
HttpContext.Current.User problem

DexterJones asked
Medium Priority, 309 Views
Last Modified: 2007-10-18
Hi,

Please kindly assist: how come I get redirected to login.aspx even though I'm authenticated?

Thanks.

Login.aspx
Login_click
            ' ... user successfully authenticated to MS SQL database
            cmd.ExecuteNonQuery()
            Dim returnaccessvalue As String = cmd.Parameters("@RETURN_VALUE").Value
            FormsAuthentication.SetAuthCookie(txtusername.Text, False)
            HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(New System.Security.Principal.GenericIdentity(txtusername.Text), New String() {"21"})
            Response.Redirect("admin.aspx")

admin.aspx
page_load
            If Me.User.IsInRole("21") Then
                'role accepted
            Else
                System.Web.Security.FormsAuthentication.SignOut()
                Response.Redirect("../Login.aspx")
            End If

Thanks.

Commented:
Have you stepped through the code? That would help a lot. Also in the line:

HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(New System.Security.Principal.GenericIdentity(txtusername.Text), New String() {"21"})

You never create a variable; try a Session variable:

            Dim userPrincipal As New System.Security.Principal.GenericPrincipal(New System.Security.Principal.GenericIdentity(txtusername.Text), New String() {"21"})
            HttpContext.Current.User = userPrincipal
            Session("user") = userPrincipal

admin.aspx
page_load
            ' Session stores Object, so cast back to the principal type
            Dim userPrincipal As System.Security.Principal.GenericPrincipal = CType(Session("user"), System.Security.Principal.GenericPrincipal)

            If Not userPrincipal Is Nothing AndAlso userPrincipal.IsInRole("21") Then
                'role accepted
            Else
                System.Web.Security.FormsAuthentication.SignOut()
                Response.Redirect("../Login.aspx")
            End If

Author

Commented:
strickdd,

I found new info, when I check

            If Me.User.IsInRole("21") Then

on the login page it returns true, but it returns false on other pages. What could be happening?

Thanks.

Commented:
The object is not being passed from one page to another. You have to pass the User object to the next page which is why I recommended a session variable. It just has to be cast as a User type object when you want to use it on the next page.

Author

Commented:
strickdd,

Can you kindly assist in code how we can use an encrypted cookie? I've been reading left and right on the net; sadly I'm lost on how to implement this.

Thanks.


This is the code I have been working with; still no luck on the encrypted cookie to be used for passing from one page to another.

Login.aspx
Login_click
            ' ... user successfully authenticated to MS SQL database
            cmd.ExecuteNonQuery()
            Dim returnaccessvalue As String = cmd.Parameters("@RETURN_VALUE").Value
            FormsAuthentication.SetAuthCookie(txtusername.Text, False)
            HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(New System.Security.Principal.GenericIdentity(txtusername.Text), New String() {"21"})

            Dim fat As FormsAuthenticationTicket = New FormsAuthenticationTicket(1, _
             txtusername.Text, DateTime.Now, _
             DateTime.Now.AddMinutes(30), False, returnaccessvalue, _
             FormsAuthentication.FormsCookiePath)
            Response.Cookies.Add(New HttpCookie(FormsAuthentication.FormsCookieName, _
             FormsAuthentication.Encrypt(fat)))

            Response.Redirect(FormsAuthentication.GetRedirectUrl(txtusername.Text, False))  ' <---- what does this one do?

            If Me.User.IsInRole("21") Then
                Response.Redirect("admin.aspx")
            ElseIf Me.User.IsInRole("22") Then
                Response.Redirect("power.aspx")
            ElseIf Me.User.IsInRole("23") Then
                Response.Redirect("standard.aspx")
            End If


Thanks.
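An added example, not code from the thread, showing why the role is gone on the next page and the usual fix: the principal assigned in Login_click lives only for that one request, and on the next request the forms authentication module builds a fresh principal from the ticket with no roles, so the check on admin.aspx fails. Storing the role in the ticket's UserData, as the second login snippet already does, and rebuilding the principal in Global.asax Application_AuthenticateRequest makes it available on every page. The method name IssueTicketAndRedirect and the role-to-page mapping are assumptions; the role ids and the ticket handling follow the question.

```vbnet
' Login.aspx.vb (added example). userName and roleId map to the question's
' txtusername.Text and returnaccessvalue; the role-to-page mapping is assumed.
Imports System.Web
Imports System.Web.Security
Imports System.Security.Principal
Public Class LoginPage
    Inherits System.Web.UI.Page
    Protected Sub IssueTicketAndRedirect(ByVal userName As String, ByVal roleId As String)
        ' The role travels in UserData inside the encrypted, MAC-protected ticket, so the
        ' browser cannot change it. SetAuthCookie is not called as well: it would write a
        ' second ticket with empty UserData under the same cookie name.
        Dim ticket As New FormsAuthenticationTicket(1, userName, DateTime.Now, _
            DateTime.Now.AddMinutes(30), False, roleId, FormsAuthentication.FormsCookiePath)
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
            FormsAuthentication.Encrypt(ticket))
        cookie.HttpOnly = True   ' keep client-side script away from the ticket
        Response.Cookies.Add(cookie)
        ' Choose the landing page first: Response.Redirect ends the response, so an
        ' If/ElseIf placed after it never runs.
        Dim target As String
        Select Case roleId
            Case "21" : target = "admin.aspx"
            Case "22" : target = "power.aspx"
            Case "23" : target = "standard.aspx"
            Case Else ' GetRedirectUrl: the ReturnUrl the user came from, else the default URL
                target = FormsAuthentication.GetRedirectUrl(userName, False)
        End Select
        Response.Redirect(target)
    End Sub
End Class

' Global.asax.vb (added example). Runs on every request before Page_Load and rebuilds
' the principal from the ticket, so Me.User.IsInRole("21") is also true on admin.aspx.
Public Class Global_asax
    Inherits System.Web.HttpApplication
    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim authCookie As HttpCookie = Request.Cookies(FormsAuthentication.FormsCookieName)
        If authCookie Is Nothing OrElse authCookie.Value = "" Then Return
        Dim ticket As FormsAuthenticationTicket = Nothing
        Try
            ticket = FormsAuthentication.Decrypt(authCookie.Value)
        Catch ex As Exception   ' malformed or tampered cookie: stay anonymous
            Return
        End Try
        If ticket Is Nothing OrElse ticket.Expired Then Return
        ' UserData may carry several roles separated by commas; the question stores one.
        Dim roles As String() = ticket.UserData.Split(","c)
        Context.User = New GenericPrincipal(New FormsIdentity(ticket), roles)
    End Sub
End Class
```

With the principal rebuilt this way, the admin.aspx Page_Load check from the question works unchanged and nothing needs to be copied through Session.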
Commented:
I'm a little confused as to why a session variable seems to be out of the question. It is more secure than an encrypted cookie and is a lot easier to work with. If you do this on the first page:

Session("UserObj") = me.user

and on the next pages where you need to use this object:

HttpContext.Current.User = CType(Session("UserObj"), System.Security.Principal.IPrincipal)   ' Page.User is read-only, so assign through HttpContext

This code should work fine for your purposes, be more secure than any other method, and reduce code considerably. Have you tried it?


Author

Commented:
strickdd,

Thanks so much for the info. Got a question for ya: how can we increase the time a session variable takes to time out?

Thanks.
Dexter,

Session.Timeout = 5 '5 minute timeout

If it is working please give all the points to strickdd. I am just helping out while he is most probably asleep ;)

Commented:
The easiest way to manage sessions is through the web.config file. You can do the Session.Timeout = x, but then you have to recompile the project if you need to change the session.

In the web.config there should be a section like this:

<sessionState
            mode="InProc"
            stateConnectionString="tcpip=127.0.0.1:42424"
            sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
            cookieless="false"
            timeout="20"
    />


Just change timeout="20" to the length of time you want to give. Note the default is always 20 minutes.

Author

Commented:
strickdd,

Amazing, one last question, which is better?

form auth with session as role
or

session role only

Thanks.

Commented:
I'm not quite sure what you mean by that. Example code would help if possible.

Author

Commented:
Is it more secure to use form auth and a session variable for the role, or is a session variable for the role more secure?

user login/password is authenticated using database.

Author

Commented:
I mean if the combination of form auth and session variable is more secure versus

using session variables only

Commented:
In the code behind for the login form, you can just use the user object. To get the user object to the next page, use the session variable. Does that answer your question?