Reputation: 6964
So, I call FormsAuthentication.SetAuthCookie(model.UserName, true) and redirect to an [Authorize] branded action. Now HttpContext.Current.User.Identity is a FormsIdentity whose properties advise me that I am indeed logged in. Great.
Now I remodel my database, deleting the tables and regenerating them. The name being persisted by FormsAuthentication doesn't even exist any more. But when I refresh the secure web site, the stupid logic still greets me: Hello UserName. Okay... that's cool.
FormsAuthentication is obviously not tied to my data store. Is it storing session information in-process? Or is it encoding all relevant data into the authentication ticket and letting the client persist it in cookies?
Lastly, is the ticket tied to my membership platform at all? Or is HttpContext.Current.User.Identity.Name just an arbitrary value?
Upvotes: 0
Views: 973
Reputation: 253
With the default forms authentication configuration, a cookie is sent to the client upon successful login. (There are cookieless options.)
"Each time a subsequent request is received after authentication, the FormsAuthenticationModule class retrieves the authentication ticket from the authentication cookie, decrypts it, computes the hash value, and compares the MAC value to help ensure that the cookie has not been tampered with."
What you are seeing is the FormsAuthenticationModule finding that the request has a cookie.
The following link is a very detailed overview of the process that I just described. The activity diagram is particularly important to understanding what happens with each request.
I hope that helps.
Explained: Forms Authentication in ASP.NET 2.0
Chris
Upvotes: 1
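The module described in the quote above validates only the ticket inside the cookie; it never consults the user store, which is why a deleted user is still greeted by name. The following is an added example, not code from this thread or from ASP.NET itself, of a Global.asax handler that re-checks the store on every request. The class name Global, the use of the default Membership provider as the store, and the creation-date comparison are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Global.asax.cs (class name assumed). Runs after FormsAuthenticationModule
// has decrypted and MAC-checked the ticket and populated Context.User.
public class Global : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return; // anonymous request or a different authentication scheme

        // The ticket is self-contained: the name, issue time and expiry all
        // come from the client's cookie, not from the database.
        FormsAuthenticationTicket ticket = identity.Ticket;

        // Assumption: the default Membership provider is the user store.
        // userIsOnline: false avoids updating LastActivityDate on every request.
        MembershipUser account = Membership.GetUser(ticket.Name, false);

        bool stale =
            account == null ||                       // user deleted since login
            !account.IsApproved ||                   // account disabled
            account.IsLockedOut ||                   // account locked out
            account.CreationDate > ticket.IssueDate; // same name re-created after the ticket was issued

        if (stale)
        {
            FormsAuthentication.SignOut(); // expire the auth cookie on the client
            // Downgrade this request to anonymous so [Authorize] rejects it.
            Context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        }
        // One store lookup per request; cache the result briefly if that is too costly.
    }
}
```

The creation-date comparison covers the scenario in the question, where the tables are dropped and the same user name is registered again while an old persistent cookie is still valid.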
Reputation: 5801
All relevant data is stored in the authentication ticket and persisted in a cookie on the client side. And HttpContext.Current.User.Identity.Name is stored in another cookie as well. You can see the cookies with Firefox by clicking View page info and then security. You will see 2 cookies. One of them is .ASPXAUTH (takes care of authentication), and the other one is .ASPXROLES (takes care of membership).
Upvotes: 2