Question

I have a WCF webhttp service which uses forms authentication to authenticate users. This works fine if the ticket comes in the cookie collection or in the URL.

But now I want to send the string of the forms auth ticket in a custom HTTP header and change the forms auth module to check for that header instead of the cookie.

I think it should be easy to extend forms auth to achieve this, but could not find any resources on how to. Can you point me in the right direction?

Here's how my authentication flow would work:

  1. A client calls the authenticate method with the username and pwd
  2. Service returns the encrypted ticket string
  3. Client sends the received ticket string in an HTTP header with every subsequent request
  4. Service checks for auth header and validates the auth ticket

Solution

FormAuthentication module is not extendible, but you could write your own authentication. It is very simple:

Authentication(2):


var formsTicket = new FormsAuthenticationTicket(
    1, login, DateTime.Now, DateTime.Now.AddYears(1), persistent, String.Empty);
var encryptedFormsTicket = FormsAuthentication.Encrypt(formsTicket);
//return encryptedFormsTicket string to client

Service call with attached ticket(4):


var ticket = FormsAuthentication.Decrypt(encryptedFormsTicket);
// Decrypt does not reject expired tickets: check ticket.Expired before trusting ticket.Name
//extract authentication info from ticket: ticket.Name

Other tips

I am not sure this is the way to go (elegance-wise), but what about adding an event in global.asax.cs for Application BeginRequest and taking the string from the header and injecting a cookie into the Request yourself (Forms authentication should then pick that up).

Something like:


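protected void Application_BeginRequest()
{
    // Your code here to read request header into cookieText variable
    string cookieText = ReadCookieFromHeader();
    if (string.IsNullOrEmpty(cookieText))
    {
        return; // no ticket in the header, nothing to inject
    }

    var cookieData = FormsAuthentication.Decrypt(cookieText);

    if (cookieData != null && !cookieData.Expired)
    {
        // Forms authentication looks the cookie up by its configured name, not the user name
        HttpContext.Current.Request.Cookies.Add(
            new HttpCookie(FormsAuthentication.FormsCookieName, cookieText));
    }
}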

DISCLAIMER: Please note that I didn't test this, just throwing a possible approach your way!

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow