This post originated from an RSS feed registered with .NET Buzz
by Scott Hanselman.
Original Post: Cookieless Forms Authentication
Feed Title: Scott Hanselman's ComputerZen.com
Feed URL: http://radio-weblogs.com/0106747/rss.xml
Feed Description: Scott Hanselman's ComputerZen.com is a .NET/WebServices/XML Weblog. I offer details of obscurities (internals of ASP.NET, WebServices, XML, etc) and best practices from real world scenarios.
A couple of people emailed me wanting to know how I did Cookie-less
Forms Auth. I've not validated that it's 100% perfect, and it's slightly
different from this article at CodeProject.
The first step is noticing that Forms Authentication in the .NET Framework creates
a cookie, and there's no way to get around it. Therefore, doing Forms Auth in
a cookieless way requires extra work. ;) Acceptance is the first step.
I can't give you all the code as it's internal to us, but here's the gist:
```csharp
public static void Login(string userName, string password)
{
    HttpContext ctx = HttpContext.Current;
    //
    // ** LOG THEM INTO WHATEVER YOU NEED TO LOG THEM INTO HERE
    // Log.Debug(String.Format("Logging in {0} with password {1}", userName, password));
    ctx.Session["AuthenticatedAs"] = userName;

    // create a valid ticket for forms authentication
    FormsAuthenticationTicket tkt = new FormsAuthenticationTicket(1, userName,
        DateTime.Now, DateTime.Now.AddMinutes(30), false,
        "whatever you want custom data here");

    // get the string representation of the ticket
    ctx.Session[Constants.ASPNETAUTHTICKET] = FormsAuthentication.Encrypt(tkt);
}
```
Assume that you made sure their name and password are kosher. Then
I create a FormsAuthenticationTicket manually and give it some timeout value, in this
case thirty minutes. Then I stick the Base64'ed ticket in the Session object
rather than the Cookies collection. Since we're using Cookieless Session State,
the Session is managed via a SessionID in the URL.
In the Global.asax, I grab AcquireRequestState (seemed like a reasonable place) and
delegate it to a Ticket Renewal routine that also makes sure they have a valid AuthTicket.
```csharp
// Body of the ticket-renewal routine (it returns bool); ctx is HttpContext.Current.
if (ctx.Session[Constants.ASPNETAUTHTICKET] != null)
{
    Log.Debug("User has an ASP.NET Auth Ticket in their Session object");

    // Make sure the ticket is valid. It should be impossible for it to be invalid.
    string AuthTicket = (string)ctx.Session[Constants.ASPNETAUTHTICKET];
    FormsAuthenticationTicket tkt = FormsAuthentication.Decrypt(AuthTicket);
    if (tkt == null)
    {
        Log.Error(String.Format("Invalid FormsAuthenticationTicket! Value: {0}", AuthTicket));
        SiteSecurity.Logoff();
        return false;
    }

    Log.Debug("Start Renewing FormsAuthenticationTicket");
    tkt = FormsAuthentication.RenewTicketIfOld(tkt);
    ctx.Session[Constants.ASPNETAUTHTICKET] = FormsAuthentication.Encrypt(tkt);
    Log.Debug("End Renewing FormsAuthenticationTicket");

    Log.Info("User is LOGGED IN to ASP.NET and has a VALID AUTHTICKET");
}
```
If anyone has any thoughts about making this better, let me know.
I'm not sure if I need to Renew the ticket EVERY request. Renew doesn't appear
to be the most performant thing.
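As an added example (not the post's own code), here is a complete Global.asax.cs handler built on the same idea: it reads the encrypted ticket out of the cookieless Session, rejects one that fails to decrypt or has expired, renews it, and then sets HttpContext.User so that the rest of the pipeline (the web.config <authorization> rules, User.Identity.Name) sees the login, which the snippets above do not show. The key name AuthTicketKey, the Global class name and the use of PostAcquireRequestState instead of AcquireRequestState are my assumptions, the last chosen so SessionStateModule has definitely populated Session before the handler runs. Two points worth checking in any version of this: FormsAuthentication.Decrypt does not return null for an expired ticket, it returns it with Expired set, so expiry is a separate test; and RenewTicketIfOld hands back the same object until more than half the ticket's lifetime has elapsed, so Encrypt only needs to run when a new ticket was actually issued.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example, not code from the original post. Drop-in Global.asax.cs for a
// cookieless-session site that keeps the encrypted forms ticket in Session.
public class Global : HttpApplication
{
    // Assumed key name; the post uses Constants.ASPNETAUTHTICKET.
    private const string AuthTicketKey = "ASPNETAUTHTICKET";

    // PostAcquireRequestState fires after every AcquireRequestState handler,
    // including SessionStateModule's, so ctx.Session is loaded by now.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;

        // Handlers that do not require session state (static files, some
        // IHttpHandlers) get no Session object; there is nothing to check.
        if (ctx.Session == null)
            return;

        string encrypted = ctx.Session[AuthTicketKey] as string;
        if (string.IsNullOrEmpty(encrypted))
            return; // anonymous request

        FormsAuthenticationTicket tkt;
        try
        {
            // Returns null when the value was not produced under this
            // application's machineKey (tampered or foreign ticket).
            tkt = FormsAuthentication.Decrypt(encrypted);
        }
        catch (Exception)
        {
            // A malformed string can throw rather than return null; treat
            // it the same way as an invalid ticket.
            tkt = null;
        }

        // Decrypt does not reject an expired ticket; it comes back with
        // Expired == true, so that has to be tested explicitly.
        if (tkt == null || tkt.Expired)
        {
            ctx.Session.Remove(AuthTicketKey);
            ctx.Session.Abandon();
            return;
        }

        // Sliding expiration: RenewTicketIfOld returns the original object
        // until more than half the lifetime has elapsed, so re-encrypting
        // only when a new ticket was issued avoids an Encrypt per request.
        FormsAuthenticationTicket renewed = FormsAuthentication.RenewTicketIfOld(tkt);
        if (!ReferenceEquals(renewed, tkt))
            ctx.Session[AuthTicketKey] = FormsAuthentication.Encrypt(renewed);

        // Publish the identity so <authorization> and User.Identity work
        // exactly as they would with the normal forms cookie.
        ctx.User = new GenericPrincipal(new FormsIdentity(renewed), new string[0]);
    }
}
```

With HttpContext.User populated, the usual `<authorization><deny users="?" /></authorization>` rule in web.config applies to the cookieless login, and pages can call `User.Identity.IsAuthenticated` without knowing the ticket lives in Session rather than a cookie.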
P.S. Check out HttpResponse.ApplyAppPathModifier when
you make URLs on the server side. It "adds a session ID to the virtual path
if the session is using cookieless session state and returns the combined path. If
cookieless session state is not used, ApplyAppPathModifier returns the original
virtual path." Needless to say, it's invaluable when dealing with cookieless
sessions.