicket with userdata in the approprite place. Then
encode it and create a cookie, add it to the response.cookie collection and
use it all is well.
However if after I create the cookie I add some additional values to the
cookie, and then add it to the collection, asp.net no longer recognizes this
as a valid authentication ticket.
Thanks for the info...Chuck
> You can piggyback data in the cookie, but since the forms auth cookie is encrypted and hashed to prevent tampering it takes some extra work.
There is a section in the following document to show you how:
http://www.pluralsight.com/articleco...asedAuthentica
tion.pdf
I'd be wary of this approach, personally. My main complaint is that if the
roles are cached in the cookie, then it's difficult to remove the role from
the user while they have their browser active. I tend to cache the roles
on the server in the ASP.NET Cache. Of course, this has the same drawbacks
as the cookie if you're using a server farm. See, nothing's easy :)
-Brock
DevelopMentor http://staff.develop.com/ballen This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: e |
last post by:
I'm using forms authentication on a site. When the user logs in via the
login page, the entered creds are checked against AD, and if valid, an
encrypted forms authentication ticket is produced and...
|
by: Martin |
last post by:
Dear fellow ASP.NET programmer,
I stared using forms authentication and temporarily used a <credentials> tag
in web.config. After I got it working I realized this wasn't really
practical. I...
|
by: Kenneth Keeley |
last post by:
Hi,
I have a web app that has forms authentication and I can login to the
page the first time I go there but it never times me out if I come back in
24 hours a hit the refresh key the page loads...
|
by: Mike |
last post by:
I have a web application that the forms authentication cookie is not expiring correctly. When I look at the trace information of a newly requested page after the session and forms authentication have...
|
by: javatopia |
last post by:
Hello,
I have a series of applications that have URLS like the following:
http://www/root/app1
http://www/root/app2
http://www/root/app3
All have the same domain and root URL, but...
|
by: Mark Olbert |
last post by:
I'm building an ASPNET2 website which uses forms authentication but does not use the Microsoft-supplied membership providers (mostly
because I don't want to create my own provider at this point, and...
|
by: Andrew Robinson |
last post by:
Is there any way to dynamically set the timeout while using forms based
authentication? I want to change this value depending on the type of user
that logs into my system. I understand that this...
|
by: =?Utf-8?B?RmFyaWJh?= |
last post by:
It know that we can use the following method
http://msdn2.microsoft.com/en-us/library/eb0zx8fc.aspx
to form authenticate across multiple applications.
I have created an asp.net application...
|
by: Peter Bradley |
last post by:
We are in the process of designing our first ASP.NET 2.0 application and
have discovered that Forms Authentication works completely differently in
ASP.NET 2.0.
For a number of reasons, we cannot...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
| |
