• Status: Solved

Looking for Forms authentication cookies

My app uses forms authentication, i.e. it looks up the user in a database and does

    FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, False)

to show he's authenticated. I thought this generated a cookie, but I can't see one. Am I right to expect one?

Asked by: crescendo
 
mmarinov Commented:
Hi crescendo,

The RedirectFromLoginPage does not create the cookie (read the text copied from MSDN):
Redirects an authenticated user back to the originally requested URL.

[Visual Basic]
Overloads Public Shared Sub RedirectFromLoginPage( _
   ByVal userName As String, _
   ByVal createPersistentCookie As Boolean _
)

[C#]
public static void RedirectFromLoginPage(
   string userName,
   bool createPersistentCookie
);

[C++]
public: static void RedirectFromLoginPage(
   String* userName,
   bool createPersistentCookie
);

[JScript]
public static function RedirectFromLoginPage(
   userName : String,
   createPersistentCookie : Boolean
);

Parameters
userName
Name of the user for cookie authentication purposes. This does not need to map to an account name and will be used by URL Authorization.
createPersistentCookie
Specifies whether or not a durable cookie (one that is saved across browser sessions) should be issued.
Remarks
The RedirectFromLoginPage method redirects to the return URL key specified in the query string. For example, in the URL http://www.contoso.com/login.aspx?ReturnUrl=caller.aspx, caller.aspx is the return URL that RedirectFromLoginPage redirects to. If the return key does not exist, RedirectFromLoginPage redirects to Default.aspx. ASP.NET automatically adds the return URL when the browser is redirected to the login page specified in the loginUrl attribute in the <forms> Element configuration directive. The method issues an authentication ticket and does a SetForms with the ticket, using the appropriately configured cookie name for the application as part of the redirect response.


BUT the creation of the cookie is made by GetAuthCookie
Creates an authentication cookie for a given user name. This does not set the cookie as part of the outgoing response, so that an application can have more control over how the cookie is issued.

[Visual Basic]
Overloads Public Shared Function GetAuthCookie( _
   ByVal userName As String, _
   ByVal createPersistentCookie As Boolean _
) As HttpCookie

[C#]
public static HttpCookie GetAuthCookie(
   string userName,
   bool createPersistentCookie
);

[C++]
public: static HttpCookie* GetAuthCookie(
   String* userName,
   bool createPersistentCookie
);

[JScript]
public static function GetAuthCookie(
   userName : String,
   createPersistentCookie : Boolean
) : HttpCookie;

Parameters
userName
Name of the authenticated user. This does not have to map to a Windows account.
createPersistentCookie
Specifies whether or not a durable cookie (a cookie that is saved across browser sessions) should be issued. Cookie path defaults to '/'.

Regards!
B..M
0
 
crescendo (Author) Commented:
Hi

I'm still lost. Do I need to do more than "RedirectFromLoginPage"? I'm not doing a GetAuthCookie. And what is the "appropriately configured cookie name for the application"?

Thanks, as always

Neil
0
 
mmarinov Commented:
crescendo,

In your web.config you have a line like this:
<forms name="401kApp" loginUrl="/login.aspx">
the name attribute is:
Specifies the HTTP cookie to use for authentication. By default, the value of name is .ASPXAUTH. If multiple applications are running on a single server and each application requires a unique cookie, you must configure the cookie name in each application's Web.config file.

B..M
0

 
mmarinov Commented:
crescendo,

What is your approach to getting this cookie?

B..M
0
 
crescendo (Author) Commented:
OK. Yes, I have a unique name in the <forms> tag.

In terms of "getting" this cookie, I was just looking in the Cookies folder, expecting to see it there. I have a cookie viewer which parses out the information in the cookie too.

Just to be sure, are you saying that a cookie is not automatically generated in the RedirectFromLoginPage?
0
 
crescendo (Author) Commented:
PS, if I sound confused, it's because I am! I've never had to dig around in this area before.
0
 
vinhthuy_nguyen Commented:
Hi buddy,
By default, your cookie will be stored in C:\Documents and Setting\Your account\Cookie. You can easily find it with the localhost@ at the beginning.
And as Mmarinov says, I think that RedirectFromLoginPage will generate a cookie if you give a TRUE value in the second parameter.
If I were you, I would give the point to Mmarinov; he makes the story very clear, buddy. :-)
Just my thinking, hope it doesn't sound confused too.
BTW, I'm curious: can you give the name of your cookie viewer software?
0
 
crescendo (Author) Commented:
Guys and Gals

I'm still not sure whether I should be seeing a cookie or not.

1.  Do I need to do more than "RedirectFromLoginPage" in order to authenticate a user? Logic says no, as my existing code works and the user is not passed back to the login page again.

2.  Should I expect to see a cookie in my Cookies folder if I set the second parameter to 'False'? The documentation says it uses cookies but I can't see one unless I set the parameter to True.
0
 
vinhthuy_nguyen Commented:
Hi buddy,
1. No, RedirectFromLoginPage is a function to redirect you to your expected page after you've been authenticated.
I think "If  FormsAuthentication.Authenticate(txtUser.Text, txtPassword.Text)  = true "  is the method to authenticate a user.
2. With RedirectFromLoginPage, only when you set it to TRUE will a cookie be created on your machine.
But if the parameter is False, a session cookie will be issued and stored in server memory and will expire when you close the browser.
Hope this helps you.
0
 
crescendo (Author) Commented:
<<I think "If  FormsAuthentication.Authenticate(txtUser.Text, txtPassword.Text)  = true "  is the method to authenticate a user.>>

There is a distinction between "authenticating" a user, and telling the system that the user is authenticated.

I'm authenticating the user myself, against a database, so I just need to tell the system that the user is OK. RedirectFromLoginPage does this for me, as well as returning the user to the expected page.

"FormsAuthentication.Authenticate" does the actual authentication, but only if you use one of the standard ASP.NET methods, such as keeping user names and passwords in a file.
0
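
The persistent-versus-session question in this thread can be settled from the Set-Cookie header of the login response. The following is an added example, not code from any of the posts: a cookie sent without an expires or max-age attribute is a session cookie, which the browser holds in memory and never writes to the Cookies folder. The header strings and ticket values are constructed samples, and the HttpOnly/Secure check is an addition beyond what the thread discusses.

```python
# Added example: classify a forms-authentication Set-Cookie header.
# The header strings below are constructed samples, not captured traffic.

SESSION_HEADER = ".ASPXAUTH=CONSTRUCTED-TICKET; path=/"
PERSISTENT_HEADER = ("401kApp=CONSTRUCTED-TICKET; "
                     "expires=Fri, 01-Jan-2055 00:00:00 GMT; path=/; HttpOnly")


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def classify_auth_cookie(header, cookie_name=".ASPXAUTH"):
    """Say where the browser keeps the auth cookie and which flags are absent.

    Returns None when the header sets some other cookie.
    """
    name, _, attrs = parse_set_cookie(header)
    if name != cookie_name:
        return None
    # No expires/max-age means a session cookie: kept in browser memory only,
    # so nothing appears in the on-disk Cookies folder.
    persistent = "expires" in attrs or "max-age" in attrs
    missing = [flag for flag in ("httponly", "secure") if flag not in attrs]
    return {
        "storage": "disk" if persistent else "browser memory",
        "expires": attrs.get("expires"),
        "missing_flags": missing,
    }


if __name__ == "__main__":
    print(classify_auth_cookie(SESSION_HEADER))
    print(classify_auth_cookie(PERSISTENT_HEADER, cookie_name="401kApp"))
```

Pass the value of the name attribute from the <forms> element as cookie_name when the application does not use the default .ASPXAUTH.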