Solved

ASP.NET Membership

Posted on 2013-01-14
9
198 Views
Last Modified: 2013-08-02
My web.config has webpages that require authorization like this:
  <location path="Account.aspx">
    <system.web>
      <authorization>
        <allow roles="Cust" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

I am trying to authenticate a user based on a session variable. If the user is authenticated, then they are authorized to go to pages which require the "Cust" role like "Account.aspx"

If I check the session variable on Page_load or Page_Init, the user needs to refresh twice to go to "Account.aspx". Therefore, I need to check the session variable in the AuthorizeRequest application event. However, at that point I do not have access to Session variable. Any suggestions?

Thank you
0
Comment
Question by:LockDev
  • 5
  • 4
9 Comments
 
LVL 41

Expert Comment

by:guru_sami
ID: 38779641
So you are not using basic forms authentication but your custom Session mechanism correct?

Can we see your authentication and authorization code?
0
 

Author Comment

by:LockDev
ID: 38779846
Yes I use a custom Session mechanism.

protected void Page_Load(object sender, EventArgs e)
        {
            if (!IsPostBack)
            {
                string UserName = "";

                if (Session["UserName"] == null)
                {
                    //Check user's availability from database by unique machine key / remote address / remote host / systemname

                    String HostSystemName = System.Net.Dns.GetHostEntry(Request.ServerVariables["remote_addr"]).HostName.ToString();
                    String UniqueMachineKey = CustAccess.GetUniqueMachineKey();
                    String Browser = Request.Browser.Browser.ToString();
                    String UniqueValue = HostSystemName + "_" + UniqueMachineKey + "_" + Browser;


                    UserName = LMCart.CustAccess.loginAttempts(UniqueValue);

                    if (!String.IsNullOrEmpty(UserName))
                    {
                        Session["UserName"] = UserName;
                        FormsAuthentication.SetAuthCookie(Session["UserName"].ToString(), true);

                        if (!String.IsNullOrEmpty(ReturnUrl))
                            Response.Redirect(ReturnUrl);
                    }
                    else
                        FormsAuthentication.SignOut();
                }
                else
                {
                    String HostSystemName = System.Net.Dns.GetHostEntry(Request.ServerVariables["remote_addr"]).HostName.ToString();
                    String UniqueMachineKey = CustAccess.GetUniqueMachineKey();
                    String Browser = Request.Browser.Browser.ToString();
                    String UniqueValue = HostSystemName + "_" + UniqueMachineKey + "_" + Browser;

                    UserName = LMCart.CustAccess.loginAttempts(UniqueValue);

                    if (!String.IsNullOrEmpty(UserName))
                    {
                        FormsAuthentication.SetAuthCookie(Session["UserName"].ToString(), true);
                    }
                    else
                    {
                        Session.Remove("UserName");
                        FormsAuthentication.SignOut();

                    }
                }

            }
}
0
 
LVL 41

Expert Comment

by:guru_sami
ID: 38780047
Trying to see how your if and else are different.
I see you still have FormsAuthentication in place. Is it properly configured in web.config?
And the code is from your login page or account.aspx page?
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 

Author Comment

by:LockDev
ID: 38780199
This is in the master page.
0
 
LVL 41

Expert Comment

by:guru_sami
ID: 38780819
Why do you have it in MastePage? Don't you think it should be in your Login page?
The code is resetting your FormsAuthentication cookie upon even request.
0
 

Author Comment

by:LockDev
ID: 38782994
I list in the web.config which pages require authorization like this:

  <location path="Account.aspx">
    <system.web>
      <authorization>
        <allow roles="Cust" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="Checkout.aspx">
    <system.web>
      <authorization>
        <allow roles="Cust" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

Therefore in the master page I need to check the session on every page load to see if the visitor is authorized for that page.
0
 
LVL 41

Expert Comment

by:guru_sami
ID: 38783608
With forms authentication and roles properly setup, you don't need to check for session over and over. The rules in the web.config should take care of allowing the user or not to access the page.

or may be I am totally misunderstanding your mechanism.
0
 

Author Comment

by:LockDev
ID: 38784092
We have multiple domains using the same membership database. Currently when a customer logs in to one domain, they are not logged in to the second domain. (The rules in the web.config worked for this.)

However, I want to change this so that when a customer is logged in to one domain, they will be logged in to the second domain. Therefore, I use a session to update across domains. That's why I was trying to update the FormsAuthentication cookie upon even request.
0
 
LVL 41

Accepted Solution

by:
guru_sami earned 500 total points
ID: 38788395
I am not sure much on that...but did you look into SingleSignOn
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have developed many web applications with asp & asp.net and to add and use a dropdownlist was always a very simple task, but with the new asp.net, setting the value is a bit tricky and its not similar to the old traditional method. So in this a…
ASP.Net to Oracle Connectivity Recently I had to develop an ASP.NET application connecting to an Oracle database.As I am doing it first time ,I had to solve several problems. This article will help to such developers  to develop an ASP.NET client…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

822 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question