I have searched on this subject and am just getting more confused.

We have a Forms Authentication web application. I have changed the old FormsAuthentication.SetCookie statement to instead create a GenericPrincipal containing a FormsIdentity, then I have added a couple of custom claims, then I write a SessionSecurityToken to a cookie using SessionAuthenticationModule. I am getting slightly confused with FederatedAuthentication - I am using FederatedAuthentication.SessionAuthenticationModule to write the token, but I think this is the same as just using Modules("SessionAuthenticationModule") in my case?

Anyway, the authentication works fine but my custom claims are not being recreated. I am not using membership providers or role providers - does that matter?

I have read about SessionAuthenticationModules, ClaimsAuthenticationManagers and ClaimsTransformationModules, but I am no longer certain which of these I should be using, or how. Currently I just add my claims where the old login code was (I haven't got time to rewrite the whole login process) and I was expecting these claims to be recreated automatically on each request.

What do I need to do? Obviously I do not want to have to go to the database every time to rebuild them - I thought they were being stored in the cookie and recreated automatically.

webnoob
user2047485

2 Answers

Your approach is fine - you create a ClaimsPrincipal with all the claims you need and write out the session cookie. No need for a claims authentication manager.

Possible gotchas:

  • Make sure you set the authentication type when creating the ClaimsIdentity - otherwise the client will not be authenticated.
  • By default session cookies require SSL (the browser won't resend the cookie over plain text). This can be changed but is not recommended.
leastprivilege
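The login path this answer describes, as an added example that is not the asker's or the answerer's own code: build a ClaimsIdentity with an explicit authentication type, attach the custom claims, and write the SessionSecurityToken cookie so the same principal (claims included) is rebuilt by the SessionAuthenticationModule on later requests. It assumes .NET 4.5 with SessionAuthenticationModule registered in web.config, and the claim type "urn:example:customerId" and the helper names are placeholders.

```csharp
using System;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Threading;
using System.Web;

// Added example: replaces the old FormsAuthentication.SetAuthCookie call in the login handler.
public static class SessionLogin
{
    // Placeholder claim type for this example.
    public const string CustomerIdClaim = "urn:example:customerId";

    public static ClaimsPrincipal BuildPrincipal(string userName, string customerId, bool isAdmin)
    {
        // The authentication type must be non-empty: ClaimsIdentity.IsAuthenticated is derived
        // from it, so an identity built with new ClaimsIdentity(claims) alone stays anonymous and
        // the cookie that gets written will not authenticate the client on the next request.
        var identity = new ClaimsIdentity("Forms");
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        identity.AddClaim(new Claim(CustomerIdClaim, customerId));
        if (isAdmin)
            identity.AddClaim(new Claim(ClaimTypes.Role, "Admin"));
        return new ClaimsPrincipal(identity);
    }

    public static void SignIn(ClaimsPrincipal principal, TimeSpan lifetime)
    {
        // Same module instance as Modules["SessionAuthenticationModule"] in the pipeline.
        SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;

        // Every claim on the principal is serialized into the token, so nothing has to be
        // re-read from the database on later requests until the token expires.
        var token = new SessionSecurityToken(principal, lifetime) { IsPersistent = false };
        sam.WriteSessionTokenToCookie(token);

        // Make the claims visible for the remainder of the current request as well.
        Thread.CurrentPrincipal = principal;
        HttpContext.Current.User = principal;
    }

    // On any later request the module has already rebuilt the principal from the cookie.
    public static string CurrentCustomerId()
    {
        Claim claim = ClaimsPrincipal.Current.FindFirst(CustomerIdClaim);
        return claim == null ? null : claim.Value;
    }
}
```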
You need a custom ClaimsAuthenticationManager; it will be called once and add the claims. Don't forget to register this custom class in your application:

using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Register this class under <system.identityModel><identityConfiguration>
// with a <claimsAuthenticationManager type="..."/> element in web.config.
public class CustomClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        // Works only with one default identity.
        // Unlike the default implementation (which returns the principal untouched),
        // this modifies incomingPrincipal by adding claims.
        if (incomingPrincipal != null && incomingPrincipal.Identity.IsAuthenticated)
        {
            ClaimsIdentity claimsIdentity = incomingPrincipal.Identity as ClaimsIdentity;
            if (claimsIdentity != null)
            {
                // CreateIdsClaims, CreateRoleClaims and GetRolesByName are the answerer's
                // own helpers (not shown) that look up the user's ids and roles.
                IEnumerable<Claim> claims = new Claim[] { };
                claims = claims.Concat(CreateIdsClaims(incomingPrincipal.Identity.Name));
                claims = claims.Concat(CreateRoleClaims(GetRolesByName(incomingPrincipal.Identity.Name)));
                claimsIdentity.AddClaims(claims);
            }

            return incomingPrincipal;
        }

        return null;
    }
}
Danila Polevshchikov
  • When you say "called once" - once per request? So each request has to rebuild the claims? Why is my security token not storing these claims in the cookie so I don't have to rebuild them on each request? Sure, I could use a server cache, but I thought these would be cached in a cookie on the client? – user2047485 Mar 15 '13 at 14:40
  • Also, I have tried getting this ClaimsAuthenticationManager to work but can't get it to fire. I have registered it in the web.config using but it does not fire. – user2047485 Mar 15 '13 at 15:13