Solved

HttpContext.Current.User problem

Posted on 2006-03-23
Last Modified: 2007-10-18
Hi,

Please kindly assist: how come I get redirected to login.aspx even though I'm authenticated?

Thanks.

Login.aspx
Login_click
.....user successfully authenticated to ms sql database
            cmd.ExecuteNonQuery()
            Dim returnaccessvalue As String = cmd.Parameters("@RETURN_VALUE").Value
            returnaccessvalue = cmd.Parameters("@RETURN_VALUE").Value
            FormsAuthentication.SetAuthCookie(txtusername.Text, False)
            HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(New System.Security.Principal.GenericIdentity(txtusername.Text), New String() {"21"})
response.redirect("admin.aspx")


admin.aspx
page_load
       If Me.User.IsInRole("21") Then

         'role accepted

        Else
            System.Web.Security.FormsAuthentication.SignOut()
            Response.Redirect("../Login.aspx")
        End If

Thanks.
0
Question by:DexterJones
13 Comments
 
LVL 28

Expert Comment

by:strickdd
ID: 16268935
Have you stepped through the code? That would help a lot. Also in the line:

HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(New System.Security.Principal.GenericIdentity(txtusername.Text), New String() {"21"})

You never create a variable; try a Session variable:

Dim VARIABLE As System.Security.Principal.IPrincipal = New System.Security.Principal.GenericPrincipal(New System.Security.Principal.GenericIdentity(txtusername.Text), New String() {"21"})
Session("user") = VARIABLE

admin.aspx
page_load
       Dim VARIABLE As System.Security.Principal.IPrincipal = CType(Session("user"), System.Security.Principal.IPrincipal)

       If VARIABLE.IsInRole("21") Then

         'role accepted

        Else
            System.Web.Security.FormsAuthentication.SignOut()
            Response.Redirect("../Login.aspx")
        End If
0
 

Author Comment

by:DexterJones
ID: 16269910
strickdd,

I found new info, when I check

if Me.User.IsInRole("21") then

on the login page it returns true, but it returned false on other pages. What could be happening?

Thanks.
0
 
LVL 28

Expert Comment

by:strickdd
ID: 16270193
The object is not being passed from one page to another. You have to pass the User object to the next page which is why I recommended a session variable. It just has to be cast as a User type object when you want to use it on the next page.
0
 

Author Comment

by:DexterJones
ID: 16270274
strickdd,

Can you kindly assist in code how can we use an encrypted cookie? I've been reading left and right on the net, sadly I'm lost on how to implement this.

Thanks.


This is the code I have been working with; still no luck on the encrypted cookie to be used for passing from one page to another.

Login.aspx
Login_click
.....user successfully authenticated to ms sql database
            cmd.ExecuteNonQuery()
            Dim returnaccessvalue As String = cmd.Parameters("@RETURN_VALUE").Value
            returnaccessvalue = cmd.Parameters("@RETURN_VALUE").Value
            FormsAuthentication.SetAuthCookie(txtusername.Text, False)
            HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(New System.Security.Principal.GenericIdentity(txtusername.Text), New String() {"21"})


            Dim fat As FormsAuthenticationTicket = New FormsAuthenticationTicket(1, _
             txtusername.Text, DateTime.Now, _
             DateTime.Now.AddMinutes(30), False, returnaccessvalue, _
             FormsAuthentication.FormsCookiePath)
            Response.Cookies.Add(New HttpCookie(FormsAuthentication.FormsCookieName, _
             FormsAuthentication.Encrypt(fat)))
           
            Response.Redirect(FormsAuthentication.GetRedirectUrl(txtusername.Text, False))  ' <---- what does this one do?

If Me.User.IsInRole("21") Then
    Response.Redirect("admin.aspx")
ElseIf Me.User.IsInRole("22") Then
    Response.Redirect("power.aspx")
ElseIf Me.User.IsInRole("23") Then
    Response.Redirect("standard.aspx")
End If


Thanks.
0
 
LVL 28

Accepted Solution

by:
strickdd earned 2000 total points
ID: 16270469
I'm a little confused as to why a session variable seems to be out of the question. It is more secure than an encrypted cookie and is a lot easier to work with. If you do this on the first page:

Session("UserObj") = me.user

and on the next pages where you need to use this object:

HttpContext.Current.User = CType(Session("UserObj"), System.Security.Principal.IPrincipal)

This code should work fine for your purposes, be more secure than any other method, and reduce code considerably. Have you tried it?
0
 

Author Comment

by:DexterJones
ID: 16277869
strickdd,

Thanks so much for the info, Got a question for ya, how can we increase the time a session variable times out?

Thanks.
0
 
LVL 15

Expert Comment

by:GavinMannion
ID: 16277908
Dexter,

Session.Timeout = 5 '5 minute timeout

If it is working please give all the points to strickdd. I am just helping out while he is most probably asleep ;)
0
 
LVL 28

Expert Comment

by:strickdd
ID: 16279386
The easiest way to manage sessions is through the web.config file. You can do the Session.Timeout = x, but then you have to recompile the project if you need to change the session.

In the web.config there should be a section like this:

<sessionState
            mode="InProc"
            stateConnectionString="tcpip=127.0.0.1:42424"
            sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
            cookieless="false"
            timeout="20"
    />


Just change the "timeout="20"" to be the length of time you want to give. Note the default is always 20 minutes.
0
 

Author Comment

by:DexterJones
ID: 16279409
strickdd,

Amazing, one last question, which is better?

form auth with session as role
or

session role only

Thanks.
0
 
LVL 28

Expert Comment

by:strickdd
ID: 16279439
I'm not quite sure what you mean by that. Example code would help if possible.
0
 

Author Comment

by:DexterJones
ID: 16279721
Is it more secure to use form auth and a session variable for the role, or is a session variable for the role more secure?

User login/password is authenticated using the database.
0
 

Author Comment

by:DexterJones
ID: 16279739
I mean if the combination of form auth and session variable is more secure versus

using session variables only
0
 
LVL 28

Expert Comment

by:strickdd
ID: 16279825
In the code behind for the login form, you can just use the user object. To get the user object to the next page, use the session variable. Does that answer your question?
0
