Reputation: 539
I'm relatively new to .NET and am trying to figure out FormsAuthentication. I've gone through a few different tutorials and every time I hit the same problem. For some reason the UserData isn't being stored in the ticket. When I set a breakpoint on the ticket in Global.asax.cs, the UserName is there, but the UserData is an empty string and the Version is set to 2 when it is specified as 1. Another odd thing is that every authenticated user is allowed to access the pages in my Admin_Content folder when the web.config specifies that only Administrators can.
Login.aspx
UserFull user = ManageUsers.login(loginTemplate.UserName, loginTemplate.Password);
if (user != null)
{
    string[] roles = { user.role };
    FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
        1,                                  // version
        loginTemplate.UserName,             // user name (the original referenced an undefined 'userName')
        DateTime.Now,                       // issue date
        DateTime.Now.AddDays(30),           // expiration
        true,                               // persistent cookie
        roles[0],                           // UserData: the role to carry in the ticket
        FormsAuthentication.FormsCookiePath
    );
    string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
    // SetAuthCookie(string userName, bool createPersistentCookie) takes a user name, not an
    // encrypted ticket: it builds and encrypts its own ticket internally, so authTicket is never sent.
    FormsAuthentication.SetAuthCookie(encryptedTicket, true);
    Response.Redirect("Admin_Content/Admin.aspx");
}
Global.asax.cs Application_AuthenticateRequest
if (HttpContext.Current.User != null)
{
    if (HttpContext.Current.User.Identity.IsAuthenticated)
    {
        if (HttpContext.Current.User.Identity is FormsIdentity)
        {
            FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
            FormsAuthenticationTicket ticket = id.Ticket;   // decrypted and MAC-checked by FormsAuthenticationModule
            // Roles are only attached when the ticket actually carries UserData;
            // otherwise the request keeps the role-less default principal.
            if (!string.IsNullOrEmpty(ticket.UserData))
            {
                string userData = ticket.UserData;
                string[] roles = userData.Split(',');
                HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(id, roles);
            }
        }
    }
}
Main web.config
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <roleManager enabled="true"></roleManager>
    <authentication mode="Forms">
      <forms name="AOTMP_Demo" loginUrl="Login.aspx"
             protection="All" path="/" cookieless="UseCookies"/>
    </authentication>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</configuration>
Admin_Content folder's web.config
<configuration>
  <system.web>
    <authorization>
      <allow roles="Administrator"/>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>
Upvotes: 2
Views: 7550
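The second symptom in the question (every logged-in user reaching Admin_Content) is independent of the ticket problem and comes from the folder's `<authorization>` rules. ASP.NET evaluates them top-down and stops at the first match; `?` matches only anonymous users and `*` matches everyone. An authenticated user who is not an Administrator matches neither rule in the folder config, so the request falls through to the parent web.config, whose `<allow users="*"/>` lets it in. The corrected Admin_Content web.config, added here as an example and not part of the original question, denies everyone who did not match the role rule:

```xml
<configuration>
  <system.web>
    <authorization>
      <!-- first match wins: Administrators are allowed ... -->
      <allow roles="Administrator"/>
      <!-- ... and everyone else, authenticated or not, is denied.
           "?" would only deny anonymous users and let other
           authenticated users fall through to the parent's allow users="*" -->
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
```

Note that `<allow roles="Administrator"/>` only works once the request's principal actually reports that role; with the ticket bug above, UserData is empty, no GenericPrincipal with roles is ever created, and even a genuine administrator would be denied by the corrected rule until the cookie is fixed.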
Reputation: 4480
Try changing
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
FormsAuthentication.SetAuthCookie(encryptedTicket, true);
To
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket));
cookie.HttpOnly = true;   // keep the ticket out of reach of client-side script
Response.Cookies.Add(cookie);
I believe FormsAuthentication.SetAuthCookie
is already calling FormsAuthentication.Encrypt
internally, so you're probably winding up with a malformed cookie.
Upvotes: 0
Reputation: 1060
You should not do this... because it creates a new authorization ticket.
FormsAuthentication.SetAuthCookie();
Instead set the cookie explicitly
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
cookie.Expires = authTicket.Expiration;   // only needed for a persistent ticket
cookie.HttpOnly = true;                   // keep the ticket out of reach of client-side script
Response.Cookies.Add(cookie);             // the cookie must go on the response, not the request
Then it will be available in the global.asax
var userData = ((FormsIdentity)HttpContext.Current.User.Identity).Ticket.UserData;
Upvotes: 2
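Both answers point at the same root cause: FormsAuthentication.SetAuthCookie's first parameter is a user name, so passing it an encrypted ticket makes it build and encrypt a second ticket of its own (version 2 under .NET 4, empty UserData, the encrypted string as the "user name"), which is exactly what the question observes in Global.asax. The end-to-end version below is an added example, not code from the original question or either answer. It assumes a hypothetical caller that has already validated the credentials and supplies the role list; everything else is the real System.Web.Security API.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example (not from the original post). Login-side and Global.asax-side
// halves of the roles-in-UserData pattern, using only the standard API.
public static class TicketHelper
{
    // Login.aspx: build the ticket, encrypt it, and write the cookie ourselves.
    // 'userName' and 'roles' are assumed to come from an already-validated login.
    public static void IssueTicket(HttpResponse response, string userName,
                                   string[] roles, TimeSpan lifetime, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                                   // version we control
            userName,
            DateTime.Now,                        // issue date
            DateTime.Now.Add(lifetime),          // expiration
            persistent,
            string.Join(",", roles),             // UserData: comma-separated roles
            FormsAuthentication.FormsCookiePath);

        // Encrypt() encrypts and MACs the whole ticket with <machineKey>,
        // so a client cannot read or alter the roles it carries.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                              // not readable from script
            Secure = FormsAuthentication.RequireSSL,      // honour requireSSL in <forms>
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent)
        {
            cookie.Expires = ticket.Expiration;           // otherwise a session cookie
        }

        // Deliberately NOT calling FormsAuthentication.SetAuthCookie(encrypted, persistent):
        // that would discard this ticket and issue a fresh one with empty UserData.
        response.Cookies.Add(cookie);
    }

    // Global.asax Application_AuthenticateRequest: rebuild the principal from the ticket.
    public static void AttachRoles(HttpContext context)
    {
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            return;
        }

        // FormsAuthenticationModule has already decrypted and MAC-checked the cookie;
        // a tampered cookie never reaches this point as a FormsIdentity.
        var identity = context.User.Identity as FormsIdentity;
        if (identity == null)
        {
            return;
        }

        FormsAuthenticationTicket ticket = identity.Ticket;
        if (ticket.Expired || string.IsNullOrEmpty(ticket.UserData))
        {
            return;                                        // no roles to attach
        }

        string[] roles = ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(identity, roles);
    }
}
```

Two caveats that follow from the question's own web.config. First, `<roleManager enabled="true">` makes RoleManagerModule replace HttpContext.User with a RolePrincipal during PostAuthenticateRequest, which runs after Application_AuthenticateRequest and throws away the GenericPrincipal built above; either set it to `enabled="false"` when roles come from the ticket, or use a real RoleProvider and drop the UserData scheme. Second, the roles inside an encrypted ticket are frozen for its lifetime: with a 30-day persistent ticket, removing a user from Administrator has no effect until the user logs in again, so keep the lifetime short or re-check the role server-side on sensitive pages.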