Cookieless Forms Authentication and Roles

I'm building an ASPNET2 website which uses forms authentication but does not use the Microsoft-supplied membership providers (mostly because I don't want to create my own provider at this point, and the supplied stuff comes with a lot of baggage I don't want/need).

In ASPNET1.1 what I would do was something like the following, after authenticating the user on the login form:

    FormsAuthentication.SetAuthCookie(userInfo.UserID, false);

    FormsAuthenticationTicket theTicket = new FormsAuthenticationTicket(1,
        userInfo.UserID, DateTime.Now, DateTime.Now.AddMinutes(30),
        false, role);

    string encryptedTicket = FormsAuthentication.Encrypt(theTicket);

    HttpCookie cookie = new HttpCookie("role", encryptedTicket);
    Response.Cookies.Add(cookie);

Then, in Global.asax I would do something like this:

    void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        HttpApplication theApp = (HttpApplication) sender;

        if (theApp.Request.IsAuthenticated && theApp.User.Identity is FormsIdentity)
        {
            FormsIdentity theIdentity = (FormsIdentity) theApp.User.Identity;

            // The "role" cookie can be absent (first request after login with
            // cookies disabled, cookie cleared); Request.Cookies[...] is null then.
            HttpCookie cookie = theApp.Request.Cookies["role"];
            if (cookie == null) return;

            // Decrypt checks the machineKey MAC (default protection="All") but does
            // not enforce the 30-minute expiration set above, so check it here.
            FormsAuthenticationTicket theTicket = FormsAuthentication.Decrypt(cookie.Value);
            if (theTicket == null || theTicket.Expired) return;

            theApp.Context.User = new GenericPrincipal(theIdentity,
                new string[] { theTicket.UserData });
        }
    }

Under ASPNET2 with the new cookieless alternative, what will happen when I use code like this? It looks like FormsAuthentication.SetAuthCookie() doesn't actually create a cookie in that case -- it mangles the URL to add a session ID (actually, that behavior is just like ASPNET 1.1... although the session ID looks longer).

But what about the Response.Cookies.Add() call? Does that actually add a cookie when in cookieless mode? I can't tell if it's adding cookies because Internet Explorer doesn't let me manage (i.e., prompt on) cookies coming from the local intranet zone or my development machine (I'm using the built-in web server in VSNET 2005).

If cookies are in fact being created, I need to find a way to cache the role data on the server. I thought about putting it in the Session object, but Session isn't available inside Application_AuthenticateRequest(). However, the Cache is... and it would make sense to store the encrypted role ticket in the Cache using the session ID. Only I can't figure out where the session ID is accessible after the call to FormsAuthentication.SetAuthCookie().

Suggestions welcome!

- Mark

Hi Mark,
For a web-based application such as ASP.NET, there is limited storage to persist status info between the client and server side; the cookie is the most common one, so generally sessionState, the Forms authentication ticket, etc. are all stored in a cookie by default. When cookies are not allowed, the URL string is the only alternative. There is no other place which can store info (specific to a certain client/browser) and can be accessed by the server.....

Also, as for Response.Cookies.Add(cookie), it always adds the value into the ASP.NET response's cookie collection (the Forms Authentication or Session cookieless setting won't affect it). Whether the Response.Cookies collection's new values will be persisted at the client depends on the client-side browser's settings (whether the browser supports cookies, whether the user allows cookies....).

For general ASP.NET application user state management approaches, here is an MSDN article that mentions some common approaches:

#Nine Options for Managing Persistent User State in Your ASP.NET Application
http://msdn.microsoft.com/msdnmag/issues/03/04/aspnetuserstate/default.aspx

However, if we need some info persisted at the client side and associated with some server-side resources/data, a cookie or URL string will be the only approaches we have so far....

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no rights.)
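The pattern discussed above, written out as an added example for this page (editor's code, not Mark's post and not a Microsoft sample). It assumes ASP.NET 2.0 forms authentication and a login page that has already verified the password and looked up the user's roles; the class, method and cache-key names are the editor's own. In cookie mode the roles ride in the UserData of the single forms ticket (one token, one expiry, one machineKey MAC) rather than in a second "role" cookie; in cookieless mode, where the framework builds the URL ticket itself, the roles are kept server-side in the Cache keyed by the user id that the validated ticket carries, which is the server-side caching Mark asked about without needing the session ID:

```csharp
// Added example (editor's code, not from the original post or from Microsoft).
// Assumes ASP.NET 2.0 forms authentication; all names below are assumptions.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;
using System.Web.Security;

public static class RoleTicketAuth
{
    private const int TicketVersion = 1;
    private const char RoleSeparator = '|';
    private static readonly TimeSpan TicketLifetime = TimeSpan.FromMinutes(30);

    // Login page, cookie mode (FormsAuthentication.CookiesSupported == true).
    // Roles go into UserData of the forms ticket, so one tamper-protected token
    // carries identity, roles and expiry together.
    public static void SignInWithCookie(HttpResponse response, string userId, string[] roles)
    {
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            TicketVersion, userId, now, now.Add(TicketLifetime), false,
            string.Join(RoleSeparator.ToString(), roles), FormsAuthentication.FormsCookiePath);

        // Encrypt signs and encrypts under the machineKey (protection="All").
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                          // script cannot read the ticket
        cookie.Secure = FormsAuthentication.RequireSSL;  // honour requireSSL="true"
        cookie.Path = FormsAuthentication.FormsCookiePath;
        response.Cookies.Add(cookie);
    }

    // Login page, cookieless mode. The framework builds the URL ticket itself, so
    // there is no UserData to fill; keep the roles server-side, keyed by the user
    // id the MAC-protected ticket will carry. The caller still has to redirect
    // (e.g. FormsAuthentication.RedirectFromLoginPage) for the URL to be rewritten.
    public static void SignInCookieless(HttpContext context, string userId, string[] roles)
    {
        context.Cache.Insert(RoleCacheKey(userId), roles, null,
                             DateTime.Now.Add(TicketLifetime), Cache.NoSlidingExpiration);
        FormsAuthentication.SetAuthCookie(userId, false);
    }

    // Global.asax Application_AuthenticateRequest. Uses the ticket that the
    // FormsAuthenticationModule already decrypted from the cookie or the URL;
    // nothing the client supplies separately is trusted for roles.
    public static void AttachRoles(HttpContext context)
    {
        FormsIdentity identity = context.User == null
            ? null : context.User.Identity as FormsIdentity;
        if (identity == null) return;

        FormsAuthenticationTicket ticket = identity.Ticket;
        if (ticket == null || ticket.Expired) return;   // stay unauthenticated, no roles

        string[] roles = ParseRoles(ticket.UserData);
        if (roles.Length == 0)                           // cookieless path: server-side copy
            roles = (context.Cache[RoleCacheKey(ticket.Name)] as string[]) ?? new string[0];

        context.User = new GenericPrincipal(identity, roles);
    }

    // Key bound to the authenticated name from the ticket, not to a value the
    // client can pick directly.
    private static string RoleCacheKey(string userId)
    {
        return "roles:" + userId;
    }

    public static string[] ParseRoles(string userData)
    {
        if (string.IsNullOrEmpty(userData)) return new string[0];
        return userData.Split(new char[] { RoleSeparator }, StringSplitOptions.RemoveEmptyEntries);
    }
}
```

Usage: on the login page call SignInWithCookie when FormsAuthentication.CookiesSupported is true and SignInCookieless otherwise; call AttachRoles(Context) from Application_AuthenticateRequest. A cache miss after an application restart simply yields a principal with no roles, so the user re-authenticates rather than gaining anything. Note the cost of cookieless mode itself: the ticket is part of every URL, so it shows up in proxy and server logs and in Referer headers sent to other sites, which is a reason to keep cookieless="UseCookies" wherever the client population allows it.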
Original post headers:

From: Mark Olbert <ChairmanMAO@newsgroups.nospam>
Newsgroups: microsoft.public.dotnet.framework.aspnet
Subject: Cookieless Forms Authentication and Roles
Date: Sat, 24 Dec 2005 13:49:08 -0800
Organization: Olbert & McHugh, LLC
Reply-To: m***@arcabama.com
Message-ID: <t0grq1du6q3flm542bc9k78us8o34jv***@4ax.com>