Scott Hanselman

How to get Cookieless FormsAuthentication to work with self-issued FormsAuthenticationTickets and custom UserData

July 21, '06 Comments [2] Posted in ASP.NET
Sponsored By

Short answer: You can't.

I have an application that issues FormsAuthTickets like this...

// Create the authentication ticket                                   

FormsAuthenticationTicket authTicket = new

            FormsAuthenticationTicket(1,   //version

            userName,                    // user name

            DateTime.Now,                                //creation

            DateTime.Now.AddMinutes(Timeout),  //Expiration

            false,                      //Persistent

            MYPRIVATEANDVERYIMPORTANTDATA);

 

// Now encrypt the ticket.

string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

// Create a cookie and add the encrypted ticket to the cookie as data.

HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName,encryptedTicket);           

...that was written in .NET 1.1. (FYI - It could have just as easily been written in .NET 2.0, there's nothing special here, but I want to write this code to support (be run under) both 1.1 and 2.0.)

The built-in ASP.NET helper functions SetAuthCookie and GetAuthCookie have been expanded to handle Cookieless formsauth in .NET 2.0.  So, if I used have used these methods in 1.1 I'd get the new funcitonality when my app was run under 2.0. However, I wanted to include UserData - extra encrypted context stuff - in my FormsAuthenticatonTicket, so the only choice was to issue the cookie myself.

For many of us, the promise of a cookieless Session AND cookieless FormsAuthentication is very exciting:

  <sessionState cookieless="true"/>
  <authentication mode="Forms">
   <forms name=".SOMEAUTH"
             loginUrl="default.aspx"
             protection="All"
             timeout="30"
             path="/Whatever"
             requireSSL="false"
             slidingExpiration="true"
             defaultUrl="default.aspx"
             cookieless="UseUri" />
  </authentication>

If you issue your own cookie like I do, adding it to Response.Cookies yourself as I do, your ASP.NET application won't get cookieless FormsAuthentication.

The problem is, System.Web.Security.FormsAuthentication.SetAuthCookie(String, Boolean) doesn’t allow the setting of UserData. (only String.Empty is passed in on creation of the ticket)

To be clear – if I could use SetAuthCookie and GetAuthCookie (the public static interfaces) I'd have been fine and received the new functionality. However, the UserData support is where this important scenario falls down. I thought I could roll this myself, but all the classes I need are very internal and more than a little icky.

A Microsoft ASP.NET insider said:

There isn't an API that allows the use of UserData with cookieless tickets.  Unfortunately UserData was [not included] in the cookieless forms auth implementation.

Conclusion: If you want cookieless FormsAuthentication you must use SetAuthCookie. Full stop. Until then I will find somewhere else to store my UserData.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by ORCS Web
Saturday, July 22, 2006 5:45:43 AM UTC
Scott,

haven't tried this with userData, but you can set a cookieless forms ticket by creating a FormsAuthenticationTicket, encrypt it to as string and do a redirect with this format:

~/Page?{0}={1}

{0} = forms auth ticket name
{1} = encrypted ticket string

dominick
Tuesday, July 25, 2006 10:03:02 AM UTC
in addition you have to set enableCrossAppRedirects to true - and it works with userData.
Comments are closed.

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.