Question

I have some simple code, which is based on an article

but my code doesn't work, and I don't know where my mistake is. I am not using the Membership API. Please help with advice:
Button_Click:

 FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, txtUsername.Text, DateTime.Now, DateTime.Now.AddMinutes(1), true, role, FormsAuthentication.FormsCookiePath);
 HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
 if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;
 Response.Cookies.Add(cookie);
 FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, true);

Global.asax - Application_AuthenticateRequest

 if (HttpContext.Current.User != null)
 {
    if (HttpContext.Current.User.Identity.IsAuthenticated)
    {
       if (HttpContext.Current.User.Identity is FormsIdentity)
       {
         FormsIdentity formsIdentity = (FormsIdentity)HttpContext.Current.User.Identity;
         FormsAuthenticationTicket ticket = formsIdentity.Ticket;
         string userData = ticket.UserData;
         string[] roles = userData.Split(',');
         HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(formsIdentity, roles);
       }
   }
 }

web.config

 <system.web>
    <compilation debug="true" targetFramework="4.0" />
  <authentication mode="Forms">
    <forms loginUrl="login.aspx"
           timeout="1"
           slidingExpiration="true"
           cookieless="AutoDetect"
           protection="All"
           defaultUrl="logined.aspx"
           path="/">
    </forms>        
  </authentication>
  <authorization>
    <deny users="?"/>
  </authorization>
 </system.web>
 <location path="default.aspx">
 <system.web>
  <authorization>
    <allow users="*"/>
  </authorization>
 </system.web>
 </location>
 <location path="register.aspx">
 <system.web>
  <authorization>
    <allow users="*"/>
  </authorization>
 </system.web>
 </location>
 <location path="adminPage.aspx">
 <system.web>
  <authorization>
    <allow roles="Admin"/>
    <deny users="*"/>
  </authorization>
 </system.web>
 </location>

In the debugger I see that the string role isn't passed from the Button_Click method into Application_AuthenticateRequest. So, if role in Button_Click is equal to "Admin" for its username, then in Application_AuthenticateRequest the same variable, as ticket.userData, is equal to "". Why does this happen?


Solution

The problem is you do not need to call RedirectFromLoginPage if you create FormsAuthenticationTicket manually.

 FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, 
     txtUsername.Text, 
     DateTime.Now, DateTime.Now.AddMinutes(1), 
     true, 
     role, 
     FormsAuthentication.FormsCookiePath);
 HttpCookie cookie = new HttpCookie(
     FormsAuthentication.FormsCookieName, 
     FormsAuthentication.Encrypt(ticket));
 if (ticket.IsPersistent) 
     cookie.Expires = ticket.Expiration;
 Response.Cookies.Add(cookie);

/* Delete this line
 FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, true);  */
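
How the login side and the request side fit together once RedirectFromLoginPage is dropped, as an added example that is not part of the original question or answer. RoleTicket, SignIn and AttachRoles are hypothetical names, and the sketch assumes cookie-based (not cookieless) forms authentication on .NET Framework 4.0 or later.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example, not the poster's code. RoleTicket, SignIn and AttachRoles are hypothetical names.
public static class RoleTicket
{
    // Login side: issue one ticket carrying the roles, then redirect without
    // RedirectFromLoginPage, which would write its own ticket (empty UserData)
    // under the same cookie name.
    public static void SignIn(HttpResponse response, string userName, string[] roles, bool persistent)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.Add(FormsAuthentication.Timeout),
            persistent, string.Join(",", roles), FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                          // keep the ticket away from page script
        cookie.Secure = FormsAuthentication.RequireSSL;  // follows requireSSL in web.config
        if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);

        // GetRedirectUrl only resolves ReturnUrl/defaultUrl; it issues no cookie.
        response.Redirect(FormsAuthentication.GetRedirectUrl(userName, persistent));
    }

    // Request side: call from Application_AuthenticateRequest in Global.asax.
    public static void AttachRoles(HttpContext context)
    {
        if (context.User == null) return;
        var identity = context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        // "".Split(',') yields one empty role name; RemoveEmptyEntries yields none.
        string[] roles = (identity.Ticket.UserData ?? string.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(identity, roles);
    }
}
```

Because the role list travels inside the encrypted ticket, the `protection="All"` setting in the question's web.config is what keeps a client from editing it.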
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow