Reputation: 4010
IsAuthenticated is always false when including HttpCookie subkeys or not encrypting
Okay, I've been assigned with authenticating used on a login page. I've been working on this for quite a while and decided to clean up it up. The problem that I faced is one of those problems where exceptions aren't thrown, no error is generated, and everything looks okay, but when you try to use a function, it gives back a result that you don't want.
The code I used looks very similar to code from this page:
http://msdn.microsoft.com/en-us/library/system.web.security.formsauthenticationticket.aspx
I've used the code from the demo in my project:
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
username,
DateTime.Now,
DateTime.Now.AddMinutes(30),
isPersistent,
userData,
FormsAuthentication.FormsCookiePath);
// Encrypt the ticket.
string encTicket = FormsAuthentication.Encrypt(ticket);
HttpCookie myCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket)
// Create the cookie.
Response.Cookies.Add(myCookie);
So if I logged in, everything works and the below code evaluates to true: HttpContext.Current.User.Identity.IsAuthenticated;
However, if I wanted to include subkeys to myCookie using either versions:
myCookie.Values.Add("userName", "patrick"); //version 1
myCookie.Values["userName"] = "patrick"; //version 2
Then you add to the cookies collection:
Response.Cookies.Add(myCookie);
Then refresh the page after login:
//This always set to false even after successful log on
HttpContext.Current.User.Identity.IsAuthenticated;
No clue why!
I wanted to do something where I don't have to add the encryption value to the httpcookie immediately:
//IsAuthenticated doesn't work = false
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormCookieName);
cookie.Values.Add("encryptTicket", encTicket);
It's just weird that adding subkeys don't work at all. And that I am forced to encypt a ticket in order to make it work. What I mean, is that IsAuthenticated is false all the time, logged in and authenticated or not. Can anyone try to explain what's going on with this? I have a working solution, but any insight would be helpful.
Upvotes: 0
Views: 816
Answers (1)
Reputation: 4010
Okay, think I figured this out. It's because of how my web.config was set up for forms authentication. Using the forms tag.
The FormsAuthenticationTicket looks at that tag for specific information, and if I didn't create a cookie off of it, it wouldn't authenticate me. This was also defaulted to cookieless mode to UseCookies.
But anyways, after I create a cookie off of that, then I become authenticated and then a new session is created for me. After that, I can then provide any extra cookies I want and let the website use them as needed. But as long as that AuthCookie (in my case .ASPXAUTH) is valid, so is my authentication session.
In fact, when I tried to make a cookie session end when the browser closed, by setting the expiration date to MinValue for the cookie and the ticket, I wasn't able to authenticate either! I had to make the ticket last longer than the actual cookie so that the ticket doesn't expire before the cookie does.
The ticket information is really a configuration used to make the cookie, and after cookie creation, the browser is what defines how the cookies are used.
Upvotes: 0
Related Questions
- Forms Authentication - Require SSL - Setting Authentication Cookie Fails
- formsauthenticationticket is decrypted with previous login data
- Setting HttpCookie as HttpOnly
- System.Web.Security.FormsAuthentication.Encrypt returns null
- User still not authenticated after AuthCookie is added
- Error with HttpCookie in Asp.net MVC
- FormsAuthentication.Decrypt always returns null in one of the web servers
- FormsAuthentication authCookie is null only for some users
- mvc custom httpcookie used to authorize
- HttpCookie works locally but not on server