Can anyone give me an example (or point me in the right direction) on how to store custom data in an ASP.NET Membership cookie?
I need to add some custom properties like UserID and URLSlug to the cookie and be able to retrieve the information in the same way one would retrieve the Username.
Edit:
I used Code Poet's example and came up with the following.
When I set a breakpoint at Dim SerializedUser As String = SerializeUser(userData) the value of userData is right. It has all the properties I expect it to have.
The problem I'm now running into is that when I get to Dim userdata As String = authTicket.UserData (breakpoint), the value is "". I'd love to figure out what I'm doing wrong.
Here's the code.
Imports System
Imports System.Web
Imports System.Web.Security
Namespace Utilities.Authentication
Public NotInheritable Class CustomAuthentication
Private Sub New()
End Sub
Public Shared Function CreateAuthCookie(ByVal userName As String, ByVal userData As Domain.Models.UserSessionModel, ByVal persistent As Boolean) As HttpCookie
Dim issued As DateTime = DateTime.Now
''# formsAuth does not expose timeout!? have to hack around the
''# spoiled parts and keep moving..
Dim fooCookie As HttpCookie = FormsAuthentication.GetAuthCookie("foo", True)
Dim formsTimeout As Integer = Convert.ToInt32((fooCookie.Expires - DateTime.Now).TotalMinutes)
Dim expiration As DateTime = DateTime.Now.AddMinutes(formsTimeout)
Dim cookiePath As String = FormsAuthentication.FormsCookiePath
Dim SerializedUser As String = SerializeUser(userData)
Dim ticket = New FormsAuthenticationTicket(0, userName, issued, expiration, True, SerializedUser, cookiePath)
Return CreateAuthCookie(ticket, expiration, persistent)
End Function
Public Shared Function CreateAuthCookie(ByVal ticket As FormsAuthenticationTicket, ByVal expiration As DateTime, ByVal persistent As Boolean) As HttpCookie
Dim creamyFilling As String = FormsAuthentication.Encrypt(ticket)
Dim cookie = New HttpCookie(FormsAuthentication.FormsCookieName, creamyFilling) With { _
.Domain = FormsAuthentication.CookieDomain, _
.Path = FormsAuthentication.FormsCookiePath _
}
If persistent Then
cookie.Expires = expiration
End If
Return cookie
End Function
Public Shared Function RetrieveAuthUser() As Domain.Models.UserSessionModel
Dim cookieName As String = FormsAuthentication.FormsCookieName
Dim authCookie As HttpCookie = HttpContext.Current.Request.Cookies(cookieName)
Dim authTicket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(authCookie.Value)
Dim userdata As String = authTicket.UserData
Dim usersessionmodel As New Domain.Models.UserSessionModel
usersessionmodel = DeserializeUser(userdata)
Return usersessionmodel
End Function
Private Shared Function SerializeUser(ByVal usersessionmodel As Domain.Models.UserSessionModel) As String
Dim bf As New Runtime.Serialization.Formatters.Binary.BinaryFormatter()
Dim mem As New IO.MemoryStream
bf.Serialize(mem, usersessionmodel)
Return Convert.ToBase64String(mem.ToArray())
End Function
Private Shared Function DeserializeUser(ByVal serializedusersessionmodel As String) As Domain.Models.UserSessionModel
Dim bf As New Runtime.Serialization.Formatters.Binary.BinaryFormatter()
Dim mem As New IO.MemoryStream(Convert.FromBase64String(serializedusersessionmodel))
Return DirectCast(bf.Deserialize(mem), Domain.Models.UserSessionModel)
End Function
End Class
End Namespace
Here's where I create all the magic. This method is in a "BaseController" class that inherits System.Web.Mvc.Controller
Protected Overrides Function CreateActionInvoker() As System.Web.Mvc.IActionInvoker
If User.Identity.IsAuthenticated Then ''# this if statement will eventually also check to make sure that the cookie actually exists.
Dim sessionuser As Domain.Models.UserSessionModel = New Domain.Models.UserSessionModel(OpenIdService.GetOpenId(HttpContext.User.Identity.Name).User)
HttpContext.Response.Cookies.Add(UrbanNow.Core.Utilities.Authentication.CustomAuthentication.CreateAuthCookie(HttpContext.User.Identity.Name, sessionuser, True))
End If
End Function
And here's how I try and retrieve the info.
Dim user As Domain.Models.UserSessionModel = CustomAuthentication.RetrieveAuthUser
First of all ASP.Net Membership providers don't write any cookies, Authentication cookies are written by FormsAuthentication.
And secondly, why interfere into authentication cookie at all. You can do this in a seperate cookie altogether. Here's how you can do that.
Writing the keys-values into cookie.
//create a cookie
HttpCookie myCookie = new HttpCookie("myCookie");
//Add key-values in the cookie
myCookie.Values.Add("UserId", "your-UserId");
myCookie.Values.Add("UrlSlug", "your-UrlSlug");
//set cookie expiry date-time, if required. Made it to last for next 12 hours.
myCookie.Expires = DateTime.Now.AddHours(12);
//Most important, write the cookie to client.
Response.Cookies.Add(myCookie);
Reading the keys-values from cookie.
//Assuming user comes back after several hours. several < 12.
//Read the cookie from Request.
HttpCookie myCookie = Request.Cookies["myCookie"];
if (myCookie == null)
{
//No cookie found or cookie expired.
//Handle the situation here, Redirect the user or simply return;
}
//ok - cookie is found.
//Gracefully check if the cookie has the key-value as expected.
if (!string.IsNullOrEmpty(myCookie.Values["UserId"]))
{
string UserId= myCookie.Values["UserId"].ToString();
//Yes UserId is found. Mission accomplished.
}
if (!string.IsNullOrEmpty(myCookie.Values["UrlSlug"]))
{
string UrlSlug = myCookie.Values["UrlSlug"].ToString();
//Yes key2 is found. Mission accomplished.
}
If at all you need to disturb the
authentication cookie, though not
advisable, This is how you may do it.
Writing the keys-values into cookie.
//create a cookie
HttpCookie myCookie = FormsAuthentication.GetAuthCookie("UserName", true);
//Add key-values in the cookie
myCookie.Values.Add("UserId", "your-UserId");
myCookie.Values.Add("UrlSlug", "your-UrlSlug");
//set cookie expiry date-time, if required. Made it to last for next 12 hours.
myCookie.Expires = DateTime.Now.AddHours(12);
//Most important, write the cookie to client.
Response.Cookies.Add(myCookie);
Reading the keys-values from cookie.
//Assuming user comes back after several hours. several < 12.
//Read the cookie from Request.
HttpCookie myCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
if (myCookie == null)
{
//No cookie found or cookie expired.
//Handle the situation here, Redirect the user or simply return;
}
//ok - cookie is found.
//Gracefully check if the cookie has the key-value as expected.
if (!string.IsNullOrEmpty(myCookie.Values["UserId"]))
{
string UserId= myCookie.Values["UserId"].ToString();
//Yes UserId is found. Mission accomplished.
}
if (!string.IsNullOrEmpty(myCookie.Values["UrlSlug"]))
{
string UrlSlug = myCookie.Values["UrlSlug"].ToString();
//Yes key2 is found. Mission accomplished.
}
Depending on the scenario, using a separate cookie might be a viable option, but in my opinion is sub optimal for several reasons including the simple fact that you have to manage multiple cookies as well as managing the lifetime of the cookie.
The most reliable strategy for incorporating custom information into your forms ticket is to leverage the userData field of the ticket. That is exactly what it is there for.
You can easily store custom data in the userData field of the ticket.
There are a few concerns to be aware of regarding the size of the data to be stored in the ticket that are explained here
And here is a small class that can help in the task of storing custom data in your forms ticket.
Related
I have a simple login page as below:
protected void btnLogIn_Click(object sender, EventArgs e)
{
FormsAuthentication.Initialize();
string CS = ConfigurationManager.ConnectionStrings["IS"].ConnectionString;
using (SqlConnection con = new SqlConnection(CS))
{
con.Open();
SqlCommand cmd = new SqlCommand("Select Roles from tblRegisteredUsers where Email=#Email and Password=#Password",con);
cmd.Parameters.AddWithValue("#Email", txtEmail.Text);
cmd.Parameters.AddWithValue("#Password", txtPassword.Text);
SqlDataReader rdr = cmd.ExecuteReader();
if(rdr.Read())
{
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
txtEmail.Text,
DateTime.Now,
DateTime.Now.AddMinutes(30),
true,
rdr.GetString(0),
FormsAuthentication.FormsCookiePath);
string hash = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,hash);
if(ticket.IsPersistent) cookie.Expires=ticket.Expiration;
Response.Cookies.Add(cookie);
string returnUrl = Request.QueryString["returnUrl"];
if(returnUrl==null) returnUrl="/";
Response.Redirect(returnUrl);
}
else
{
lblMessage.Text = "Invalid Email/Password.Please try again.";
}
rdr.Close();
}
}
I have used folder level roles authentication with each folder having its own web.config file.I am sure that the user gets authenticated successfully because the see the username in loginName.This is definitely a redirection issue.What can i do to redirect the users to my Homepage after successful login?
Is anybody still helping me on this?
just a suggestion. you may redirect to homepage or if required then create a global variable and maintain the last visited page url in it. hope it helps
string returnUrl = Request.QueryString["returnUrl"];
I think your query string fetch null value thats why it statifises the IF condition and take the return URL as '/' so it redirects to current page.
Put a debug point near the highlighted portion and see what value you are getting for return url
Instead of
string returnUrl = Request.QueryString["returnUrl"];
if(returnUrl==null) returnUrl="/";
Response.Redirect(returnUrl);
just write
Response.Redirect(<"your url for the homepage">);
Eg
For MVC application it will be Response.Redirect("/home/index");
You will have to redirect to another page like this:
Response.Redirect("myhomepage.aspx");
you need to provide your page name with .aspx extension at the end unlike that in MVC where you needed to provide the URL.
I am writing an MVC 4 web application with custom authentication and authorisation. When a user logs into the site, I create a a FormsAuthenticationTicket and store it in a cookie
public void SignIn(string userName, bool createPersistentCookie, string UserData)
{
if (String.IsNullOrEmpty(userName)) throw new ArgumentException("Value cannot be null or empty.", "userName");
// Create and tuck away the cookie
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, userName, DateTime.Now, DateTime.Now.AddDays(15), createPersistentCookie, UserData);
// Encrypt the ticket.
string encTicket = FormsAuthentication.Encrypt(authTicket);
//// Create the cookie.
HttpCookie faCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
HttpContext.Current.Response.Cookies.Add(faCookie);
}
The UserData string will be a pipe delimited string and it will always contain at least two items, UserID | UserRole. A user can be assigned to one or more roles, therefore, the UserData could look like this UserID | UserRole | UserRole | UserRole
I then have my own custom generic principal in Global.asax
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
// Get the authentication cookie
string cookieName = FormsAuthentication.FormsCookieName;
HttpCookie authCookie = Context.Request.Cookies[cookieName];
// If the cookie can't be found, don't issue the ticket
if (authCookie == null) return;
// Get the authentication ticket and rebuild the principal
// & identity
FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);
string[] UserData = authTicket.UserData.Split(new Char[] { '|' });
GenericIdentity userIdentity = new GenericIdentity(authTicket.Name);
GenericPrincipal userPrincipal = new GenericPrincipal(userIdentity, UserData);
Context.User = userPrincipal;
}
This all works fine, however, within my application, if a user has multiple roles, when they log in, I need to list their roles, and then let them select only one role to go and perform functionality based on the selected role.
I was thinking, to do this, maybe I could pass the role the user selects to a method, get their FormsAuthenticationTicket and update the UserData to reflect the role they have choosen. For example, a UserData string is created with 1|Manager|Applicant, then I need to list both roles and ask the user which role they want to perform functionality under, they select Manager and I then update their UserData within their FormsAuthenticationTicket to 1|Manager.
Is this even possible, or maybe there is a better way of doing this?
Any help would be greatly appreciated.
Thanks everyone.
You could always change FormsAuthenticationTicket.
HttpCookie cookie = FormsAuthentication.GetAuthCookie(Username, true);
var ticket = FormsAuthentication.Decrypt(cookie.Value);
var newticket = new FormsAuthenticationTicket(ticket.Version,
ticket.Name,
ticket.IssueDate,
ticket.Expiration,
true,
"new user data",
ticket.CookiePath);
cookie.Value = FormsAuthentication.Encrypt(newticket);
cookie.Expires = newticket.Expiration.AddHours(24);
HttpContext.Current.Response.Cookies.Set(cookie);
As I said in my comment, I feel this is very poor usability. However, if you're determined to do this, then Dzenan's approach would work (you essentially just strip out all the other roles after the user has selected which role he wants).
Another approach would be to add an additional field to your userdata, which is SelectedRole. Then create a custom IPrincipal that includes this field.
Another approach would be to store it as your own cookie, although I would make sure that you validate that you aren't setting a role that the user is not authorized for (ie if you set SelectedRole=Admin make sure the user has an Admin role before you use it).
I have been working on a web application that is setup on IIS 7 as one of several applications and web services operating under the DefaultWebSite. When developing on localhost, my FormsAuthentication cookie persists; however, when published on the server the cookie(s) are not persistent. I am using SQLServer sessions, and have validation keys in the web config to rule out application pool recycling. I have been trying to figure this out for a while now with no luck...please help!
Here is some code below:
<forms name=".OPTFORMSTEST" loginUrl="~/Secure/Login.aspx" defaultUrl="~/Default.aspx" timeout="240" path="/" slidingExpiration="false" protection="All" />
Public Shared Function DoLogin(ByVal strUsername As String, ByVal isPersistent As Boolean)
Dim authTicket As FormsAuthenticationTicket
Dim authCookie As HttpCookie
Dim strUserData As String = strUsername
Dim intTimeoutPersist As Integer = 43200 '(30 days)
Dim intTimeoutNonPersist As Integer = 300 '(5 hours)
Dim intRtn As Integer = 1
Dim strCookiePath As String = Current.Request.Url.AbsolutePath.Remove(Current.Request.ApplicationPath.Length)
Try
'set cookie timout period and create auth ticket based on isPersistent
If isPersistent Then
'create a persistent ticket
authTicket = New FormsAuthenticationTicket(1, strUsername, _
DateTime.Now(), _
DateTime.Now.AddMinutes(intTimeoutPersist), _
True, strUserData)
Else
'create a temp ticket
authTicket = New FormsAuthenticationTicket(1, strUsername, _
DateTime.Now(), _
DateTime.Now.AddMinutes(intTimeoutNonPersist), _
False, strUserData)
End If
'create encrypted string for user data
Dim strEncr As String = FormsAuthentication.Encrypt(authTicket)
'create cookie
authCookie = New HttpCookie("OPTFORMSTEST", strEncr)
'set cookie expiration based on the auth ticket
If isPersistent Then
authCookie.Expires = authTicket.Expiration
End If
Current.Response.Cookies.Add(authCookie)
Catch ex As Exception
intRtn = -1
End Try
Return intRtn
End Function
After some experimenting, I found out that the RedirectFromLoginPage method was creating another cookie when used from the production box. I replaced with a Response.Redirect and only one cookie was created and it was persistent.
Is there a way to detect the AD credentials of a user and use them to create a NetworkCredential object that can be used to query a webservice? An excerpt of my code is below, basically I'm querying a GIS database through a webservice and the webservice requires Windows AD authentication.
Currently this is a manual process and so we just hardcode our own AD credentials into the variables up top and it works fine but I'd like the page the detect someone's AD credentials and use them to create the NetworkCredential object so we can have our internal customers use the page as well.
Public Function getJSON(ByVal url As String) As String
Dim HTMLSource As String = ""
Dim Request As WebRequest = WebRequest.Create(url)
Request.Credentials = New NetworkCredential(username, password, domain)
Dim Response As WebResponse = Request.GetResponse
Dim SR As StreamReader
SR = New StreamReader(Response.GetResponseStream)
HTMLSource = SR.ReadToEnd
SR.Close()
Return HTMLSource
End Function
Let to user delegate his Kerberos credential to your server/service, extract that during authentication, impersonate and perform your request on behalf of the user.
FormsAuthenticationUserData userData = new FormsAuthenticationUserData(member.Id, member.Role, member.Gender);
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, member.UserName, DateTime.Now, DateTime.Now.AddHours(24), true, userData.Serialize());
string encTicket = FormsAuthentication.Encrypt(ticket);
HttpCookie faCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
faCookie.Expires = DateTime.Now.AddHours(25);
Response.Cookies.Add(faCookie);
string redirectUrl = FormsAuthentication.GetRedirectUrl(member.UserName, false);
Response.Redirect(redirectUrl, true);
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
if (authCookie != null)
{
FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);
try
{
WebIdentity identity = new WebIdentity(authTicket.Name, authTicket.UserData);
WebPrincipal currentMember = new WebPrincipal(identity);
Context.User = currentMember;
}
catch
{
FormsAuthentication.SignOut();
FormsAuthentication.RedirectToLoginPage();
Response.End();
}
}
}
the user cannot login when client date time is greater than server date time (make cookie null and cannot login)
what is solution?
thanx a lot!
After reading your comment, this is expected behaviour that cannot be changed. The system is doing what it is meant to. You could set the cookie expire later or use a rolling timeout, however, I see no reason for the machine datetime to be out by so far.
This technique avoids using the browser's date/time completely.
Set the FormsAuthentication cookie to never expire, or to expire after 100 years.
Store the actual expiration based on server time in the authenticationTicket.Expiration property. See here.
After the server authenticates a request, it should check the authenticationTicket.Expiration to see if it has expired. I'm not 100% sure the system does this automatically, you may have to hook into the Application_AuthenticateRequest event and do it yourself.
If it has expired, the web server should deny the request; render an HTTP 403 status code and a set-cookie header to remove the cookie at that point.