Solved

Forms Authentication (using IP and login page)

Posted on 2009-05-13
10
369 Views
Last Modified: 2012-08-13
I have asked this question before, but maybe not as clear as I should have, I'm going to try again with hopes someone has done this before.

Scenario:
I have a website that has 2 different protected areas. Access to these areas (folders) could happen 2 different ways. 1. IP authentication or 2. logging in with username and password.

I built a custom membership and custom role provider. I can get the users role whether they come in through the login form or via IP and give them access to the proper folders.

The problem occurs when they hop between the 2 folders.  The user could be at work and gain access to a folder via the work IP address, but then go over to the other protected area and have to login with their personal username and password (the IP role comes from the company record in the table and the username and password role comes from the users record)

So the problem is when they hop back and forth. For example user goes to folder 1 and is prompted to login. A forms authentication cookie is established and the role is gathered and I allow them access to the page. Now the user (already authenticated) goes over to the other folder where they have an IP subscription from their work record, but because their previous authentication doesn't have the correct role (only have their personal role) they get kicked over to the login page. They don't have a username and password because they have IP access.

Any ideas? Am I explaining this right?
0
Comment
Question by:flukester
10 Comments
 
LVL 70

Expert Comment

by:Jason C. Levine
Comment Utility
Hi flukester,

I'm confused.  Do you want them to be able to hop or not?
0
 
LVL 75

Expert Comment

by:Michel Plungjan
Comment Utility
can't you detect their status and allow and warn them that they are logged in as roleA and give them a logout link?
0
 
LVL 1

Expert Comment

by:mdiehly64
Comment Utility
How do you track, as they move between pages in a certain area, whether or not they have access to that area?

It seems you may need another layer of abstraction that controls authentication and access.  Each time a user tries to access a content area, this layer checks to see if they have access to that area, whether they authenticated via IP or username/password.  This layer would control the flow of each movement throughout the site and could be placed as an include in the top of each page.  The actual code would only exist in one place.
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 

Author Comment

by:flukester
Comment Utility
Jason, yes I want them to be able to hop around, but they currently can't. Basically I need to have 2 authentication cookies, 1 if they come in via IP and one if they login and have both cookies active at the same time. The problem occurs if they first go to a username/password section and get authenticated that way, how am I supposed to check the IP if they are already authenticated. I can't do it on page load b/c I end up in a never ending loop.

mplungian, I could give them their status, but these customers don't know what role(s) they are or should be.

mdiehly64, I don't track via code on a page. Using the built in forms authentication piece it's all tracked via cookie. They get access based on their role(s) which is based off their username when they login or their IP if they come in that way.  I like your idea, just not sure how to implement it? Any ideas.

I can post code tomorrow when I get back to the office.
0
 
LVL 70

Expert Comment

by:Jason C. Levine
Comment Utility
I agree with mdiehly64...you need another layer here.

Set a cookie or session whenever someone successfully authenticates via one method or the other and then have both scripts check for the presence of that cookie.  If it exists, bypass the normal login.
0
 

Accepted Solution

by:
flukester earned 0 total points
Comment Utility
Does this make sense to you guys. I think I have it working. In the page load event I call a checkIP procedure if the user is not authenticated or if they don't have an IP cookie.

The checkIP procedure will authenticate the user and create an IP cookie.

Then if they go to a login/password area I create another cookie to delete the IP cookie. That way if/when they go back to the IP area the checkIP procedure is run again because of the logic in the page load.

See any holes with this setup?
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Preface This is the third article about the EE Collaborative Login Project. A Better Website Login System (http://www.experts-exchange.com/A_2902.html) introduces the Login System and shows how to implement a login page. The EE Collaborative Logi…
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
Viewers will get an overview of the benefits and risks of using Bitcoin to accept payments. What Bitcoin is: Legality: Risks: Benefits: Which businesses are best suited?: Other things you should know: How to get started:
The viewer will learn how to dynamically set the form action using jQuery.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now