 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / ASP.NET / Security / March 2008Reconnect to a session and authenticate.
I have an asp.net application using forms authentication. On one of my pages I use a control that does not return the cookies in firefox. (the creator of the control will remain nameless) I can include the session cookie "ASP.NET_SessionId" and the cookie “CD” placed by the forms authentication in the querystring. The Question is how do I reconnect to the session and reauthenticate when this page posts back so my session vars are there.  SignatureJerry Hi Jerry, From your description, I understand you want to programmatically restore a certain session connection or forms authentication connection in your code (by supplying the sessionID or authentication info) , correct? Based on my understanding, for forms authentication, it is quite easy to regenerate the authentication state, you can simply call the following method to make the current user be authenticated again(supply the username): FormsAuthentication.SetAuthCookie(username, true); However, for session state, it is always done(validate client cookie) by the built-in session state module. If you put the session state info(such as ID) in querystring, runtime will not know it. You can try manually add the cookie (that contain the sessionID you previously stored) into ASP.NET response. If this not work, you may have a look at creating a custom SessionIDManager, that can help you add your own code logic to read and generate sessionID: #Overcoming IE Bug with a Custom SessionIDManager http://blogs.microsoft.co.il/blogs/dorony/ #SessionIDManager Class http://msdn2.microsoft.com/en-us/library/system.web.sessionstate.sessionidma nager(VS.80).aspx #ASP.NET 2.0 Training : Customizing the Session State Mechanism http://www.exforsys.com/tutorials/asp.net-2.0/asp.net-2.0-customizing-the-se ssion-state-mechanism.html Hope this helps. Sincerely, Steven Cheng Microsoft MSDN Online Support Lead ================================================== Get notification to my posts through email? Please refer to http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif ications. Note: The MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support Engineer within 1 business day is acceptable. Please note that each follow up response may take approximately 2 business days as the support professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations that require urgent, real-time or phone-based interactions or complex project analysis and dump analysis issues. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at http://msdn.microsoft.com/subscriptions/support/default.aspx. ================================================== This posting is provided "AS IS" with no warranties, and confers no rights. -------------------- >From: =?Utf-8?B?SmVycnkgQw==?= <jerryed@nospam.nospam> >Subject: Reconnect to a session and authenticate. >Date: Mon, 3 Mar 2008 14:43:01 -0800 >I have an asp.net application using forms authentication. On one of my pages >I use a control that does not return the cookies in firefox. (the creator of >the control will remain nameless) I can include the session cookie >"ASP.NET_SessionId" and the cookie “CDâ€?placed by the forms authentication in >the querystring. The Question is how do I reconnect to the session and >reauthenticate when this page posts back so my session vars are there. Steven, Thank you for your reply, I solved this problem by adding the cookies and doing a server transfer. To me it is much simpler. If Not IsNothing(Request.QueryString("SessionID")) Then 'if the Qstring is there If IsNothing(Request.Cookies("CD")) Then 'if the cookie I want is missing 'add the Cookies Response.Cookies.Add(New HttpCookie("CD", Request.QueryString("cdAuth"))) Response.Cookies.Add(New HttpCookie("ASP.NET_SessionId", Request.QueryString("SessionID"))) 'do the server transferr now the cookies are there Server.Transfer("UploadMultipleAssets.aspx", True) End If End If SignatureThank you Jerry > Hi Jerry, > [quoted text clipped - 78 lines] > >the querystring. The Question is how do I reconnect to the session and > >reauthenticate when this page posts back so my session vars are there. That's great! Thanks for sharing this with us. Sincerely, Steven Cheng Microsoft MSDN Online Support Lead This posting is provided "AS IS" with no warranties, and confers no rights. -------------------- >From: =?Utf-8?B?SmVycnkgQw==?= <jerryed@nospam.nospam> >References: <6A0F7399-8AD4-47C7-ABB5-BA02BE97BFD3@microsoft.com> <TTJd7#bfIHA.1500@TK2MSFTNGHUB02.phx.gbl> >Subject: RE: Reconnect to a session and authenticate. >Date: Tue, 4 Mar 2008 08:19:02 -0800 >Steven, > [quoted text clipped - 17 lines] > > End If Steven, The solution I posted did not work in all cases. I used the custom session Id manager in the link. Now the question is how do I restore the authentication without sending the user name in the Qstring. I do store the forms auth cookie in the query string. How do I use it the authenticate. Thank you SignatureJerry > Hi Jerry, > [quoted text clipped - 78 lines] > >the querystring. The Question is how do I reconnect to the session and > >reauthenticate when this page posts back so my session vars are there. Hi Jerry, As for restorting FormsAuthentication state, I think it's much easier than session since the FormsAuthentication.SetAuthCookie method I mentioned earlier can help regenerate the authenticate cookie. Therefore, I think what you need to do is just store the username in a custom cookie item. And later when you need to regenerate the authenticate state, just read the username from that cookie item and call the FormsAuthentication.SetAuthCookie, how do you think? Sincerely, Steven Cheng Microsoft MSDN Online Support Lead This posting is provided "AS IS" with no warranties, and confers no rights. -------------------- >From: =?Utf-8?B?SmVycnkgQw==?= <jerryed@nospam.nospam> >References: <6A0F7399-8AD4-47C7-ABB5-BA02BE97BFD3@microsoft.com> <TTJd7#bfIHA.1500@TK2MSFTNGHUB02.phx.gbl> >Subject: RE: Reconnect to a session and authenticate. >Date: Wed, 5 Mar 2008 07:43:03 -0800 >Steven, > [quoted text clipped - 33 lines] >> >> #SessionIDManager Class http://msdn2.microsoft.com/en-us/library/system.web.sessionstate.sessionidma >> nager(VS.80).aspx >> >> #ASP.NET 2.0 Training : Customizing the Session State Mechanism http://www.exforsys.com/tutorials/asp.net-2.0/asp.net-2.0-customizing-the-se >> ssion-state-mechanism.html >> [quoted text clipped - 11 lines] >> >> Get notification to my posts through email? Please refer to http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif >> ications. >> [quoted text clipped - 31 lines] >> >the querystring. The Question is how do I reconnect to the session and >> >reauthenticate when this page posts back so my session vars are there. Steven, Thank you for your reply, I used : Dim authTicket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(Request.QueryString("cdAuth")) Dim userName As String = authTicket.Name FormsAuthentication.SetAuthCookie(userName, True) So I did not have to put the user name in the Qstring. This way I put the encripted ticket in the Qstring and then decryped the ticket and retrieved the name and used SetAuthcookie. SignatureJerry Thanks for your reply Jerry, Cool, that's also a good approach since you only store the encrypted ticket in client side. Thanks for sharing this. Best regards, Steven Cheng Microsoft MSDN Online Support Lead Delighting our customers is our #1 priority. We welcome your comments and suggestions about how we can improve the support we provide to you. Please feel free to let my manager know what you think of the level of service provided. You can send feedback directly to my manager at: msdnmg@microsoft.com. This posting is provided "AS IS" with no warranties, and confers no rights. -------------------- >From: =?Utf-8?B?SmVycnkgQw==?= <jerryed@nospam.nospam> >Subject: RE: Reconnect to a session and authenticate. >Date: Thu, 6 Mar 2008 06:48:02 -0800 >Steven, > [quoted text clipped - 10 lines] >encripted ticket in the Qstring and then decryped the ticket and retrieved >the name and used SetAuthcookie.
Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.