Solved

ASP.NET Membership

Posted on 2013-01-14
9
202 Views
Last Modified: 2013-08-02
My web.config has webpages that require authorization like this:
  <location path="Account.aspx">
    <system.web>
      <authorization>
        <allow roles="Cust" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

I am trying to authenticate a user based on a session variable. If the user is authenticated, then they are authorized to go to pages which require the "Cust" role like "Account.aspx"

If I check the session variable on Page_load or Page_Init, the user needs to refresh twice to go to "Account.aspx". Therefore, I need to check the session variable in the AuthorizeRequest application event. However, at that point I do not have access to Session variable. Any suggestions?

Thank you
0
Comment
Question by:LockDev
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 41

Expert Comment

by:guru_sami
ID: 38779641
So you are not using basic forms authentication but your custom Session mechanism correct?

Can we see your authentication and authorization code?
0
 

Author Comment

by:LockDev
ID: 38779846
Yes I use a custom Session mechanism.

protected void Page_Load(object sender, EventArgs e)
        {
            if (!IsPostBack)
            {
                string UserName = "";

                if (Session["UserName"] == null)
                {
                    //Check user's availability from database by unique machine key / remote address / remote host / systemname

                    String HostSystemName = System.Net.Dns.GetHostEntry(Request.ServerVariables["remote_addr"]).HostName.ToString();
                    String UniqueMachineKey = CustAccess.GetUniqueMachineKey();
                    String Browser = Request.Browser.Browser.ToString();
                    String UniqueValue = HostSystemName + "_" + UniqueMachineKey + "_" + Browser;


                    UserName = LMCart.CustAccess.loginAttempts(UniqueValue);

                    if (!String.IsNullOrEmpty(UserName))
                    {
                        Session["UserName"] = UserName;
                        FormsAuthentication.SetAuthCookie(Session["UserName"].ToString(), true);

                        if (!String.IsNullOrEmpty(ReturnUrl))
                            Response.Redirect(ReturnUrl);
                    }
                    else
                        FormsAuthentication.SignOut();
                }
                else
                {
                    String HostSystemName = System.Net.Dns.GetHostEntry(Request.ServerVariables["remote_addr"]).HostName.ToString();
                    String UniqueMachineKey = CustAccess.GetUniqueMachineKey();
                    String Browser = Request.Browser.Browser.ToString();
                    String UniqueValue = HostSystemName + "_" + UniqueMachineKey + "_" + Browser;

                    UserName = LMCart.CustAccess.loginAttempts(UniqueValue);

                    if (!String.IsNullOrEmpty(UserName))
                    {
                        FormsAuthentication.SetAuthCookie(Session["UserName"].ToString(), true);
                    }
                    else
                    {
                        Session.Remove("UserName");
                        FormsAuthentication.SignOut();

                    }
                }

            }
}
0
 
LVL 41

Expert Comment

by:guru_sami
ID: 38780047
Trying to see how your if and else are different.
I see you still have FormsAuthentication in place. Is it properly configured in web.config?
And the code is from your login page or account.aspx page?
0
Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

 

Author Comment

by:LockDev
ID: 38780199
This is in the master page.
0
 
LVL 41

Expert Comment

by:guru_sami
ID: 38780819
Why do you have it in MastePage? Don't you think it should be in your Login page?
The code is resetting your FormsAuthentication cookie upon even request.
0
 

Author Comment

by:LockDev
ID: 38782994
I list in the web.config which pages require authorization like this:

  <location path="Account.aspx">
    <system.web>
      <authorization>
        <allow roles="Cust" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="Checkout.aspx">
    <system.web>
      <authorization>
        <allow roles="Cust" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

Therefore in the master page I need to check the session on every page load to see if the visitor is authorized for that page.
0
 
LVL 41

Expert Comment

by:guru_sami
ID: 38783608
With forms authentication and roles properly setup, you don't need to check for session over and over. The rules in the web.config should take care of allowing the user or not to access the page.

or may be I am totally misunderstanding your mechanism.
0
 

Author Comment

by:LockDev
ID: 38784092
We have multiple domains using the same membership database. Currently when a customer logs in to one domain, they are not logged in to the second domain. (The rules in the web.config worked for this.)

However, I want to change this so that when a customer is logged in to one domain, they will be logged in to the second domain. Therefore, I use a session to update across domains. That's why I was trying to update the FormsAuthentication cookie upon even request.
0
 
LVL 41

Accepted Solution

by:
guru_sami earned 500 total points
ID: 38788395
I am not sure much on that...but did you look into SingleSignOn
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ASP.Net to Oracle Connectivity Recently I had to develop an ASP.NET application connecting to an Oracle database.As I am doing it first time ,I had to solve several problems. This article will help to such developers  to develop an ASP.NET client…
A quick way to get a menu to work on our website, is using the Menu control and assign it to a web.sitemap using SiteMapDataSource. Example of web.sitemap file: (CODE) Sample code to add to the page menu: (CODE) Running the application, we wi…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question