FormsAuthentication Class Question

Joe Reazor

First, here's a quick description of what I have so far. I have a website
that I am building that contains both asp and asp.net pages. I have
configured the site using a custom HTTPHandler, web.config, and a custom
HTTPModule so that all requests (both asp and asp.net) go through the
asp.net runtime. Asp requests are then redirected to the asp handler and
asp.net are processed as normal. The entire site is then password protected
using forms authentication and authorization to any page or sub app is
controlled through the web.config in my root web. My custom HTTPModule
handles the Authenticate Request event so that I can check my cookie, that I
set on my login page, decrypt it and get my user and group info. All of
this works perfectly on the asp.net side. I now want to be able to use that
same cookie that I can access in my regular old asp pages decrypt it and get
my user info. I made a class that uses the FormsAuthentication Class and
thought I could decrypt my cookie that way. The problem I found was that
the FormsAuthentication class only works when called within an asp.net
application because when you call the Decrypt method it initializes which
looks for the encryption keys in the web.config file. My custom class
called from an asp page through interop obviously does not have this, so I
get this error:

System.NullReferenceException: Object reference not set to an instance of an
object. at System.Web.Security.FormsAuthentication.Initialize() at
System.Web.Security.FormsAuthentication.Decrypt(String encryptedTicket) at
CustomHandlers.AuthenticationAccessor.SetAuthTicket(String CookieValue)

Does anyone have any ideas how I might be able to decrypt the cookie on the
ASP side of things? Would not using the Encrypt method of the
FormsAuthentication class on my login page and instead writing a custom
encrypter be the best way to go?


==============
Joe Reazor
Gorbel Inc.
email: joerea=AT=gorbel=DOT=com
 
Joe Reazor

Thanks Luke, I was afraid that was going to be the answer. The thing that I
am getting stuck on now is that if I don't use FormsAuthentication.Encrypt
and instead do the encrypt myself, I'm not sure what this Encrypt method
does? You pass it an authentication ticket and it returns an encrypted
version. How exactly do I reproduce that but with my own class?


==============
Joe Reazor
Gorbel Inc.
email: joerea=AT=gorbel=DOT=com
 
Joe Reazor

This is getting frustrating. In trying to implement a custom
encryptor/decryptor using RijndaelManaged class I found out that I can't
directly encrypt a FormsAuthenticationTicket when I am outside of a webforms
application. The stack trace yielded the same issue I saw before where the
call to FormsAuthentication.Initialize that happens somewhere in the .net
runtime fails, I'm guessing because I'm outside of a forms app. It's
annoying though because I just want to use the ticket and its data. I guess
I can ignore trying to return a ticket from my custom class and just provide
access to the ticket's data that is stored in the encrypted cookie.

In just thinking about it some more, I probably could just as easily go back
to using standard FormsAuthentication encryption of my ticket, let my custom
httpmodule use that for the begin authentication event to confirm the user
is authenticated and on the login page I just add some extra code to encrypt
just my username field as a separate cookie. Then I can access this in a
custom class that is called through interop by my asp page and return it the
username. Then on the asp side I can write my code to use that username to
get user data from my SQL tables.

Does that seem to make more sense?


==============
Joe Reazor
Gorbel Inc.
email: joerea=AT=gorbel=DOT=com
 
[MSFT]

Hi Joe,

I think it is a good idea to encrypt username field as a separate cookie.
Only cookies can be shared between asp and asp.net, not with application or
session variant.

Another idea is to upgrade all your asp files to aspx. Normally, we only
need to change the filename directly.

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Joe Reazor

Thanks Luke. This is the approach that I have ended up taking. It seems
the easiest and most straightforward and when we switch everything over to
all aspx pages then this extra cookie can just go away.


==============
Joe Reazor
Gorbel Inc.
email: joerea=AT=gorbel=DOT=com
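
The separate username cookie discussed in this thread, sketched as an added example that is not code from any poster. The class name, cookie layout and caller-supplied keys are assumptions; it uses `Aes` rather than the `RijndaelManaged` class mentioned above, and adds an HMAC because encryption alone does not stop a modified cookie from being accepted.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper: class name, cookie layout and key handling are assumptions.
// It never touches FormsAuthentication, so it needs no web.config or ASP.NET runtime.
public sealed class UserCookieProtector
{
    private readonly byte[] encKey, macKey;   // two independent 32-byte secrets
    public UserCookieProtector(byte[] encKey, byte[] macKey) { this.encKey = encKey; this.macKey = macKey; }

    // Value = Base64(IV || AES-CBC("expiryTicks|username") || HMAC-SHA256(IV || ciphertext))
    public string Protect(string username, DateTime expiresUtc)
    {
        byte[] plain = Encoding.UTF8.GetBytes(expiresUtc.Ticks + "|" + username);
        using (Aes aes = Aes.Create())              // CBC + PKCS7, fresh random IV
        using (HMACSHA256 mac = new HMACSHA256(macKey))
        using (ICryptoTransform enc = aes.CreateEncryptor(encKey, aes.IV))
        {
            byte[] ct = enc.TransformFinalBlock(plain, 0, plain.Length);
            byte[] body = aes.IV.Concat(ct).ToArray();
            return Convert.ToBase64String(body.Concat(mac.ComputeHash(body)).ToArray());
        }
    }

    // Returns the username, or null if the value is malformed, tampered with or expired.
    public string Unprotect(string cookieValue, DateTime nowUtc)
    {
        byte[] all;
        try { all = Convert.FromBase64String(cookieValue ?? ""); }
        catch (FormatException) { return null; }
        if (all.Length < 16 + 16 + 32) return null;  // IV + one block + tag
        byte[] body = all.Take(all.Length - 32).ToArray();
        using (HMACSHA256 mac = new HMACSHA256(macKey))
        {
            byte[] expected = mac.ComputeHash(body);
            int diff = 0;                            // constant-time tag comparison
            for (int i = 0; i < 32; i++) diff |= expected[i] ^ all[body.Length + i];
            if (diff != 0) return null;              // reject before any decryption
        }
        using (Aes aes = Aes.Create())
        using (ICryptoTransform dec = aes.CreateDecryptor(encKey, body.Take(16).ToArray()))
        {
            byte[] plain = dec.TransformFinalBlock(body, 16, body.Length - 16);
            string[] parts = Encoding.UTF8.GetString(plain).Split(new[] { '|' }, 2);
            if (parts.Length != 2 || !long.TryParse(parts[0], out long ticks)) return null;
            return ticks > nowUtc.Ticks ? parts[1] : null;
        }
    }
}
```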
 
