Reputation: 267040
Do we know the algorithm that ASP.NET uses to create the authentication cookie (when using forms authentication)?
Can we basically create our own copy implementation? If so, how?
What does it use to generate the encrypted cookie value? I know it uses whatever you pass into the SetAuthCookie call (which is usually the userID/username).
Upvotes: 1
Views: 632
Reputation: 56500
The forms authentication ticket uses the membership identifier, a unique value provided by the configured membership provider. It then takes that value, plus any user data set in the ticket, turns it into a binary blob, adds an issue date and an expiry date and, depending on the configuration, either signs it with an HMAC using the machine key, signs and encrypts it with the machine key, or does nothing at all (bad idea!).
It then writes the cookie out as an HTTP-only cookie.
Then on each request it loads it in, validates it, uses the membership identifier to look up the user, and populates the user details on that thread. If sliding ticket expiry is set, it will refresh the cookie to have a new expiry date.
Upvotes: 6
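The sign-only mode described in the answer above, sketched as an added example (not part of the original posts and not ASP.NET's code or cookie format). The JSON layout, the key, the 30-minute lifetime, the half-lifetime renewal threshold and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; stands in for the machine key's validation key.
MACHINE_KEY = b"constructed-demo-key-not-a-real-machine-key"
TIMEOUT = 1800  # assumed ticket lifetime in seconds

def _sign(blob):
    return hmac.new(MACHINE_KEY, blob, hashlib.sha256).digest()

def issue_ticket(name, user_data="", now=None):
    """Serialize identifier, user data, issue and expiry dates, then append an HMAC."""
    now = int(time.time() if now is None else now)
    blob = json.dumps({"name": name, "data": user_data,
                       "iat": now, "exp": now + TIMEOUT}).encode()
    enc = base64.urlsafe_b64encode
    return enc(blob).decode() + "." + enc(_sign(blob)).decode()

def validate_ticket(cookie, now=None):
    """Return the ticket dict, or None if malformed, tampered with or expired."""
    now = int(time.time() if now is None else now)
    try:
        blob_b64, tag_b64 = cookie.split(".")
        blob = base64.urlsafe_b64decode(blob_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong part count or bad base64
        return None
    # Verify the signature before parsing; constant-time comparison.
    if not hmac.compare_digest(tag, _sign(blob)):
        return None
    ticket = json.loads(blob)
    return ticket if now < ticket["exp"] else None

def handle_request(cookie, now=None):
    """Per-request step: validate, then apply sliding expiry.

    Returns (user name, cookie to send back) or (None, None)."""
    now = int(time.time() if now is None else now)
    ticket = validate_ticket(cookie, now)
    if ticket is None:
        return None, None
    if now - ticket["iat"] > TIMEOUT / 2:  # assumed renewal threshold
        cookie = issue_ticket(ticket["name"], ticket["data"], now)
    return ticket["name"], cookie
```

A signed-only ticket is readable by the client, so anything placed in the user data is visible to the user; the sign-and-encrypt configuration mentioned in the answer is what hides it.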