Solved

ASP.NET Membership

Posted on 2013-01-14
9
200 Views
Last Modified: 2013-08-02
My web.config has webpages that require authorization like this:
  <location path="Account.aspx">
    <system.web>
      <authorization>
        <allow roles="Cust" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

I am trying to authenticate a user based on a session variable. If the user is authenticated, then they are authorized to go to pages which require the "Cust" role like "Account.aspx"

If I check the session variable on Page_load or Page_Init, the user needs to refresh twice to go to "Account.aspx". Therefore, I need to check the session variable in the AuthorizeRequest application event. However, at that point I do not have access to Session variable. Any suggestions?

Thank you
0
Comment
Question by:LockDev
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 41

Expert Comment

by:guru_sami
ID: 38779641
So you are not using basic forms authentication but your custom Session mechanism correct?

Can we see your authentication and authorization code?
0
 

Author Comment

by:LockDev
ID: 38779846
Yes I use a custom Session mechanism.

protected void Page_Load(object sender, EventArgs e)
        {
            if (!IsPostBack)
            {
                string UserName = "";

                if (Session["UserName"] == null)
                {
                    //Check user's availability from database by unique machine key / remote address / remote host / systemname

                    String HostSystemName = System.Net.Dns.GetHostEntry(Request.ServerVariables["remote_addr"]).HostName.ToString();
                    String UniqueMachineKey = CustAccess.GetUniqueMachineKey();
                    String Browser = Request.Browser.Browser.ToString();
                    String UniqueValue = HostSystemName + "_" + UniqueMachineKey + "_" + Browser;


                    UserName = LMCart.CustAccess.loginAttempts(UniqueValue);

                    if (!String.IsNullOrEmpty(UserName))
                    {
                        Session["UserName"] = UserName;
                        FormsAuthentication.SetAuthCookie(Session["UserName"].ToString(), true);

                        if (!String.IsNullOrEmpty(ReturnUrl))
                            Response.Redirect(ReturnUrl);
                    }
                    else
                        FormsAuthentication.SignOut();
                }
                else
                {
                    String HostSystemName = System.Net.Dns.GetHostEntry(Request.ServerVariables["remote_addr"]).HostName.ToString();
                    String UniqueMachineKey = CustAccess.GetUniqueMachineKey();
                    String Browser = Request.Browser.Browser.ToString();
                    String UniqueValue = HostSystemName + "_" + UniqueMachineKey + "_" + Browser;

                    UserName = LMCart.CustAccess.loginAttempts(UniqueValue);

                    if (!String.IsNullOrEmpty(UserName))
                    {
                        FormsAuthentication.SetAuthCookie(Session["UserName"].ToString(), true);
                    }
                    else
                    {
                        Session.Remove("UserName");
                        FormsAuthentication.SignOut();

                    }
                }

            }
}
0
 
LVL 41

Expert Comment

by:guru_sami
ID: 38780047
Trying to see how your if and else are different.
I see you still have FormsAuthentication in place. Is it properly configured in web.config?
And the code is from your login page or account.aspx page?
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:LockDev
ID: 38780199
This is in the master page.
0
 
LVL 41

Expert Comment

by:guru_sami
ID: 38780819
Why do you have it in MastePage? Don't you think it should be in your Login page?
The code is resetting your FormsAuthentication cookie upon even request.
0
 

Author Comment

by:LockDev
ID: 38782994
I list in the web.config which pages require authorization like this:

  <location path="Account.aspx">
    <system.web>
      <authorization>
        <allow roles="Cust" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="Checkout.aspx">
    <system.web>
      <authorization>
        <allow roles="Cust" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

Therefore in the master page I need to check the session on every page load to see if the visitor is authorized for that page.
0
 
LVL 41

Expert Comment

by:guru_sami
ID: 38783608
With forms authentication and roles properly setup, you don't need to check for session over and over. The rules in the web.config should take care of allowing the user or not to access the page.

or may be I am totally misunderstanding your mechanism.
0
 

Author Comment

by:LockDev
ID: 38784092
We have multiple domains using the same membership database. Currently when a customer logs in to one domain, they are not logged in to the second domain. (The rules in the web.config worked for this.)

However, I want to change this so that when a customer is logged in to one domain, they will be logged in to the second domain. Therefore, I use a session to update across domains. That's why I was trying to update the FormsAuthentication cookie upon even request.
0
 
LVL 41

Accepted Solution

by:
guru_sami earned 500 total points
ID: 38788395
I am not sure much on that...but did you look into SingleSignOn
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lots of people ask this question on how to extend the “MembershipProvider” to make use of custom authentication like using existing database or make use of some other way of authentication. Many blogs show you how to extend the membership provider c…
In this Article, I will provide a few tips in problem and solution manner. Opening an ASPX page in Visual studio 2003 is very slow. To make it fast, please do follow below steps:   Open the Solution/Project. Right click the ASPX file to b…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question