Customizing the Authentication Cookie
You can use the authentication cookie to store encrypted and validated custom data such as a description of the users’ role in your ASP.NET applications
The authentication cookie, also known as the authentication ticket, is issued when an application redirects its users to a login page. The user enters her credentials and is given a ticket. The display of the login page is governed by an HTTP module, which in the case of successful authentication, redirects the user to the originally requested page. The authentication ticket has a relatively short lifetime (a customizable default duration of 30 minutes) and doesn’t contain any extra or application-specific data. The ticket is a highly secured piece of information because it can be encrypted, validated against tampering with, and even transmitted over a secure HTTPS channel. (This last feature is only supported on ASP.NET 1.1 and newer.) For this reason, it sometimes makes sense to want to store some custom data in it—for example, the role of the user in the application. How can that be accomplished? Easy, just access the cookie and change its properties.
The ASP.NET Forms authentication is designed to make the use of the authentication cookie completely transparent to programmers. The idea is that you declaratively point users to a login page, within which the ID and password can be collected and the identity verified. If the user is known, then you’re expected to call a static method on the FormsAuthentication class—RedirectFromLoginPage—to redirect to the originally requested page. In doing so, that is before the actual redirection takes place, the authentication is issued. If you want to put your hands on the ticket, you must replace the RedirectLoginPage call with a local function. Wrap the following code in a new routine and call it instead of RedirectLoginPage:
// Get the redirect URL string redirectURL; redirectURL = FormsAuthentication.GetRedirectUrl(userName, false); // Create the cookie FormsAuthentication.SetAuthCookie(userName, false); // Retrieve the cookie string cookieName = FormsAuthentication.FormsCookieName; HttpCookie c = Response.Cookies[cookieName]; // Modify the cookie : // Redirect Response.Redirect(redirectURL);
The code above performs four basic operations: obtain the redirect URL, create the authentication cookie, retrieve and modify the cookie from the Response object, and finally redirect to the original URL. The basic tasks are accomplished through ad hoc methods on the FormsAuthentication class. In particular, the SetAuthCookie method creates and attaches the cookie to the cookie's collection of the outgoing response. The method is void and does not perform a redirect. To retrieve and programmatically access the cookie, you simply extract it by name from the Cookies collection of the HttpResponse class.
Once you hold a cookie object, you can modify its duration, as shown below:
c.Expires = DateTime.Now.AddMinutes(minutes); Likewise, you can add custom data to the cookie. c.Values["Role"] = "guest";
Using cookies requires some support from the client browser. In ASP.NET 1.x, cookies are mandatory, and there’s no way to avoid their use as long as you intend to take advantage of the built-in authentication framework.
In ASP.NET 2.0, the core API also supports cookieless semantics. More precisely, the whole API has been reworked to make it expose a nearly identical programming interface but support dual semantics—cookied and cookieless.
