.NET Forms Authentication and Blank UserData

I recently had to retrofit someone else’s .NET Forms Authentication code to use custom roles. In the past, I’ve had a lot of success using the UserData field of the FormsAuthenticationTicket to store a delimited string of roles, then using the AuthenticateRequest method of Global.asax to set the custom roles for the user.

However, it wasn’t working properly, and I went through a couple agonizing hours of pulling my hair out before I got to the cause of the problem. But first, a note about the clue: when I set the custom FormsAuthenticationTicket, I set the version attribute to “1”. However, when I inspected the returned ticket in AuthenticateRequest, the version was “2”. Funny? I thought so. The ticket was encrypted (of course), so I couldn’t really inspect the raw data, but the only other difference between what I was setting and what I was retrieving was the blank UserData field.

It turns out that the login routine called FormsAuthentication.RedirectFromLoginPage() – which effectively overwrote my nice custom ticket, and replaced it with Mr. Generic Ticket with no UserData, and thus no roles.

Moral: if you are setting a custom ticket, make sure you do a normal Response.Redirect(string) call, NOT FormsAuthentication.RedirectFromLoginPage(), or else you’ll overwrite your ticket.


1 Response to “.NET Forms Authentication and Blank UserData”

  1. 1 arne June 18, 2008 at 11:49 pm

    Brilliant, I also noticed to version change from “1” to “2” but wasn’t expecting “Mr. Generic” to overide my nice little userData.

    Thank you for your inofs!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

TwitterCounter for @anthonyrstevens
Add to Technorati Favorites

RSS Feed

View Anthony Stevens's profile on LinkedIn

%d bloggers like this: