Organizational Research By

Surprising Reserch Topic

forms authentication understanding context user identity

forms authentication understanding context user identity  using -'c#,,forms-authentication'

Since documentation on this process is very vague and confusing (or old), I wanted to verify that I was doing it correctly and not missing any steps.

I am trying to create a secure login system, that expires on browser-close.

-- in my web.config I have the following --

<authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" defaultUrl="Index.aspx" name=".ASPXFORMSAUTH" timeout="100" />
      <allow users="?" />
    <machineKey decryption="AES" validation="SHA1" validationKey.......... />

So I have a login form with username/password textbox and this button:

<asp:Button ID="LoginButton" runat="Server" OnClick="Login_Authenticate" Text="Sign in" />

Inside Login_Authenticate I do the following:

protected void Login_Authenticate(object sender, EventArgs e){
string userName = UserName.Text;
string password = Password.Text;

bool Authenticated = false;

// Here's code that makes sure that Username and Password is CORRECT
if(AuthClass.Authenticate(userName, password)){
 Authenticated = true;
// error checking does happen here.

if (Authenticated)
  FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), rememberUserName, String.Empty, FormsAuthentication.FormsCookiePath);
  string encryptedCookie = FormsAuthentication.Encrypt(ticket);
  HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedCookie);
  cookie.Expires = DateTime.Now.AddMinutes(30);
  //FormsAuthentication.RedirectFromLoginPage(userName, false);


--- in the MasterPage.master.cs I have the following check in Page_Init() ---

if (Context.User.Identity.IsAuthenticated)
      int userid = (int)Session["userid"];
      if (userid == null)
        userid = GetUserID(Context.User.Identity.Name);
        if (userid != null)
          Session["userid"] = userid;

--- GLOBAL.ASAX ; some code that I am not quite sure is correct or know what it does

protected void Application_AuthenticateRequest(object sender, EventArgs e)
        // look if any security information exists for this request
        if (HttpContext.Current.User != null)
            // see if this user is authenticated, any authenticated cookie (ticket) exists for this user
            if (HttpContext.Current.User.Identity.IsAuthenticated)
                // see if the authentication is done using FormsAuthentication
                if (HttpContext.Current.User.Identity is FormsIdentity)
                    // Get the roles stored for this request from the ticket
                    // get the identity of the user
                    FormsIdentity identity = (FormsIdentity)HttpContext.Current.User.Identity;
                    //Get the form authentication ticket of the user
                    FormsAuthenticationTicket ticket = identity.Ticket;
                    //Get the roles stored as UserData into ticket
                    string[] roles = { };
                    //Create general prrincipal and assign it to current request

                    HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(identity, roles);

--- from then on, on every page, I use the Session userid to gather the user information and content and make sure the user has proper authentication and group-role permissions.

Is this all correct? Or do I have to Decrypt anything somewhere?

Is this enough to make a secure user login? Or should I not bother with forms authentication and find my own way to make my own cookies and manage it myself?

asked Sep 16, 2015 by nimisha.jagtap
0 votes

Related Hot Questions

4 Answers

0 votes
answered Sep 16, 2015 by akhilesh
0 votes
answered Sep 16, 2015 by vimaldas2005
0 votes
answered Sep 16, 2015 by sujata naik
0 votes
answered Sep 16, 2015 by gauravsinghal83