Vulnerability in EPiServer.Forms
I'm having a little problem automatically logging a user in after we've forced them to change their password (as part of the login process).
This is what I'm doing at the moment:
Common.Settings.DefaultSecurity.AuthenticateUser("username", "password", out loggedInUser);
AuthenticateUser returns true, an .EPiServerLogin cookie is added to the Response, and the user is redirected to the start page, but when they get there they get bounced back to the login screen and the .EPiServerLogin cookie is removed, presumably because the auth cookie isn't accepted.
Does anybody know if the IUser.UserName is the right field to use when setting the auth cookie, or whether there is an EPiServer implementation of FormsAuthentication I should be using, or perhaps I have to create a custom FormsAuthenticationTicket with some specific fields which EPiServer requires?
Any help much appreciated,
Validating users:
bool credentialsAreValid = System.Web.Security.Membership.ValidateUser(username, password);
// or
bool credentialsAreValid = System.Web.Security.FormsAuthentication.Authenticate(username, password); // NOTE: Only verifies credentials, does not log user in

Authenticating (logging in) a user:
EPiServer.Security.PrincipalInfo.CurrentPrincipal = EPiServer.Security.PrincipalInfo.CreatePrincipal(username);
When using FormsAuthentication.SetAuthCookie("username",false) the "false" value indicates that the cookie should not be persisted. A cookie is deleted (invalidated) on the client when the user is logged out or when the cookie expires. Non-persisted cookies expire when the browser session ends.
Are you using HTTPS for the login page but HTTP for the pages visible to authenticated users? Do you have <forms ... requireSSL="true"> in your web.config? If so, the cookie you set is invalidated when switching from HTTPS to HTTP during login.
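Putting the two answers above together (validate credentials, then actually sign the user in, and respect requireSSL so the cookie survives the redirect), here is an added example of the forced-password-change flow. It is not code from the thread or from EPiServer; it assumes the default ASP.NET Membership provider is in use, that it runs inside an ASP.NET request (HttpContext.Current is set), and the class and method names are made up for illustration.

```csharp
using System;
using System.Web;
using System.Web.Security;
using EPiServer.Security;

// Added example, not from the original thread. Completes a forced password
// change and then signs the user in so the start page accepts the session.
// Assumes the default ASP.NET Membership provider and a live HttpContext.
public static class ForcedPasswordChangeLogin   // hypothetical name
{
    public static void ChangePasswordAndSignIn(string username, string oldPassword, string newPassword)
    {
        HttpContext ctx = HttpContext.Current;

        // 1. Verify the credentials the user typed. This only checks them;
        //    it does not create a session.
        if (!Membership.ValidateUser(username, oldPassword))
            throw new UnauthorizedAccessException("Invalid credentials");

        // 2. Change the password through the membership provider. A failed
        //    change must not fall through to the sign-in below.
        MembershipUser user = Membership.GetUser(username);
        if (user == null || !user.ChangePassword(oldPassword, newPassword))
            throw new InvalidOperationException("Password change failed");

        // 3. With <forms requireSSL="true"> the auth cookie is marked Secure
        //    and is only sent over HTTPS. Issuing it from an HTTP request, or
        //    redirecting to an HTTP start page, produces exactly the
        //    "bounced back to the login screen" symptom from the question.
        if (FormsAuthentication.RequireSSL && !ctx.Request.IsSecureConnection)
            throw new InvalidOperationException("Sign-in must happen over HTTPS when requireSSL is on");

        // 4. Issue the forms-auth cookie for the name the provider knows
        //    (MembershipUser.UserName). 'false' = session cookie, not persistent.
        FormsAuthentication.SetAuthCookie(user.UserName, false);

        // 5. Make the current request run as that user as well, so code that
        //    executes before the redirect already sees an authenticated principal.
        PrincipalInfo.CurrentPrincipal = PrincipalInfo.CreatePrincipal(user.UserName);

        // 6. Redirect to the ReturnUrl (or the forms defaultUrl). The target must
        //    use the same scheme as the login page when requireSSL is on.
        string target = FormsAuthentication.GetRedirectUrl(user.UserName, false);
        ctx.Response.Redirect(target, false);
        ctx.ApplicationInstance.CompleteRequest();
    }
}
```

The ordering matters: validate, change the password, and only then issue the cookie, so a failed change never leaves the user signed in on the old credentials. Step 3 is the check for the HTTPS-to-HTTP problem described in the last answer; if you would rather redirect to the HTTPS login page than throw, do that there.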