5

I have an ASP.NET website that uses Forms authentication

    <authentication mode="Forms">
        <forms name="NewsCoreAuthentication" loginUrl="~/Default.aspx" defaultUrl="~/Default.aspx" protection="Validation" timeout="300" domain="someRootDomain.com" />
    </authentication>

I need to identify whether the user is authenticated on the web page after it has been rendered to the client. To accomplish this I thought that I could read document.cookie and check whether ".ASPXAUTH" is there. But the problem is that even if I am signed in, this value is empty.

How can I check that the user is authenticated? Why is document.cookie empty?


Thank you for the answers. blowdart helped me understand why the authentication ticket is not accessible from client script.

1
  • @pavlo, you can check from the client. There is a mechanism specifically designed by MS to do exactly that from client script. It is clean and fast, there is no disk activity, it just reads the cookie for you and returns a boolean. See my answer before you give up. Commented Mar 1, 2010 at 17:35

3 Answers

3

The reason it's blank is because the cookie is protected by being marked as HttpOnly. This means it cannot be accessed via script. Turning this off is a very very bad idea, as XSS vulnerabilities in your site could expose it to cookie theft, so I'm not going to tell you how you can do it.


2 Comments

Thanks, you are right. This answer helped me. I can add a flag to cookie myself to identify if user is authenticated.
Kinda surprised that no one mentioned that the cookie name would be NewsCoreAuthentication and not .ASPXAUTH, too, although it would be irrelevant with the HttpOnly flag enabled, I suppose.
0

As others have said, the auth ticket is and SHOULD be HttpOnly.

The best way to do this is to use ApplicationServices. The JSON authentication endpoint exposes IsLoggedIn and I have noticed your concern regarding server load. The overhead of a call to a static endpoint that simply checks the cookie for you is negligible. Really.

So, if you are using MsAjax, just enable application services and call Sys.Services.AuthenticationService.IsLoggedIn.

If you want to do this from raw JavaScript, here is the codez ;-)

Add this segment to your config file

  <system.web>
     ------------
  </system.web>
  <system.web.extensions>
    <scripting>
      <webServices>
        <authenticationService enabled ="true" requireSSL="false"/>
      </webServices>
    </scripting>
  </system.web.extensions>

The page....

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title></title>

    <script type="text/javascript">
        function createXHR() {
            // a memoizing XMLHttpRequest factory.
            var xhr;
            var factories = [
                    function() { return new XMLHttpRequest(); },
                    function() { return new ActiveXObject("Msxml2.XMLHTTP"); },
                    function() { return new ActiveXObject("Msxml3.XMLHTTP"); },
                    function() { return new ActiveXObject("Microsoft.XMLHTTP"); } ];
            for (var i = 0; i < factories.length; i++) {
                try {
                    xhr = factories[i]();
                    // memoize the factory so we don't have to look for it again.
                    createXHR = factories[i];
                    return xhr;
                } catch (e) { }
            }
        }

        function isLoggedIn() {
            var xhr = createXHR();
            xhr.open("POST", "/Authentication_JSON_AppService.axd/IsLoggedIn", true);
            xhr.onreadystatechange = function() {
                if (this.readyState === 4) {
                    if (this.status != 200) {
                        alert(xhr.statusText);
                    } else {
                        alert("IsLoggedIn = " + xhr.responseText);
                    }
                    xhr = null;
                }
            };
            xhr.setRequestHeader("content-type", "application/json");
            xhr.send(null);
        }
    </script>

</head>
<body>
    <input type="button" value="IsLoggedIn?" onclick="isLoggedIn()" />
</body>
</html>
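The same IsLoggedIn call written against the modern fetch API, as an added example that is not part of the original answer. It assumes the endpoint path from the answer above and that the service returns either a bare JSON boolean or the `{"d": ...}` envelope that ASP.NET 3.5+ script services emit; the fake fetch at the end is constructed so the code can run offline.

```javascript
// Endpoint path as given in the answer above; the browser attaches the
// HttpOnly ticket cookie itself, so script never needs to read it.
const IS_LOGGED_IN_URL = "/Authentication_JSON_AppService.axd/IsLoggedIn";

// Turn the service response into a boolean. Accepts the bare `true`/`false`
// of early ASP.NET AJAX and the `{"d": true}` envelope of ASP.NET 3.5+.
// Anything else (malformed body, string "true", null) fails closed.
function parseIsLoggedIn(responseText) {
  let value;
  try {
    value = JSON.parse(responseText);
  } catch (e) {
    return false;
  }
  if (value !== null && typeof value === "object" && "d" in value) {
    value = value.d;
  }
  return value === true;
}

// Ask the server whether the current session is authenticated.
// fetchImpl is injectable so the function can be exercised with a fake.
async function checkIsLoggedIn(fetchImpl = fetch) {
  const response = await fetchImpl(IS_LOGGED_IN_URL, {
    method: "POST",
    credentials: "same-origin",          // send the auth cookie, same site only
    headers: { "Content-Type": "application/json" },
  });
  if (!response.ok) {
    // Transport or server errors are treated as anonymous: this result only
    // decides what the UI shows, the server still authorizes every request.
    return false;
  }
  return parseIsLoggedIn(await response.text());
}

// Constructed fake fetch (assumption: not a real server) returning a fixed
// status and body, used to exercise checkIsLoggedIn offline.
function fakeFetch(status, bodyText) {
  return async () => ({ ok: status === 200, status, text: async () => bodyText });
}

// Usage in a page: checkIsLoggedIn().then(function (v) { /* toggle UI */ });
```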


-1

Number one... this is a bad idea. There is absolutely no security in checking if a user is authorized on the client side. None.

But if you really want to do this... do the check in code behind, and push a value to the client that can be read via Javascript. Something akin to:

// Page.ClientScript emits the block into the page; the bool is lowercased so it is valid JavaScript.
ClientScript.RegisterClientScriptBlock(GetType(), "isvalidated",
    "var isUserAuthenticated = " + (User.Identity.IsAuthenticated ? "true" : "false") + ";", true);

You see the problem now? You could do the same thing in AJAX... but it has the same problem.

OK, I can see doing this as a simple convenience for the user... showing certain links if they are authorized, for instance. But it is not secure in any way, shape or form. Just do yourself a favor and handle this in code-behind.

2 Comments

A good remark and advice, but the reason why I need this check on the client is because pages are processed just by IIS (htm and html). AJAX is a good idea, but as the load on the web site is high I can't afford a call to an ASP.NET page (or handler). After the check I will show in an IFRAME some page that is secured. So this flag in the cookie does not cause a security issue. Thank you for the answer!
There is nothing dangerous about httpOnly=false on an Auth cookie since it is encrypted and signed against tampering. I need this because I need to submit the auth cookie to a SignalR service that will do the decryption and verification (through shared keys that are kept private) of the cookie before authenticating the user on a .NET Core site, for auth reuse from a WebForms app. So just provide the answer on how to set httpOnly=false on the Auth cookie if you know. The second-guessing of what the intent is, is not helpful.
