Solved

ASP.NET Membership

Posted on 2013-01-14
Last Modified: 2013-08-02
My web.config has webpages that require authorization like this:
  <location path="Account.aspx">
    <system.web>
      <authorization>
        <allow roles="Cust" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

I am trying to authenticate a user based on a session variable. If the user is authenticated, then they are authorized to go to pages which require the "Cust" role, like "Account.aspx".

If I check the session variable on Page_Load or Page_Init, the user needs to refresh twice to go to "Account.aspx". Therefore, I need to check the session variable in the AuthorizeRequest application event. However, at that point I do not have access to the Session variable. Any suggestions?

Thank you
0
Question by:LockDev
9 Comments
 
LVL 41

Expert Comment

by:guru_sami
ID: 38779641
So you are not using basic forms authentication, but your custom Session mechanism, correct?

Can we see your authentication and authorization code?
0
 

Author Comment

by:LockDev
ID: 38779846
Yes I use a custom Session mechanism.

        protected void Page_Load(object sender, EventArgs e)
        {
            if (!IsPostBack)
            {
                string UserName = "";

                if (Session["UserName"] == null)
                {
                    //Check user's availability from database by unique machine key / remote address / remote host / systemname

                    String HostSystemName = System.Net.Dns.GetHostEntry(Request.ServerVariables["remote_addr"]).HostName.ToString();
                    String UniqueMachineKey = CustAccess.GetUniqueMachineKey();
                    String Browser = Request.Browser.Browser.ToString();
                    String UniqueValue = HostSystemName + "_" + UniqueMachineKey + "_" + Browser;


                    UserName = LMCart.CustAccess.loginAttempts(UniqueValue);

                    if (!String.IsNullOrEmpty(UserName))
                    {
                        Session["UserName"] = UserName;
                        FormsAuthentication.SetAuthCookie(Session["UserName"].ToString(), true);

                        if (!String.IsNullOrEmpty(ReturnUrl))
                            Response.Redirect(ReturnUrl);
                    }
                    else
                        FormsAuthentication.SignOut();
                }
                else
                {
                    String HostSystemName = System.Net.Dns.GetHostEntry(Request.ServerVariables["remote_addr"]).HostName.ToString();
                    String UniqueMachineKey = CustAccess.GetUniqueMachineKey();
                    String Browser = Request.Browser.Browser.ToString();
                    String UniqueValue = HostSystemName + "_" + UniqueMachineKey + "_" + Browser;

                    UserName = LMCart.CustAccess.loginAttempts(UniqueValue);

                    if (!String.IsNullOrEmpty(UserName))
                    {
                        FormsAuthentication.SetAuthCookie(Session["UserName"].ToString(), true);
                    }
                    else
                    {
                        Session.Remove("UserName");
                        FormsAuthentication.SignOut();

                    }
                }

            }
        }
0
 
LVL 41

Expert Comment

by:guru_sami
ID: 38780047
Trying to see how your if and else are different.
I see you still have FormsAuthentication in place. Is it properly configured in web.config?
And the code is from your login page or account.aspx page?
0

 

Author Comment

by:LockDev
ID: 38780199
This is in the master page.
0
 
LVL 41

Expert Comment

by:guru_sami
ID: 38780819
Why do you have it in the MasterPage? Don't you think it should be in your Login page?
The code is resetting your FormsAuthentication cookie upon every request.
0
 

Author Comment

by:LockDev
ID: 38782994
I list in the web.config which pages require authorization like this:

  <location path="Account.aspx">
    <system.web>
      <authorization>
        <allow roles="Cust" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="Checkout.aspx">
    <system.web>
      <authorization>
        <allow roles="Cust" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

Therefore in the master page I need to check the session on every page load to see if the visitor is authorized for that page.
0
 
LVL 41

Expert Comment

by:guru_sami
ID: 38783608
With forms authentication and roles properly set up, you don't need to check for session over and over. The rules in the web.config should take care of allowing the user or not to access the page.

Or maybe I am totally misunderstanding your mechanism.
0
 

Author Comment

by:LockDev
ID: 38784092
We have multiple domains using the same membership database. Currently when a customer logs in to one domain, they are not logged in to the second domain. (The rules in the web.config worked for this.)

However, I want to change this so that when a customer is logged in to one domain, they will be logged in to the second domain. Therefore, I use a session to update across domains. That's why I was trying to update the FormsAuthentication cookie upon every request.
0
 
LVL 41

Accepted Solution

by:
guru_sami earned 500 total points
ID: 38788395
I am not sure much on that... but did you look into SingleSignOn?
0
