5

My login code, after authentication:

```csharp
var authTicket = new FormsAuthenticationTicket(
    1,                            // version
    userName,
    DateTime.Now,                 // issue date
    DateTime.Now.AddMinutes(20),  // expiry
    false,                        // isPersistent
    roles,                        // userData: comma-separated role names
    "/");                         // cookie path
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket));
Response.Cookies.Add(cookie);
```

and, thanks to Darin Dimitrov, I have a custom Authorize attribute:

```csharp
using System;
using System.Security.Principal;
using System.Web.Mvc;
using System.Web.Security;

[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true, AllowMultiple = true)]
public class TJAuthorize : AuthorizeAttribute {
    public override void OnAuthorization(AuthorizationContext filterContext) {
        string cookieName = FormsAuthentication.FormsCookieName;

        // Reject the request unless the runtime authenticated it and the ticket cookie is present.
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated ||
                filterContext.HttpContext.Request.Cookies == null ||
                filterContext.HttpContext.Request.Cookies[cookieName] == null) {
            HandleUnauthorizedRequest(filterContext);
            return;
        }

        // Rebuild the principal from the roles stored in the ticket's UserData.
        var authCookie = filterContext.HttpContext.Request.Cookies[cookieName];
        var authTicket = FormsAuthentication.Decrypt(authCookie.Value);
        string[] roles = authTicket.UserData.Split(',');

        var userIdentity = new GenericIdentity(authTicket.Name);
        var userPrincipal = new GenericPrincipal(userIdentity, roles);

        filterContext.HttpContext.User = userPrincipal;
        base.OnAuthorization(filterContext);
    }
}
```

This all works beautifully when I'm working in a browser session. But now I am working with a Flash/Adobe Air client, and the authentication attribute is causing a failure. By putting debug statements into the code, I can tell that:

filterContext.HttpContext.User.Identity.IsAuthenticated

is false - even after a successful login!

Why should there be any difference between using a browser client and an Air client? And how do I fix this?

EDIT: Another clue: after putting in some more debug statements, I have found that the filterContext.HttpContext.User.Identity is not correctly set when making the call from Air - the Name property comes out blank! Session ID is correct, cookie ID is correct - but the User.Identity is not set. Any ideas why this might be happening?

Shaul Behr

3 Answers

4

Perhaps HttpCookieMode (http://msdn.microsoft.com/en-us/library/system.web.httpcookiemode.aspx) is set to the wrong value?

Default is UseDeviceProfile ... what happens when you force it to UseCookies?

davidkomer
  • Amazing - I added `cookieless="UseCookies"` to the `` tag in ``, and now it works! You genius, you! :) – Shaul Behr Jul 06 '11 at 16:12
  • Yay!! Thank G-d! ... it was a team effort- great work Shaul! Thanks @vnuk for helping us think in the right direction too! – davidkomer Jul 06 '11 at 16:51
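
The symptom in the question (ticket cookie sent, `IsAuthenticated` false) fits `UseDeviceProfile`: in that mode the runtime decides from the browser definition matched on the User-Agent whether to read the ticket from a cookie, and a client it does not recognise as cookie-capable is treated as cookieless. The diagnostic below is an added example, not code from the question or the answers; `FormsAuthDiagnostics` and `Describe` are hypothetical names, and the `AutoDetect` case is simplified.

```csharp
using System.Web;
using System.Web.Security;

// Added diagnostic, not code from the question or answers.
// FormsAuthDiagnostics and Describe are hypothetical names.
// Call from OnAuthorization, e.g.:
//   System.Diagnostics.Debug.WriteLine(FormsAuthDiagnostics.Describe(filterContext.HttpContext));
public static class FormsAuthDiagnostics
{
    // Summarises where Forms Authentication will look for the ticket on this request.
    public static string Describe(HttpContextBase context)
    {
        HttpRequestBase request = context.Request;
        HttpBrowserCapabilitiesBase caps = request.Browser;
        HttpCookieMode mode = FormsAuthentication.CookieMode;

        // Did the client actually send the ticket cookie?
        bool cookieSent = request.Cookies[FormsAuthentication.FormsCookieName] != null;

        // Will the runtime look at it?
        bool readsCookie;
        switch (mode)
        {
            case HttpCookieMode.UseCookies: readsCookie = true; break;
            case HttpCookieMode.UseUri: readsCookie = false; break;
            default:
                // UseDeviceProfile decides from the browser definition matched on User-Agent.
                // AutoDetect additionally probes the client; treated the same here (simplification).
                readsCookie = caps.Cookies && caps.SupportsRedirectWithCookie;
                break;
        }

        return string.Format(
            "mode={0}; UA=\"{1}\"; Browser.Cookies={2}; SupportsRedirectWithCookie={3}; " +
            "ticket cookie sent={4}; runtime reads cookie={5}; IsAuthenticated={6}",
            mode, request.UserAgent, caps.Cookies, caps.SupportsRedirectWithCookie,
            cookieSent, readsCookie,
            context.User != null && context.User.Identity.IsAuthenticated);
    }
}
```

A line showing `ticket cookie sent=True; runtime reads cookie=False` is the mismatch that `cookieless="UseCookies"` removes. Forcing cookies also keeps the ticket out of URLs, where it would be recorded in logs and Referer headers.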
2

It's a long shot, but IsAuthenticated depends on the client's ASPXAUTH cookie (or whatever you've named it) being sent with the request. Make sure that Flash/Air is sending that cookie (by Wireshark or any other network tool).

Vnuk
  • Yep, good thought, but I am sending the ASPXAUTH cookie, have checked that it's the same as what's being returned after authentication... – Shaul Behr Jul 06 '11 at 08:27
  • There must be something different in air request. Capture both requests with wireshark and compare them. – Vnuk Jul 06 '11 at 08:39
  • I'm working with Shaul on this... we're using Charles and there are no differences in the Cookies (there are differences in other parameters though) – davidkomer Jul 06 '11 at 08:51
  • Looking at the code posted above, anything other than a cookie problem doesn't make sense, at least to me. On each request aspnet must authenticate the request, and it can only be done via the auth cookie. – Vnuk Jul 06 '11 at 09:11
  • This is puzzling indeed. Obviously aspnet has problems on authorization but if session and auth cookie is sent I don't know of anything else. When you get really desperate download .net debug symbols and step through aspnet code. – Vnuk Jul 06 '11 at 09:52
  • This looks like a useful page: http://smehrozalam.wordpress.com/2009/01/01/using-customprincipal-with-forms-authentication-in-aspnet/ – davidkomer Jul 06 '11 at 10:44
0

Does the HttpContext.User.Identity show up in the Application_AuthorizeRequest in global.asax?

davidkomer