FormsAuthentication & createPersistentCookie

Alex Maghen

I'm a little confused about how to work with the "createPersistentCookie"
feature of FormsAuthentication.RedirectFromLoginPage().

1. There are various things that I need my application to do when a user
successfully logs in. I do that stuff inside the code of my Login.aspx page
after I am sure the user is authentic but before I call
FormsAuthentication.RedirectFromLoginPage(). If I pass TRUE to the second
parameter, what actually happens when the user comes back in? They seem to
get authenticated, but is my code actually getting called? How do I hook into
it so that I can do things when authentication occurs?

2. Once the user is cookied for auto-login, is there a function I can call
to clear that cookie should the user want to stop doing auto-login? Or do I
have to delete the cookie myself?

Alex
 
Brock Allen

> 1. There are various things that I need my application to do when a
> user successfully logs in. I do that stuff inside the code of my
> Login.aspx page after I am sure the user is authentic but before I
> call FormsAuthentication.RedirectFromLoginPage(). If I pass TRUE to
> the second parameter, what actually happens when the user comes back
> in? They seem to get authenticated, but is my code actually getting
> called? How do I hook into it so that I can do things when
> authentication occurs?

True sets a persistent cookie, thus subsequent requests are as if the user
had just logged on. What is it you need to do when the user authenticates?

> 2. Once the user is cookied for auto-login, is there a function I can
> call to clear that cookie should the user want to stop doing
> auto-login? Or do I have to delete the cookie myself?

FormsAuthentication.SignOut()
 
Alex Maghen

Here's what I mean: When the user FIRST logs in on the site, I have a form
that provides me a Username and a Password. I use my OWN code (which checks a
database and also writes a record indicating that a login has occurred) and
then, if all's well, MY code calls
FormsAuthentication.RedirectFromLoginPage()

But what I don't get is this: The next time that user comes in, assuming
that he had checked the Persist box, what code gets executed to log the
user back in? Does the persistent cookie on the user's machine contain the
username and password and then pass that information back in for
authentication? Despite the fact that the user has asked for this auto-login
functionality, I still need to authenticate the user with MY code before
they're allowed back into the site.

See what I mean?

Alex
 
Dominick Baier [DevelopMentor]

Hi,

The authentication cookie is encrypted with a key - the machine key - by
default this is an auto-generated per-app key - but you can specify it explicitly
using the <machineKey> element.

The fact that the application can decrypt the cookie using the machine key
is the proof that the user has been authenticated by this application. You
don't re-authenticate the user.

The cookie contains the user's name to regenerate Context.User on each request.
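
As an added example (not part of the original thread and not any poster's code): one place to run application code when a user returns with a persistent ticket is `Application_PostAuthenticateRequest` in Global.asax, which fires after the forms authentication module has rebuilt `Context.User` from the cookie. `AccountStore`, its two methods, the disabled user name and the `visit_logged` cookie name are hypothetical stand-ins for the application's own code.

```csharp
// Global.asax.cs (added illustration; AccountStore is a hypothetical stand-in)
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Runs on every request, after the forms authentication module has
    // decrypted and validated the ticket cookie and set Context.User from it.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        FormsIdentity identity =
            Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return; // anonymous request, or a different authentication scheme

        FormsAuthenticationTicket ticket = identity.Ticket;
        // The ticket only proves this application issued it earlier. Re-check
        // the account so a long-lived persistent cookie cannot outlive a ban.
        if (!AccountStore.IsStillAllowed(ticket.Name))
        {
            FormsAuthentication.SignOut();             // expire the ticket cookie
            FormsAuthentication.RedirectToLoginPage();
            CompleteRequest();                         // skip the page handler
            return;
        }

        // Record one "return visit" per browser session for remembered users.
        // The marker is a session cookie used only to avoid duplicate log rows;
        // it is never consulted for an access decision.
        const string Marker = "visit_logged";          // hypothetical cookie name
        if (ticket.IsPersistent && Request.Cookies[Marker] == null)
        {
            AccountStore.RecordReturnVisit(ticket.Name, ticket.IssueDate);
            Response.Cookies.Add(new HttpCookie(Marker, "1") { HttpOnly = true });
        }
    }
}

public static class AccountStore // hypothetical: replace with real database code
{
    static readonly HashSet<string> Disabled =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "constructed-disabled-user" };
    public static bool IsStillAllowed(string user) { return !Disabled.Contains(user); }
    public static void RecordReturnVisit(string user, DateTime issued)
    { Trace.WriteLine(user + " returned with a ticket issued " + issued.ToString("u")); }
}
```

The account check runs on every authenticated request, so it should be a cheap lookup.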
 
Steven Cheng[MSFT]

Hi Alex,

The "createPersistentCookie" parameter in the
FormsAuthentication.RedirectFromLoginPage() method controls whether
ASP.NET will create a persistent cookie or a session cookie for the
authentication ticket of the currently logged-in user. The forms
authentication ticket is stored in a client-side cookie by default. There are
two kinds of cookies: session cookies and persistent cookies. A session cookie
is only available during its lifecycle (before it expires); however, if the
client user closes the browser, the session cookie will also no longer be
available. A persistent cookie, by contrast, is always available as long as it
hasn't expired (even if the client user closes the browser). So using a
"persistent cookie" can provide a "remember me" function like many
websites do.

Also, the username/password is required only when the user is
authenticating against the login page. After he has logged in, an
authentication ticket is produced and cached in the user's client-side
cookie (the default behavior). All the subsequent requests from the user
will use this ticket (from the cookie) to perform the authentication (rather
than username/password credentials) as long as the ticket hasn't expired.

Hope this helps clarify some. If there is still anything unclear, please
feel free to post here.

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Steven Cheng[MSFT]

Hello Alex,

Does our suggestion help you some? If there is still anything we can help with,
please feel free to post here.

Regards,

Steven Cheng
Microsoft Online Community Support

