[Mono-list] Current state of FormsAuthentication
Ilya Kharmatsky
ilyak@mainsoft.com
Sun, 06 Mar 2005 18:49:01 +0200
This is a multi-part message in MIME format.
--------------060608060903090102060008
Content-Type: multipart/alternative;
boundary="------------050407030105050604070602"
--------------050407030105050604070602
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Hi!
We found regression in latest version of Forms Authentication - in case
when the FormsAuthenticationTicket is not persistent (created with
FormsAuthentication.SetAuthCookie("userName", false))
the HttpRequest.IsAuthenticated will return false.
Attached possible patch (in FormsAuthenticationModule.cs) and test case.
Thanks,
Ilya Kharmatsky.
Gonzalo Paniagua Javier wrote:
>On Wed, 2005-03-02 at 11:45 -0700, Jesse Pasichnyk wrote:
>
>
>>I am working on developing an ecommerce site with mono/postgres and am
>>having some issues with the a Forms based security login area.
>>
>>
>
>
>Last mono release shipped with a regression that might make
>FormsAuthentication fail.
>
>You can get a new System.Web.dll from
>http://www.go-mono.com/archive/1.0.6/System.Web.dll or
>http://www.go-mono.com/archive/1.1.4/System.Web.dll
>
>-Gonzalo
>
>
>_______________________________________________
>Mono-list maillist - Mono-list@lists.ximian.com
>http://lists.ximian.com/mailman/listinfo/mono-list
>
>
>
--------------050407030105050604070602
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Hi!<br>
<br>
We found regression in latest version of Forms Authentication - in case<br>
when the FormsAuthenticationTicket is not persistent (created with <br>
FormsAuthentication.SetAuthCookie("userName", false)) <br>
the HttpRequest.IsAuthenticated will return false.<br>
<br>
Attached possible patch (in FormsAuthenticationModule.cs) and test
case. <br>
<br>
Thanks,<br>
Ilya Kharmatsky.<br>
<br>
Gonzalo Paniagua Javier wrote:
<blockquote cite="mid1110070103.31447.11.camel@localhost.localdomain"
type="cite">
<pre wrap="">On Wed, 2005-03-02 at 11:45 -0700, Jesse Pasichnyk wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I am working on developing an ecommerce site with mono/postgres and am
having some issues with the a Forms based security login area.
</pre>
</blockquote>
<pre wrap=""><!---->
Last mono release shipped with a regression that might make
FormsAuthentication fail.
You can get a new System.Web.dll from
<a class="moz-txt-link-freetext" href="http://www.go-mono.com/archive/1.0.6/System.Web.dll">http://www.go-mono.com/archive/1.0.6/System.Web.dll</a> or
<a class="moz-txt-link-freetext" href="http://www.go-mono.com/archive/1.1.4/System.Web.dll">http://www.go-mono.com/archive/1.1.4/System.Web.dll</a>
-Gonzalo
_______________________________________________
Mono-list maillist - <a class="moz-txt-link-abbreviated" href="mailto:Mono-list@lists.ximian.com">Mono-list@lists.ximian.com</a>
<a class="moz-txt-link-freetext" href="http://lists.ximian.com/mailman/listinfo/mono-list">http://lists.ximian.com/mailman/listinfo/mono-list</a>
</pre>
</blockquote>
</body>
</html>
--------------050407030105050604070602--
--------------060608060903090102060008
Content-Type: text/plain;
name="FormAuthModule.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="FormAuthModule.patch"
Index: System.Web.Security/FormsAuthenticationModule.cs
===================================================================
--- System.Web.Security/FormsAuthenticationModule.cs (revision 41482)
+++ System.Web.Security/FormsAuthenticationModule.cs (working copy)
@@ -15,10 +15,10 @@
// distribute, sublicense, and/or sell copies of the Software, and to
// permit persons to whom the Software is furnished to do so, subject to
// the following conditions:
-//
+//
// The above copyright notice and this permission notice shall be
// included in all copies or substantial portions of the Software.
-//
+//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
@@ -65,7 +65,7 @@
string reqPath = context.Request.PhysicalPath;
string loginPath = context.Request.MapPath (loginPage);
context.SkipAuthorization = (reqPath == loginPath);
-
+
FormsAuthenticationEventArgs formArgs = new FormsAuthenticationEventArgs (context);
if (Authenticate != null)
Authenticate (this, formArgs);
@@ -76,13 +76,13 @@
context.User = formArgs.User;
return;
}
-
+
HttpCookie cookie = context.Request.Cookies [cookieName];
if (cookie == null || (cookie.Expires != DateTime.MinValue && cookie.Expires < DateTime.Now))
return;
FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt (cookie.Value);
- if (ticket == null || ticket.Expired)
+ if (ticket == null || (ticket.IsPersistent && ticket.Expired))
return;
if (config.SlidingExpiration)
--------------060608060903090102060008
Content-Type: text/plain;
name="FormsAuthTestCase.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="FormsAuthTestCase.txt"
private void Page_Load(object sender, System.EventArgs e)
{
Response.Write("Request.IsAuthenticated "+Request.IsAuthenticated + "<br>");
HttpCookieCollection collection = Response.Cookies;
Response.Write("Before setting forms cookie! <br>");
foreach(string o in collection)
{
Response.Write(collection[o].Name + " " +collection[o].Value + "<br>");
}
FormsAuthentication.SetAuthCookie("userName", false);
collection = Response.Cookies;
Response.Write("After setting forms cookie! <br>");
foreach(string o in collection)
{
Response.Write(collection[o].Name + " " +collection[o].Value + " " + collection[o].Expires + "<br>");
}
}
--------------060608060903090102060008--