How to get log-in name from cookie in case of Forms authentication?

asnowfall

I am using 'System.Web.Security.Membership' &
'System.Web.UI.WebControls.Login' control to implement Forms based
authentication. The problem began after I started persisting the
credentials using a cookie. On the first log-in, the credentials of a
user, say 'account1', get persisted in a cookie; and after this
'account1' is able to access the resource owned by another user
'account2'.
Please help me resolve this or rather clarify my understanding.

Here are the details of my implementation. Authentication is done by
comparing user name and password against the values stored in DB; and
thus MembershipProvider authenticates against the DB. And the files or
data belonging to a user are kept in a folder whose name is the same as
the account name; and the logged in user is given access to the files if
the log-in name is the same as the folder name. Account name is not
passed as part of the URL but is picked up from the log-in dialog.
Server compares log-in against folder name to decide whether to give
access to the files. Here is the sample URL
http://localhost:8080/?id=572

Before I added the cookie feature, user was being prompted for
credentials every time and this setup was working fine. And the
problem started after I added the cookies. I have overloaded only
System.Web.UI.WebControls.Login::OnAuthenticate() and here it is

System.Web.UI.WebControls.Login::OnAuthenticate( o, e)
{
    if(MembershipProvider.Validate(u,p))
    {
        FormAuthenticate::RedirectFromLoginPage(u, true);
        e.Authenticated = true;
    }
    else
    {
        e.Authenticated = false;
    }
}

What I am seeing is that MembershipProvider.Validate() gets called
only on the first log-in but not on subsequent times. I would like to
know how .Net framework compensates for not invoking
MembershipProvider.Validate(). And, I can see the problem in that on
subsequent log-ins I am not storing log-in name; and the solution
seems to be that somehow I should get the log-in name that is present
inside the cookie.

So my questions are..
-Is my understanding correct?
-On subsequent logins, will any methods of
System.Web.UI.WebControls.Login() get called at all?
If so, which method should I overload to get the log-in name?

Thanks in advance
Ramesh
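
Added example, not part of the original post: on a request that carries the persistent cookie, ASP.NET's FormsAuthenticationModule decrypts the ticket and sets HttpContext.User before page code runs, so the log-in name can be read on every request from User.Identity.Name instead of being captured once in OnAuthenticate. The class name, method names and the folderOwner parameter are assumptions made for illustration, as is the case-insensitive comparison.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Illustrative helper; AccountFolderAccess and its members are hypothetical names.
public static class AccountFolderAccess
{
    // Log-in name bound to the current request, or null if it is anonymous.
    // The value comes from the forms-authentication ticket, so it is the same
    // name that was passed to RedirectFromLoginPage at the first log-in.
    public static string CurrentLoginName(HttpContext context)
    {
        if (context.User == null || !context.User.Identity.IsAuthenticated)
            return null;
        return context.User.Identity.Name;
    }

    // True when the current identity was restored from a persistent cookie,
    // i.e. the case in which the Login control's OnAuthenticate never runs.
    public static bool CameFromPersistentCookie(HttpContext context)
    {
        if (context.User == null)
            return false;
        FormsIdentity identity = context.User.Identity as FormsIdentity;
        return identity != null && identity.Ticket.IsPersistent;
    }

    // Per-request authorization check: folderOwner is the account name of the
    // folder holding the requested resource, looked up on the server from the
    // request (for example from the id parameter), never taken from a value
    // stored at log-in time in a field shared between requests.
    public static bool MayAccess(HttpContext context, string folderOwner)
    {
        string login = CurrentLoginName(context);
        if (login == null || string.IsNullOrEmpty(folderOwner))
            return false;   // anonymous or unknown owner: deny by default
        // Assumption: account names are compared case-insensitively.
        return string.Equals(login, folderOwner, StringComparison.OrdinalIgnoreCase);
    }
}
```

A page would call AccountFolderAccess.MayAccess(HttpContext.Current, owner) before serving each file and return a 403 when it is false.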