How can I manually create a authentication cookie instead of the default method?
asp.netasp.net Problem Overview
Using FormsAuthentication
we write code like this:
if (IsValidUser())
{
FormsAuthentication.SetAuthCookie(userName, createPersistentCookie);
FormsAuthentication.RedirectFromLoginPage(userName, createPersistentCookie);
}
-
How can I manually create a authentication cookie instead of writing
FormsAuthentication.SetAuthCookie(userName, createPersistentCookie)
? -
How can I store a redirect URL from the login page in a string variable instead of writing
FormsAuthentication.RedirectFromLoginPage(userName, createPersistentCookie)
?
asp.net Solutions
Solution 1 - asp.net
Here you go. ASP.NET takes care of this for you when you use the higher level methods built into FormsAuthentication, but at the low level this is required to create an authentication cookie.
if (Membership.ValidateUser(username, password))
{
// sometimes used to persist user roles
string userData = string.Join("|",GetCustomUserRoles());
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
1, // ticket version
username, // authenticated username
DateTime.Now, // issueDate
DateTime.Now.AddMinutes(30), // expiryDate
isPersistent, // true to persist across browser sessions
userData, // can be used to store additional user data
FormsAuthentication.FormsCookiePath); // the path for the cookie
// Encrypt the ticket using the machine key
string encryptedTicket = FormsAuthentication.Encrypt(ticket);
// Add the cookie to the request to save it
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
cookie.HttpOnly = true;
Response.Cookies.Add(cookie);
// Your redirect logic
Response.Redirect(FormsAuthentication.GetRedirectUrl(username, isPersistent));
}
I'm not sure why you would want to do something custom here. If you want to change the implementation of where user data is stored and how users authenticate then it's best practice to create a custom MembershipProvider
. Rolling your own solution and messing with the authentication cookie means a high probability of introducing security holes in your software.
I don't understand your part 2. You only need to call FormsAuthentication.GetRedirectUrl if you want to return users to the page they were trying to access when they got bounced to login. If not do whatever you want here, redirect to a url stored in the configuration if you want.
To read the FormsAuthentication cookie, normally you would hook the AuthenticateRequest
event in a HttpModule or the Global.asax and set up the user IPrinciple
context.
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
if(authCookie != null)
{
//Extract the forms authentication cookie
FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);
// If caching roles in userData field then extract
string[] roles = authTicket.UserData.Split(new char[]{'|'});
// Create the IIdentity instance
IIdentity id = new FormsIdentity( authTicket );
// Create the IPrinciple instance
IPrincipal principal = new GenericPrincipal(id, roles);
// Set the context user
Context.User = principal;
}
}
Solution 2 - asp.net
Answer Update on number of down votes casted for this post, Properway of creating a cookie with user information as follows,
Cookie validation on page load of login page,
if (HttpContext.Current.User.Identity.IsAuthenticated)
Cookie creation during authenticated user Login,
FormsAuthentication.SetAuthCookie(txtUserName.Text.Trim(), true);
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
1,
txtUserName.Text.Trim(),
DateTime.Now,
(chkRemember.Checked) ? DateTime.Now.AddHours(6) : DateTime.Now.AddHours(2),// Specify timelimit as required
true,
string.Empty,
FormsAuthentication.FormsCookiePath);
string encryptedTicket = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
cookie.Expires = (chkRemember.Checked) ? DateTime.Now.AddHours(6) : DateTime.Now.AddHours(2);
cookie.HttpOnly = true;
Response.Cookies.Add(cookie);
Below is a Down voted answer - Reason adding an encrypted password in a cookie.
the other way of creating a cookie,
HttpCookie toolCookie = new HttpCookie("xyz");
toolCookie["UserName"] = userName;
toolCookie["Password"] = StringCipher.Encrypt(password, "#!");
toolCookie.Expires = DateTime.Now.AddMinutes(chkRemember.Checked ? 30 : -30);
Request.Cookies.Add(toolCookie);
Get the Existing cookie details
HttpCookie user = Request.Cookies["xyz"];
if(user != null)
{
string username = user["UserName"];
string password = user["Password"] != null ? StringCipher.Decrypt(user["Password"], "#!")
}
here Datasecurity is a static class.
Encrypt and Decrypt function Encrypt & Decrypt