Forms Authentication Ticket/Cookie values

Guest

Folks, can anyone confirm that my understanding is correct and maybe shed some
light on why it's as it is. (I'm guessing security, but that seems weak to
me.)

The asp.net web application is using forms authentication.

If I create a FormsAuthTicket with userdata in the appropriate place, then
encode it and create a cookie, add it to the response.cookie collection and
use it, all is well.

However, if after I create the cookie I add some additional values to the
cookie, and then add it to the collection, asp.net no longer recognizes this
as a valid authentication ticket.

Thanks for the info...Chuck
 
Guest

Scott, I get how to stuff items in the "userdata" area of the forms auth
ticket. The question I have is concerning the cookie values collection of the
encoded ticket.

I'll also quibble with the words in your response. If the cookie is hashed
and encrypted, why have a routine of
....GetAuthCookie(name,Ispersistent,path). Once I get the cookie I can set the
expiration can't I?

I know there are quirks in the system, I am just trying to confirm my belief
that FormsAuth cookies can NOT have members in the "values" collection.
 
Brock Allen

You can piggyback data in the cookie, but since the forms auth cookie
is encrypted and hashed to prevent tampering it takes some extra work.
There is a section in the following document to show you how:

http://www.pluralsight.com/articlecontent/efficientRoleBasedAuthentication.pdf

I'd be wary of this approach, personally. My main complaint is that if the
roles are cached in the cookie, then it's difficult to remove the role from
the user while they have their browser active. I tend to cache the roles
on the server in the ASP.NET Cache. Of course, this has the same drawbacks
as the cookie if you're using a server farm. See, nothing's easy :)
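
An added example, not part of any poster's reply and not taken from the linked document: a minimal sketch of carrying extra data in the ticket's UserData instead of the cookie's Values collection, so the data sits inside the encrypted and tamper-checked string. The class name, method names and 30-minute lifetime are hypothetical, and the default `protection="All"` forms setting is assumed.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper: names and the 30-minute lifetime are illustrative.
public static class TicketCookie
{
    // Put the extra data inside the ticket so it is covered by the
    // encryption and validation, then send the encrypted string as the
    // cookie's single Value.
    public static void Issue(HttpResponse response, string userName, string userData)
    {
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, now, now.AddMinutes(30), false, userData,
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;

        // Do not set cookie.Values[...] here: adding subkeys changes the
        // string the browser sends back, so it is no longer exactly the
        // output of Encrypt() and will not decrypt as a ticket.
        response.Cookies.Add(cookie);
    }

    // Returns the ticket's UserData, or null when the cookie is missing,
    // expired, or fails decryption/validation.
    public static string ReadUserData(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            return (ticket == null || ticket.Expired) ? null : ticket.UserData;
        }
        catch (ArgumentException) { return null; } // not a valid ticket string
        catch (HttpException) { return null; }     // validation failed
    }
}
```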
 
