Manual Sign Out in ASP.NET Forms Authentication

July 28, 2008 at 10:03 AMAmer Gerzic

Recently I have been developing numerous applications in ASP.NET and Flex Builder 3. For security I utilized forms authentication as provided by ASP.NET engine. At first, everything worked well until there was a need to manually sign out current user. Quick look into MSDN documentation revealed SignOut() method of FormsAuthentication class. The documentation promised that this method signs out the user and redirects the client to login page. Considering the fact that I did not care about redirect (Flex application was running on the client side, so that redirection did not have any effect), I was hoping that the method would still perform desired effect and "de-authenticate" (I know, I know, that is not even a word) current user. At first, it seemed to work, but debugging revealed that even though this method removed authentication cookie, it did not sign out the user. User's identity was still marked as authenticated and subsequent calls to the Http handler would be considered authenticated. Furthermore, the session object was still valid, so that existing session information was still available. Quick look into MSDN revealed Session.Abandon() method, which would destroy session object upon execution. However, even though the session object was destroyed, client calls to ASP.NET web application were still considered authenticated. It was time to search the web to see if other developers faced the same issue.

After some research I ran into following Microsoft article: http://support.microsoft.com/kb/900111. The article explains that FormsAuthentication.SignOut() method does not prevent cookie reply attack, which essentially means that the cookie, even though it was destroyed, it was considered to be valid and all calls to the application that utilized this particular cookie were considered authenticated. The same article presented some possible workarounds, but it did not satisfy my needs. It bugged me that in order to prevent the access to secure parts of the application (even after log off), I had to track the security on client side (in addition to server side). So I tried following code:

/* Create new session ticket that expires immediately */
FormsAuthenticationTicket ticket =
    new FormsAuthenticationTicket(
        1,
        context.User.Identity.Name,
        DateTime.Now,
        DateTime.Now,
        false,
        Guid.NewGuid().ToString()); 

/* Encrypt the ticket */
string encrypted_ticket = FormsAuthentication.Encrypt(ticket); 

/* Create cookie */
HttpCookie cookie = new HttpCookie(
    FormsAuthentication.FormsCookieName,
    encrypted_ticket); 

/* Add cookie */
context.Response.Cookies.Add(cookie); 

/* Abandon session object to destroy all session variables */
context.Session.Clear();
context.Session.Abandon();

Essentially the code replaces old cookie with new security cookie that expires immediately, which performs user sign out. In addition, all session variables are destroyed and new session is created so that old session cannot be reused. However, it is essential to mention that the technique presented in this post does not prevent Cookie Reply Attack. The old cookie is still valid for the duration specified in FormsAuthenticationTicket constructor.

Posted in: ASP.NET

Tags: ,

Setting up debugging environment - ASP.NET and Flex Builder

July 11, 2008 at 9:07 PMAmer Gerzic

Unlike Silverlight, Flex Builder does not integrate with Visual Studio programming environment. Therefore, debugging ASP.NET or Flex applications can become very cumbersome, especially when they become very large. However, with Flex Builder 3, Adobe has made possible to utilize built in ASP.NET web server (Cassini) to debug Flex applications. Following post describes one possible way to set up both environments to make debugging easier.

More...

Posted in: .NET | Adobe Flex | ASP.NET

Tags: , , ,

Adobe Flex and ASP.NET authentication using HTTPService and IHttpHandler

June 27, 2008 at 8:45 AMAmer Gerzic

Lately, Adobe Flex has been getting more and more attention in programming community. Especially after the launch of open source version of Flex SDK developers are able to make rich Internet applications (RIA) using Flex, which (as everybody knows) produces a flash file (swf) that can be used in any web application. The article will focus on the following topics:

  1. Communication between Action Script (HTTPService) and .NET (HTTP Handler);
  2. Security - securing HTTP Handler calls from unauthorized access;
  3. ASP.NET Forms Authentication and Authorization through Flex;
  4. ASP.NET Handlers and session management;

It is assumed that the reader is familiar with basic concepts of ASP.NET handlers, forms authentication, and Adobe's Action Script.
More...

Posted in: Adobe Flex | ASP.NET | C#

Tags: , , , , ,

Displaying IEnumerable .NET Collection with Crystal Reports

February 26, 2008 at 11:41 AMAmer Gerzic

In my previous post Displaying .NET DataSet with Crystal Reports I discussed one way to report the data that does not come directly from a database. In this way, it is possible to preform more complex data analysis and present the result using Crystal Report engine. Following post addresses similar issue. However, here, the data to be presented is not stored in a DataSet, but rather in a .NET Collection, which implements IEnumerable interface.
More...

Posted in: .NET | ASP.NET | C# | Crystal Reports

Tags: , ,

Displaying .NET DataSet with Crystal Reports

February 26, 2008 at 8:36 AMAmer Gerzic

Couple of days ago, I started playing with Crystal Reports engine included with Visual Studio.NET. After creating several reports using SQL Express database, I started wondering how to create reports that require more sophisticated data analysis. At first, my thoughts were to utilize stored procedures to create report result, and and then display the result using Crystal Report engine. However, it turned out that Crystal Report engine has some limitations when it comes down to stored procedures. Crystal Reports documentation states that stored procedures can be utilized if they contain at most one SQL SELECT statement. In addition, the documentation states that no return parameters can be utilized (parameters declared by SQL keyword OUT, or INOUT). Clearly, complicated data analysis cannot be performed using single SELECT statement. Considering these limitations, I immediately started to investigate options to present a structure using Crystal Reports. At first, I considered a .NET containers, but Crystal Reports engine did not seem to provide any convenient way of displaying such structures. In addition, I noticed that every report that I designed, required the structure of the data to be known at report design time. At that time, two options came to my mind:
More...

Posted in: .NET | ASP.NET | C# | Crystal Reports

Tags: , ,