
Storing more information using FormsAuthentication.SetAuthCookie

I am using ASPX and C# for setting an authentication cookie for a login.

    FormsAuthentication.SetAuthCookie(UserName, true);

I want to store more information in the same cookie. Can I add values to this authentication cookie or do I have to use a second http cookie?

Basically I'm looking for a way to store the user's Id so I may be able to access the database using the users table row key.

Thanks, Eden

Eden asked Jul 19 '09 14:07


People also ask

What is the use of FormsAuthentication SetAuthCookie?

The SetAuthCookie method adds a forms-authentication ticket to either the cookies collection or the URL if CookiesSupported is false. The forms-authentication ticket supplies forms-authentication information to the next request made by the browser.

How does form authentication work?

Form Authentication is a token-based system. When users log in, they receive a token with user information that is stored in an encrypted cookie. When a user requests an ASP.NET page via the browser, the ASP.NET verifies whether the form authentication token is available.

What is form authentication ticket?

FormsAuthenticationTicket(Int32, String, DateTime, DateTime, Boolean, String, String) Initializes a new instance of the FormsAuthenticationTicket class with cookie name, version, directory path, issue date, expiration date, persistence, and user-defined data.

What is authentication mode forms?

Forms authentication enables user and password validation for Web applications that do not require Windows authentication. With forms authentication, user information is stored in an external data source, such as a Membership database, or in the configuration file for an application.


2 Answers

You can add user data to the FormsAuthenticationTicket, then generate the cookie yourself.

There's an example in the MSDN documentation for FormsAuthenticationTicket.

EDIT

Note that when creating the ticket, you need to set the timeout, which in general you will want to be the same as the value configured in web.config. Unfortunately, in the Framework 3.5 or earlier, the FormsAuthentication class does not expose this timeout publicly. For a workaround, use one of the techniques described in the response to this connect feedback item.

UPDATE

> That Connect feedback item is no longer there, sadly. Wish you had briefly described what the techniques were.

Yes, it's a pity Microsoft has discarded historical Connect items. IIRC, the two techniques they suggested were:

  1. Use WebConfigurationManager to read the relevant configuration section and get the timeout value.

  2. Create a cookie using FormsAuthentication.GetAuthCookie, decrypt it using FormsAuthentication.Decrypt and inspect the generated FormsAuthenticationTicket.

Or upgrade to .NET 4.x where there is a FormsAuthentication.Timeout property.

See this question for more info

Joe answered Sep 21 '22 19:09
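One way to do what the answer above describes, as an added example (not code from the answer or from the MSDN page it mentions): the user id travels in the ticket's UserData field and is read back from FormsIdentity.Ticket. It assumes .NET 4.x for FormsAuthentication.Timeout; the class name AuthTicketHelper and its method names are hypothetical.

```csharp
using System;
using System.Globalization;
using System.Web;
using System.Web.Security;

public static class AuthTicketHelper   // hypothetical helper, not a framework class
{
    // Issues the forms-authentication cookie with the user's id stored in UserData.
    public static void SignIn(HttpResponse response, string userName, int userId, bool persistent)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,                                      // ticket version
            userName,                               // surfaces as User.Identity.Name
            now,                                    // issue date
            now.Add(FormsAuthentication.Timeout),   // same timeout as web.config (.NET 4.x)
            persistent,
            userId.ToString(CultureInfo.InvariantCulture),   // user-defined data
            FormsAuthentication.FormsCookiePath);

        // Encrypt applies the protection configured for forms authentication in web.config.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // follow the configured requireSSL setting
            Path = FormsAuthentication.FormsCookiePath
        };
        if (FormsAuthentication.CookieDomain != null)
            cookie.Domain = FormsAuthentication.CookieDomain;
        if (persistent)
            cookie.Expires = ticket.Expiration;       // otherwise it stays a session cookie
        response.Cookies.Add(cookie);
    }

    // Returns the id from the current ticket, or null when the request is not
    // forms-authenticated or the UserData is missing or not a number.
    public static int? GetUserId(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return null;

        int userId;
        return int.TryParse(identity.Ticket.UserData, NumberStyles.Integer,
                            CultureInfo.InvariantCulture, out userId)
            ? userId
            : (int?)null;
    }
}
```

With this layout User.Identity.Name stays the plain user name, so code that relies on it needs no parsing.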


You can put whatever you want in the auth cookie as long as it's useful to you. That said, if you're putting sensitive information you should, at the very least, encrypt it, but I'd recommend against putting sensitive information there. You can do something like:

    FormsAuthentication.SetAuthCookie(UserName + "|" + UserId, true);

Then, whenever you need the username or the user id, it is there. Just load the cookie and parse out the values you need.

Again, I'd advise against doing this, especially as I have it presented above. That said, it is possible. You should create accessor methods to pull the data back out:

    // Requires: using System; using System.Web;

    // Second field of the "UserName|UserId" value stored in the auth cookie.
    public int CurrentUserId
    {
        get
        {
            int userId = 0;

            if (HttpContext.Current.Request.IsAuthenticated)
            {
                userId = Convert.ToInt32(HttpContext.Current.User.Identity.Name.Split('|')[1]);
            }

            return userId;
        }
    }

    // First field of the "UserName|UserId" value stored in the auth cookie.
    public string CurrentUserName
    {
        get
        {
            string userName = string.Empty;

            if (HttpContext.Current.Request.IsAuthenticated)
            {
                userName = HttpContext.Current.User.Identity.Name.Split('|')[0];
            }

            return userName;
        }
    }

andymeadows answered Sep 20 '22 19:09