In javascript alert(document.cookie); does not show the .ASPXAUTH Cookie although a sniffer is showing it,
I need it because I have an AJAX Request to the server, the request should not take place when the user is already logged in,
if I cannot check .ASPXAUTH for security reason, what I should do to check whether the user is already logged in.
I have a curl script that logs in to two other websites to submit forms from behind the login successfully. However, I've recently tried to use a variation of this script for a third website. It works as far as returning the first page after login but then it treats any further cURL calls as if I haven't logged in. I discovered (well I think) that it's to do with the .ASPXAUTH cookie not being set. I do have a cookiefile and cookiejar setup in my cURL code and it catches the .ASP.NET_SessionID successfully, but not the ASPXAUTH cookie.
I noticed that I can see the .ASPXAUTH cookie value in the headers when I watch "Live HTTP headers" but I can't get my cURL script to return the header with this set-cookie very easily. It seems that the cookie is set on a 302 after login and cURL is not handling this correctly. So I turned off CURLOPT_FOLLOWLOCATION and was trying to handle the redirect myself but I still can't get it right (the server returns a really strange redirect url and I don't think I'm doing this part right)
Here is my code:
[code]....
Due to a bug in Flash, I have to use the ASPXAuth cookie to log a user in on a page that a flash upload script calls after upload. See this page for more information: [URL]
I have to make the ASPXAUTH string "public" in the sense that it will be in the HTML of the page. My question is, how secure is this?
I understand that anyone that can get to the string in the HTML can probably get to it from the cookie just as easily, but let's say someone does have this ASPXAUTH string. Is it possible that they can login as another user using this cookie? Would they be able to decrypt it?
I'm using ASP authentication and the integrated webservice.
The user logins in with Forms authentication on a login page.
To log out, I call the authentication webservice from Silverlight and call logout.
Everything worked OK but now sometimes IE gets crazy and doesn't log out the user anymore.
I used Fiddler and it turns out that the authentication service returns a SetCookie to clear the ASPXAUTH cookie but on the next call IE still has the cookie set.
So off course because the cookie is there the user is authenticated and logs right back in rather than being directed to the login page.
I checked and didn't see any other description of the issue.
I can't reproduce it and my colleagues that have a misbehaving IE have it working fine on one environment and not on the other (one has the issue for DEV and another has the issue for the PreProd server).
I thought the .ASPXAUTH was for user authentication? Can anyone confirm if this cookie is indeed a security risk and/or contains session information? Is it even suppose to be used or is it some debug thing?
View 1 RepliesWithout reading the whole text below, since this is on the ASP.Net side ... basically I think I need to know if there is a way to reduce the size of the forms authentication cookie. When using a DotNet 2.0 website, the ASPXAUTH cookie is about 232 bytes ... when using the same source code but upgraded to DotNet 4.0. the cookie is approximately 264 bytes, setting the ticketCompatabilityMode does not reduce the size since I think the default setting is Framework20. I length of the cookie, including the its' name can not be larger than 256 bytes in order to use it with the "Client Application Services".
I only did a cursory search of the asp.net forums, but will dilligently look for an existing solution.
----- BACKGROUND AND RESEARCH -----
I have been using all three features of client application services (authentication, profiles, and roles) in my windows app (DotNet 3.5 framework) for almost two years now. Up until now, I have not had any problems. This week I hit a brick wall and am pretty stumped with two seperate but related issues.
Issues:
In development, we decided to upgrade our websites/services to DotNet 4.0. All applications upgraded successfully. However we are unable to log into our application using Client Application services. No matter what user we use, Membership.ValidateUser returns false. Since we know the username and passwords, we thought this was strange. When debugging the application, we found that Membership.ValidateUser was throwing an InvalidOperationException (see below for complete exception) stating that the ASPXAUTH property was too long, longer that the schema created in the SQL/CE database. (See below for things tried).
In production .. A user all of the sudden could no longer gain access to the application. Upon inspection, his ASPXAUTH cookie was 264 characters long (9 characters longer than the schemas nvarchar(256)). Even though the user was being authenticated on the "server side", and the JSON query returned "{"d":true}", Membership.ValidateUser returned false. Again, as in the case above, the actual error was ...
Message=@PropValue : String truncation: max=256, len=264 ...
I am assuming I am missing something very simple or that I overlooked a settings. In development, this is not a huge issue as I can release the Dotnet 4.0 websites when I am ready. But now that this has happened to a client on a production system, it is very worrisome.
[code]....
Can somebody explain what ASPXAuth cookie does?
My website uses forms auth and I am trying to create a load balancer (hardware) rule which will keep track of sessions based on the aspxauth cookie. Is it safe assume that the value of the cookie is unique?
I am busy building a shopping cart with cookies. I have datalist which I populate from the cookies with a delete button next to each cookie
[Code]....
Now the problem is that when I hit the delete / remove button to expire the cookie, what happens when repopulating the datalist is that it shows the original cookie with all it's values as well as a new entry where all the values are blank.
I want to change the value in a cookie:
HttpCookie hc = new HttpCookie("HiddenColumns");
hc.Value = customView.HiddenFields;
hc.Expires = DateTime.Now.AddDays(365);
Response.SetCookie(hc);
Or this way:
Response.Cookies["HiddenColumns"].Value = customView.HiddenFields;;
Response.Cookies["HiddenColumns"].Expires = DateTime.Now.AddDays(365);
But when I retrieve the cookie value, it is still old, unless I do postback. I don't want to use Redirect.
I'm trying to use a webservice that first expects the clients to login, to retrieve a cookie to re-use.
This is done through a login(string user, string pass) method on the webservice.
Doing this through a browser works fine, we get a cookie, and we can see the cookie via Fiddler or whatvever proxysniff thingy.
Time to do the same in ASP.Net, so we use the WSDL and generate a nice proxy class, and it works fine to call the login() method, but Never Ever does a cookie get set !
I already used the "cookiejar" technique - which means i create an instance of a CookieContainer and assign it to the proxyclass like this;
var cookies = new CookieContainer(3);
I am a bit baffled here; using IE7, ASP.NET 2.0 and Cassini (the VS built-in web server; although the same thing seems to be true for "real" applications deployed in IIS) I am looking for the session-id-cookie. My test page shows a session id (by printing out Session.SessionId) and Response.Cookies.Keys contains ASP.NET_SessionId. So far so good.
But I cannot find the cookie in IEs cookie-store! Nor does "remove all cookies" reset the session (as it does in FF)... So where - I am tempted to write that four letter word - does IE store that bloody cookie? Or am I missing something? By the way there is no hidden field with a session id either, as far as I can see. If I check in FF there is a cookie called ASP.NET_SessionId as I would expect. And as mentioned above deleting that cookie does start a new session; as I would expect.
When calling Response.Cookie.Add(new HttpCookie("MyCookie", "objValue")); where does the cookie saved? on Client Machine or Server Machine?
EDIT:if saved in Client Machine, how can I read it from javascript then? I tried this kind of script.
function getCookie(c_name) {
var i, x, y, ARRcookies = document.cookie.split(";");
for (i = 0; i < ARRcookies.length; i++) {
[code].....
I cannot get the cookie that I saved from code behind. When I look into the document.cookie object, it is just an empty string.
Scenario:On Page_Init() on code behind. I create a cookie using Response.Cookie.Add(new HttpCookie("MyCookie", "cookieValue"));.
On Client side, I'm trying to read the cookie saved from code behind on page load using the snippet above, but it returns undefined
I have a very simple page with the following logic:
protected void Page_Load(object sender, EventArgs e)
{
if (null == Response.Cookies["UserSettings"].Value)
{
HttpCookie cookie = new HttpCookie("UserSettings");
cookie.Value = "The Big C";
cookie.Expires = DateTime.Now.AddDays(10);
Response.Cookies.Add(cookie);
}
else
{
// got here
}
}
I set a breakpoint in both the if and the else and the else break point never gets hit. The if statement gets hit every time. What could be wrong here?
scene: when I click item in ext:ComboBox and want to set the item selected value to cookie variable. Finally, after I click ext:Button, the ext:Label get cookie value and display it.
But I get a error :Ext.Ajax Communication Failure.
aspx:
<ext:ComboBox ID="ComboBox1" runat="server" StoreID="Store1" Width="100" Editable="false"
DisplayField="name" ValueField="value" Mode="Local" TriggerAction="All`enter code here`" EmptyText="Select a locale...">
.....
aspx.cs
protected void lngIndexChanged(object sender, DirectEventArgs e)
{
//Sets the cookie that is to be used by Global.asax
HttpCookie cookie = new HttpCookie("CultureInfo");
cookie.Value = ComboBox1.SelectedItem.Value ;
Response.Cookies.Add(cookie);
Label1.Text = cookie.Value;
//Set the culture and reload for immediate effect.
//Future effects are handled by Global.asax
Thread.CurrentThread.CurrentCulture = new CultureInfo(ComboBox1.SelectedItem.Value);
Thread.CurrentThread.CurrentUICulture = new CultureInfo(ComboBox1.SelectedItem.Value);
}
i'm trying to create a cookie in my application and i dont no how to do it can any one tell me how to do it
View 2 Repliesin asp.net mvc, how to use session and cookie ?
I am trying to understand how a login session stored and implemented.
I'm reading through the info here: [URL] I have a question about how cookies work.
I am creating a series of web pages where the user follows steps in a tutorial. I want to track in a menu that the user has completed a step. It seems cookies would be the best way to do this. My question is, when you create a cookie and you need to write to the cookie at a later time, does it write to the existing cookie or does it create a new cookie with the existing name? In other words, if I initially create the cookie and set all steps viewed as false, then when they complete a step I go back to the cookie and set a step to true, does this actually write to first cookie or write a new one?
Assume we have three different ASP.NET web applications in our intranet, that all of them have a login page and after authenticating user create a cookie for authenticated user. Is it available to have one page as a login page and create that three application's cookie from here and then redirect user to demanded application?
View 1 RepliesI know that you can't edit incoming cookies. I have a cookie that I just need to read..nothing more but I have a need to remove some characters from its value so that I can parse it. How can I do this? I don't need to send the modified new cookie back in the response, it's just for my server-side consumption and then that's it.
Updated:
figured it out:
HttpCookie facebookAuthCookie = HttpContext.Current.Request.Cookies[facebookCookieName];
string cleanValue = facebookAuthCookie.Value.Replace(""", string.Empty);
HttpCookie cleanedFacebookAuthCookie = new HttpCookie("cleanedFacebookCookie", cleanValue);
We have a cookie management library that writes a cookie containing some sensitive information, encrypted with Rijndael. The cookie encrypts and decrypts fine in unit tests (using Moq), works fine for MVC web applications, but when called from an ASP.net 2.0 website, the cookie cannot be decrypted. "Padding is invalid and cannot be removed."
We are sure that the cookie value is valid because we tested it 10,000 times with random data in a unit test. There is something about what ASP.NET 2.0 does when it reads and writes the cookie that causes trouble.
I'm surprised i couldnt find any answers.
How do i set my sessionid in my cookie to expire at the end of session? (when the browser closes or the user has been inactive for a period of tie).
The two solutions i found were
(httpcookie).Expires = HttpContext.Current.Session.Timeout
Which gave me a compile error so i dont know if the user checked his code before posting. And the other was to set the expire date to 1 day ago which my gut says is wrong. How do i do this?
How do I set cookie expiration time in C#?
I want cookies to expire when the browser is closed. I found in many blogs that giving a previous date as the expiry date will cause the cookie to automatically expire, but that is not working in my case.
I've got a session/coockie from a phpbb forum. But i use in the website asp.net (the website has a different url and domain then the forum).
Can i get the session/coockie from the phpbb forum in the asp.net website?
//Controller code
CookieContainer cookieContainer = new CookieContainer();
//makes new cookie here
cookieContainer.Add(myCookie);
//Service/Facade code
//myCookie gets passed here
How do I pull the cookie out of the container to make sure it's the right cookie?
I say until you log out, session times out or you close the browser. But am I right?
I had an interview today and the interviewer wanted to know if I log into a page and closes the browser (without logging off), what happens to the session.
I said that the session will be orphaned. He says no - because their users are able to connect back to the session by just opening up the browser (using a cookie only). I told him that's a persistent cookie - not a session cookie. And I said that if that's the cause, there is nothing preventing the user from exporting the [persistent] cookie to a another computer and starting the session on that computer.
At first he said you can;t export a cookie but when I explained how, he said that he'll look but since many many people including 2 architects came up with the design, it is unlikely they are all wrong.