HttpContext.Current.User problem

Hi,

Please kindly assist how come I get redirected to login.aspx even though I'm authenticated?

Thanks.

Login.aspx
Login_click
            ' ..... user successfully authenticated to ms sql database
            cmd.ExecuteNonQuery()
            Dim returnaccessvalue As String = cmd.Parameters("@RETURN_VALUE").Value
            returnaccessvalue = cmd.Parameters("@RETURN_VALUE").Value
            FormsAuthentication.SetAuthCookie(txtusername.Text, False)
            HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(New System.Security.Principal.GenericIdentity(txtusername.Text), New String() {"21"})
            Response.Redirect("admin.aspx")


admin.aspx
page_load
       If Me.User.IsInRole("21") Then

         'role accepted

        Else
            System.Web.Security.FormsAuthentication.SignOut()
            Response.Redirect("../Login.aspx")
        End If

Thanks.
DexterJones Asked:

strickdd Commented:
Have you stepped through the code? That would help a lot. Also in the line:

HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(New System.Security.Principal.GenericIdentity(txtusername.Text), New String() {"21"})

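You never create a variable; try a Session variable:

Dim VARIABLE As System.Security.Principal.IPrincipal = New System.Security.Principal.GenericPrincipal(New System.Security.Principal.GenericIdentity(txtusername.Text), New String() {"21"})
Session("user") = VARIABLE

admin.aspx
page_load
       ' Session("user") is Nothing when the session has expired or was never set
       Dim VARIABLE As System.Security.Principal.IPrincipal = TryCast(Session("user"), System.Security.Principal.IPrincipal)

       If VARIABLE IsNot Nothing AndAlso VARIABLE.IsInRole("21") Then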

         'role accepted

        Else
            System.Web.Security.FormsAuthentication.SignOut()
            Response.Redirect("../Login.aspx")
        End If
0
DexterJones (Author) Commented:
strickdd,

I found new info, when I check

if Me.User.IsInRole("21") then

on the login page it returns true, but it returned false on other pages. What could be happening?

Thanks.
0
strickdd Commented:
The object is not being passed from one page to another. You have to pass the User object to the next page which is why I recommended a session variable. It just has to be cast as a User type object when you want to use it on the next page.
0

DexterJones (Author) Commented:
strickdd,

Can you kindly assist in code how we can use an encrypted cookie? I've been reading left and right on the net; sadly I'm lost on how to implement this.

Thanks.


This is the code I have been working with; still no luck on the encrypted cookie to be used for passing from one page to another.

Login.aspx
Login_click
            ' ..... user successfully authenticated to ms sql database
            cmd.ExecuteNonQuery()
            Dim returnaccessvalue As String = cmd.Parameters("@RETURN_VALUE").Value
            returnaccessvalue = cmd.Parameters("@RETURN_VALUE").Value
            FormsAuthentication.SetAuthCookie(txtusername.Text, False)
            HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(New System.Security.Principal.GenericIdentity(txtusername.Text), New String() {"21"})


            Dim fat As FormsAuthenticationTicket = New FormsAuthenticationTicket(1, _
             txtusername.Text, DateTime.Now, _
             DateTime.Now.AddMinutes(30), False, returnaccessvalue, _
             FormsAuthentication.FormsCookiePath)
            Response.Cookies.Add(New HttpCookie(FormsAuthentication.FormsCookieName, _
             FormsAuthentication.Encrypt(fat)))
           
            Response.Redirect(FormsAuthentication.GetRedirectUrl(txtusername.Text, False))  ' <---- what does this one do?

            If Me.User.IsInRole("21") Then
                Response.Redirect("admin.aspx")
            ElseIf Me.User.IsInRole("22") Then
                Response.Redirect("power.aspx")
            ElseIf Me.User.IsInRole("23") Then
                Response.Redirect("standard.aspx")
            End If


Thanks.
0
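
An added example, not part of the original thread or any participant's code: HttpContext.Current.User is rebuilt on every request, so a principal assigned in Login_click is gone by the time admin.aspx loads. This Global.asax handler restores the roles on each request from the UserData field of the forms-authentication ticket. The class name Global_asax and the comma-separated role format are assumptions.

```vb
' Global.asax.vb (added example; class name and role format are assumptions)
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

Public Class Global_asax
    Inherits HttpApplication

    ' Runs on every request, before Page_Load. The principal is not carried
    ' over between requests, so the roles are restored here from the ticket.
    Protected Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim authCookie As HttpCookie = Request.Cookies(FormsAuthentication.FormsCookieName)
        If authCookie Is Nothing OrElse String.IsNullOrEmpty(authCookie.Value) Then
            Return ' anonymous request: the <authorization> rules decide what happens
        End If

        Dim ticket As FormsAuthenticationTicket = Nothing
        Try
            ' With protection="All" (the default) Decrypt also validates the ticket,
            ' so a modified cookie does not yield a usable ticket.
            ticket = FormsAuthentication.Decrypt(authCookie.Value)
        Catch ex As Exception
            Return ' tampered or undecryptable cookie: stay anonymous
        End Try

        If ticket Is Nothing OrElse ticket.Expired Then
            Return
        End If

        ' Assumption: Login_click stored the role codes in UserData as a
        ' comma-separated string such as "21" or "21,22".
        Dim roles As String() = ticket.UserData.Split( _
            New Char() {","c}, StringSplitOptions.RemoveEmptyEntries)

        ' Pages now see these roles through Me.User.IsInRole(...).
        Context.User = New GenericPrincipal(New FormsIdentity(ticket), roles)
    End Sub
End Class
```

The ticket written by FormsAuthentication.SetAuthCookie has empty UserData, so the cookie that reaches this handler must be the one built from the FormsAuthenticationTicket that carries the role value.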
strickdd Commented:
I'm a little confused as to why a session variable seems to be out of the question. It is more secure than an encrypted cookie and is a lot easier to work with. If you do this on the first page:

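Session("UserObj") = Me.User

and on the next pages where you need to use this object:

' Page.User is read-only, so the assignment goes through HttpContext.Current.User
HttpContext.Current.User = CType(Session("UserObj"), System.Security.Principal.IPrincipal)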

This code should work fine for your purposes, be more secure than any other method, and reduce code considerably. Have you tried it?
0

DexterJones (Author) Commented:
strickdd,

Thanks so much for the info, Got a question for ya, how can we increase the time a session variable times out?

Thanks.
0
GavinMannion Commented:
Dexter,

Session.Timeout = 5 '5 minute timeout

If it is working please give all the points to strickdd. I am just helping out while he is most probably asleep ;)
0
strickdd Commented:
The easiest way to manage sessions is through the web.config file. You can do the Session.Timeout = x, but then you have to recompile the project if you need to change the session.

In the web.config there should be a section like this:

<sessionState
            mode="InProc"
            stateConnectionString="tcpip=127.0.0.1:42424"
            sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
            cookieless="false"
            timeout="20"
    />


Just change the "timeout="20"" to be the length of time you want to give. Note the default is always 20 minutes.
0
DexterJones (Author) Commented:
strickdd,

Amazing, one last question, which is better?

form auth with session as role
or

session role only

Thanks.
0
strickdd Commented:
I'm not quite sure what you mean by that. Example code would help if possible.
0
DexterJones (Author) Commented:
Is it more secure to use form auth and session variable for role, or is session variable for role more secure?

User login/password is authenticated using database.
0
DexterJones (Author) Commented:
I mean if the combination of form auth and session variable is more secure versus

using session variables only
0
strickdd Commented:
In the code behind for the login form, you can just use the user object. To get the user object to the next page, use the session variable. Does that answer your question?
0

Question has a verified solution.
