User authentication without Session state in ASP.NET

One of the requirements proposed for an ASP.NET application is that we have Session state disabled globally. (This is not negotiable.)

Another requirement is that we have some means for user authentication. I'm thinking of using ASP.NET's membership provider model.

Is it possible to have user authentication without Session State?

The specific user-authentication examples we're looking for are:

  • User goes to website unauthenticated
  • User enters registration information (contact fields, etc)
  • For the remainder of their session, user has access to certain content thanks to their registered status

Is there a way to do this with cookies?

Can this be done securely, so the cookie can not be easily spoofed?

Is there built-in functionality in ASP.NET to support this, or will we need to roll our own method?

frankadelic asked Apr 03 '09 23:04



2 Answers

ASP.NET Forms authentication does not use SessionState. It uses a cookie to store the authentication ticket.

You can also force the authentication ticket to be sent over SSL channel by editing the web.config file.

All the functionality you need is available built-in in ASP.NET.

http://msdn.microsoft.com/en-us/library/aa480476.aspx

mmx answered Oct 01 '22 20:10
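The configuration the answer above refers to, as an added illustration that is not part of mmx's post: session state switched off globally, Forms authentication issuing its ticket in an encrypted and signed cookie (protection="All" uses the machineKey for both), the ticket restricted to HTTPS with requireSSL="true", HttpOnly applied to every cookie the application issues, and a members-only folder that denies anonymous users. The file name .ASPXAUTH is the default cookie name; the ~/Register.aspx login URL and the Members path are assumed names for this example. After a Membership.CreateUser call succeeds, FormsAuthentication.SetAuthCookie(userName, false) issues the ticket under these settings, so no session state is involved at any point.

```xml
<configuration>
  <system.web>
    <!-- Requirement from the question: no session state anywhere in the app -->
    <sessionState mode="Off" />

    <!-- Forms authentication: the ticket lives in an encrypted, signed cookie,
         not in session state. protection="All" = encrypt + MAC with machineKey. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="~/Register.aspx"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true"
             cookieless="UseCookies"
             protection="All" />
    </authentication>

    <!-- HttpOnly and Secure for every cookie the app writes, the ticket included -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- Members-only area (assumed folder name): "?" denies anonymous users -->
  <location path="Members">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With requireSSL="true" the ticket cookie is never sent over plain HTTP, so a login over HTTP silently fails to authenticate; make sure the registration page itself is served over HTTPS. On a web farm, set an explicit machineKey so every node can validate tickets issued by the others.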


Sure, a cookie will do this.

Think of the fundamentals. Session State is managed by cookies anyway.

Here's what you do.

When they log in, you take their userid, and a timeout (so the login only lasts for, say, 30 minutes or whatever).

Take that string, and hash it.

(Java, not important though)

// cookie layout: userid:expiry:mac, where the mac covers userid and expiry plus a server-side secret
String cookie = userid + ":" + timeString + ":" + md5(userid + ":" + timeString + ":" + "secretpassword");

Then, when the request hits your site, check the cookie. First check it for integrity.

String parts[] = cookie.split(":");
// a malformed cookie has fewer than three fields; treat it as a forgery
if (parts.length != 3) {
    // boom, cheater!
}
// recompute with the same secret used when the cookie was issued
String newHash = md5(parts[0] + ":" + parts[1] + ":" + "secretpassword");
if (!newHash.equals(parts[2])) {
    // boom, cheater!
}

Then check the time string to see if they're still "logged in", and go from there.

Make sure if you do the time thing to update the cookie on every request.

Will Hartung answered Oct 04 '22 20:10
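The same userid:expiry:mac scheme as the answer above, written as an added C# example (not Will Hartung's code) with two changes a practitioner would make: an HMAC-SHA256 keyed with a server-side secret replaces the MD5 over a concatenated password, and the MAC comparison is constant-time so the check does not leak where the first differing byte is. The key string is a placeholder to be replaced with random bytes from configuration or a key store, and SignedCookie, Issue and Validate are names chosen for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the answer above): userid:expiry:mac cookie with an
// HMAC instead of a bare MD5 over a shared secret, and a constant-time compare.
public static class SignedCookie
{
    // Placeholder key for the example; generate 32 random bytes per deployment
    // and load them from configuration, never from source.
    private static readonly byte[] Key =
        Encoding.UTF8.GetBytes("replace-me-with-32-random-bytes!");

    // Builds "userid:expiresUtcTicks:hexmac".
    public static string Issue(string userId, DateTime nowUtc, TimeSpan lifetime)
    {
        if (userId.Contains(":"))
            throw new ArgumentException("userid must not contain the separator");
        string expires = nowUtc.Add(lifetime).Ticks.ToString();
        string payload = userId + ":" + expires;
        return payload + ":" + Mac(payload);
    }

    // Returns the userid if the cookie is intact and unexpired, otherwise null.
    public static string Validate(string cookie, DateTime nowUtc)
    {
        if (cookie == null) return null;
        // Split on the last ':' only, so the MAC is isolated even if the
        // payload later gains more fields.
        int cut = cookie.LastIndexOf(':');
        if (cut <= 0) return null;
        string payload = cookie.Substring(0, cut);
        string mac = cookie.Substring(cut + 1);

        // Integrity first: nothing in the payload is trusted until this passes.
        if (!FixedTimeEquals(Encoding.ASCII.GetBytes(Mac(payload)),
                             Encoding.ASCII.GetBytes(mac)))
            return null;

        string[] parts = payload.Split(':');
        if (parts.Length != 2) return null;
        long expiresTicks;
        if (!long.TryParse(parts[1], out expiresTicks)) return null;
        if (nowUtc.Ticks >= expiresTicks) return null; // expired
        return parts[0];
    }

    private static string Mac(string payload)
    {
        using (var h = new HMACSHA256(Key))
        {
            byte[] digest = h.ComputeHash(Encoding.UTF8.GetBytes(payload));
            return BitConverter.ToString(digest).Replace("-", "");
        }
    }

    // Constant-time comparison over the full length of both inputs.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        DateTime now = DateTime.UtcNow;
        string cookie = Issue("alice", now, TimeSpan.FromMinutes(30));
        Console.WriteLine(Validate(cookie, now));                   // accepted
        Console.WriteLine(Validate(cookie, now.AddMinutes(31)));    // expired ticket
        // Swap the userid but keep the old MAC: integrity check fails.
        string forged = "bob" + cookie.Substring(cookie.IndexOf(':'));
        Console.WriteLine(Validate(forged, now));
    }
}
```

To get the sliding expiry the answer describes, call Issue again on every request that validates and write the new value back; when writing it, set HttpOnly and Secure on the HttpCookie so scripts cannot read it and it never travels over plain HTTP. Note that this is still a bearer token: anyone who obtains the cookie is the user until it expires, which is the same property the built-in Forms ticket has.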