Windows Phone, Authentication, OData, CookieContainer

Jan 7, 2011 at 11:01 AM


I'm trying to secure my OData Web service but I encounter some problems.

I use a service to auth users : System.Web.ApplicationServices.AuthenticationService

It return a auth HttpOnly cookie that I can use for calls to OData Services.

The problem is that the cookie is in a CookieContainer that is invisible :

Note : Here is the “Trick” to make everything work. If you look into this CookieContainer class in the debugger you will not see the FEDAUTH cookie or any other HTTPOnly, but they are there. All you need to do is simply pass the CookieContainer along from call to call. 

Good, but when I want to pass this CookieContainer when SendingRequest in my entity client code, I can only access to the RequestHeaders from the SendingRequestEventArgs.

I have actually no access to the Request property from the SendingRequestEventArgs so I can't set the CookieContainer that contain's my "invisible" auth cookie.

So how can I do this ?

Jan 11, 2011 at 9:06 AM


I resolved this problem by setting the cookie to NOT HTTPOnly in the Global.asax file in CreatingCookie method :

 AuthenticationService.CreatingCookie += (sender, e) =>
                int cookieVersion = 1;
                //The time at which the cookie was issued by the server
                DateTime cookieIssueDate = DateTime.Now;
                //The relative time from now when the cookie will expire and the client will have to re-authenticate.
                DateTime cookieExpiryDate = DateTime.Now.AddMinutes(30);
                //The Forms Auth ticket which uniquely identifies a user
                //FormsAuthenticationTicket on MSDN :
                FormsAuthenticationTicket ticket = new FormsAuthenticationTicket
                               e.IsPersistent, /*Indicates whether the authentication cookie should be retained beyond the current session*/
                //Creates a string containing an encrypted forms-authentication ticket suitable for use in an HTTP cookie.
                //FormsAuthentication.Encrypt on MSDN :
                string encryptedTicket = FormsAuthentication.Encrypt(ticket);
                HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
                //set HttpOnly to false so that the managed CookieContainer can read the FormsAuth cookie from the response.
                cookie.HttpOnly = false;
                cookie.Expires = cookieExpiryDate;

                 e.CookieIsSet = true;

Mar 1, 2011 at 5:19 PM

Hi MMagnin,

 Please follow the instructions in this blog post for getting Forms Auth to work with the client library :

Apr 28, 2011 at 10:24 PM

Hi MMagnin,

How did you add requestheader from sendrequestevent if there is CookieContainer? I actually tried to add auth cookie into requestheaders manually for each odata request, but my my wcf dataservice seems cannot get login user infomration. the following steps is what I did.

create WCF Data service AuthenticationService.svc and change to System.Web.ApplicationServices.AuthenticationService and publish this service as basichttp binding. I also configure all web.config properly and global.ascx createtocken event.

Create my WCF data service to expose my entity stuff

On my windows phone project, add authentication service through "add service" and was able to create a login screen to call authentication service successfully. I also got token which sent from server side. 

got Odata2 client library and generate proxy class file. add tokent which I got from previous step and attach to OData service call by following statement

    public partial class TestDBEntities : global::System.Data.Services.Client.DataServiceContext
        partial void OnContextCreated()
            this.SendingRequest += new EventHandler<System.Data.Services.Client.SendingRequestEventArgs>(TestDBEntities_SendingRequest);

        private void TestDBEntities_SendingRequest(object sender, System.Data.Services.Client.SendingRequestEventArgs e)
            if (String.IsNullOrEmpty(App.AuthToken) == false)
                e.RequestHeaders["ASPXAUTH"] = App.AuthToken;


 the problem is my WCF data service which host entity stuff doesn't have login user information and isauthenticated property is false. I also add [RequiresAuthenticationin my service class. when I call HttpContext.Current.User.Identity.IsAuthenticated, it always show false and username is empty.

Did you know which steps I miss? Any comments will be appreciated.





May 3, 2011 at 5:47 PM

If you have one data service you need to create separate authentication service as a WCF Service and then enable the service in your web config (see WCF Authentication Service in MSDN library for pointers)

Seems logical that if you are authenticated then those credentials will be ok for future calls