Solved

Looking for Forms authentication cookies

Posted on 2004-10-21
Last Modified: 2012-08-13
My app uses forms authentication, i.e. it looks up the user in a database and does

    FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, False)

to show he's authenticated. I thought this generated a cookie, but I can't see one. Am I right to expect one?

Question by:crescendo
    10 Comments
     

    Accepted Solution

    by:
    Hi crescendo,

    The RedirectFromLoginPage does not create the cookie (read the text copied from MSDN)
    Redirects an authenticated user back to the originally requested URL.

    [Visual Basic]
    Overloads Public Shared Sub RedirectFromLoginPage( _
       ByVal userName As String, _
       ByVal createPersistentCookie As Boolean _
    )

    [C#]
    public static void RedirectFromLoginPage(
       string userName,
       bool createPersistentCookie
    );

    [C++]
    public: static void RedirectFromLoginPage(
       String* userName,
       bool createPersistentCookie
    );

    [JScript]
    public static function RedirectFromLoginPage(
       userName : String,
       createPersistentCookie : Boolean
    );

    Parameters
    userName
    Name of the user for cookie authentication purposes. This does not need to map to an account name and will be used by URL Authorization.
    createPersistentCookie
    Specifies whether or not a durable cookie (one that is saved across browser sessions) should be issued.
    Remarks
    The RedirectFromLoginPage method redirects to the return URL key specified in the query string. For example, in the URL http://www.contoso.com/login.aspx?ReturnUrl=caller.aspx, caller.aspx is the return URL that RedirectFromLoginPage redirects to. If the return key does not exist, RedirectFromLoginPage redirects to Default.aspx. ASP.NET automatically adds the return URL when the browser is redirected to the login page specified in the loginUrl attribute in the <forms> Element configuration directive. The method issues an authentication ticket and does a SetForms with the ticket, using the appropriately configured cookie name for the application as part of the redirect response.


    BUT the creation of the cookie is made by GetAuthCookie
    Creates an authentication cookie for a given user name. This does not set the cookie as part of the outgoing response, so that an application can have more control over how the cookie is issued.

    [Visual Basic]
    Overloads Public Shared Function GetAuthCookie( _
       ByVal userName As String, _
       ByVal createPersistentCookie As Boolean _
    ) As HttpCookie

    [C#]
    public static HttpCookie GetAuthCookie(
       string userName,
       bool createPersistentCookie
    );

    [C++]
    public: static HttpCookie* GetAuthCookie(
       String* userName,
       bool createPersistentCookie
    );

    [JScript]
    public static function GetAuthCookie(
       userName : String,
       createPersistentCookie : Boolean
    ) : HttpCookie;

    Parameters
    userName
    Name of the authenticated user. This does not have to map to a Windows account.
    createPersistentCookie
    Specifies whether or not a durable cookie (a cookie that is saved across browser sessions) should be issued. Cookie path defaults to '/'.

    Regards!
    B..M

    Author Comment

    by:crescendo
    Hi

    I'm still lost. Do I need to do more than "RedirectFromLoginPage"? I'm not doing a GetAuthCookie. And what is the "appropriately configured cookie name for the application"?

    Thanks, as always

    Neil

    Expert Comment

    by:mmarinov
    crescendo,

    In your web.config you have a line like this
    <forms name="401kApp" loginUrl="/login.aspx">
    the name attribute is:
    Specifies the HTTP cookie to use for authentication. By default, the value of name is .ASPXAUTH. If multiple applications are running on a single server and each application requires a unique cookie, you must configure the cookie name in each application's Web.config file.

    B..M

    Expert Comment

    by:mmarinov
    crescendo,

    What is your approach to getting this cookie?

    B..M

    Author Comment

    by:crescendo
    OK. Yes, I have a unique name in the <forms> tag.

    In terms of "getting" this cookie, I was just looking in the Cookies folder, expecting to see it there. I have a cookie viewer which parses out the information in the cookie too.

    Just to be sure, are you saying that a cookie is not automatically generated in the RedirectFromLoginPage?

    Author Comment

    by:crescendo
    PS, if I sound confused, it's because I am! I've never had to dig around in this area before.

    Expert Comment

    by:vinhthuy_nguyen
    Hi buddy,
    By default, your cookie will be stored in C:\Documents and Setting\Your account\Cookie. You can easily find it with the localhost@ in the beginning.
    And as Mmarinov says, I think that RedirectFromLoginPage will generate a cookie if you give a TRUE value in the second parameter.
    If I were you, I would give the points to Mmarinov; he makes the story very clear, buddy. :-)
    Just my thinking, hope it doesn't sound confused too.
    BTW, out of curiosity, can you give the name of your cookie viewer software?

    Author Comment

    by:crescendo
    Guys and Gals

    I'm still not sure whether I should be seeing a cookie or not.

    1.  Do I need to do more than "RedirectFromLoginPage" in order to authenticate a user? Logic says no, as my existing code works and the user is not passed back to the login page again.

    2.  Should I expect to see a cookie in my Cookies folder if I set the second parameter to 'False'? The documentation says it uses cookies but I can't see one unless I set the parameter to True.

    Expert Comment

    by:vinhthuy_nguyen
    Hi buddy,
    1. No, RedirectFromLoginPage is a function to redirect you to your expected page after you've been authenticated.
    I think "If  FormsAuthentication.Authenticate(txtUser.Text, txtPassword.Text)  = true "  is the method to authenticate a user.
    2. With RedirectFromLoginPage, a cookie will be created on your machine only when you set the parameter to TRUE.
    But if the parameter is False, a session cookie will be issued and stored in server memory and will expire when you close the browser.
    Hope this helps you.

    Author Comment

    by:crescendo
    <<I think "If  FormsAuthentication.Authenticate(txtUser.Text, txtPassword.Text)  = true "  is the method to authenticate a user.>>

    There is a distinction between "authenticating" a user, and telling the system that the user is authenticated.

    I'm authenticating the user myself, against a database, so I just need to tell the system that the user is OK. RedirectFromLoginPage does this for me, as well as returning the user to the expected page.

    "FormsAuthentication.Authenticate" does the actual authentication, but only if you use one of the standard ASP.NET methods, such as keeping user names and passwords in a file.
    0
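
What the two values of createPersistentCookie look like in the login response, as an added example that is not part of the original thread: a cookie sent without an expires (or max-age) attribute is kept by the browser in memory only, so nothing appears in the Cookies folder. The response headers below are constructed samples with placeholder ticket values, the function names are hypothetical, and 401kApp is the cookie name from the `<forms>` line quoted in the thread.

```python
# Constructed responses to the login POST; ticket values are placeholders.
SESSION_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /caller.aspx\r\n"
    "Set-Cookie: 401kApp=PLACEHOLDER_TICKET; path=/\r\n"
    "\r\n"
)
PERSISTENT_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /caller.aspx\r\n"
    "Set-Cookie: ASP.NET_SessionId=PLACEHOLDER; path=/; HttpOnly\r\n"
    "Set-Cookie: 401kApp=PLACEHOLDER_TICKET; "
    "expires=Fri, 21-Oct-2005 10:00:00 GMT; path=/\r\n"
    "\r\n"
)


def parse_set_cookies(raw_response):
    """Return {cookie_name: {attribute: value}} for every Set-Cookie header."""
    cookies = {}
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        header, _, value = line.partition(":")   # split at the first colon only
        if header.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].partition("=")[0].strip()
        attrs = {}
        for part in parts[1:]:
            if part:
                key, _, val = part.partition("=")
                attrs[key.strip().lower()] = val.strip()
        cookies[name] = attrs
    return cookies


def describe_auth_cookie(raw_response, forms_name=".ASPXAUTH"):
    """Report whether the forms-auth cookie was issued and where it will live."""
    attrs = parse_set_cookies(raw_response).get(forms_name)
    if attrs is None:
        return {"issued": False}
    persistent = "expires" in attrs or "max-age" in attrs
    return {
        "issued": True,
        "storage": "disk (persistent)" if persistent else "browser memory (session)",
        "httponly": "httponly" in attrs,   # flag present on the auth cookie?
        "secure": "secure" in attrs,
    }
```

Looking the cookie up under the default name `.ASPXAUTH` when the application has configured its own name reports it as not issued, which is why the `name` attribute of `<forms>` has to be passed in.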
