Trying to figure out forms authentication

From: Randall Parker <NOtechieSPAMpundit_please@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Sun, 04 Dec 2005 22:36:52 -0800

Some questions on forms authentication:

1) Can one do one's own checking of username and password and totally bypass calling FormsAuthentication.Authenticate?

2) does the "new FormsAuthenticationTicket" create a cookie?

3) Can one send the cookie back to the browser just by doing the new call on the FormsAuthenticationTicket?

4) Does a session object contain nothing more than what is in the browser cookie?

5) Does the session object get created fresh from every forms submit using the browser's cookie that ASP.Net requests from the browser on every page submit?

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconformsauthenticationcredentials.asp

    void SubmitBtn_Click(Object Source, EventArgs e)
    {
        // Pull credentials from form fields and try to authenticate.
        if (FormsAuthentication.Authenticate(UserName.Value,
                UserPassword.Value))
        {
            FormsAuthenticationTicket ticket = new
                FormsAuthenticationTicket(UserName.Value, false, 5000);

            FormsAuthentication.RedirectFromLoginPage(UserName.Value,
                Persist.Checked);
        }
    }
.

Follow-Ups:
- RE: Trying to figure out forms authentication
  - From: Venkat_KL
- Re: Trying to figure out forms authentication
  - From: Steve C. Orr [MVP, MCSD]

Prev by Date: CompareValidator not working
Next by Date: Re: Trying to figure out forms authentication
Previous by thread: CompareValidator not working
Next by thread: Re: Trying to figure out forms authentication
Index(es):
- Date
- Thread

Relevant Pages

Re: Attempt to de-mystify AJAX
... "Hyperlinks" always open a new browser window. ... key (cookie) is still there and still contains the original value. ... You can get the cookies from the HTTP_COOKIE CGI environment variable. ...
(comp.databases.pick)
Re: NSA Used Cookies to Track Visitors Web Activities?
... Could unwittingly installing a compromised browser open the doors wide to cookie-based intrusions? ... A cookie itself is unlikely to be a virus, but if the browser code is written in C, it is very likely to have arrays that are susceptible to "buffer overrun" Sometimes a clever enough person can use such a bug to cause executable code stored in an allegedly non-executable file to replace code in your browser or operating system. ... an external intruder coming in over an Internet connection, presumably that intruder would have access to the cookies on one's machine. ...
(comp.sys.mac.system)
Re: Great SWT Program
... Every browser I've ever ... server when requesting any URLs from that server. ... doesn't send the cookie. ... every so often nail the ones that got by adblock, ...
(comp.lang.java.programmer)
Re: Cookies from ASP.NET app not persisting even when enabled!
... > I'm new to ASP.NET and have been developing a small app at work to test ... > and the authorization cookie is saved as expected on the local machine. ... any browser OTHER THAN the one on the development ...
(microsoft.public.dotnet.framework.aspnet)
RE: A technique to mitigate cookie-stealing XSS attacks
... Everyone interested in preventing XSS should review and understand ... remote procedure call instruction encoding where the browser or its OS ... browsers SHOULD adopt support for "client-side ... This new HTTPOnly security feature would simply stop cookie hijacking ...
(Bugtraq)