flukester

Forms Authentication (using IP and login page)

I have asked this question before, but maybe not as clearly as I should have. I'm going to try again in hopes that someone has done this before.

Scenario:
I have a website that has 2 different protected areas. Access to these areas (folders) could happen 2 different ways: 1. IP authentication or 2. logging in with a username and password.

I built a custom membership and custom role provider. I can get the user's role whether they come in through the login form or via IP and give them access to the proper folders.

The problem occurs when they hop between the 2 folders. The user could be at work and gain access to a folder via the work IP address, but then go over to the other protected area and have to log in with their personal username and password (the IP role comes from the company record in the table and the username and password role comes from the user's record).

So the problem is when they hop back and forth. For example, a user goes to folder 1 and is prompted to log in. A forms authentication cookie is established, the role is gathered, and I allow them access to the page. Now the user (already authenticated) goes over to the other folder where they have an IP subscription from their work record, but because their previous authentication doesn't have the correct role (they only have their personal role) they get kicked over to the login page. They don't have a username and password because they have IP access.

Any ideas? Am I explaining this right?
Jason C. Levine

Hi flukester,

I'm confused.  Do you want them to be able to hop or not?
Can't you detect their status and allow and warn them that they are logged in as roleA and give them a logout link?
mdiehly64

How do you track, as they move between pages in a certain area, whether or not they have access to that area?

It seems you may need another layer of abstraction that controls authentication and access.  Each time a user tries to access a content area, this layer checks to see if they have access to that area, whether they authenticated via IP or username/password.  This layer would control the flow of each movement throughout the site and could be placed as an include in the top of each page.  The actual code would only exist in one place.
flukester

ASKER

Jason, yes, I want them to be able to hop around, but they currently can't. Basically I need to have 2 authentication cookies, 1 if they come in via IP and one if they log in, and have both cookies active at the same time. The problem occurs if they first go to a username/password section and get authenticated that way: how am I supposed to check the IP if they are already authenticated? I can't do it on page load b/c I end up in a never-ending loop.

mplungian, I could give them their status, but these customers don't know what role(s) they are or should be.

mdiehly64, I don't track via code on a page. Using the built-in forms authentication piece, it's all tracked via cookie. They get access based on their role(s), which is based off their username when they log in or their IP if they come in that way. I like your idea, just not sure how to implement it. Any ideas?

I can post code tomorrow when I get back to the office.
I agree with mdiehly64...you need another layer here.

Set a cookie or session whenever someone successfully authenticates via one method or the other and then have both scripts check for the presence of that cookie.  If it exists, bypass the normal login.
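
One way to build the extra layer discussed in the replies above, as an added example that is not code from any poster in this thread: rather than two cookies, merge the login roles and the IP roles on every request before the folder rules are evaluated, so nothing role-related is trusted from the client. `SubscriptionStore`, the role names and the sample user and address are hypothetical stand-ins for the asker's custom providers, and the sketch assumes roles are resolved here rather than by a `<roleManager>` module that replaces the principal.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web;

// Hypothetical stand-in for the asker's two lookups (user record, company IP record).
// The entries are constructed sample data, not values from the thread.
public static class SubscriptionStore
{
    static readonly Dictionary<string, string[]> ByUser = new Dictionary<string, string[]>
        { { "jdoe", new[] { "Folder1Reader" } } };
    static readonly Dictionary<string, string[]> ByAddress = new Dictionary<string, string[]>
        { { "203.0.113.10", new[] { "Folder2Reader" } } };

    public static string[] RolesForUser(string name)
    {
        string[] r; return ByUser.TryGetValue(name ?? "", out r) ? r : new string[0];
    }
    public static string[] RolesForAddress(string address)
    {
        string[] r; return ByAddress.TryGetValue(address ?? "", out r) ? r : new string[0];
    }
}

public class Global : HttpApplication
{
    // Runs on every request, after FormsAuthenticationModule has read its cookie
    // and before UrlAuthorizationModule evaluates the <authorization> rules.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var roles = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        IIdentity identity = null;

        // Personal roles, if the visitor has logged in through the form.
        if (Context.User != null && Context.User.Identity.IsAuthenticated)
        {
            identity = Context.User.Identity;
            roles.UnionWith(SubscriptionStore.RolesForUser(identity.Name));
        }

        // Company roles from the connection's source address, looked up on every
        // request whether or not a login exists. UserHostAddress is the TCP peer;
        // a client-supplied header such as X-Forwarded-For is not consulted.
        string[] ipRoles = SubscriptionStore.RolesForAddress(Request.UserHostAddress);
        roles.UnionWith(ipRoles);

        // IP-only visitor: give them a named identity so role checks can pass.
        if (identity == null && ipRoles.Length > 0)
            identity = new GenericIdentity("ip:" + Request.UserHostAddress, "IPSubscription");

        if (identity != null)
            Context.User = new GenericPrincipal(identity, roles.ToArray());
    }
}
```

Because the IP lookup happens on each request instead of at login time, a visitor who is already logged in still picks up the company role when they move to the other folder, and a visitor with neither a login nor a matching address stays anonymous and is sent to the login page as before.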
ASKER CERTIFIED SOLUTION
flukester
