 

Where is .ASPXAUTH cookie

In JavaScript, alert(document.cookie); does not show the .ASPXAUTH cookie, although a sniffer is showing it.

I need it because I have an AJAX request to the server; the request should not take place when the user is already logged in.

If I cannot check .ASPXAUTH for security reasons, what should I do to check whether the user is already logged in?

Thanks

Costa asked May 19 '10 14:05


People also ask

What is .aspxauth cookie?

.ASPXAUTH is the default name of the ASP.NET forms-authentication cookie. It carries the encrypted forms-authentication ticket and is used to determine whether a user is authenticated.

What does Formsauthentication SetAuthCookie do?

The SetAuthCookie method adds a forms-authentication ticket to either the cookies collection, or to the URL if CookiesSupported is false . The forms-authentication ticket supplies forms-authentication information to the next request made by the browser.

What is FormsAuthenticationTicket?

The FormsAuthenticationTicket class is used to create an object that represents the authentication ticket that is used by forms authentication to identify an authenticated user.

How does ASP.NET forms authentication work?

Forms authentication is a token-based system. When users log in, they receive a ticket with user information that is stored in an encrypted cookie. When a user requests an ASP.NET page via the browser, ASP.NET verifies whether the forms-authentication ticket is present and valid.


2 Answers

The authentication cookie is marked HttpOnly, meaning it cannot be accessed by JavaScript. If you want to check if the user is authenticated, simply output a JavaScript variable, a hidden field or whatever you prefer from your code-behind. You can then check this easily in JS.

Julien Lebosquain answered Oct 13 '22 22:10

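Added example (not code from the answer above): a page code-behind that does what the answer describes, exposing only a yes/no flag to script while the forms-authentication cookie itself stays HttpOnly. It assumes a hypothetical page class ExamplePage with a hidden field declared in its markup as <asp:HiddenField ID="IsLoggedIn" runat="server" />; the control name and the window.isLoggedIn variable name are assumptions for this example.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example code-behind, not from the original answer.
// Assumption: the .aspx markup declares
//   <asp:HiddenField ID="IsLoggedIn" runat="server" />
// so the designer-generated partial class supplies the IsLoggedIn field.
public partial class ExamplePage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Request.IsAuthenticated is true only after FormsAuthenticationModule
        // has decrypted and validated the forms ticket (.ASPXAUTH by default)
        // on this request. Script never needs to read the cookie itself.
        bool authenticated = Request.IsAuthenticated;

        // Option 1: hidden field. Client side:
        //   document.getElementById('<%= IsLoggedIn.ClientID %>').value === '1'
        IsLoggedIn.Value = authenticated ? "1" : "0";

        // Option 2: a JavaScript variable emitted into the page. Only the literal
        // tokens true/false are written, so no user-controlled data reaches script.
        string script =
            "window.isLoggedIn = " + (authenticated ? "true" : "false") + ";\n" +
            // Hypothetical helper the AJAX code can call: runs the request only
            // for anonymous visitors, which is what the question asks for.
            "window.sendIfAnonymous = function (send) { if (!window.isLoggedIn) { send(); } };";

        // Fourth argument true wraps the script in <script> tags.
        ClientScript.RegisterStartupScript(GetType(), "isLoggedIn", script, true);
    }
}
```

The flag is advisory only: it lets the client skip a pointless request, but the server endpoint must still check Request.IsAuthenticated on its own, since anything exposed to script can be changed by script.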

There is a .ASPXAUTH cookie set, you are obviously correct. It is used to determine if a user is logged in.

To get what you need look over your web.config for the config section:

<authentication mode="Forms">
    <forms
        loginUrl="~/login.aspx"
        protection="All"
        timeout="30"
        name="ExampleSite.FormsAuthentication"
        path="/"
        requireSSL="false"
        slidingExpiration="true"
        defaultUrl="index.aspx"
        cookieless="UseDeviceProfile"
        enableCrossAppRedirects="false"
        />
</authentication>

When the user is successfully authenticated a cookie will be set based on the name="ExampleSite.FormsAuthentication" parameter. It will expire after logging out or after the session expires. You will see a cookie in Chrome/FFX or whatever browser you are using called ExampleSite.FormsAuthentication with an encrypted value. Obviously the name parameter you are using will be different and not ExampleSite.FormsAuthentication, but you get the idea.

You could always check and see if the cookie exists. As mentioned, be careful of the HttpOnly flag (with relation to JS). You can also override that value in web.config so you can access it with JS.

<httpCookies httpOnlyCookies="false" requireSSL="false" domain="" />
subv3rsion answered Oct 13 '22 22:10
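Added example (not code from the answer above): a generic handler that performs the "does the cookie exist" check on the server, where the HttpOnly flag is irrelevant, so httpOnlyCookies can stay at its default of true and the ticket remains unreadable to script (and to any XSS payload). It reads the cookie name from the <forms name="..."> setting via FormsAuthentication.FormsCookieName, then decrypts and checks the ticket rather than trusting mere presence of the cookie. The handler name AuthStatusHandler and the JSON shape are assumptions for this example; in a real site context.Request.IsAuthenticated already reflects the same validation, done earlier by FormsAuthenticationModule.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example generic handler (e.g. mapped as AuthStatus.ashx), not from the
// original answer. An AJAX call can hit this endpoint, or the real endpoint can
// apply the same check and return early for logged-in users.
public class AuthStatusHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // FormsCookieName is whatever web.config's <forms name="..."> says;
        // it is ".ASPXAUTH" only when no name attribute is configured.
        string cookieName = FormsAuthentication.FormsCookieName;
        HttpCookie authCookie = context.Request.Cookies[cookieName];

        bool authenticated = IsValidTicket(authCookie);

        // Never let an intermediary cache a per-user answer.
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        context.Response.ContentType = "application/json";
        context.Response.Write(
            "{\"authenticated\":" + (authenticated ? "true" : "false") + "}");
    }

    // Presence of the cookie is not proof of login: the value may be stale,
    // expired, or forged. Decrypt it under the site's machineKey and check expiry.
    private static bool IsValidTicket(HttpCookie authCookie)
    {
        if (authCookie == null || string.IsNullOrEmpty(authCookie.Value))
            return false;

        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(authCookie.Value);
            // Decrypt returns null or throws when the value was tampered with or
            // was issued under a different machineKey; both mean "not logged in".
            return ticket != null && !ticket.Expired;
        }
        catch (Exception)
        {
            return false;
        }
    }
}
```

Because the decision is made server-side, a client that fakes window-level flags or edits its own cookies gains nothing: the forms ticket is encrypted and validated with the server's machineKey, and the client never needs script access to it.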