Saving More Information Using FormsAuthentication.SetAuthCookie

I use ASPX and C# to set the authentication cookie for login.

 FormsAuthentication.SetAuthCookie(UserName, true);

I want to store more information in the same cookie. Can I add values to this cookie for authentication, or do I need to use a second HTTP cookie?

I am mainly looking to store the user ID, so I can look up the user's row in the user table.

Thanks Eden

+42
c# asp.net-mvc forms-authentication
Jul 19 '09 at 14:20
6 answers

You can add user data to FormsAuthenticationTicket, and then generate the cookie yourself.

Here is an example in the MSDN documentation for FormsAuthenticationTicket .

EDIT

Please note that when creating a ticket you need to set a timeout, which in general you want to be the same as the value configured in web.config. Unfortunately, in Framework 3.5 or earlier, the FormsAuthentication class does not expose this timeout publicly. For a workaround, use one of the methods described in the response to this Connect feedback item.

UPDATE

Unfortunately, that Connect feedback item no longer exists. Could you briefly describe what the technique is?

Yes, it's unfortunate that Microsoft has retired the historical Connect items. IIRC, the two methods they proposed:

  • Use the WebConfigurationManager to read the appropriate configuration section and get the timeout value.

  • Create a cookie with FormsAuthentication.GetAuthCookie, decrypt it with FormsAuthentication.Decrypt and inspect the resulting FormsAuthenticationTicket.

Or upgrade to .NET 4.x, where there is a FormsAuthentication.Timeout property.

See this question for more information.

+47
Jul 19 '09 at 16:36

You can put whatever you want into the auth cookie if you find this useful. However, if you put sensitive information there, you should at least encrypt it, but I would recommend that you do not put sensitive information there at all. You can do something like:

 FormsAuthentication.SetAuthCookie(UserName + "|" + UserId, true);

Then, when you need the username or user ID, it's there. Just load the cookie and parse out the values you need.

Again, I would advise you not to do this, especially as presented above. However, it is possible. You should create accessor methods to pull the data out:

 // Reads the "user ID" half of the "UserName|UserId" value stored in Identity.Name.
 public int CurrentUserId
 {
     get
     {
         int userId = 0;
         if (HttpContext.Current.Request.IsAuthenticated)
         {
             userId = Convert.ToInt32(HttpContext.Current.User.Identity.Name.Split('|')[1]);
         }
         return userId;
     }
 }

 // Reads the "username" half of the same value.
 public string CurrentUserName
 {
     get
     {
         string userName = string.Empty;
         if (HttpContext.Current.Request.IsAuthenticated)
         {
             userName = HttpContext.Current.User.Identity.Name.Split('|')[0];
         }
         return userName;
     }
 }
+15
Jul 19 '09 at 15:06
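An added example (not code from the question or from either answer above) that combines the first answer's technique with a safer form of the accessors in the answer just above: it reads the forms timeout from web.config through WebConfigurationManager, issues a ticket whose UserData carries the user ID, and parses the ID back with int.TryParse instead of splitting Identity.Name. The class name UserIdAuthCookie and its method names are assumed; everything else is the standard System.Web API.

```csharp
using System;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;

// Hypothetical helper (name assumed, not from the question or any answer):
// issues a forms ticket whose UserData carries the user ID, and reads it back.
public static class UserIdAuthCookie
{
    // Reads <forms timeout="..."> from web.config so the ticket lifetime matches
    // what the runtime enforces. This is the WebConfigurationManager workaround
    // for .NET 3.5, where FormsAuthentication.Timeout does not exist.
    public static TimeSpan ConfiguredTimeout()
    {
        var auth = (AuthenticationSection)WebConfigurationManager
            .GetSection("system.web/authentication");
        // Forms.Timeout defaults to 30 minutes when the attribute is omitted.
        return auth.Forms.Timeout;
    }

    // Builds the ticket by hand (as the first answer suggests) and writes the cookie.
    public static void Issue(HttpResponseBase response, string userName, int userId, bool persistent)
    {
        var now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,                               // ticket version
            userName,                        // becomes User.Identity.Name
            now,                             // issue date
            now.Add(ConfiguredTimeout()),    // expiration from web.config
            persistent,
            userId.ToString(),               // UserData: encrypted and MAC'd with the ticket
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                         // keep script from reading the ticket
            Secure = FormsAuthentication.RequireSSL, // honour requireSSL from web.config
            Path = FormsAuthentication.FormsCookiePath,
        };
        if (persistent)
        {
            cookie.Expires = ticket.Expiration;      // persistent cookies carry an expiry
        }
        response.Cookies.Add(cookie);
    }

    // Returns the user ID carried in the ticket, or null when the request is not
    // authenticated or UserData is not an integer, so a malformed value never
    // throws from inside a property getter the way Split('|')[1] can.
    public static int? CurrentUserId(HttpContextBase context)
    {
        if (!context.Request.IsAuthenticated)
        {
            return null;
        }
        var identity = context.User?.Identity as FormsIdentity;
        if (identity == null)
        {
            return null;
        }
        int userId;
        return int.TryParse(identity.Ticket.UserData, out userId) ? (int?)userId : null;
    }
}
```

Because FormsAuthentication.Encrypt both encrypts and signs the whole ticket with the machine key, the ID in UserData cannot be altered client-side without invalidating the cookie, which is the property the "UserName|UserId" string in Identity.Name also relies on; the difference is that UserData keeps Identity.Name a plain username and the accessor fails closed (null) instead of throwing on unexpected input.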

Yes, it's wise to use "|" to pack in more information. If Microsoft had another overloaded method

 public static void SetAuthCookie(String userName, bool createPersistentCookie, string userData)

then our lives would be much simpler and our code more secure.

+3
Jun 27 '12 at 23:00

Pass the user ID as the userName parameter.

 FormsAuthentication.SetAuthCookie(userId.ToString(), true);

How do you guarantee your outbound tickets?

+1
Jul 19 '09 at 15:00

You can store additional information in the UserData property of FormsAuthenticationTicket:

 using Newtonsoft.Json;
 using System.Web;
 using System.Web.Security;

 public class LoggedInUser
 {
     public string FirstName { get; set; } = null;
     public bool IsAdmin { get; set; } = false;
 }

 public static class Authentication
 {
     public static void SignIn(
         HttpContextBase context,
         string emailAddress,
         bool rememberMe,
         LoggedInUser user = null)
     {
         // Let the framework build a ticket with the configured timeout, then
         // re-issue it with the serialized user object in UserData.
         var cookie = FormsAuthentication.GetAuthCookie(emailAddress.ToLower(), rememberMe);
         var oldTicket = FormsAuthentication.Decrypt(cookie.Value);
         var newTicket = new FormsAuthenticationTicket(
             oldTicket.Version,
             oldTicket.Name,
             oldTicket.IssueDate,
             oldTicket.Expiration,
             oldTicket.IsPersistent,
             JsonConvert.SerializeObject(user ?? new LoggedInUser()));
         cookie.Value = FormsAuthentication.Encrypt(newTicket);
         context.Response.Cookies.Add(cookie);
     }

     public static void SignOut(HttpContextBase context)
     {
         FormsAuthentication.SignOut();
     }

     // Deserializes UserData from the current forms ticket, or returns an
     // empty LoggedInUser when the request carries no forms identity.
     public static LoggedInUser GetLoggedInUser()
     {
         if (HttpContext.Current.User?.Identity?.Name != null
             && HttpContext.Current.User?.Identity is FormsIdentity identity)
             return JsonConvert.DeserializeObject<LoggedInUser>(identity.Ticket.UserData);
         return new LoggedInUser();
     }
 }

Further reading: https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/introduction/forms-authentication-configuration-and-advanced-topics-cs#step-4-storing-additional-user-data-in-the-ticket

0
Dec 07 '18 at 16:07

You can set the timeout based on the value in web.config using FormsAuthentication.Timeout.TotalMinutes.

-1
Mar 18 '13 at 21:47