Solved

Forms Authentication (using IP and login page)

Posted on 2009-05-13
Last Modified: 2012-08-13
I have asked this question before, but maybe not as clearly as I should have. I'm going to try again in the hope that someone has done this before.

Scenario:
I have a website that has 2 different protected areas. Access to these areas (folders) could happen 2 different ways. 1. IP authentication or 2. logging in with username and password.

I built a custom membership and custom role provider. I can get the user's role whether they come in through the login form or via IP and give them access to the proper folders.

The problem occurs when they hop between the 2 folders. The user could be at work and gain access to a folder via the work IP address, but then go over to the other protected area and have to log in with their personal username and password (the IP role comes from the company record in the table and the username and password role comes from the user's record).

So the problem is when they hop back and forth. For example, a user goes to folder 1 and is prompted to log in. A forms authentication cookie is established and the role is gathered and I allow them access to the page. Now the user (already authenticated) goes over to the other folder where they have an IP subscription from their work record, but because their previous authentication doesn't have the correct role (they only have their personal role) they get kicked over to the login page. They don't have a username and password because they have IP access.

Any ideas? Am I explaining this right?
Question by:flukester
10 Comments
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 24463810
Hi flukester,

I'm confused.  Do you want them to be able to hop or not?
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 24464584
Can't you detect their status and allow and warn them that they are logged in as roleA and give them a logout link?
 
LVL 1

Expert Comment

by:mdiehly64
ID: 24467244
How do you track, as they move between pages in a certain area, whether or not they have access to that area?

It seems you may need another layer of abstraction that controls authentication and access.  Each time a user tries to access a content area, this layer checks to see if they have access to that area, whether they authenticated via IP or username/password.  This layer would control the flow of each movement throughout the site and could be placed as an include in the top of each page.  The actual code would only exist in one place.
 

Author Comment

by:flukester
ID: 24467895
Jason, yes, I want them to be able to hop around, but they currently can't. Basically I need to have 2 authentication cookies, 1 if they come in via IP and one if they log in, and have both cookies active at the same time. The problem occurs if they first go to a username/password section and get authenticated that way: how am I supposed to check the IP if they are already authenticated? I can't do it on page load b/c I end up in a never-ending loop.

mplungian, I could give them their status, but these customers don't know what role(s) they are or should be.

mdiehly64, I don't track via code on a page. Using the built-in forms authentication piece, it's all tracked via cookie. They get access based on their role(s), which is based off their username when they log in or their IP if they come in that way. I like your idea, just not sure how to implement it. Any ideas?

I can post code tomorrow when I get back to the office.
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 24470768
I agree with mdiehly64...you need another layer here.

Set a cookie or session whenever someone successfully authenticates via one method or the other and then have both scripts check for the presence of that cookie. If it exists, bypass the normal login.
 

Accepted Solution

by:flukester
ID: 24477810
Does this make sense to you guys? I think I have it working. In the page load event I call a checkIP procedure if the user is not authenticated or if they don't have an IP cookie.

The checkIP procedure will authenticate the user and create an IP cookie.

Then if they go to a login/password area I create another cookie to delete the IP cookie. That way if/when they go back to the IP area the checkIP procedure is run again because of the logic in the page load.

See any holes with this setup?
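
The per-request access layer suggested earlier in the thread, as an added example that is not code from any poster here: the principal is rebuilt on every request from the login's roles plus the roles tied to the peer IP, so a user who logged in personally still carries the company IP role when they hop folders. The class and method names, the IP range, the user and the role names are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Principal;

static class AccessLayer
{
    // Constructed sample data standing in for the company (IP range -> role)
    // and user (login -> roles) tables; all names here are hypothetical.
    static readonly Dictionary<string, string> CompanyIpRoles =
        new Dictionary<string, string> { { "203.0.113.0/24", "Folder2Reader" } };
    static readonly Dictionary<string, string[]> UserRoles =
        new Dictionary<string, string[]> { { "alice", new[] { "Folder1Reader" } } };

    // True when addr lies inside a CIDR block such as "203.0.113.0/24".
    static bool InCidr(IPAddress addr, string cidr)
    {
        string[] parts = cidr.Split('/');
        byte[] net = IPAddress.Parse(parts[0]).GetAddressBytes();
        byte[] ip = addr.GetAddressBytes();
        if (ip.Length != net.Length) return false;   // IPv4 / IPv6 mismatch
        int bits = int.Parse(parts[1]);
        for (int i = 0; i < ip.Length && bits > 0; i++, bits -= 8)
        {
            int mask = bits >= 8 ? 0xFF : (0xFF << (8 - bits)) & 0xFF;
            if ((ip[i] & mask) != (net[i] & mask)) return false;
        }
        return true;
    }

    // Called once per request, before authorization: roles from the login (if any)
    // plus roles for the peer IP, so neither entry path hides the other's roles.
    public static IPrincipal BuildPrincipal(string loginName, string peerAddress)
    {
        var roles = new HashSet<string>();
        string[] personal;
        if (loginName != null && UserRoles.TryGetValue(loginName, out personal))
            roles.UnionWith(personal);
        IPAddress ip;
        if (IPAddress.TryParse(peerAddress, out ip))
            foreach (var entry in CompanyIpRoles)
                if (InCidr(ip, entry.Key)) roles.Add(entry.Value);
        var identity = new GenericIdentity(loginName ?? "ip-visitor");
        return new GenericPrincipal(identity, new List<string>(roles).ToArray());
    }

    static void Main()
    {
        // Logged in at work, logged in elsewhere, and IP-only at work (no login).
        IPrincipal atWork = BuildPrincipal("alice", "203.0.113.40");
        Console.WriteLine(atWork.IsInRole("Folder1Reader") && atWork.IsInRole("Folder2Reader"));
        Console.WriteLine(BuildPrincipal("alice", "198.51.100.7").IsInRole("Folder2Reader"));
        Console.WriteLine(BuildPrincipal(null, "203.0.113.40").IsInRole("Folder2Reader"));
    }
}
```

The peer address passed in should be the connection's remote address (`Request.UserHostAddress` in ASP.NET), not a client-supplied header such as `X-Forwarded-For`, since the IP is acting as a credential here.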
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

"In order to have an organized way for empathy mapping, we rely on a psychological model and trying to model it in a simple way, so we will split the board to three section for each persona and a scenario and try to see what those personas would Do,…
Get to know the ins and outs of building a web-based ERP system for your enterprise. Development timeline, technology, and costs outlined.
The viewer will learn how to dynamically set the form action using jQuery.
Any person in technology especially those working for big companies should at least know about the basics of web accessibility. Believe it or not there are even laws in place that require businesses to provide such means for the disabled and aging p…

943 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now