State Management and Forms Authentication

  • Question

  • User1843806588 posted

    I've configured my application to deny just about everything from unauthenticated users.  So, if you've not authenticated, you only have access to ~/Accounts/Login.aspx.  I require users to have cookies enabled and Session cookies.  When I block cookies on my client browser, the app consistently keeps me from authenticating - which is sort of what I want.

    What I would like to happen is that at this point the user is notified that they need to enable cookies.  Before, I tried writing cookies and checking the data, but that process was ignored.  The idea was that I would redirect the user to a page that would tell them to enable cookies.

    So, .NET can tell whether or not cookies and Session cookies are enabled.  How can I manipulate the behavior?  I presume this has something to do with the Forms Authentication process.

    TIA.

    Friday, July 27, 2012 2:46 PM

All replies

  • User-1404016747 posted

    You can check to see if the client has cookies enabled client side using JavaScript like so:

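    <script language="javascript">
    <!--
        // Use the current timestamp as a unique probe value.
        var tmpcookie = new Date();
        var chkcookie = (tmpcookie.getTime() + '');
        // Try to write the probe cookie, then read it back.
        document.cookie = "chkcookie=" + chkcookie + "; path=/";
        if (document.cookie.indexOf(chkcookie, 0) < 0) {
            // The value did not persist, so cookies are blocked.
            window.location = 'nocookies.html';
        }
    //-->
    </script>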
    

    Server side, check this post out:
    http://forums.asp.net/t/1044823.aspx

    Friday, July 27, 2012 2:57 PM
  • User1843806588 posted

    Thanks for the reply, jprochazka.

    I'll try that out as well.

    But at this point, I really need to understand what .NET is doing and how I can work with it.  Regardless of my code attempts, the web app does what it wants to do and it doesn't appear to be connected to my manipulation of cookies.  The logic of the situation is already there in .NET, I just need to learn how to manipulate it.

    Friday, July 27, 2012 3:05 PM
  • User-1404016747 posted

    You could try and set a cookie on ~/Accounts/Login.aspx during Page_Load then check if the cookie value is there on the Click event to log in. If you are not able to get the value you set for the cookie Response.Redirect them somewhere telling them to enable cookies.

    I would also use the JavaScript in conjunction with this idea, since the JavaScript is client side and will redirect before they try to log in, whereas to check server side they will need to post back the form.

    Basically in .NET cookies go like so:
    A user visits a page and a cookie is set containing a value. In order to reference this value, .NET will have to process the page once again server side, meaning a page refresh, click event, etc. will be required before it is able to check for the cookie and its value. So if you are creating your cookie on the login page you will not be able to check for the cookie until the login is attempted. An example of code you can use in your login page during the page load event:

            If Page.IsPostBack Then
                ' Check if cookie exists.
                If Not Request.Cookies("TestCookie") = True Then
                    ' Cookie appears to have not been set on the initial page load.
                    ' Kill their session.
                    Session.Contents.RemoveAll()
                    ' Redirect them.
                    Response.Redirect("nocookies.html")
                End If
            Else
                ' Check if cookie exists.
                If Not Request.Cookies("TestCookie") = True Then
                    ' Cookie does not exist so create it.
                    Dim cookie As HttpCookie = New HttpCookie("TestCookie")
                    cookie.Value = True
                    cookie.Expires = DateTime.Now.AddDays(1)
                    Response.Cookies.Add(cookie)
                End If
            End If

     

    JavaScript on the other hand being client side...
    Can write the cookie and its value. Check the value and write again to the value with no page reload.

    Friday, July 27, 2012 3:13 PM
  • User1843806588 posted

    Yeah, that's what I did - sans the Javascript.

    I found that the redirect would not work - something in the forms authentication was pre-empting the Page_Load event and keeps the user on Login.aspx.

    On top of that, I found that with IE I could write the cookie even though cookies were blocked and also the user could authenticate with cookies allowed - even though my code could not write the cookie, (and I verified this visually on the file system).

    It's very strange, so I'm trying to figure out exactly what forms authentication is doing.

    Friday, July 27, 2012 3:23 PM
  • User-1404016747 posted

    You could possibly try to programmatically log the user out if the cookie does not exist on page load.

    EDIT:
    I added a line to the above code to remove all the session variables from their session if the cookie does not exist. This should log them out of the system if you want to give it a try.

    Friday, July 27, 2012 3:30 PM
  • User-1404016747 posted

    I see what it is doing now. The login is fired after page_load...
    You're using an <asp:Login> control, right?
    Try to remove the session on the page you redirect to explaining they need cookies enabled.

    In Login.aspx.vb in the Page_Load event:

            If Page.IsPostBack Then
                ' Check if cookie exists.
                If Not Request.Cookies("TestCookie") = True Then
                    ' Cookie appears to have not been set on the initial page load.
                    Response.Redirect("nocookies.aspx")
                End If
            Else
                ' Check if cookie exists.
                If Not Request.Cookies("TestCookie") = True Then
                    ' Cookie does not exist so create it.
                    Dim cookie As HttpCookie = New HttpCookie("TestCookie")
                    cookie.Value = True
                    cookie.Expires = DateTime.Now.AddDays(1)
                    Response.Cookies.Add(cookie)
                End If
            End If

    In the Page_Load event for nocookies.aspx.vb add:

    Session.Contents.RemoveAll()

    This might do the trick.
    A user loads the login page and .NET tries to set a cookie.
    When they post the login form, Page.IsPostBack is triggered and a check to see if the cookie is there is done.
    If the cookie value "TestCookie" is not set to true they are redirected to nocookies.aspx.
    The user is logged in after this Page_Load event is fired.
    BUT we can remove their session during Page_Load on nocookies.aspx, effectively logging them out right away.

    Friday, July 27, 2012 3:57 PM
  • User1843806588 posted

    Ok, I tried this and I think it's still being preempted by an event before page_load.

    Yes, I'm using the <asp:login> control.

    I placed "Session.Contents.RemoveAll()" on the first line on Page_Load.  Then, I write the cookie:

            '   Destroy cookies:
            Session.Contents.RemoveAll()
    
            '   Write the cookie:
            Dim prodCookie As HttpCookie = New HttpCookie("cookie_check")
            prodCookie("check") = "YES"
            prodCookie.Expires = DateTime.Now.AddDays(1)
            Response.Cookies.Add(prodCookie)

    Then, I check if it's a postback and set the redirect and a session variable so I can see what's happening:

            If Page.IsPostBack Then
                '   Check for cookies:
                '   (the compiler didn't like If Not Request.Cookies("TestCookie") = True Then)
                If HttpContext.Current.Request.Cookies("cookie_check") Is Nothing Then
                    Session("AuthenticationErrorMessage") = "COOKIES ARE BLOCKED!"
                    Label4.Text = Session("AuthenticationErrorMessage")
                    Response.Redirect("~/NoAccess.aspx")
                Else
                    Label4.Text = "Cookies Are Not Blocked."
                End If
            End If



    Then, I compile and push to the server.  With cookies blocked, you try to authenticate and it does a postback, (as far as I can see).  When the page refreshes, Label4's text reads, "Label" so I know that the if ispostback isn't even being hit.

    Any ideas?

    Monday, July 30, 2012 4:45 PM
  • User-1404016747 posted

    Did you try sending them to the no cookies page after the cookie check and on page load for the no cookie page destroy the session?
    The login process should be completed before redirecting them to the no cookies page they are directed to if the cookie wasn't able to be written so destroying the session there should end it.

    Wednesday, August 1, 2012 12:24 AM
  • User1843806588 posted

    Yes, I did everything you suggested.  On page load, I have an if statement that sets the value of a label on Login.aspx.  When you try to authenticate, you get put on Login.aspx and that label does not reflect the modified text.  That tells me that whatever it's doing is before Page_Load.

    Wednesday, August 1, 2012 4:24 PM
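
Added example, not code from any poster in this thread: one way to implement the set-then-check sequence described in the replies above, as code-behind for ~/Accounts/Login.aspx, using a redirect so the check happens before the login form is shown. The class name and the `cookiecheck` query-string marker are assumptions; it also assumes nocookies.aspx is opened to anonymous users with a `<location>` rule, because URL authorization runs before any page code and would otherwise send the browser back to the login page.

```vbnet
' Added example: class name, marker name and notice URL are assumptions.
Imports System
Imports System.Web

Partial Class Accounts_Login
    Inherits System.Web.UI.Page

    Private Const ProbeName As String = "TestCookie"        ' cookie name used in the thread
    Private Const ProbeFlag As String = "cookiecheck"       ' hypothetical query-string marker
    Private Const NoticeUrl As String = "~/nocookies.aspx"  ' must allow anonymous users

    ' Page_Load runs before the Login control raises its events.
    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        ' The probe only runs on GET requests; postbacks go straight to the Login control.
        If Page.IsPostBack Then Return

        ' Read the request cookie BEFORE touching Response.Cookies: a cookie added
        ' to the response also shows up in Request.Cookies for the same request,
        ' so checking after the Add would always report the cookie as present.
        Dim probe As HttpCookie = Request.Cookies(ProbeName)

        If Request.QueryString(ProbeFlag) Is Nothing Then
            ' First leg: send the probe cookie and make the browser come back,
            ' keeping any existing query string (such as ReturnUrl).
            Dim cookie As New HttpCookie(ProbeName, "1")
            cookie.HttpOnly = True   ' no Expires set, so it is a session cookie
            Response.Cookies.Add(cookie)

            Dim sep As String = If(Request.RawUrl.Contains("?"), "&", "?")
            Response.Redirect(Request.RawUrl & sep & ProbeFlag & "=1", True)
        ElseIf probe Is Nothing Then
            ' Second leg: the browser returned without the cookie, so it is blocked.
            Response.Redirect(NoticeUrl, True)
        End If
        ' Otherwise the cookie came back; render the login form normally.
    End Sub
End Class
```

A browser that arrives with the marker already in the URL but no probe cookie (for example from a bookmark) is sent to the notice page, so that page should link back to the login URL without the marker.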