Roles cookie being removed after every page request. RSS

• • Reply
  

  JThompkins

  Member

  27 Points

  9 Posts

  Roles cookie being removed after every page request.

  Nov 08, 2010 03:36 PM|LINK

  <div style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;" id="_mcePaste">Our websites are configured to use forms-based security and roles.  We have enabled cacheRolesInCookie=true in the web.config.</div> <div style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;" id="_mcePaste"></div> <div style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;" id="_mcePaste">   <roleManager enabled="true" cacheRolesInCookie="true" cookieName=".XXX_ASPXROLES" ></div> <div style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;" id="_mcePaste">  </div> <div style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;" id="_mcePaste">This worked fine, until recently (not sure when it stopped).  Now, instead of seeing a .XXX_ASXPROLES cookie being created, I see the opposite:</div> <div style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;" id="_mcePaste"></div> <div style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;" id="_mcePaste">    Set-Cookie: .AdminPortalASPXROLES=; expires=Tue, 12-Oct-1999 04:00:00 GMT; path=/; HttpOnly</div> <div style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;" id="_mcePaste"></div> <div style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;" id="_mcePaste">This header is being returned in every page response.  </div> <div style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;" id="_mcePaste"></div> <div style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;" id="_mcePaste">Any idea what could be causing this?  Could it have something to do with the recent ASP.NET Security Patch (http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security-update-now-available.aspx)?</div> <div style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;" id="_mcePaste"></div> <div style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;" id="_mcePaste">Thanks,</div> <div style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;" id="_mcePaste"></div> <div style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;" id="_mcePaste">Jim</div> <div style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;" id="_mcePaste"></div> <div style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;" id="_mcePaste"></div>

  Our websites are configured to use forms-based security and roles.  We have enabled cacheRolesInCookie=true in the web.config.

     <roleManager enabled="true" cacheRolesInCookie="true" cookieName=".XXX_ASPXROLES" >

  This worked fine, until recently (not sure when it stopped).  Now, instead of seeing a .XXX_ASXPROLES cookie being created, I see the opposite:

      Set-Cookie: .AdminPortalASPXROLES=; expires=Tue, 12-Oct-1999 04:00:00 GMT; path=/; HttpOnly

  This header is being returned in every page response.  

  Any idea what could be causing this?  Could it have something to do with the recent ASP.NET Security Patch (http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security-update-now-available.aspx)?

  Thanks,

  Jim

  
  

  
  

  asp asp.net login cookies asp .NET role provider asp .net security

• • Reply
  

  tarnbridge

  Member

  2 Points

  1 Post

  Re: Roles cookie being removed after every page request.

  Nov 23, 2012 04:24 PM|LINK

  Hi,

  I'm a bit late on replying on this, but just spent the afternoon looking into this.

  Basically what it looks like is happening is when the RoleManagerModule (HttpModule) is trying to generate the cookie contents it calls

  ((RolePrincipal)HttpContext.User).ToEncryptedTicket()

  This ticket is exceeding 4096 bytes (max length of the cookie) and then proceeding to call

  Roles.DeleteCookie()

  
  In my system I have very few roles. I suspect it's simply serializing the entire RolePrincipal instance.

  Not sure at this point what the work around is but perhaps a custom RoleManagerModule or a custom role provider.

  Hope this is of some help.

   

  Tim