What am I doing wrong with my FormsAuthenticationTicket?

I am trying to recreate my cookie that is usually generated by FormsAuthentication.SetAuthCookie() and what is in web.config.

    <authentication mode="Forms">
        <forms loginUrl="~/Account/LogOn" protection="All" timeout="20160" name=".ASPXAUTH" path="/" requireSSL="false" slidingExpiration="false" defaultUrl="default.aspx" cookieless="UseDeviceProfile" enableCrossAppRedirects="false"/>
    </authentication>


However, I want to send another piece of data; as I understand it, I need to make my own FormsAuthenticationTicket to add this data (or combine it all with the username in SetAuthCookie and split).

So I'm trying to make it secure (or more secure), like the one it makes from web.config, so that it has the same values as the one generated from web.config.

So this is what I have so far:

    // version 1, user "chobo2", issued now, expires in 10 years, persistent, userData "test"
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, "chobo2", DateTime.Now, DateTime.Now.AddYears(10), true, "test");
    // encrypt and MAC the ticket with the machineKey settings
    string encTicket = FormsAuthentication.Encrypt(ticket);
    // the cookie is created with no Expires, Secure or HttpOnly set
    Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));


However, I'm still not sure what it is using. Is it using stuff from web.config? It does not ask for cookieName or timeout.

When I look at this cookie in the browser's web developer tools, it says that it is not secure and will expire at the end of the session.

When I look at the cookie generated with web.config, it has an expiration date of 12 October and still says that it is not secure (assuming it references SSL).

Also, I am still confused about userData. How can I add this value later? How can I add it more than once after data processing?

Do I always have to decrypt (i.e. call the decryption method) to decrypt the cookie, or does it do it automatically?

What encryption is the default cookie?

Thanks

+2

1 answer


You need to manually set all of these properties on the forms authentication ticket. You can access most of the values through static accessors in the FormsAuthentication class. The configuration parameters in the web.config file are only used when using FormsAuthentication.GetAuthCookie or FormsAuthentication.SetAuthCookie.

User data can be retrieved by retrieving and decrypting the forms authentication ticket and then using the accessor for the UserData attribute on the decrypted ticket.

You always need to decrypt the ticket to access user data.



http://msdn.microsoft.com/en-us/library/ms998310.aspx contains information about encryption and validation ciphers, but by default the ticket is encrypted using AES and verified using SHA1 (HMACSHA1).

http://support.microsoft.com/kb/910443 contains additional information and links that may answer any other questions you may have.

+3
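A helper for the manual path the answer describes, added here as an example (it is not code from the question or the answer; the class and method names are hypothetical). It takes the same values SetAuthCookie would read from web.config, sets Expires only for persistent tickets, validates the incoming ticket, and re-issues the ticket when UserData has to change. It assumes .NET 4.0 or later for FormsAuthentication.Timeout.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper, not from the question or the answer: builds the cookie by
// hand but takes the values SetAuthCookie would read from web.config.
public static class AuthTicketHelper
{
    public static HttpCookie CreateAuthCookie(string userName, string userData, bool persistent)
    {
        DateTime issued = DateTime.Now;
        // FormsAuthentication.Timeout (.NET 4.0+) mirrors the timeout attribute (20160 minutes here)
        var ticket = new FormsAuthenticationTicket(1, userName, issued, issued.Add(FormsAuthentication.Timeout),
            persistent, userData ?? string.Empty, FormsAuthentication.FormsCookiePath);
        return ToCookie(ticket);
    }

    // Changing UserData later means issuing a new ticket: the ticket object is immutable.
    public static HttpCookie ReplaceUserData(FormsAuthenticationTicket old, string newUserData)
    {
        var renewed = new FormsAuthenticationTicket(old.Version, old.Name, old.IssueDate,
            old.Expiration, old.IsPersistent, newUserData, old.CookiePath);
        return ToCookie(renewed);
    }

    // Decrypts and validates the incoming ticket; null means missing, tampered or expired.
    public static FormsAuthenticationTicket ReadTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; } // MAC failure or malformed value; exception type varies by version
        return (ticket == null || ticket.Expired) ? null : ticket;
    }

    private static HttpCookie ToCookie(FormsAuthenticationTicket ticket)
    {
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                         // keep the ticket out of reach of page script
            Secure = FormsAuthentication.RequireSSL, // mirrors requireSSL in web.config
            Path = ticket.CookiePath
        };
        if (!string.IsNullOrEmpty(FormsAuthentication.CookieDomain))
            cookie.Domain = FormsAuthentication.CookieDomain;
        // No Expires means a session cookie (what the question saw); only persistent tickets outlive the session
        if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;
        return cookie;
    }
}
```

Call Response.Cookies.Add on the returned cookie; ReadTicket returns null rather than throwing so a bad cookie is treated as anonymous.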
