One of the requirements proposed for an ASP.NET application is that we have Session state disabled globally. (This is not negotiable.)
Another requirement is that we have some means for user authentication. I'm thinking of using ASP.NET's membership provider model.
Is it possible to have user authentication without Session State?
The specific user-authentication examples we're looking for are:
Is there a way to do this with cookies?
Can this be done securely, so the cookie cannot be easily spoofed?
Is there built-in functionality in ASP.NET to support this, or will we need to roll our own method?
ASP.NET session state identifies requests from the same browser during a limited time window as a session, and provides a way to persist variable values for the duration of that session. By default, ASP.NET session state is enabled for all ASP.NET applications.
Session uses a cookie to track and identify requests from a single browser. By default, this cookie is named .AspNetCore.
What Does Session State Mean? Session state, in the context of .NET, is a method to keep track of a user session during a series of HTTP requests. Session state allows a developer to store data about a user as he/she navigates through ASP.NET web pages in a .NET web application.
The auth cookie should always be HttpOnly. The only way would be to make an AJAX request and let the cookie be set server-side, in which case you need to ensure you are passing any credentials over SSL. You can set HttpOnly on the cookie instance before it's saved.
ASP.NET Forms authentication does not use SessionState. It uses a cookie to store the authentication ticket.
You can also force the authentication ticket to be sent over an SSL channel by editing the web.config file.
All the functionality you need is available built-in in ASP.NET.
http://msdn.microsoft.com/en-us/library/aa480476.aspx
Sure, a cookie will do this.
Think of the fundamentals. Session State is managed by cookies anyway.
Here's what you do.
When they log in, you take their userid, and a timeout (so the login only lasts for, say, 30 minutes or whatever).
Take that string, and hash it.
(Java, not important though)
// "secretpassword" is a server-side secret; it never leaves the server
String cookie = userid + ":" + timeString + ":" + md5(userid + ":" + timeString + ":" + "secretpassword");
Then, when the request hits your site, check the cookie. First check it for integrity.
String[] parts = cookie.split(":");
// a malformed cookie (wrong number of fields) is rejected before anything is indexed
if (parts.length != 3) {
    // boom, cheater!
}
// recompute the hash with the same server-side secret used when the cookie was issued
String newHash = md5(parts[0] + ":" + parts[1] + ":" + "secretpassword");
if (!newHash.equals(parts[2])) {
    // boom, cheater!
}
Then check the time string to see if they're still "logged in", and go from there.
Make sure if you do the time thing to update the cookie on every request.
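The built-in route mentioned in the Forms authentication answer, carried through for the same user-id-plus-expiry cookie the hand-rolled Java scheme above builds by hand. This is an added example, not code from the original post: it assumes classic ASP.NET (System.Web) with a web.config that sets sessionState mode="Off" and forms requireSSL="true", and the CookieAuth class name is ours; with authentication mode="Forms" the FormsAuthenticationModule performs the Validate step for you, so the explicit version only shows what the cookie carries and how it is checked.

```csharp
// Assumed web.config (not on the original page):
//   <sessionState mode="Off" />
//   <authentication mode="Forms">
//     <forms requireSSL="true" cookieless="UseCookies" protection="All"
//            timeout="30" slidingExpiration="true" />
//   </authentication>
using System;
using System.Web;
using System.Web.Security;

public static class CookieAuth
{
    // Call once, after the login page has verified the credentials.
    public static void Issue(HttpResponse response, string userId)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userId, DateTime.Now, DateTime.Now.AddMinutes(30),
            false /* not persistent */, string.Empty);

        // Encrypt() encrypts and MACs the ticket with the machineKey,
        // so the browser can neither read nor forge it (protection="All").
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true, // unreadable from script
            Secure = true    // only sent over HTTPS
        };
        response.Cookies.Add(cookie);
    }

    // Returns the authenticated user id, or null for a missing, tampered or expired ticket.
    public static string Validate(HttpRequest request, HttpResponse response)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); } // fails on a tampered value
        catch (Exception) { return null; }
        if (ticket == null || ticket.Expired) return null;

        // Sliding expiration: re-issue once more than half the lifetime has elapsed.
        FormsAuthenticationTicket renewed = FormsAuthentication.RenewTicketIfOld(ticket);
        if (!ReferenceEquals(renewed, ticket))
        {
            response.Cookies.Set(new HttpCookie(FormsAuthentication.FormsCookieName,
                FormsAuthentication.Encrypt(renewed)) { HttpOnly = true, Secure = true });
        }
        return ticket.Name;
    }
}
```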