In javascript alert(document.cookie); does not show the .ASPXAUTH Cookie although a sniffer is showing it,
I need it because I have an AJAX Request to the server, the request should not take place when the user is already logged in,
if I cannot check .ASPXAUTH for security reason, what I should do to check whether the user is already logged in.
Thanks
This cookie is a 'session cookie' and tells us that you are actively using our website. .ASPXAUTH. The ASPXAUTH cookie is used to determine if a user is authenticated.
The SetAuthCookie method adds a forms-authentication ticket to either the cookies collection, or to the URL if CookiesSupported is false . The forms-authentication ticket supplies forms-authentication information to the next request made by the browser.
The FormsAuthenticationTicket class is used to create an object that represents the authentication ticket that is used by forms authentication to identify an authenticated user.
Form Authentication is a token-based system. When users log in, they receive a token with user information that is stored in an encrypted cookie. When a user requests an ASP.NET page via the browser, the ASP.NET verifies whether the form authentication token is available.
The authentication cookie is marked with http-only, meaning it cannot be accessed by javascript. If you want to check is the user is authenticated, simply output a javascript variable, an hidden field or whatever you prefer from your code-behind. You can then check this easily in JS.
There is a .ASPXAUTH cookie set, you are obviously correct. It is used to determine if a user if logged in.
To get what you need look over your web.config for the config section:
<authentication mode="Forms">
<forms
loginUrl="~/login.aspx"
protection="All"
timeout="30"
name="ExampleSite.FormsAuthentication"
path="/"
requireSSL="false"
slidingExpiration="true"
defaultUrl="index.aspx"
cookieless="UseDeviceProfile"
enableCrossAppRedirects="false"
/>
</authentication>
When the user is successfully authenticated a cookie will be set based off the name="ExampleSite.FormsAuthentication" parameter. It will expire after logging out or after the session expires. You will see a cookie on Chrome/FFX or whatever browser you are using called ExampleSite.FormsAuthentication with an encrypted value. Obviously the name parameter you are using will be different and not ExampleSite.FormsAuthentication but you get the idea.
You could always check and see if the cookie exists. As mentioned be careful of the http-only (with relation to JS). As you can also override that value in the web.config so you can access it with JS.
<httpCookies httpOnlyCookies="false" requireSSL="false" domain="" />
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With