Re: How to do forms authentication with cookieless=UseUri?



On Jan 25, 6:22 pm, bruce barker
<brucebar...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
you are confusing session and authentication. they are unrelated.

forms authentication creates a login ticket and stores it in a cookie or the
url. session also creates a session ticket and stores it in a cookie or the
url. they can both use cookies, uri, or be configured differently.

storing the login ticket in session just reduces the number of tickets sent
to the client.

cookie is slightly more secure (if you use https) because it's not in the url.

the most secure is to not use forms authentication but rather a secure one
like kerberos or basic over https. then you store the login in the session,
and on every session fetch, check that the login matches the authenticated
user (thus preventing session hijacks).

-- bruce (sqlwork.com)



Thank you very much for the clarification. Right now, I am storing
the authentication ticket in a cookie like so:

// remember the login name in session state
Session.Add("UserName", username);

// build a non-persistent forms authentication ticket valid for 20 minutes
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    1, username, DateTime.Now, DateTime.Now.AddMinutes(20), false, "someuserdatahere");

// encrypt the ticket and send it to the client in the forms auth cookie
string encryptedTicket = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
Response.Cookies.Add(cookie);

// send the user back to the page that required authentication
Response.Redirect(FormsAuthentication.GetRedirectUrl(username, false));

So, according to what you suggested, I could simply do:

Session.Add("authentication_ticket", encryptedTicket);

to stick it into the session and leave out the cookie part?
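The check Bruce describes (record the login in session state and, on every request that has a session, verify that it matches the currently authenticated user) can be done once in an HttpModule rather than in every page. The following is an added example written for this thread, not code from either poster; it assumes ASP.NET Web Forms on the .NET Framework (System.Web), and the class name and the session key are choices made here, not framework identifiers.

```csharp
// Added example (not from the original thread): binds the ASP.NET session to
// the forms-authenticated login, so a session ticket presented by a client whose
// authentication ticket names a different user (or no user) is discarded.
// Assumes System.Web on the .NET Framework; class name and session key are
// chosen here and are not part of any framework API.
using System;
using System.Web;
using System.Web.Security;

public class SessionUserBinding : IHttpModule
{
    // Session key under which the owning login name is recorded (chosen here).
    private const string OwnerKey = "__SessionOwner";

    public void Init(HttpApplication app)
    {
        // PostAcquireRequestState fires after both the authentication ticket
        // and the session state have been loaded for the current request.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    public void Dispose() { }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Session == null)
        {
            return; // handler without session state (e.g. static files)
        }

        string authUser = (ctx.User != null && ctx.User.Identity.IsAuthenticated)
            ? ctx.User.Identity.Name
            : null;
        string owner = ctx.Session[OwnerKey] as string;

        if (owner == null)
        {
            // First authenticated request seen on this session: claim it.
            if (authUser != null)
            {
                ctx.Session[OwnerKey] = authUser;
            }
            return;
        }

        if (!string.Equals(owner, authUser, StringComparison.Ordinal))
        {
            // The session was issued to a different login than the one now
            // presenting it, or the authentication ticket has expired while
            // the session lived on: drop both tickets and require a fresh login.
            ctx.Session.Abandon();
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
        }
    }
}
```

Register the module in web.config under `system.web/httpModules` (or `system.webServer/modules` on IIS 7 integrated mode) and it runs for every request. Because the forms ticket above expires after 20 minutes while the session has its own timeout, the mismatch branch is also what tears down session data when the authentication ticket lapses first. Note that the poster's cookie is built by hand; `FormsAuthentication.SetAuthCookie` produces the same cookie with HttpOnly set and the Secure flag taken from the `requireSSL` setting.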


