Forms Authentication in Web Services

Recently I was working on a project where a Windows Application needed to access Web Application via Web Services. Web Application was using FormsAuthentication. And Windows Application had to "log-in" to the Web Service in order to interact with it. So the solution I found to be working as desired is as follows.
My Web Service has a LogIn method:

public void LogIn(string username, string password)
{
    if (!System.Web.Security.Membership.Provider.ValidateUser(username, password))
    throw new System.Security.SecurityException("Enable to login");

    System.Web.Security.FormsAuthentication.SetAuthCookie(username, true);
}

And my Windows Application has this code to call my Web Service:

private MyWebService myWebService;

private void Form1_Load(object sender, EventArgs e)
{
    MyWebService myWebService = new MyWebService();
    myWebService.CookieContainer = new System.Net.CookieContainer();
    myWebService.LogIn(UsernameTextBox.Text, PasswordTextBox.Text);
}

Note that before calling LogIn methods, i'm setting CookieContainer property of the web service instance.

myWebService.CookieContainer = new System.Net.CookieContainer();

That's the trick to make it work. And it works like a charm.

Tags: .NET, C#, Web Services, Authentication

Feedback

# re: Forms Authentication in Web Services

Aren't soap header ment for that kind of stuff? Putting credentials and method info in one roundtrip? 5/17/2008 9:42 AM | Ramon Smits

# re: Forms Authentication in Web Services

Great tip! Thanks! 10/18/2008 2:49 AM | Fede

# re: Forms Authentication in Web Services

Do you have any idea of why this wont work for me when i call ir from a windows application??
I AM USING the cookiecontainer in my win app

After making a few modifications, i made it work with this code:
<WebMethod()> _ Public Function SignIn(ByVal Nick As String, ByVal Password As String) As Boolean If Not Membership.ValidateUser(Nick, Password) Then Return False Dim ticket As New FormsAuthenticationTicket(1, Nick, Now, Now.AddYears(1), True, "") Dim strEncryptedTicket As String = FormsAuthentication.Encrypt(ticket) Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, strEncryptedTicket) Context.Response.Cookies.Add(cookie) Return True End Function

Any ideas??

Thanks 12/15/2008 4:27 PM | Alexei

# re: Forms Authentication in Web Services

what if i would just want to call AuthCookie.
i do not need to log in to my Vsto solution, but i would like to have User.Identity.Name to be avialable when i call web service from VSTO Application. 2/19/2009 11:31 PM | Sk

# re: Forms Authentication in Web Services

Great tip, thanks! Worked first time! 8/6/2009 10:36 PM | QdK

# re: Forms Authentication in Web Services

Three things are important so that will work:

1.) You have to use the same instance of the webservice proxy to which you added the CookieContainer and logged in. If you're using a new instance the CookieContainer will be empty!
Even adding the CookieContainer with the AuthCookie to a new instance didn't work for me.

2.) The webservice function you call has to have EnableSession set to true in the WebMethod attribute:

C#
[WebMethod(EnableSession = true)]

VB
<WebMethod(EnableSession = true)>

3.) Setup the web.config properly. For example:

<authentication mode="Forms">
<forms name="AUTH" loginUrl="ServiceName.asmx" protection="All" timeout="5" path="/" slidingExpiration="true" />
</authentication>
<authorization>
<deny users="?" />
</authorization>

When the authentication failed the soap request will be redirectd to the ServiceName.asmx. Because it won't call a function in this example, the response will be empty! 9/10/2009 9:28 PM | Bob

# re: Forms Authentication in Web Services

Hi,
I have similar case with me. A web application is already existing with asp.net websites having forms authentication. I created a new webservice in it at /services/myservice.asmx . Now I am trying to consume the service. I am not able to detect the web service itself.

I disabled forms authentication and then registered with web service. When I re enabled it and tried it your way, it says "unable to read data from transport connection. An existing connection was forcibly closed by the remote host." 11/20/2009 4:34 AM | Inder

# re: Forms Authentication in Web Services

I tried to implement your solution, but it doesn't work. The call to the Login web method will immediately be redirected to the login page - that's how forms based authentication is supposed to work. What's the trick avoid the redirect while calling Login? 1/14/2010 12:45 AM | Mirko

Mikhail says...