I did a little analysis on formsauthenticaion and found that formsauthenticationticket is used to add custom data to the cookies

I have tried the below code to understand the workings of formsauthenticationticket

http://msdn2.microsoft.com/en-us/library/system.web.security.formsauthenticationticket.aspx - this seems to be not working.

i spent 2 hrs in learning but in vain. can any one

<%@ Page Language="C#" %>
<%@ Import Namespace="System.Web.Security" %>
<script runat="server">

  private void Login_Click(Object sender, EventArgs e)
  {
    // Create a custom FormsAuthenticationTicket containing
    // application specific data for the user.

    string username     = UserNameTextBox.Text;
    string password     = UserPassTextBox.Text;
    bool   isPersistent = PersistCheckBox.Checked;

    if (Membership.ValidateUser(username, password))
    {
      string userData = "ApplicationSpecific data for this user.";

      FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
        username,
        DateTime.Now,
        DateTime.Now.AddMinutes(30),
        isPersistent,
        userData,
        FormsAuthentication.FormsCookiePath); - what we are trying todo here?

      // Encrypt the ticket.
      string encTicket = FormsAuthentication.Encrypt(ticket); - what we are trying todo here?

      // Create the cookie.
      Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));

      // Redirect back to original URL.
      Response.Redirect(FormsAuthentication.GetRedirectUrl(username, isPersistent)); - what we are trying todo here?
    }
    else
    {
      Msg.Text = "Login failed. Please check your user name and password and try again.";
    }
  }

</script>
<html>
<head>
    <title>Forms Authentication Login</title>
</head>
<body>
    <form runat="server">
        <span style='BACKGROUND: #80ff80'>
          <h3>Login Page</h3>
        </span>
        <asp:Label id="Msg" ForeColor="maroon" runat="server" /><P>
        <table border=0>
            <tbody>
                <tr>
                    <td>Username:</td>
                    <td><asp:TextBox id="UserNameTextBox" type="text" runat="server" /></td>
                    <td>
                      <asp:RequiredFieldValidator id="RequiredFieldValidator1"
                                                  runat="server" ErrorMessage="*"
                                                  Display="Static"
                                                  ControlToValidate="UserNameTextBox" />
                    </td>
                </tr>
                <tr>
                    <td>Password:</td>
                    <td><asp:TextBox id="UserPassTextBox" TextMode="Password" runat="server" /></td>
                    <td>
                      <asp:RequiredFieldValidator id="RequiredFieldValidator2"
                                                  runat="server" ErrorMessage="*"
                                                  Display="Static"
                                                  ControlToValidate="UserPassTextBox" />
                    </td>
                </tr>
                <tr>
                    <td>Check here if this is <u>not</u><br>a public computer:</td>
                    <td><asp:CheckBox id="PersistCheckBox" runat="server" autopostback="true" /></td>
                </tr>
            </tbody>
        </table>
        <input type="submit" value="Login" runat="server" onserverclick="Login_Click" />
    </form>
</body>
</html>

can any one look in the code and give me some help in the analysis of formsauthentication using custom data

its pretty urgent . please help

Hey,

there are a few things you need to be aware of.

1) The "Membership" class details with users and authentication.

2) The "FormsAuthentication" class deals with remembering an authenticated used between different pages. It does with by writing a value into the users cookie, this value is a secure ticket. To allow it to be secure, it is encrypted (going back to the line you high lighted).

3) The "FormsAuthenticationTicket" class produces the ticket used by the previous class to store in the cookie. You do not really need to play with this class yourself, as the FormsAuthentication class handles it all for you (if you want it to .. example below)

Below is some useful advice i posted to the ASP.NET usenet board.

The FormAuthentication class is the one that creates the encrypted ticket in
the cookie. Thus the following checks to see if a user is valid, if so it
"logs" them in by providing the secure cookie

1    if(Membership.ValidateUser("test", "test123"))
2    {
3        Forms.SetAuthCookie("test");
4    }
5    

 Sorry, there is an error in my code, it should read:  

1    if(Membership.ValidateUser("username", "somePassword"))
2    {
3        FormsAuthentication.SetAuthCookie("username");
4    }
5    

Taz

 The "FormsAuthentication" class deals with remembering an authenticated used between different pages. It does with by writing a value into the users cookie, this value is a secure ticket. To allow it to be secure, it is encrypted (going back to the line you high lighted).

which means that

the value of a secure ticket in a users cookies is readable,  when it is not encrypted. ok

then how we can read the value of  secure ticket in a users cookies

Hi,

firstly you need to ask why you want to read the secure ticket. I do not believe that it contains anything useful. Lookup the FormsAuthentication class on msdn2 to figure out how, I have not done it before but there are class members provided.

 Taz

It has some significiant , because what is the purpose of encrypt and decrypt() in formasuthentication.

Ganesh,

This post might help:

http://geekswithblogs.net/vivek/archive/2006/09/14/91191.aspx

Regards,

Vivek

Now, I got the answers for all my questions in my mind, It was superb help from you.

well one more clarification. I am not still conviced about the solution for these doubts

<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="/private/login.aspx" protection ="All" timeout="20" path="/" slidingExpiration="true" timeout = "1">
forms >

1. timeout -> it is not working

2. path - > I dont understand for what it is and what it does

Ganesh,

Why are you suing two timeout values in the config snippedt you pasted?

<forms name=".ASPXAUTH" loginUrl="/private/login.aspx" protection ="All" timeout="20" path="/" slidingExpiration="true" timeout = "1">

I have given a short explanation on the "path" property in my blog, anyways here is it again:

Path tag is used to specify the path where the cookies issued by the web application would be stored. "/" is the recommened setting (also the default).

Hope this helps,

Vivek

i am sorry, it is only one timeout = "1"

after 1 minute the page is not redirected to the login page

i dont really understands by giving path = "/" - what is happening ?

Path sets the FormsCookiePath property of the FormsAuthentication class. This specifies the virtual path which will get transmitted within the cookie (you can see this value when you open the cookie).

-Vivek

i didn't get it

Ganesh,

See this extract from MSDN regarding Path property:

The virtual path to transmit with the cookie. The default is the path of the current request.