6

I have a WCF webHttp service which uses forms authentication to authenticate users. This works fine if the ticket comes in the cookie collection or in the URL.

But now I want to send the string of the forms auth ticket in a custom HTTP header and change the forms auth module to check for that header instead of the cookie.

I think it should be easy to extend forms auth to achieve this, but could not find any resources on how to. Can you point me in the right direction?

Here's how my authentication flow would work:

  1. A client calls the authenticate method with the username and pwd
  2. Service returns the encrypted ticket string
  3. Client sends the received ticket string in an HTTP header with every subsequent request
  4. Service checks for the auth header and validates the auth ticket
Amila
  • Have you tried decompiling the Forms authentication module? You should be able to subclass it and override some of its methods. Or maybe just write your own completely – cecilphillip May 04 '12 at 11:03
  • Why would you like to send the ticket in a custom header instead of a standard Cookie header? – Wiktor Zychla May 07 '12 at 14:35
  • Coz it looks nicer in an API scenario. Sending cookies does not look natural for an API – Amila May 08 '12 at 17:23
  • Why a custom header? Sending authentication details in a header can be done with "normal" basic auth or windows auth (which uses the "Authorization" header which is intended for the purpose you describe!) – Bjørn van Dommelen May 09 '12 at 14:49

2 Answers

3

The FormsAuthentication module is not extensible, but you could write your own authentication. It is very simple:

Authentication (step 2):


// Build a ticket for the validated user and encrypt it (the machineKey also MACs it)
var formsTicket = new FormsAuthenticationTicket(
    1, login, DateTime.Now, DateTime.Now.AddYears(1), persistent, String.Empty);
var encryptedFormsTicket = FormsAuthentication.Encrypt(formsTicket);
// return encryptedFormsTicket string to client

Service call with attached ticket (step 4):


// Decrypt throws if the string was tampered with or issued under another machineKey
var ticket = FormsAuthentication.Decrypt(encryptedFormsTicket);
// extract authentication info from ticket: ticket.Name, and check ticket.Expired
6opuc
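The flow from the question (an Authenticate operation that hands out the encrypted ticket, and a per-request check of a custom header) put together as a complete WCF webHttp service. This is an added example, not code from the question or from either answer. It assumes the header is called X-Auth-Ticket, that credentials are checked with the ASP.NET Membership provider (swap in your own store), and that the validated ticket is passed to the operation through the message properties rather than through Thread.CurrentPrincipal.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Web;
using System.Web.Security;

[ServiceContract]
public interface IApiService
{
    // Steps 1 and 2: client posts credentials, service returns the encrypted ticket string.
    [OperationContract]
    [WebInvoke(Method = "POST", UriTemplate = "authenticate",
               BodyStyle = WebMessageBodyStyle.WrappedRequest,
               RequestFormat = WebMessageFormat.Json, ResponseFormat = WebMessageFormat.Json)]
    string Authenticate(string username, string password);

    // Steps 3 and 4: every other call must carry the ticket in the X-Auth-Ticket header.
    [OperationContract]
    [WebGet(UriTemplate = "whoami", ResponseFormat = WebMessageFormat.Json)]
    string WhoAmI();
}

[RequireTicketHeader]   // installs the inspector below on every endpoint of this service
public class ApiService : IApiService
{
    public string Authenticate(string username, string password)
    {
        // Assumption: credentials live in the ASP.NET Membership provider.
        if (!Membership.ValidateUser(username, password))
            throw new WebFaultException(HttpStatusCode.Unauthorized);

        // The ticket is a bearer token: whoever holds the header value can replay it until
        // it expires, so keep the lifetime short. Encrypt() applies the machineKey MAC that
        // makes Decrypt() reject any modified ticket.
        var ticket = new FormsAuthenticationTicket(
            1, username, DateTime.Now, DateTime.Now.AddMinutes(30), false, String.Empty);
        return FormsAuthentication.Encrypt(ticket);
    }

    public string WhoAmI()
    {
        // The inspector only lets a request reach here after it stored a valid ticket.
        var ticket = (FormsAuthenticationTicket)
            OperationContext.Current.IncomingMessageProperties[TicketHeaderInspector.TicketProperty];
        return ticket.Name;
    }
}

public class TicketHeaderInspector : IDispatchMessageInspector
{
    public const string HeaderName = "X-Auth-Ticket";          // assumed header name
    public const string TicketProperty = "ValidatedFormsTicket"; // assumed property key

    public object AfterReceiveRequest(ref Message request, IClientChannel channel,
                                      InstanceContext instanceContext)
    {
        // The authenticate call is the only operation reachable without a ticket.
        if (request.Headers.To.AbsolutePath.EndsWith("/authenticate", StringComparison.OrdinalIgnoreCase))
            return null;

        var http = request.Properties[HttpRequestMessageProperty.Name] as HttpRequestMessageProperty;
        string encrypted = http == null ? null : http.Headers[HeaderName];

        FormsAuthenticationTicket ticket = null;
        if (!String.IsNullOrEmpty(encrypted))
        {
            try { ticket = FormsAuthentication.Decrypt(encrypted); }
            catch (Exception) { ticket = null; }   // garbage, tampered, or foreign machineKey
        }

        // Missing, undecryptable and expired tickets are all rejected the same way.
        if (ticket == null || ticket.Expired)
            throw new WebFaultException(HttpStatusCode.Unauthorized);

        request.Properties[TicketProperty] = ticket;
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }
}

// Service behavior, usable as an attribute, that adds the inspector to each endpoint.
public class RequireTicketHeaderAttribute : Attribute, IServiceBehavior
{
    public void ApplyDispatchBehavior(ServiceDescription description, ServiceHostBase host)
    {
        foreach (ChannelDispatcher dispatcher in host.ChannelDispatchers)
            foreach (EndpointDispatcher endpoint in dispatcher.Endpoints)
                endpoint.DispatchRuntime.MessageInspectors.Add(new TicketHeaderInspector());
    }

    public void AddBindingParameters(ServiceDescription description, ServiceHostBase host,
        Collection<ServiceEndpoint> endpoints, BindingParameterCollection parameters) { }

    public void Validate(ServiceDescription description, ServiceHostBase host) { }
}
```

Two things to check when deploying this: the ticket is only as good as the machineKey that signs it, so on a web farm the key must be set explicitly in web.config rather than auto-generated per server, and because the header value is a replayable bearer token the endpoint should only be exposed over HTTPS.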
2

I am not sure this is the way to go (elegance-wise), but what about adding an event in global.asax.cs for Application BeginRequest and taking the string from the header and injecting a cookie into the Request yourself (Forms authentication should then pick that up).

Something like:


protected void Application_BeginRequest()
{
    // Read the ticket string from the custom header (header name is a placeholder);
    // null when the header is absent, in which case the request stays anonymous.
    string cookieText = Request.Headers["X-Auth-Ticket"];
    if (String.IsNullOrEmpty(cookieText))
        return;

    FormsAuthenticationTicket cookieData;
    try
    {
        cookieData = FormsAuthentication.Decrypt(cookieText);
    }
    catch (Exception)
    {
        return; // tampered ticket or wrong machineKey: leave the request unauthenticated
    }

    if (!cookieData.Expired)
    {
        // FormsAuthenticationModule looks up the cookie by FormsAuthentication.FormsCookieName,
        // not by the user name stored in the ticket.
        Request.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, cookieText));
    }
}

DISCLAIMER: Please note that I didn't test this, just throwing a possible approach your way!

Mirko