November 07, 2006

Cookies and FormsAuthentication


Cookies are simply a file stored in the client machine which are sent up and down to and from the server with every Request and Response.

The Cookie is used to store some client information such as details of their past session. It allows the Client to return to a webpage and have information already available to them without having to start from scratch.
The Cookie is first sent down from the Server and is stored somewhere on the Client's hard-drive.
It's up to the Web Application developer to do the Cookie processing on the Server side. The Cookie can be accessed from the Request as the Cookie is a property of the HttpRequest, Request.Cookie["cookiename"];

One problem I've encountered with Cookies is that all the cookies associated with your application get Posted from the Client on each Request, this adds to the amount of data sent as you can imagine. There is a solution however, in order to ensure a Cookie is only sent from Client to Server when a certain page is open you must create the Cookie with it's path set to that page;
HttpCookie rememberLogin = new HttpCookie("rememberLogin", rememberLogin.Expires = DateTime.Now.AddDays(5);
rememberLogin.Path = Request.Path;



Who Are You?
There are 2 main types Windows and Forms.

Windows Authentication

This will use the clients credentials i.e. their actual windows login that they are presently using, allowing your server side app to examine who the client actually is.
Note that the client will usually have to pass their credentials onto the Server, this can be done in code adding their credentials, System.Net.CredentialCache.DefaultCredentials, to the HttpRequest with the following:
for a .NET Remoting call:
IDictionary channelProperties = ChannelServices.GetChannelSinkProperties(_remoteObject);
channelProperties["credentials"] = System.Net.CredentialCache.DefaultCredentials;

For all of this to work you muse have "Integrated Windows Authentication" (only) enabled on the Server or a subdirectory within the Server.
If you also have "Anonymous Access" enabled then Windows Authentication will not work, if you must have "Anonymous Access" enabled as well for some reason then follow these 3 steps:
1. Create a subdirectory and set it's Security settings to "Integrated Windows Authentication" e.g. "MyIntegratedDir". This subdirectory will then work as you'd expect and you can use Windows Authentication on this directory.
2. Add an entry to the Web.config to tell IIS Security to permit Anonymous users access to the particular directory.
<location path="MyIntegratedDir">
<allow users="?"/>
3. Place you Custom Authorization code within this directory i.e. probably in an aspx page

FormsAuthentication is not directly related to Cookies but they can work together.

You can access the FormsAuthentication information from code using the FormsAuthenticationTicket.
By querying this object you can redirect etc to other pages depending on roles etc.
The FormsAuthenticationTicket object can then be passed to the Cookie constructor in order to save the information, this means the Client does not have to provide the information on each page, the Cookie is sent up and down to the Server ensuring the Client has access.


In the web.config you can specify what groups or who you wish to allow or deny from your website, you can break your website down into subfolders, this is known as Authorization i.e. What you are allowed to do.

No comments: