Forms Security

Matt

Hi, I have the MSDN forms security example in my .net code, tweaked to suit
my application.

When I log in and step through my code, I see everything get created
correctly, and if I look in the cookies folder, the cookie myname@localhost
gets created.

But the page then redirects, and the security doesn't see the cookie, and so I
end up back at the login page.
What have I missed?
I assume that the .net framework handles the rest, so it looks to me that it
is not finding the correct cookie name in the web.config file.

The only thing I have done is encrypted the ticket, so I can see I may need
to add in a function somewhere to decrypt it and check it?

Any advice / help gratefully received, as I'm going round and round in
circles.
 
Dominick Baier [DevelopMentor]

Hello MATT,

Can you post the code where you set the auth cookie?
 
Matt

Sorry, here it is.

Code:
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
    selectCMD.Parameters["@output"].Value.ToString(), false, 10); // ticket times out after 10 minutes

//Encrypt the ticket
string eT = FormsAuthentication.Encrypt(authTicket);
//Create a Cookie and store the data
HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, eT);
DateTime dt = DateTime.Now;
authCookie.Expires = dt.AddHours(1); // cookie kept for 1 hour, longer than the ticket's 10 minutes
Response.Cookies.Add(authCookie);
//Redirect to Originally Requested Page
Label2.Text = FormsAuthentication.GetRedirectUrl(selectCMD.Parameters["@output"].Value.ToString(), false);
Response.Redirect(FormsAuthentication.GetRedirectUrl(selectCMD.Parameters["@output"].Value.ToString(), false));

I guess I don't understand the forms security model, but if there is a ticket
encrypt method, I assume that there needs to be a ticket decrypt method call
happening somewhere.

But then that may be bad thinking on my part!

Matt
 
Dominick Baier [DevelopMentor]

Hello MATT,

Look at that code: http://www.leastprivilege.com/PermaLink.aspx?guid=b0e51388-71d1-4a6f-98d0-bc8cfbec4c3a

The decryption is done by the FormsAuthenticationModule and is transparent
to your application.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Matt

Thanks Dominick, there's a lot to digest there, and no doubt I'll be tweaking
my application for some time based on what you've shown me - when I
understand what it all does :)

But it doesn't explain why my code doesn't work; it definitely writes and
creates a cookie, and tries to redirect. But instead of redirecting it is
bouncing straight back to the login page. So if the decryption of my ticket
is happening automagically, then what on earth is causing this problem?

(All the sample code I have is straight off the MS website, and usually I
find that works.)

Is there any way I can catch the redirect, to see why it is sending me back
to the login page?

Matt

Dominick Baier [DevelopMentor]

Hello MATT,

Just compare the code in my sample and yours for setting the auth cookie.
There must be a difference; maybe the expiration time is the problem. Also,
try using a tool like Fiddler (www.fiddlertool.com) to inspect the behavior
and see whether the cookie is really set in IE.

Matt

Well I'll look some more, but I just copied your code in, and I get the same
issue. The only difference is I need to have a web.config in each folder, as
it doesn't like me having a
<location = "<folder>">
</location> block in the config.

If I set the redirect to be away from the secure area of my site it works,
and I looked at my cookie cache, and the system did create a new cookie.

It's all very confusing, but I'll have to wait until later to download
Fiddler.

Any other gotchas I should be looking out for?

Matt

OK, typically, just after I posted this I figured out the difference!

Now my code is the same as yours.

Using Fiddler, when I submit the username and password, I can see it sending
a cookie of the correct type with a load of data in it.

Below that is another entry for the login page again. This too has the line
for the cookie, with the same data. So looking at that, the page knows there
is a cookie written, and it is just ignoring it. Both the entry for the
login page and the one for the user home page have the same referrer.

I just can't see why this is happening (but this is all new to me, so it is
almost certainly something straightforward!)

Matt

Matt

Adding the following code to Application_AuthenticateRequest() has helped me
step through the auth process.

string cookieName = FormsAuthentication.FormsCookieName;
HttpCookie authCookie = Context.Request.Cookies[cookieName];

if (null == authCookie)
{
    //There is no authentication cookie in this request.
    return;
}

authCookie is returning as null, but it is being written in the login
process.

Matt
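A fuller version of that diagnostic, added here as an example (it is not Matt's or Dominick's code; the class and method names `Global`, `TraceAuthCookie` and `IssueAuthCookie` are mine, and it assumes .NET Framework 1.1 or 2.0 with forms authentication configured in the application-root web.config). In Global.asax it lists every cookie the browser actually sent, decrypts the forms ticket the way the FormsAuthenticationModule does, and traces its name, expiry and path, which separates "the browser never sent the cookie back" from "the module rejected the ticket". The login-side helper issues a ticket whose lifetime matches the cookie's, the mismatch Dominick's reply points at, and scopes the cookie to the configured forms path.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Global.asax code-behind (hypothetical class name). Assumes .NET Framework 1.1/2.0
// and forms authentication configured in the application-root web.config.
public class Global : HttpApplication
{
    // Runs on every request, before the module decides whether to redirect to loginUrl.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        TraceAuthCookie(Context);
    }

    // Diagnostic only: output goes to the page trace (<trace enabled="true" /> in web.config).
    public static void TraceAuthCookie(HttpContext ctx)
    {
        // ".ASPXAUTH" unless <forms name="..."> in web.config says otherwise.
        string cookieName = FormsAuthentication.FormsCookieName;
        ctx.Trace.Write("Auth", "Request: " + ctx.Request.Path);
        ctx.Trace.Write("Auth", "Expecting cookie " + cookieName
            + " scoped to path " + FormsAuthentication.FormsCookiePath);

        // Every cookie the browser actually sent. If Fiddler shows the forms cookie in
        // the login response but it is absent here, the browser declined to send it:
        // its Path, Domain or Secure attribute does not match this request.
        foreach (string name in ctx.Request.Cookies.AllKeys)
            ctx.Trace.Write("Auth", "Cookie received: " + name);

        HttpCookie authCookie = ctx.Request.Cookies[cookieName];
        if (authCookie == null)
        {
            ctx.Trace.Warn("Auth", "No forms cookie in this request.");
            return;
        }

        // The same decryption the FormsAuthenticationModule performs for you.
        FormsAuthenticationTicket ticket = null;
        try
        {
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception ex) // tampered value, or encrypted under a different machineKey
        {
            ctx.Trace.Warn("Auth", "Ticket did not decrypt: " + ex.Message);
        }
        if (ticket == null)
            return;
        if (ticket.Expired)
            ctx.Trace.Warn("Auth", "Ticket expired at " + ticket.Expiration);
        else
            ctx.Trace.Write("Auth", "Ticket for " + ticket.Name + " valid until " + ticket.Expiration);
    }

    // Login side: ticket lifetime and cookie lifetime agree, and the cookie covers the
    // protected folder. Add the returned cookie to Response.Cookies before redirecting.
    public static HttpCookie IssueAuthCookie(string userName, bool persistent, int minutes)
    {
        DateTime issued = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, issued, issued.AddMinutes(minutes), persistent,
            String.Empty, FormsAuthentication.FormsCookiePath);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath; // must include the secured folder
        cookie.Secure = FormsAuthentication.RequireSSL;    // a Secure cookie is never sent over plain HTTP
        if (persistent)
            cookie.Expires = ticket.Expiration;            // otherwise it lives for the browser session
        return cookie;
    }
}
```

Compare the "Cookie received" lines for the redirected request against the Set-Cookie Fiddler shows on the login response: a cookie that is present in one and absent in the other points at scope (Path, Domain, Secure), not at the ticket.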