ASP.net Authentication question


Simon Harvey

Hi everyone,

I'm hoping that someone can help me with the following:

I don't know too much about asp.net security, but I've copied the following
code out of one of Microsoft's security books. What I'm trying to achieve is
to allow a user access to a secured directory only once his details have been
validated. The directory in question, "/secure/", is specified in a location
element of the web.config file. The code in question is in my login page and
is:

if (SystemUserLogic.validateUser(username, password)) {

    authTicket = new FormsAuthenticationTicket(username, false, 15);
    encryptedTicket = FormsAuthentication.Encrypt(authTicket);
    authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
    Response.Redirect("secure/index.aspx");

}


The problem is that asp.net is denying access to the secure directory even
once I have done the above.

Can anyone see what I have missed out?

Am I right in thinking that this is all I have to do?

Thanks to anyone who can help

Simon
 
The snippet below is from the MSDN library's article:

From Solution Explorer, open global.asax.
Switch to code view and add the following using statements
to the top of the file:

    using System.Web.Security;
    using System.Security.Principal;

Locate the Application_AuthenticateRequest event handler
and add the following code to obtain the forms
authentication cookie from the cookie collection passed
with the request.

    // Extract the forms authentication cookie
    string cookieName = FormsAuthentication.FormsCookieName;
    HttpCookie authCookie = Context.Request.Cookies[cookieName];

    if (null == authCookie)
    {
        // There is no authentication cookie.
        return;
    }

Add the following code to extract and decrypt the
authentication ticket from the forms authentication
cookie.

    FormsAuthenticationTicket authTicket = null;
    try
    {
        authTicket = FormsAuthentication.Decrypt(authCookie.Value);
    }
    catch (Exception ex)
    {
        // Log exception details (omitted for simplicity)
        return;
    }

    if (null == authTicket)
    {
        // Cookie failed to decrypt.
        return;
    }

Add the following code to parse out the pipe-separated list
of role names attached to the ticket when the user was
originally authenticated.

    // When the ticket was created, the UserData property was assigned a
    // pipe-delimited string of role names.
    string[] roles = authTicket.UserData.Split(new char[] {'|'});

Add the following code to create a FormsIdentity object
with the user name obtained from the ticket name and a
GenericPrincipal object that contains this identity
together with the user's role list.

    // Create an Identity object
    FormsIdentity id = new FormsIdentity(authTicket);

    // This principal will flow throughout the request.
    GenericPrincipal principal = new GenericPrincipal(id, roles);

    // Attach the new principal object to the current HttpContext object
    Context.User = principal;
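The login code in the first post builds the ticket and cookie but never adds the cookie to the response, so the browser never receives it and the request to /secure/ arrives anonymous; it also uses the three-argument ticket constructor, which leaves UserData empty, so the Split in the MSDN handler above yields a single empty role name. The following is an added example of a login handler that closes both gaps and fits the MSDN Application_AuthenticateRequest code; it is not the poster's code or Microsoft's, and SystemUserLogic.getRoles, the control names and the Login class are hypothetical.

```csharp
// Login.aspx.cs code-behind (added example, not from the original thread).
using System;
using System.Web;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string username = UserNameTextBox.Text;   // assumed control names
        string password = PasswordTextBox.Text;

        if (!SystemUserLogic.validateUser(username, password))
        {
            // Failed logins get no ticket; the request stays anonymous.
            return;
        }

        // Roles stored pipe-delimited so the Application_AuthenticateRequest
        // handler can Split on '|'. getRoles is a hypothetical helper.
        string roles = string.Join("|", SystemUserLogic.getRoles(username));

        // Seven-argument constructor: version, name, issue time, expiry,
        // persistent flag, UserData, cookie path. 15-minute lifetime as in the post.
        var ticket = new FormsAuthenticationTicket(
            1, username, DateTime.Now, DateTime.Now.AddMinutes(15),
            false, roles, FormsAuthentication.FormsCookiePath);

        string encryptedTicket = FormsAuthentication.Encrypt(ticket);

        var authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
        {
            HttpOnly = true,                          // script cannot read the ticket
            Secure = FormsAuthentication.RequireSSL,  // honour requireSSL in web.config
            Path = FormsAuthentication.FormsCookiePath
        };

        // The missing step: a cookie that is never added to the response is
        // never sent, so every later request would still be denied.
        Response.Cookies.Add(authCookie);

        Response.Redirect("~/secure/index.aspx", false);
    }
}
```

If roles are not needed in the ticket, FormsAuthentication.SetAuthCookie(username, false) performs the create, encrypt and Response.Cookies.Add steps in one call.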
 