Hi

I am trying to recreate my cookie that would normally be generated by FormsAuthentication.SetAuthCookie() and by what is in the web.config.

<authentication mode="Forms">
    <forms loginUrl="~/Account/LogOn" protection="All" timeout="20160" name=".ASPXAUTH" path="/" requireSSL="false" slidingExpiration="false" defaultUrl="default.aspx" cookieless="UseDeviceProfile" enableCrossAppRedirects="false"/>
</authentication>

However I want to send one more piece of data along, so as far as I understand I have to make my own FormsAuthenticationTicket to add this data (or merge it all with the userName in SetAuthCookie and do splitting).

So I am trying to get it as secure (or more secure) as the one it makes from the web.config, and have the same values as the one generated from the web.config.

So this is what I have so far

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, "chobo2", DateTime.Now, DateTime.Now.AddYears(10), true, "test");
string encTicket = FormsAuthentication.Encrypt(ticket);
Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));

However I am still not sure what it is using. Does it use stuff from the web.config, since it does not ask for a cookieName nor a timeout?

When I look at this cookie through web developer it says it is not secure, and that it expires at the end of the session.

When I look at the one generated from the web.config it has an expiry date of like October 12th and still says not secure (guess it is referring to SSL).

Also I am still confused about the userData. How do I grab this value later on? How do I add more than one piece of data?

Do I always have to decrypt (i.e. call the Decrypt method) to decrypt the cookie, or does it do it automatically?

What kind of encryption is the cookie using by default anyways?

Thanks

A: 

You need to manually set all of those properties on the forms authentication ticket. You can access most of the values via static accessors on the FormsAuthentication class. The configuration settings in the web.config are only used when you use FormsAuthentication.GetAuthCookie or FormsAuthentication.SetAuthCookie.

User data can be retrieved by extracting and decrypting the forms authentication ticket, then using the UserData property accessor on the decrypted ticket.

You will always need to decrypt the ticket to access the user data.

http://msdn.microsoft.com/en-us/library/ms998310.aspx contains details on the encryption and validation ciphers used, but by default the ticket is encrypted using AES and validated using SHA1 (HMACSHA1).

http://support.microsoft.com/kb/910443 contains further information and links that may answer any further questions you have.

Neal
Hmm ok so then what is the stuff in the new FormsAuthenticationTicket() ticket doing? Like I set Expiry time and it does nothing. So what is that stuff for?
chobo2
I think you are confusing the cookie with the ticket. The ticket is the thing that manages the state of an authenticated session between client and server; the cookie is simply the means by which the state is stored on the client. The cookie expiry determines when the cookie expires on the client. The ticket expiry determines when the ticket expires *on the server*. Ticket settings are interrogated on the server to determine the validity of the authenticated session and attach the appropriate principal / identity to the currently executing request.
Neal
So what happens if I want the user to stay authenticated for, say, 2 weeks? What do I set?
chobo2
The expiry date in both the ticket and the cookie
Neal
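An added example (not code from the answer or the comments above) that ties the pieces together: the cookie attributes are taken from the web.config via FormsAuthentication's static accessors, several values are packed into UserData, and the ticket expiry and cookie expiry are set together so that a persistent cookie does not end with the session. The class name AuthCookieHelper and the '|' delimiter are assumptions of this example.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Builds and reads a forms-auth cookie that carries extra UserData.
// Cookie attributes come from the <forms> element through the static
// accessors, so they match what SetAuthCookie would have produced.
public static class AuthCookieHelper
{
    // Assumed delimiter; choose one that cannot occur in the packed values.
    private const char Delimiter = '|';

    public static HttpCookie Create(string userName, TimeSpan lifetime,
                                    bool persistent, params string[] extraData)
    {
        DateTime issued = DateTime.Now;
        DateTime expires = issued.Add(lifetime);
        // More than one piece of data is packed into the single UserData string.
        string userData = string.Join(Delimiter.ToString(), extraData);
        var ticket = new FormsAuthenticationTicket(
            1, userName, issued, expires, persistent, userData,
            FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                            // keep it away from script
            Secure = FormsAuthentication.RequireSSL,    // from requireSSL="..."
            Path = FormsAuthentication.FormsCookiePath, // from path="..."
            Domain = FormsAuthentication.CookieDomain,  // from domain="..." (null if unset)
        };
        // Ticket expiry governs server-side validity; cookie expiry governs how long
        // the browser keeps it. Without Expires the browser treats it as a session
        // cookie, which is what the question observed.
        if (persistent)
            cookie.Expires = expires;
        return cookie;
    }

    // Returns the packed values, or null if the cookie is absent, tampered with or expired.
    public static string[] Read(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return null;
        FormsAuthenticationTicket ticket;
        // Decrypt validates the HMAC; malformed or tampered input is rejected
        // either by returning null or by throwing, so both paths are handled.
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }
        if (ticket == null || ticket.Expired) return null;
        return ticket.UserData.Split(Delimiter);
    }
}
```

Calling Create("chobo2", TimeSpan.FromDays(14), true, "role=user", "theme=dark") and adding the result to Response.Cookies gives the two-week session asked about in the comments, with both expiries set to the same instant.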