
Short answer: You can't.

I have an application that issues FormsAuthTickets like this...

// Create the authentication ticket
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
            1,                                  // version
            userName,                           // user name
            DateTime.Now,                       // creation
            DateTime.Now.AddMinutes(Timeout),   // expiration
            false,                              // persistent
            MYPRIVATEANDVERYIMPORTANTDATA);     // user data

// Now encrypt the ticket.
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

// Create a cookie and add the encrypted ticket to the cookie as data.
HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

...that was written in .NET 1.1. (FYI - It could have just as easily been written in .NET 2.0, there's nothing special here, but I want to write this code to support (be run under) both 1.1 and 2.0.)

The built-in ASP.NET helper functions SetAuthCookie and GetAuthCookie have been expanded to handle cookieless FormsAuth in .NET 2.0. So, if I had used these methods in 1.1, I'd get the new functionality when my app was run under 2.0. However, I wanted to include UserData - extra encrypted context stuff - in my FormsAuthenticationTicket, so the only choice was to issue the cookie myself.

For many of us, the promise of a cookieless Session AND cookieless FormsAuthentication is very exciting:

  <sessionState cookieless="true"/>
  <authentication mode="Forms">
   <forms name=".SOMEAUTH"
             loginUrl="default.aspx"
             protection="All"
             timeout="30"
             path="/Whatever"
             requireSSL="false"
             slidingExpiration="true"
             defaultUrl="default.aspx"
             cookieless="UseUri" />
  </authentication>

If you issue your own cookie and add it to Response.Cookies yourself, as I do, your ASP.NET application won't get cookieless FormsAuthentication.

The problem is, System.Web.Security.FormsAuthentication.SetAuthCookie(String, Boolean) doesn't allow the setting of UserData (only String.Empty is passed in on creation of the ticket).

To be clear – if I could use SetAuthCookie and GetAuthCookie (the public static interfaces) I'd have been fine and received the new functionality. However, the UserData support is where this important scenario falls down. I thought I could roll this myself, but all the classes I need are very internal and more than a little icky.

A Microsoft ASP.NET insider said:

There isn't an API that allows the use of UserData with cookieless tickets.  Unfortunately UserData was [not included] in the cookieless forms auth implementation.

Conclusion: If you want cookieless FormsAuthentication you must use SetAuthCookie. Full stop. Until then I will find somewhere else to store my UserData.



Friday, July 21, 2006 9:45:43 PM (Pacific Standard Time, UTC-08:00)
Scott,

haven't tried this with userData, but you can set a cookieless forms ticket by creating a FormsAuthenticationTicket, encrypt it to a string and do a redirect with this format:

~/Page?{0}={1}

{0} = forms auth ticket name
{1} = encrypted ticket string

dominick
Tuesday, July 25, 2006 2:03:02 AM (Pacific Standard Time, UTC-08:00)
in addition you have to set enableCrossAppRedirects to true - and it works with userData.
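
The approach described in the two comments above, written out as an added example (not code from the post or its commenters). The class name, method names and parameters are assumptions, and it relies on cookieless="UseUri" and enableCrossAppRedirects="true" being set on the <forms> element.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper; names are illustrative and not part of ASP.NET.
public static class CookielessTicketHelper
{
    // Call only after the user's credentials have been validated.
    // targetPage must be a fixed app-relative path chosen by the application
    // (for example "~/default.aspx"), never a value taken from the request.
    public static void IssueTicket(HttpContext context, string userName,
                                   string userData, int timeoutMinutes,
                                   string targetPage)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                        // version
            userName,                                 // user name
            DateTime.Now,                             // creation
            DateTime.Now.AddMinutes(timeoutMinutes),  // expiration
            false,                                    // persistent
            userData);                                // UserData payload

        string encrypted = FormsAuthentication.Encrypt(ticket);

        // Build ~/Page?{0}={1}: {0} = forms auth ticket name, {1} = encrypted ticket.
        // The ticket is a bearer token and now travels in the URL, so it can
        // show up in logs and history until it expires: keep the timeout short.
        string url = String.Format("{0}?{1}={2}",
            VirtualPathUtility.ToAbsolute(targetPage),
            HttpUtility.UrlEncode(FormsAuthentication.FormsCookieName),
            HttpUtility.UrlEncode(encrypted));

        context.Response.Redirect(url, true);
    }

    // On later requests, read UserData back from the authenticated ticket.
    // Returns null when the request is not forms-authenticated.
    public static string GetUserData(HttpContext context)
    {
        if (context.User == null) return null;

        FormsIdentity identity = context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return null;

        return identity.Ticket.UserData;
    }
}
```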