Click here to Skip to main content
12,826,151 members (27,461 online)
Click here to Skip to main content


51 bookmarked
Posted 13 May 2008

Secure Persistent ASP.NET Forms Authentication

, 27 Aug 2008 LGPL3
An ASP.NET system for having two authentication cookies, one secure and one insecure, to have multiple tiers of security by folder.
' Copyright (c) 2008 Pathfinder Software, LLC.  All Rights Reserved.
' Pathfinder Software <>
' PartialAuthenticationSystem is distributed under the terms of the GNU Lesser General Public License (GPL)

' PartialAuthenticationSystem is free software: you can redistribute it and/or modify
' it under the terms of the GNU Lesser General Public License as published by
' the Free Software Foundation, either version 3 of the License, or
' (at your option) any later version.

' PartialAuthenticationSystem is distributed in the hope that it will be useful,
' but WITHOUT ANY WARRANTY; without even the implied warranty of
' GNU Lesser General Public License for more details.

' You should have received a copy of the GNU Lesser General Public License
' along with PartialAuthenticationSystem.  If not, see <>.

Imports System.Security.Principal
Imports System.Web.Security

Public Class PartialAuthenticationModule
    Implements IHttpModule

    Public Sub Dispose() Implements System.Web.IHttpModule.Dispose
    End Sub

    Public Sub Init(ByVal context As System.Web.HttpApplication) Implements System.Web.IHttpModule.Init
        AddHandler context.AuthenticateRequest, AddressOf AuthenticateRequest
    End Sub

    Private Function GetTicket(ByVal context As HttpContext) As FormsAuthenticationTicket
        If PartialAuthentication.RequireSSL AndAlso Not context.Request.IsSecureConnection Then
            Return Nothing
        End If

        Dim cookie As HttpCookie = context.Request.Cookies(PartialAuthentication.IdentityCookieName)
        If cookie Is Nothing Then
            Return Nothing
            Return PartialAuthentication.Decrypt(cookie.Value)
        End If
    End Function

    Private Sub AuthenticateRequest(ByVal sender As System.Object, ByVal e As System.EventArgs)
        Dim application As HttpApplication = sender
        Dim context As HttpContext = application.Context

        If context.User Is Nothing OrElse context.User.Identity Is Nothing Then
            Dim ticket As FormsAuthenticationTicket = GetTicket(context)
            If Not ticket Is Nothing Then
                Dim roleList As String() = Nothing
                If Roles.Enabled Then
                    roleList = Roles.GetRolesForUser(ticket.Name)
                End If

                context.User = New GenericPrincipal(New GenericIdentity(ticket.Name, "Partial"), roleList)

                PartialAuthentication.RenewTicketIfOld(context, ticket)
            End If
        Else 'Already have a user from forms authentication
            Dim ticket As FormsAuthenticationTicket = GetTicket(context)
            If Not ticket Is Nothing Then
                If ticket.Name <> context.User.Identity.Name Then
                    PartialAuthentication.RenewTicketIfOld(context, ticket)
                End If
            End If
        End If
    End Sub

End Class

By viewing downloads associated with this article you agree to the Terms of Service and the article's licence.

If a file you wish to view isn't highlighted, and is a text file (not binary), please let us know and we'll add colourisation support for it.


This article, along with any associated source code and files, is licensed under The GNU Lesser General Public License (LGPLv3)


About the Author

Software Developer (Senior) Pathfinder Software
United States United States
No Biography provided

You may also be interested in...

Permalink | Advertise | Privacy | Terms of Use | Mobile
Web02 | 2.8.170326.1 | Last Updated 27 Aug 2008
Article Copyright 2008 by BrantBurnett
Everything else Copyright © CodeProject, 1999-2017
Layout: fixed | fluid