tags:

views:

1144

answers:

2
+4  Q: 

How to set Request.IsAuthenticated to true when not using FormsAuthentication.RedirectFromLoginPage?

I am using Form Authentication and sending an Aajx request to the server for authentication. Based on the json result, the client decides where to go and what to do. That is the reason I am not using FormsAuthentication.RedirectFromLoginPage to not interfere the ajax/json response.

In this case Request.IsAuthenticated returns false, even after validating the user with Membership.ValidateUser. Then I set the cookie using 

FormsAuthentication.SetAuthCookie(username, false);

Although the second parameter, persistent cookie, is false, the cookie is still valid across browser sessions.

Any idea how to make Request.IsAuthenticated work without using FormsAuthentication.RedirectFromLoginPage?

+1  A: 

You need to update the current security principal for the request. When you call Response. Redirect(...) a new request is done and the security principal is reinitialized and Request.IsAuthenticated returns true in your case. FormsAuthentication.RedirectFromLoginPage internally calls Response. Redirect(...). You can manually renew the security principal for the current request like this:

public void RenewCurrentUser()
{
    System.Web.HttpCookie authCookie =
        System.Web.HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
    if (authCookie != null)
    {
        FormsAuthenticationTicket authTicket = null;
        authTicket = FormsAuthentication.Decrypt(authCookie.Value);

        if (authTicket != null && !authTicket.Expired)
        {
            FormsAuthenticationTicket newAuthTicket = authTicket;

            if (FormsAuthentication.SlidingExpiration)
            {
                newAuthTicket = FormsAuthentication.RenewTicketIfOld(authTicket);
            }
            string userData = newAuthTicket.UserData;
            string[] roles = userData.Split(',');

            System.Web.HttpContext.Current.User =
                new System.Security.Principal.GenericPrincipal(new FormsIdentity(newAuthTicket), roles);
        }
    }
}
Branislav Abadjimarinov  2010-01-21 09:55:03
Manual renewal isn't required (especially for GenericPrincipal and FormsIdentity), and credentials shouldn't change part-way through a request, which why the cookie is added to the response and then a completely new response/request life cycle is performed. On the next request the cookie created by FormsAuthentication.SetAuthCookie() will be picked up.
Robert Paulson  2010-01-21 22:32:37
Of course this method can be considered a hack because it doesn't follow the normal forms authentication flow. But it can be useful if you want to check if user is authenticated in the same request where authentication takes part.
Branislav Abadjimarinov  2010-01-22 09:23:09
Sometimes though a hack is what you need - I was trying to do things "the right way" and forcing a redirect, and getting into a right state with other systems being redirected :(
Zhaph - Ben Duguid  2010-08-05 19:30:33
+3  A: 

FormsAuthentication.SetAuthCookie

Method Creates an authentication ticket for the supplied user name and adds it to the cookies collection of the response, or to the URL if you are using cookieless authentication.

Ref: msdn

Have a look at the Forms Authentication Control Flow. The authentication cookie is set to the response cookie collection, and should be observable at the http protocol level (e.g. use FireCookie or Fiddler2 to verify this).

Membership only verifies a username/password. Neither Membership nor SetAuthCookie() will modify the current request. They expect to send the cookie back to the caller, and the next request is when the properties like IsAuthenticated will return true.

Note that you can override and extend these automatic processes using custom IIdentity and IPrincipal, and hook into the authentication events if you need to.

Also have a look at Using Forms Authentication with ASP.NET AJAX

Robert Paulson  2010-01-21 22:27:13
This is a great answer.
Greg  2010-01-22 22:41:40

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps