tags:

views:

117

answers:

1
+1  Q: 

Cookie value expiring before the cookie expires

I have an asp.net MVC app that i am working on and I wrote a custom actionfilter in order to filter out certain controller actions based on authorization levels which are set on login and stored in an encrypted cookie along side the formsauthentication cookie, both cookies are set to have the same expiration time but for some reason after awhile of idle time the authorization cookie value becomes blank, i haven't been able to debug and catch it in the act but it just disappears

my actionfilter code looks like this:

string usersRole = "";
if (filterContext.HttpContext.Session["role"] != null)
usersRole = filterContext.HttpContext.Session["role"].ToString();
else if (filterContext.HttpContext.Response.Cookies["ArisPortalCookie"].Value != null)
{
usersRole = filterContext.HttpContext.Response.Cookies["ArisPortalCookie"].Value;
filterContext.HttpContext.Session["role"] = usersRole;
}
string encryptedRole = EncryptionHelper.Encrypt(RoleToCheckFor);

if (encryptedRole == usersRole || usersRole == EncryptionHelper.Encrypt("Admin")) //if the user's role and role required match, we have success
        {
            //now we break down the response action based on what role was required
            if (RoleToCheckFor == "Admin")
            {
            }
            else if (RoleToCheckFor == "Tech" || RoleToCheckFor == "Admin")
            {

            }
            else if (RoleToCheckFor == "Physician" || RoleToCheckFor == "Admin")
            {

            }
        }
        else
        {
            filterContext.Result = new ViewResult
            {
                ViewName = "NoAuth",
                ViewData = filterContext.Controller.ViewData,
                TempData = filterContext.Controller.TempData
            };
        }
+1  A: 

I do the same to store Roles. Why have them side by side?

I assume you're doing something like this:

FormsAuthenticationTicket authTicket =
              new FormsAuthenticationTicket(1,
                                            username,
                                            DateTime.Now,
                                            DateTime.Now.AddMinutes(60),
                                            rememberMe,
                                            roles);
            string encTicket = FormsAuthentication.Encrypt(authTicket);
            HttpCookie authenticationCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
            authenticationCookie.HttpOnly = true;  
            contextBase.Response.Cookies.Add(authenticationCookie);

If you are using FormsAuthentication.SetAuthCookie as well, which I don't think you need to and I don't, then make sure your config has timeout set to 60 minutes as well or equivalent to your time of above.

Reading values (piped format) from cookie (as requested)

private static void ReadCookieForPrincipal()
{
    string cookieName = FormsAuthentication.FormsCookieName;
    HttpCookie authCookie = HttpContext.Current.Request.Cookies[cookieName];

    // If the cookie can't be found, don't issue the ticket
    if (authCookie == null) return;

    // Get the authentication ticket and rebuild the principal & identity
    FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);
    string[] roles = authTicket.UserData.Split(new Char[] { '|' });
    GenericIdentity userIdentity = new GenericIdentity(authTicket.Name);
    GenericPrincipal userPrincipal = new GenericPrincipal(userIdentity, roles);
    HttpContext.Current.User = userPrincipal;
}
dove  2009-09-23 15:20:15
mind showing how you add roles to the formsauth cookie and then retrieve those values back?
Jimmy  2009-09-23 15:23:39
yes thats what im doing minus the roles tacked on the end of the cookie, how do you pull the roles data out of the formsauth cookie?
Jimmy  2009-09-23 15:25:33
mind sharing your code that checks which role the user is in?
Jimmy  2009-09-23 15:30:15
@Jimmy added in the reading there, writing is trivial, I've a custom authentication service that serialises list of roles to pipe delimited string, e.g. "Admin|Moderator" for two roles.
dove  2009-09-23 15:30:24
@Jimmy I have an Enum of roles, which I add as a property to my customer AuthorizeAttribute, so final check is simply filterContext.HttpContext.User.IsInRole(RoleRequired.ToString()).So if user has this role then they're in. Haven't a need for intersection of roles but easy extend for that when I do need it.
dove  2009-09-23 15:33:50
very cool, thanks for the help, i never really took the time to learn the genericidentity and principal stuff ive mostly just tried to do that stuff on my own
Jimmy  2009-09-23 15:36:36

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data