Solved

ASP.NET Membership

Posted on 2013-01-14
Last Modified: 2013-08-02
My web.config has webpages that require authorization like this:
  <location path="Account.aspx">
    <system.web>
      <authorization>
        <allow roles="Cust" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

I am trying to authenticate a user based on a session variable. If the user is authenticated, then they are authorized to go to pages which require the "Cust" role like "Account.aspx"

If I check the session variable on Page_load or Page_Init, the user needs to refresh twice to go to "Account.aspx". Therefore, I need to check the session variable in the AuthorizeRequest application event. However, at that point I do not have access to Session variable. Any suggestions?

Thank you
Question by:LockDev
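The question's timing problem comes from the ASP.NET pipeline order: FormsAuthenticationModule validates the cookie in AuthenticateRequest, UrlAuthorizationModule evaluates the `<location>` rules in AuthorizeRequest, and Session is only attached later, in AcquireRequestState. Anything that feeds the `<allow roles="Cust" />` check therefore has to be available without Session. The usual way is to carry the roles inside the forms ticket's UserData and turn them into a principal in PostAuthenticateRequest. The following is an added example for this thread, not code from LockDev or guru_sami. It assumes web.config has `<authentication mode="Forms">` and no enabled `<roleManager>` (RoleManagerModule would otherwise replace Context.User in the same stage), and `IssueTicket` is a hypothetical helper the login code would call in place of `FormsAuthentication.SetAuthCookie`. It also assumes the login code has really verified the user before calling it; a reverse-DNS hostname plus a browser name, as used in the posted master page, is visible to and reproducible by other clients and is not a secret.

```csharp
// Global.asax.cs (added example, not from the original posts).
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Login side: put the roles inside the forms ticket's UserData. The ticket
    // is encrypted and MACed with the site's machineKey, so the client cannot
    // edit the roles, and they arrive on every request without Session.
    // Hypothetical helper; call it where the login code would call SetAuthCookie.
    public static void IssueTicket(HttpResponse response, string userName, string[] roles, bool persistent)
    {
        DateTime issued = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, userName, issued, issued.Add(FormsAuthentication.Timeout),
            persistent, string.Join(",", roles), FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                         // keep the ticket away from script
            Secure = FormsAuthentication.RequireSSL, // honour requireSSL from <forms>
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent)
            cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Pipeline side: runs after FormsAuthenticationModule has validated the
    // cookie (AuthenticateRequest) and before UrlAuthorizationModule evaluates
    // the <location> rules (AuthorizeRequest). Session does not exist yet
    // (AcquireRequestState comes later), and it is not needed here.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        FormsIdentity identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return;

        string userData = identity.Ticket.UserData ?? string.Empty;
        string[] roles = userData.Length == 0
            ? new string[0]
            : userData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);

        // <allow roles="Cust" /> is answered by GenericPrincipal.IsInRole on this object.
        Context.User = new GenericPrincipal(identity, roles);
    }
}
```

With this in place the login page calls `Global.IssueTicket(Response, userName, new[] { "Cust" }, true)` once, and the `<location>` rules for Account.aspx and Checkout.aspx are enforced on every request by the framework; nothing in the master page has to re-check Session or re-issue the cookie per page load. If `<roleManager>` is enabled instead, the same effect comes from a RoleProvider that returns "Cust" for the user, and this handler should be removed.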
9 Comments
 
LVL 41

Expert Comment

by:guru_sami
ID: 38779641
So you are not using basic forms authentication but your custom Session mechanism correct?

Can we see your authentication and authorization code?
 

Author Comment

by:LockDev
ID: 38779846
Yes I use a custom Session mechanism.

protected void Page_Load(object sender, EventArgs e)
{
    if (!IsPostBack)
    {
        string UserName = "";

        if (Session["UserName"] == null)
        {
            // Check the user's availability in the database by unique machine key /
            // remote address / remote host / system name.
            // Note: GetHostEntry performs a reverse DNS lookup, which blocks for every request.
            String HostSystemName = System.Net.Dns.GetHostEntry(Request.ServerVariables["remote_addr"]).HostName;
            String UniqueMachineKey = CustAccess.GetUniqueMachineKey();
            String Browser = Request.Browser.Browser;
            String UniqueValue = HostSystemName + "_" + UniqueMachineKey + "_" + Browser;

            UserName = LMCart.CustAccess.loginAttempts(UniqueValue);

            if (!String.IsNullOrEmpty(UserName))
            {
                Session["UserName"] = UserName;
                // true = persistent cookie
                FormsAuthentication.SetAuthCookie(Session["UserName"].ToString(), true);

                // ReturnUrl is a property of the master page (not shown here)
                if (!String.IsNullOrEmpty(ReturnUrl))
                    Response.Redirect(ReturnUrl);
            }
            else
                FormsAuthentication.SignOut();
        }
        else
        {
            // Session already holds a user: re-check the same unique value and
            // re-issue the forms cookie on this request as well.
            String HostSystemName = System.Net.Dns.GetHostEntry(Request.ServerVariables["remote_addr"]).HostName;
            String UniqueMachineKey = CustAccess.GetUniqueMachineKey();
            String Browser = Request.Browser.Browser;
            String UniqueValue = HostSystemName + "_" + UniqueMachineKey + "_" + Browser;

            UserName = LMCart.CustAccess.loginAttempts(UniqueValue);

            if (!String.IsNullOrEmpty(UserName))
            {
                FormsAuthentication.SetAuthCookie(Session["UserName"].ToString(), true);
            }
            else
            {
                Session.Remove("UserName");
                FormsAuthentication.SignOut();
            }
        }
    }
}
 
LVL 41

Expert Comment

by:guru_sami
ID: 38780047
Trying to see how your if and else are different.
I see you still have FormsAuthentication in place. Is it properly configured in web.config?
And the code is from your login page or account.aspx page?
 

Author Comment

by:LockDev
ID: 38780199
This is in the master page.
 
LVL 41

Expert Comment

by:guru_sami
ID: 38780819
Why do you have it in the MasterPage? Don't you think it should be in your Login page?
The code is resetting your FormsAuthentication cookie upon every request.
 

Author Comment

by:LockDev
ID: 38782994
I list in the web.config which pages require authorization like this:

  <location path="Account.aspx">
    <system.web>
      <authorization>
        <allow roles="Cust" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="Checkout.aspx">
    <system.web>
      <authorization>
        <allow roles="Cust" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

Therefore in the master page I need to check the session on every page load to see if the visitor is authorized for that page.
 
LVL 41

Expert Comment

by:guru_sami
ID: 38783608
With forms authentication and roles properly setup, you don't need to check for session over and over. The rules in the web.config should take care of allowing the user or not to access the page.

Or maybe I am totally misunderstanding your mechanism.
 

Author Comment

by:LockDev
ID: 38784092
We have multiple domains using the same membership database. Currently when a customer logs in to one domain, they are not logged in to the second domain. (The rules in the web.config worked for this.)

However, I want to change this so that when a customer is logged in to one domain, they will be logged in to the second domain. Therefore, I use a session to update across domains. That's why I was trying to update the FormsAuthentication cookie upon every request.
 
LVL 41

Accepted Solution

by:guru_sami (earned 500 total points)
ID: 38788395
I am not sure much on that...but did you look into SingleSignOn
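The accepted answer only names single sign-on, and LockDev's explanation above shows why Session cannot do the job: a forms authentication cookie is scoped to the domain that issued it, and Session state is per application, so neither crosses from one domain to the other. If the two sites are subdomains of one parent, sharing the same `<machineKey>` and setting `domain=".parent.example"` on `<forms>` in both web.config files is enough. For two unrelated domains the sites have to hand the login over explicitly. The following is an added example of such a handoff, not code from the thread or from any particular SSO product. It assumes .NET 4.5 (for `MachineKey.Protect`), that both sites have identical `validationKey` and `decryptionKey` values in `<machineKey>` (hypothetical values, not shown), and the hypothetical names Site A, Site B and `SsoLanding.aspx`.

```csharp
// Added example: cross-domain login handoff between two ASP.NET sites that
// share a membership database and the same <machineKey>. Not from the thread.
// Flow: Site A (user already logged in) redirects to Site B with a short-lived
// token; Site B validates the token and issues its own forms cookie.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

public static class CrossDomainSso
{
    // The purpose string scopes the protected blob: a forms cookie or any other
    // MachineKey.Protect output made with the same key will not unprotect here.
    private const string Purpose = "CrossDomainSso.Handoff";
    private static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(60);

    // Site A: build the URL that hands the login over to Site B.
    public static string BuildHandoffUrl(string landingPageUrl, string userName, string returnPath)
    {
        string body = DateTime.UtcNow.Add(Lifetime).Ticks + "|" + userName + "|" + returnPath;
        byte[] sealedToken = MachineKey.Protect(Encoding.UTF8.GetBytes(body), Purpose);
        return landingPageUrl + "?t=" + HttpServerUtility.UrlTokenEncode(sealedToken);
    }

    // Site B: returns the user name if the token is authentic and unexpired,
    // otherwise null. returnPath is only taken from a valid token and is
    // restricted to a site-local path so the landing page is not an open redirect.
    public static string ValidateHandoffToken(string token, out string returnPath)
    {
        returnPath = "/";
        if (string.IsNullOrEmpty(token))
            return null;

        byte[] sealedToken;
        try { sealedToken = HttpServerUtility.UrlTokenDecode(token); }
        catch (FormatException) { return null; }
        if (sealedToken == null || sealedToken.Length == 0)
            return null;

        byte[] raw;
        try { raw = MachineKey.Unprotect(sealedToken, Purpose); }
        catch (CryptographicException) { return null; } // tampered, wrong key, or wrong purpose
        if (raw == null)
            return null;

        string[] parts = Encoding.UTF8.GetString(raw).Split(new[] { '|' }, 3);
        long expiresTicks;
        if (parts.Length != 3 || !long.TryParse(parts[0], out expiresTicks))
            return null;
        if (new DateTime(expiresTicks, DateTimeKind.Utc) < DateTime.UtcNow)
            return null;

        if (IsLocalPath(parts[2]))
            returnPath = parts[2];
        return parts[1];
    }

    private static bool IsLocalPath(string path)
    {
        return !string.IsNullOrEmpty(path)
            && path.StartsWith("/") && !path.StartsWith("//") && !path.StartsWith("/\\");
    }
}

// Site B, SsoLanding.aspx.cs (hypothetical page): consume the token.
public partial class SsoLanding : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string returnPath;
        string user = CrossDomainSso.ValidateHandoffToken(Request.QueryString["t"], out returnPath);
        if (user == null)
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }
        // The cookie is issued for Site B's own domain; Site A's Session is never shared.
        FormsAuthentication.SetAuthCookie(user, false);
        Response.Redirect(returnPath, false);
    }
}
```

Site A triggers the handoff with `Response.Redirect(CrossDomainSso.BuildHandoffUrl("https://siteb.example/SsoLanding.aspx", User.Identity.Name, "/Account.aspx"))` (hypothetical URL). Two caveats a practitioner would want noted: the token is valid for 60 seconds and can be replayed within that window unless Site B records consumed tokens, and sharing `<machineKey>` means a key compromise on either site compromises both. The handoff propagates login, not logout; signing out on one domain does nothing on the other.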
