Using Custom MembershipProvider without a Login control in ASP.NET

Question

We have got a custom MembershipProvider in asp.net. Now there are 2 possible scenario the user can be validated:

1. User login via login.aspx page by entering his username/password. I have used Login control and linked it with the MyMembershipProvider. This is working perfectly fine.

2. A authentication token is passed via URL in query string form a different web sites. For this I have one overload in MembershipProvider, Validate(string authenticationToken), which is actually validating the user. In this case we cannot use the Login control. Now how can I use the same MembershipProvider to validate the user without actually using the Login control? I tried to call Validate manually, but this is not Signing In the user.

Here is the code snippet I am using

if (!string.IsNullOrEmpty(Request.QueryString["authenticationToken"]))
{
    string ticket = Request.QueryString["authenticationToken"];
    MyMembershipProvider provider = Membership.Provider as MyMembershipProvider;
    if (provider != null)
    {
     if (provider.ValidateUser(ticket))
      // Login Success
     else
      // Login Fail
    }
}

Answer 1

After validation is successful, you need to sign in the user, by calling FormsAuthentication.Authenticate: http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.authenticate.aspx

EDIT: It is FormsAuthentication.SetAuthCookie: http://msdn.microsoft.com/en-us/library/twk5762b.aspx

Also, to redirect the user back where he wanted to go, call: FormsAuthentication.RedirectFromLoginPage: http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.redirectfromloginpage.aspx

link text

Answer 2

You can set your own FormsAuthenticationTicket if the validation is successful... something like this:

> if (provider != null)     {
>         if (provider.ValidateUser(ticket))
>         {
>                 // Login Success
>                 FormsAuthenticationTicket authTicket = new
>                 FormsAuthenticationTicket(
>                     1, //version
>                     someUserName, //name
>                     DateTime.Now, //issue date
>                     DateTime.Now.AddMinutes(lengthOfSession), //expiration
>                     false, // persistence of login
>                     FormsAuthentication.FormsCookiePath
>                     );
> 
>                 //encrypt the ticket
>                 string hash = FormsAuthentication.Encrypt(authTicket);
>                 HttpCookie cookie = new HttpCookie(
>                     FormsAuthentication.FormsCookieName,
>                     hash);
> 
>                 Response.Cookies.Add(cookie);
>                 Response.Redirect(url where you want the user to land);
>         }
>         else
>         {
>                 // Login Fail  
>         }   
>}

Answer 3

But shall we use cookie for authentication? Cookies is almost deprecated concept for authentication. Please correct me if I am wrong.