
I'm using cookies to pass user information for authentication as seen in this question. Everything was working fine, until our team upgraded our computers and are now on windows 10. Now my cookie is not found in global.asax.cs's Application_PostAuthenticateRequest.

Here's my code trying to send the cookie:

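private void AddUserDataToCookies(User user)
    {
        // Snapshot of the caller's identity and authorization data that is carried
        // inside the forms ticket (UserData) so later requests can rebuild the principal
        // without a database round trip.
        var serializeModel = new WebUserSerializeModel
        {
            FirstName = user.Person.FirstName,
            MiddleName = user.Person.MiddleName,
            LastName = user.Person.LastName,
            CredentialNumber = user.CredentialNumber,
            Roles = user.Roles.Select(role => role.Name).ToList(),
            Permissions = user.Permissions.Select(perm => perm.PrimaryKey).ToList()
        };

        var userData = new JavaScriptSerializer().Serialize(serializeModel);

        // Use one clock reading for issue and expiry so the 15-minute lifetime is exact.
        // isPersistent=false: the cookie itself is a session cookie; the ticket's own
        // expiry is what bounds how long it is honoured.
        var issued = DateTime.Now;
        var authTicket = new FormsAuthenticationTicket(1, user.CredentialNumber, issued, issued.AddMinutes(15), false, userData);
        var encryptedTicket = FormsAuthentication.Encrypt(authTicket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
        {
            // Secure: the browser returns this cookie over HTTPS only. On a plain-http
            // site it is set but never sent back, so later requests see no cookie at all.
            Secure = true,
            // HttpOnly: keep the ticket out of reach of script (XSS hardening).
            HttpOnly = true
        };

        Response.Cookies.Add(cookie);
        // Note: reading Request.Cookies[FormsAuthentication.FormsCookieName] right here is
        // not a useful check; ASP.NET mirrors cookies added to the response into the
        // current request's collection, so it would appear present regardless of what
        // the browser later does with it.
    }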

The cookie shows up in `Request.Cookies` right after `Response.Cookies.Add` — but that is ASP.NET mirroring the response cookie into the current request's collection, not evidence that the browser kept it. On the next request, in `Application_PostAuthenticateRequest`, it is missing. My global.asax code is below.

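protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        // Rebuilds the WebUser principal from the forms ticket carried in the auth cookie.
        // Integrity of the roles/permissions inside the ticket rests on the forms-auth
        // encryption/validation (machineKey); a tampered cookie fails Decrypt below.
        var cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
        {
            return;
        }

        try
        {
            var authTicket = FormsAuthentication.Decrypt(cookie.Value);

            // Decrypt does not enforce the ticket lifetime: an expired ticket comes back
            // with Expired == true rather than null. Check it here so a captured cookie
            // stops working once the lifetime set at issue time has passed, whether or not
            // FormsAuthenticationModule has already dropped it for this request.
            if (authTicket == null || authTicket.Expired)
            {
                RejectAuthenticationCookie(null);
                return;
            }

            var serializer = new JavaScriptSerializer();
            var serializeModel = serializer.Deserialize<WebUserSerializeModel>(authTicket.UserData);

            var user = new WebUser(serializeModel.FirstName, serializeModel.LastName)
            {
                MiddleName = serializeModel.MiddleName,
                CredentialNumber = serializeModel.CredentialNumber,
                Roles = serializeModel.Roles,
                Permissions = serializeModel.Permissions
            };

            HttpContext.Current.User = user;
        }
        catch (CryptographicException ex)
        {
            // Wrong machineKey or a tampered ticket.
            RejectAuthenticationCookie(ex);
        }
        catch (ArgumentException ex)
        {
            // Decrypt rejects a malformed cookie value (e.g. not valid hex, odd length)
            // with ArgumentException rather than CryptographicException.
            RejectAuthenticationCookie(ex);
        }
    }

    // Discards the forms cookie and leaves the request unauthenticated.
    // ex is null when the ticket decrypted but is expired (routine, not logged);
    // otherwise it is the failure raised by FormsAuthentication.Decrypt.
    private void RejectAuthenticationCookie(Exception ex)
    {
        if (ex != null)
        {
            Logger.Error("Error while decrypting cookie post authentication.", ex);
        }

        FormsAuthentication.SignOut();
        HttpContext.Current.User = null;
    }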

Does anyone have any ideas why changing to Windows 10 may have causes this issue? I'm somewhat new to ASP.NET and web development in general.

EDIT - removing `Secure = true` when creating the cookie made it work. The `Secure` flag tells the browser to send the cookie only over HTTPS, and my local site runs over plain HTTP, so the browser never returned it. I'm still checking why this differed on my old workstation before I add an answer, and I welcome any insights.



As mentioned in my edit, the problem was that `Secure` was set to true when creating my cookie but I did not have SSL enabled when running locally, unlike, I guess, on my old workstation. A `Secure` cookie is only sent back by the browser over HTTPS, so on a plain-http local site the cookie was set but never returned. The code in my controller currently looks like:

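private void AddUserDataToCookies(User user)
    {
        // Identity and authorization snapshot carried in the forms ticket's UserData so
        // later requests can rebuild the principal without hitting the database. Roles
        // and permissions are therefore only as fresh as the ticket lifetime.
        var serializeModel = new WebUserSerializeModel
        {
            FirstName = user.FirstName,
            MiddleName = user.MiddleName,
            LastName = user.LastName,
            CredentialNumber = user.CredentialNumber,
            Roles = user.Roles,
            Permissions = user.Permissions
        };

        var userData = new JavaScriptSerializer().Serialize(serializeModel);

        // FormsAuthentication.Timeout is a TimeSpan. Its .Minutes property is only the
        // minutes *component* (timeout="90" gives 30, timeout="120" gives 0, i.e. a ticket
        // that is already expired when issued), so add the whole span instead.
        // The ticket constructor takes local times (it derives the UTC values itself),
        // so DateTime.Now is the right clock here; one reading keeps issue/expiry exact.
        var issued = DateTime.Now;
        var authTicket = new FormsAuthenticationTicket(
            1,
            user.CredentialNumber,
            issued,
            issued.Add(FormsAuthentication.Timeout),
            false,
            userData,
            FormsAuthentication.FormsCookiePath);
        var encryptedTicket = FormsAuthentication.Encrypt(authTicket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
        {
            // Keep the ticket out of reach of script.
            HttpOnly = true,
            // Scope the cookie to the same path the ticket was issued for.
            Path = FormsAuthentication.FormsCookiePath,
            // Secure makes the browser return the cookie over HTTPS only. Local development
            // runs over plain HTTP, so the flag is dropped for loopback requests — but never
            // when web.config demands SSL (requireSSL="true"). Note Request.IsLocal is true
            // for any request originating from the server itself, not just a dev box.
            Secure = FormsAuthentication.RequireSSL || !Request.IsLocal
        };

        Response.Cookies.Add(cookie);
    }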

The `Request.IsLocal` toggle is a bit ugly (it drops the `Secure` flag for any request originating from the server itself, not only a developer's loopback), but it's good enough for now until we decide whether to enable SSL for everyone locally. A cleaner option is to drive the flag from `requireSSL` in web.config with a per-environment config transform, which is how `FormsAuthentication.SetAuthCookie` decides it.

At least it was an easy fix.