
I tried implementing ASP.NET role-based authorization for my project, but I never found the cookie saved in the client browser. I tried some testing code like:

using System.Security.Principal;
using System.Web.Security;
RolePrincipal rolePrincipal = new RolePrincipal(new GenericIdentity("a")); // bare identity, no roles attached
string text1 = rolePrincipal.ToEncryptedTicket(); // the string that would be stored in the roles cookie

There are no roles in such a simple RolePrincipal object, and Roles.CookieProtectionValue is set to 'None'. However, the length of text1 is 4,688, which is larger than 4,096, so it fails to push the cookie into the client browser.

It does not make sense; otherwise it's not possible to use a cookie to cache the roles.

What's wrong with it?

Thanks

Here are the related sections in web.config:

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" name=".TestAUTH"/>
</authentication>
<membership>
  <providers>
    <clear/>
    <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices"
         enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
         maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
         applicationName="/" />
  </providers>
</membership>

<profile>
  <providers>
    <clear/>
    <add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/" />
  </providers>
</profile>

<roleManager enabled="true" cookieName=".TestROLE" cookieProtection="None" cacheRolesInCookie="true" cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="false" >
  <providers>
    <clear/>
    <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/" />
    <!--<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />-->
  </providers>
</roleManager>
Johnny
  • Check this post http://stackoverflow.com/questions/836043/does-the-asp-net-rolemanager-really-cache-the-roles-for-a-user-in-a-cookie-if-so – you shouldn't have to do this manually; let .NET sort it out for you – Luke Baughan Aug 22 '12 at 17:32
  • Thank you! I don't want to do this manually either, but I cannot see cookies for roles in the client browser after I called IsInRole and GetRolesForUser, so I did some testing like the sample code. I think I have similar settings to the post you shared; I just cannot get the cookie generated... That's weird – Johnny Aug 22 '12 at 18:43
  • Could you post your web.config section relating to membership? Happy to double check it for you. – Luke Baughan Aug 22 '12 at 18:45
  • Thanks a lot! I updated the content of web.config in the original post; most of them are default settings. And the cookie '.TestAUTH' can be found in the client browser. – Johnny Aug 22 '12 at 18:52
  • Added an answer to show explicitly what I *think* you need to do ;o) – Luke Baughan Aug 22 '12 at 19:35

3 Answers


Try adding a default provider, so from this:

<roleManager enabled="true" cookieName=".TestROLE" cookieProtection="None" cacheRolesInCookie="true" cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="false" >
  <providers>
    <clear/>
    <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/" />
    <!--<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />-->
  </providers>
</roleManager>

to this:

<roleManager defaultProvider="AspNetSqlRoleProvider" enabled="true" cookieName=".TestROLE" cookieProtection="None" cacheRolesInCookie="true" cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="false" >
  <providers>
    <clear/>
    <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/" />
    <!--<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />-->
  </providers>
</roleManager>
Luke Baughan
  • I just tried adding defaultProvider to web.config; unfortunately it's still the old way, without a cookie generated – Johnny Aug 22 '12 at 19:52
  • Just to be sure - you have got some roles defined and have associated them to the user you're logging in as? – Luke Baughan Aug 22 '12 at 20:22
  • Yes, I have one role, admin, assigned to my testing user account; I have debugged to get the correct value from the GetRolesForUser and IsInRole functions – Johnny Aug 22 '12 at 20:48
  • Looking at the accepted answer here http://stackoverflow.com/questions/3282999/asp-net-custom-roleprovider-not-resepecting-cacherolesincookie-true it looks like it's only used when IsInRole is called - could you try calling that instead and let me know whether the cookie is generated/used? – Luke Baughan Aug 22 '12 at 21:06
  • It seems to be a bug in .NET Framework 4.5: when I uninstalled .NET Framework 4.5 and re-installed Framework 4.0, the cookie was back. The length of the cookie text generated in v4.5 is 10 times longer than in v4.0... – Johnny Aug 23 '12 at 03:16

Unfortunately this is by design, due to changes in the underlying types in .NET 4.5. You can turn off storing user roles in cookies to prevent this issue (http://msdn.microsoft.com/en-us/library/system.web.security.roles.cacherolesincookie.aspx).

https://connect.microsoft.com/VisualStudio/feedback/details/759157/net-4-5-binaryformatter-serialization-generates-too-long-string

Johnny
  • I have updated the resolution of this bug, as it is fixed and the fix will be available soon via Windows Update. Thanks for reporting this issue. Much appreciated – Anand Nov 12 '12 at 22:37
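As an added example (not part of the original thread), the question's roleManager section with the two settings a defender would change: cacheRolesInCookie="false", the workaround this answer describes for .NET 4.5 before the fix, and cookieProtection="All" in place of "None", since with "None" the roles cookie is neither encrypted nor validated, so its contents are not trustworthy as an authorization input. Provider and cookie names are the ones from the question; cookieRequireSSL="true" assumes the site is served over HTTPS.

```xml
<!-- Before (from the question): roles cached client-side in an unprotected cookie -->
<roleManager enabled="true" cookieName=".TestROLE" cookieProtection="None"
             cacheRolesInCookie="true" cookieTimeout="30" cookiePath="/"
             cookieRequireSSL="false" cookieSlidingExpiration="false">
  <providers>
    <clear/>
    <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider"
         connectionStringName="ApplicationServices" applicationName="/" />
  </providers>
</roleManager>

<!-- After: no roles cookie at all on 4.5 before KB 2750147 (roles come from the
     provider on each IsInRole check), and, if the cookie is re-enabled after the
     fix, it is encrypted and signed with the machineKey rather than left in clear.
     cookieProtection="All" requires the same machineKey on every server in a farm. -->
<roleManager defaultProvider="AspNetSqlRoleProvider" enabled="true"
             cookieName=".TestROLE" cookieProtection="All"
             cacheRolesInCookie="false" cookieTimeout="30" cookiePath="/"
             cookieRequireSSL="true" cookieSlidingExpiration="false">
  <providers>
    <clear/>
    <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider"
         connectionStringName="ApplicationServices" applicationName="/" />
  </providers>
</roleManager>
```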

FYI:

Microsoft has recently published an update which fixes this issue.

See KB 2750147

smai