Question

Okay, I've been assigned with authenticating users on a login page. I've been working on this for quite a while and decided to clean it up. The problem that I faced is one of those problems where exceptions aren't thrown, no error is generated, and everything looks okay, but when you try to use a function, it gives back a result that you don't want.

The code I used looks very similar to code from this page:

http://msdn.microsoft.com/en-us/library/system.web.security.formsauthenticationticket.aspx

I've used the code from the demo in my project:

  FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
    username,
    DateTime.Now,
    DateTime.Now.AddMinutes(30),
    isPersistent,
    userData,
    FormsAuthentication.FormsCookiePath);

  // Encrypt the ticket.
  string encTicket = FormsAuthentication.Encrypt(ticket);

  HttpCookie myCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);

  // Create the cookie.
  Response.Cookies.Add(myCookie);

So if I logged in, everything works and the below code evaluates to true: HttpContext.Current.User.Identity.IsAuthenticated;

However, if I wanted to include subkeys to myCookie using either version:

  myCookie.Values.Add("userName", "patrick"); //version 1
  myCookie.Values["userName"] = "patrick";  //version 2

Then you add to the cookies collection:

  Response.Cookies.Add(myCookie);

Then refresh the page after login:

  //This is always set to false even after successful log on
  HttpContext.Current.User.Identity.IsAuthenticated;

No clue why!

I wanted to do something where I don't have to add the encryption value to the httpcookie immediately:

 //IsAuthenticated doesn't work = false
 HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName);
 cookie.Values.Add("encryptTicket", encTicket);

It's just weird that adding subkeys doesn't work at all. And that I am forced to encrypt a ticket in order to make it work. What I mean is that IsAuthenticated is false all the time, logged in and authenticated or not. Can anyone try to explain what's going on with this? I have a working solution, but any insight would be helpful.


Solution

Okay, think I figured this out. It's because of how my web.config was set up for forms authentication. Using the forms tag.

The FormsAuthenticationTicket looks at that tag for specific information, and if I didn't create a cookie off of it, it wouldn't authenticate me. This was also defaulted to cookieless mode to UseCookies.

But anyways, after I create a cookie off of that, then I become authenticated and then a new session is created for me. After that, I can then provide any extra cookies I want and let the website use them as needed. But as long as that AuthCookie (in my case .ASPXAUTH) is valid, so is my authentication session.

In fact, when I tried to make a cookie session end when the browser closed, by setting the expiration date to MinValue for the cookie and the ticket, I wasn't able to authenticate either! I had to make the ticket last longer than the actual cookie so that the ticket doesn't expire before the cookie does.

The ticket information is really a configuration used to make the cookie, and after cookie creation, the browser is what defines how the cookies are used.
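
The pattern the answer arrives at, as an added example that is not part of the original answer: the auth cookie's value is the encrypted ticket and nothing else, and extra per-user data travels inside the ticket's `userData` instead of in cookie subkeys. `AuthCookieHelper`, `SignIn` and `ReadUserData` are hypothetical names, and the 30-minute lifetime is copied from the question's code.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Added example: hypothetical helper, not code from the question or answer.
public static class AuthCookieHelper
{
    // Issues the forms-auth cookie. Adding subkeys through cookie.Values would turn
    // cookie.Value into a key=value string that is no longer the encrypted ticket alone.
    public static void SignIn(HttpResponse response, string username,
                              string userData, bool isPersistent)
    {
        DateTime now = DateTime.Now;
        DateTime ticketExpires = now.AddMinutes(30);
        var ticket = new FormsAuthenticationTicket(
            1, username, now, ticketExpires, isPersistent,
            userData ?? string.Empty,            // custom data goes inside the ticket
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // follows the <forms> setting
            Path = FormsAuthentication.FormsCookiePath
        };
        // Persistent login: the cookie expires with the ticket. Otherwise Expires stays
        // unset, so the browser drops the cookie on close while the ticket keeps its
        // own 30-minute lifetime.
        if (isPersistent) cookie.Expires = ticketExpires;
        response.Cookies.Add(cookie);
    }

    // Returns the ticket's userData, or null when the cookie is missing,
    // fails decryption/validation, or carries an expired ticket.
    public static string ReadUserData(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            return (ticket == null || ticket.Expired) ? null : ticket.UserData;
        }
        catch (ArgumentException) { return null; }      // value is not a valid ticket
        catch (HttpException) { return null; }          // validation failed
        catch (CryptographicException) { return null; } // decryption failed
    }
}
```

Data that does not need protection can still go in a separate, differently named cookie, as the answer describes.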

Licensed under: CC-BY-SA with attribution