Question

I have some simple code, which is based on an article

but my code doesn't work, and I don't know where my fault is. I use a non-membership API. Please help with advice:
Button_Click:

 FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, txtUsername.Text, DateTime.Now, DateTime.Now.AddMinutes(1), true, role, FormsAuthentication.FormsCookiePath);
 HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
 if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;
 Response.Cookies.Add(cookie);
 FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, true);

Global.asax - Application_AuthenticateRequest

 if (HttpContext.Current.User != null)
 {
    if (HttpContext.Current.User.Identity.IsAuthenticated)
    {
       if (HttpContext.Current.User.Identity is FormsIdentity)
       {
         FormsIdentity formsIdentity = (FormsIdentity)HttpContext.Current.User.Identity;
         FormsAuthenticationTicket ticket = formsIdentity.Ticket;
         string userData = ticket.UserData;
         string[] roles = userData.Split(',');
         HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(formsIdentity, roles);
       }
   }
 }

web.config

 <system.web>
    <compilation debug="true" targetFramework="4.0" />
  <authentication mode="Forms">
    <forms loginUrl="login.aspx"
           timeout="1"
           slidingExpiration="true"
           cookieless="AutoDetect"
           protection="All"
           defaultUrl="logined.aspx"
           path="/">
    </forms>        
  </authentication>
  <authorization>
    <deny users="?"/>
  </authorization>
 </system.web>
 <location path="default.aspx">
 <system.web>
  <authorization>
    <allow users="*"/>
  </authorization>
 </system.web>
 </location>
 <location path="register.aspx">
 <system.web>
  <authorization>
    <allow users="*"/>
  </authorization>
 </system.web>
 </location>
 <location path="adminPage.aspx">
 <system.web>
  <authorization>
    <allow roles="Admin"/>
    <deny users="*"/>
  </authorization>
 </system.web>
 </location>

In the debugger I see that the string role isn't passed from the Button_Click method into Application_AuthenticateRequest. So, if role in Button_Click is equal to "Admin" for its username, then in Application_AuthenticateRequest the same variable, as ticket.UserData, is equal to "". Why does this happen?


Solution

The problem is that you do not need to call RedirectFromLoginPage if you create the FormsAuthenticationTicket manually.

 FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, 
     txtUsername.Text, 
     DateTime.Now, DateTime.Now.AddMinutes(1), 
     true, 
     role, 
     FormsAuthentication.FormsCookiePath);
 HttpCookie cookie = new HttpCookie(
     FormsAuthentication.FormsCookieName, 
     FormsAuthentication.Encrypt(ticket));
 if (ticket.IsPersistent) 
     cookie.Expires = ticket.Expiration;
 Response.Cookies.Add(cookie);

/* Delete this line
 FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, true);  */
Licensed under: CC-BY-SA with attribution