forms authentication woes

Discussion in 'ASP .Net' started by Hermit Dave, Sep 21, 2004.

  1. Hermit Dave

    Hermit Dave Guest

    i am having a weird problem with forms authentication... it doesn't work the
    way it's supposed to but a workaround does the job. would be thankful if
    anyone can see what i might be doing wrong

    this is how i create the ticket, add it to the cookie and pass it on to the
    Response stream

    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        1,
        lu.ToString(),
        DateTime.Now,
        DateTime.Now.AddMinutes(30),
        false,
        userinfo.Roles,
        FormsAuthentication.FormsCookiePath);

    string hash = FormsAuthentication.Encrypt(ticket);
    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hash);
    HttpContext.Current.Response.Cookies.Add(cookie);

    this is how i read it up in application_authenticaterequest

    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        IPrincipal user = HttpContext.Current.User;
        if(user != null && user.Identity.IsAuthenticated && (user.Identity is FormsIdentity))
        {
            FormsIdentity id = (FormsIdentity)user.Identity;
            FormsAuthenticationTicket ticket = id.Ticket;
            string[] roles = ticket.UserData.Split(',');
            user = new GenericPrincipal(id, roles);
        }
    }

    now on my page if i use
    if(this.Context.User.Identity.IsInRole("authors") == true)
    {
        // having logged on with a user with this role
        // it should come in here but it doesnt
    }

    the IsInRole for some reason flakes out...
    however i can do this
    FormsIdentity id = (FormsIdentity)user.Identity;
    string userRole = id.Ticket.UserData;
    if(userRole == "authors")
    {
        // its all fine now
    }

    first i was using multiple roles... didn't work.. so i got around it using
    != false for IsInRole and checking for all roles and that did it..
    then i modified each user to only have one role. even there the problem
    remains...

    I look forward to your thoughts on this one.

    --

    Regards,

    Hermit Dave
    (http://hdave.blogspot.com)
     
    Hermit Dave, Sep 21, 2004
    #1

  2. Hi Hermit,

    From the detailed code snippet you provided, there seem to be two things we
    need to correct in the code:

    1. In the "Application_AuthenticateRequest" event handler, after we created
    the "GenericPrincipal" object, we should assign it to the
    HttpContext.Current.User rather than our local reference variable. So the code
    should be something like:

    FormsIdentity id = (FormsIdentity)user.Identity;
    FormsAuthenticationTicket ticket = id.Ticket;
    string[] roles = ticket.UserData.Split(',');
    HttpContext.Current.User = new GenericPrincipal(id, roles);

    2. the "IsInRole" method belongs to the "IPrincipal" interface rather than
    the "IIdentity" so we should call the IsInRole on HttpContext.Current.User
    rather than HttpContext.Current.User.Identity

    In addition, here are two related tech articles which may also be helpful.
    Thanks.

    #FormsAuthentication, Identities and Role - based Security with a database
    http://www.eggheadcafe.com/articles/20020906.asp

    How To: Implement Iprincipal
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT06.asp

    Regards,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    Steven Cheng[MSFT], Sep 22, 2004
    #2
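
    The effect of fix 1 in the reply above, as an added example that is not part of the original posts: a stand-alone console program in which `FakeContext` is a hypothetical stand-in for `HttpContext`, and the user name and role string are constructed. It shows that re-pointing a local `IPrincipal` variable leaves the context's principal without roles, while assigning to the context's `User` property is what makes `IsInRole` see them; the empty-string check and `Trim` are additions beyond the thread's code.

```csharp
using System;
using System.Security.Principal;

// Hypothetical stand-in for HttpContext: an object with a settable User property.
class FakeContext
{
    public IPrincipal User { get; set; }
}

static class Program
{
    // Constructed sample of the comma-separated role string stored in ticket.UserData.
    const string UserData = "authors, editors";

    static IPrincipal BuildPrincipal(IIdentity id, string userData)
    {
        // "".Split(',') returns one empty element, so map empty UserData to no roles.
        string[] roles = string.IsNullOrEmpty(userData)
            ? new string[0]
            : userData.Split(',');
        // Tolerate whitespace after the commas in the stored role list.
        for (int i = 0; i < roles.Length; i++) roles[i] = roles[i].Trim();
        return new GenericPrincipal(id, roles);
    }

    static void Main()
    {
        var id = new GenericIdentity("dave", "Forms");
        // Starting state: authenticated, but the principal carries no roles yet.
        var ctx = new FakeContext { User = new GenericPrincipal(id, new string[0]) };

        // Handler as first posted: only the local variable is re-pointed,
        // so ctx.User still refers to the role-less principal.
        IPrincipal user = ctx.User;
        user = BuildPrincipal(user.Identity, UserData);
        Console.WriteLine("local variable reassigned: " + ctx.User.IsInRole("authors"));

        // Corrected handler: the new principal is stored on the context itself.
        ctx.User = BuildPrincipal(ctx.User.Identity, UserData);
        Console.WriteLine("context User reassigned:   " + ctx.User.IsInRole("authors"));
        Console.WriteLine("role not in the ticket:    " + ctx.User.IsInRole("admins"));
    }
}
```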

  3. Hermit Dave

    Hermit Dave Guest

    Thank you Steven.

    Setting the generic principal to HttpContext.Current.User did the job.
    I for some reason thought that being a reference type, the
    HttpContext.CurrentUser if assigned to IPrincipal would actually reference
    the HttpContext.Current.User instead of creating a copy of it locally. Point
    taken.

    About IsInRole. Sorry it was a typo and i am using User.IsRole and not
    trying to do Identity.IsInRole.. VS.net would never let me recompile with
    such an obvious mistake :).. i had it removed from code previously and i
    mentioned it just for the heck of it. :)

    Thank you once again.

    --

    Regards,

    Hermit Dave
    (http://hdave.blogspot.com)
     
    Hermit Dave, Sep 22, 2004
    #3
  4. Hi Hermit,

    Thanks for the followup and I'm glad that everything is going well now.
    Happy programming!:)

    Regards,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    Steven Cheng[MSFT], Sep 23, 2004
    #4