
ASP.net MVC FormsAuthentication cookie missing

I'm writing an ASP.net MVC 5 application using FormsAuthentication. I had everything up and working properly using FormsAuthentication.SetAuthCookie(user.Email, model.RememberMe).

However, I wanted to create a custom ticket so I could store some extra information in the UserData field of the ticket. This is how I'm creating my ticket and storing it in a cookie:

var ticket = new FormsAuthenticationTicket(1, user.Email, DateTime.Now, DateTime.Now.AddMinutes(FormsAuthentication.Timeout.Minutes), model.RememberMe, user.AuthToken);
var encryptedTicket = FormsAuthentication.Encrypt(ticket);
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket) { Domain = FormsAuthentication.CookieDomain, Path = FormsAuthentication.FormsCookiePath, HttpOnly = true, Secure = FormsAuthentication.RequireSSL };
HttpContext.Response.Cookies.Add(cookie);

This creates an encrypted ticket and sends it to the browser. I've verified with developer tools and Fiddler that the ticket is present in the browser and that it is sent back to the server on the subsequent requests.

But authentication is now broken. Also, the cookie is not available in Application_AuthenticateRequest or Application_PostAuthenticateRequest events. When I use the debugger to explore Context.Request.Cookies it is not present in the list.

Oddly enough the cookie does exist if I step back in the pipeline and check it in Application_BeginRequest:

void Application_BeginRequest(object sender, EventArgs e)
{
    // Auth cookie exists in the collection here! Ticket decrypts successfully
    HttpCookie authCookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
    if (authCookie == null)
        return;
    var encTicket = authCookie.Value;
    var ticket = FormsAuthentication.Decrypt(encTicket);
}

void Application_AuthenticateRequest(object sender, EventArgs e)
{
    // Auth cookie missing from the cookies collection here!
    HttpCookie authCookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
    if (authCookie == null)
        return;

    var encTicket = authCookie.Value;
    var ticket = FormsAuthentication.Decrypt(encTicket);
    using (var db = new BadgerContext())
    {
        var user = db.Users.OfType<RegisteredUser>().FirstOrDefault(x => x.UserName == ticket.Name);
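        // Sign out when the user no longer exists or the stored token no longer matches the ticket
        if (user == null || ticket.UserData != user.AuthToken)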
        {
            FormsAuthentication.SignOut();
            Response.Redirect(FormsAuthentication.DefaultUrl);
        }
    }
}

So it appears that something is stripping my custom FormsAuthenticationTicket out of the cookies after BeginRequest but before AuthenticateRequest. Unfortunately, this breaks authentication altogether on the site.

Any ideas what is causing this behavior when I create a custom ticket? Am I doing something wrong with my cookie creation?

asked Mar 19 '23 08:03

Sam


1 Answer

Check the httpRuntime tag inside the system.web node of the .config file.

<httpRuntime targetFramework="4.5" />

It should be the same as the main web site's.

answered Mar 27 '23 18:03

Linzy lin
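
Added example (not part of the question or the answer): a diagnostic helper to call from Application_BeginRequest, where the question shows the cookie is still readable. It reports whether the ticket decrypts, whether it is already expired, and which httpRuntime targetFramework and machineKey compatibilityMode the site runs with, so those values can be compared with the main web site as the answer suggests. The class and method names are hypothetical.

```csharp
// Added diagnostic example; AuthCookieDiagnostics and Describe are hypothetical names.
using System;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;

public static class AuthCookieDiagnostics
{
    // Call from Application_BeginRequest and write the result to your log.
    public static string Describe(HttpRequest request)
    {
        // Effective settings of this site: compare them with the other site's values.
        var machineKey = (MachineKeySection)WebConfigurationManager.GetSection("system.web/machineKey");
        string config = string.Format("targetFramework={0}, compatibilityMode={1}",
            HttpRuntime.TargetFramework, machineKey.CompatibilityMode);

        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return "no auth cookie in request; " + config;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception ex) // Decrypt throws on malformed or tampered input
        {
            return "ticket rejected (" + ex.GetType().Name + "); " + config;
        }
        if (ticket == null)
            return "ticket did not decrypt; " + config;

        // TimeSpan.Minutes is the minutes component (0-59), not the total, so an
        // expiry computed from Timeout.Minutes can be earlier than the configured timeout.
        // UserData is deliberately not reported: in the question it holds the auth token.
        return string.Format(
            "ticket for {0}: issued {1:o}, expires {2:o}, expired={3}, persistent={4}; {5}",
            ticket.Name, ticket.IssueDate, ticket.Expiration,
            ticket.Expired, ticket.IsPersistent, config);
    }
}
```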