Roles not loaded in LoggedIn event

Discussion in 'ASP .Net' started by Iain, Mar 8, 2007.

  1. I've a simple asp.net application in which I'm using the login control.

    I trap the LoggedIn event and then decide which pages to redirect the user
    to based on their role.

    The problem is that no roles appear to be loaded at this point.

    Curiously, if I login twice, the second time the roles are available and in
    general if I log in then the roles shown seem to be for the PREVIOUS login.

    I can find no way to force the reloading of roles and I have no idea what is
    happening here despite some hours spent scouring the net!

    No doubt it is obvious, but sadly, not to me!

    Iain
    Iain, Mar 8, 2007
    #1

  2. "Iain" wrote:

    > I've a simple asp.net application in which I'm using the login control.
    >
    > I trap the LoggedIn event and then decide which pages to redirect the user
    > to based on their role.
    >
    > The problem is that no roles appear to be loaded at this point.
    >

    Does anyone have any ideas about this? It would seem that I'm either doing
    something terribly stupid or there is a serious flaw in the way in which the
    Roles are handled. I prefer the first option (<g>), but I can't see it!


    Iain
    Iain, Mar 15, 2007
    #2

  3. I've never used the login control, but presumably the onus is on you to get
    the roles. A quick look at the help for the login control doesn't show that
    it provides any features such as role retrieval.

    Roles could, for example, be stored in an RDBMS or in some sort of Directory
    Service, or in an XML file or even in a text file. How have you arranged
    for the roles to be retrieved?

    HTH


    Peter

    "Iain" <> wrote in message
    news:...
    >
    >
    > "Iain" wrote:
    >
    >> I've a simple asp.net application in which I'm using the login control.
    >>
    >> I trap the LoggedIn event and then decide which pages to redirect the
    >> user to based on their role.
    >>
    >> The problem is that no roles appear to be loaded at this point.
    >>

    > Does anyone have any ideas about this? It would seem that I'm either
    > doing something terribly stupid or there is a serious flaw in the way in
    > which the Roles are handled. I prefer the first option (<g>), but I can't
    > see it!
    >
    >
    > Iain
    Peter Bradley, Mar 15, 2007
    #3
  4. "Peter Bradley" wrote:

    > I've never used the login control, but presumably the onus is on you to get
    > the roles. A quick look at the help for the login control doesn't show that
    > it provides any features such as role retrieval.


    Hi, Peter.

    You will see from my first post that a resubmit of the login page picks up
    the roles correctly. The roles are present in the same SQLExpress database
    as the users.

    The symptoms are as if the roles are not loaded until after the LoggedIn
    event is called, which is plain bizarre.

    Iain
    Iain, Mar 15, 2007
    #4
  5. Where is your code that loads the roles?


    Peter

    "Iain" <> wrote in message
    news:...
    >
    >
    > "Peter Bradley" wrote:
    >
    >> I've never used the login control, but presumably the onus is on you to
    >> get the roles. A quick look at the help for the login control doesn't
    >> show that it provides any features such as role retrieval.

    >
    > Hi, Peter.
    >
    > You will see from my first post that a resubmit of the login page picks up
    > the roles correctly. The roles are present in the same SQLExpress
    > database as the users.
    >
    > The symptoms are as if the roles are not loaded until after the LoggedIn
    > event is called, which is plain bizarre.
    >
    > Iain
    Peter Bradley, Mar 15, 2007
    #5
  6. Just had a look at the help for the control:
    <quote>
    Notes to Implementers Custom authentication schemes should set the
    Authenticated property to true to indicate that a user has been
    authenticated. When a user submits his or her login information, the Login
    control first raises the LoggingIn event, then the Authenticate event, and
    finally the LoggedIn event.

    </quote>

    So, if it were me, I'd retrieve the roles in the Authenticate event. Since
    we use Forms authentication, I'd then store them as a delimited string in a
    FormsAuthenticationTicket, which I'd then encrypt and store in a cookie.
    The Application_AuthenticateRequest event handler can then retrieve and
    decrypt the cookie, get the roles stored and put them into an Identity
    object in a Principal object.

    HTH



    Peter

    "Iain" <> wrote in message
    news:...
    >
    >
    > "Peter Bradley" wrote:
    >
    >> I've never used the login control, but presumably the onus is on you to
    >> get the roles. A quick look at the help for the login control doesn't
    >> show that it provides any features such as role retrieval.

    >
    > Hi, Peter.
    >
    > You will see from my first post that a resubmit of the login page picks up
    > the roles correctly. The roles are present in the same SQLExpress
    > database as the users.
    >
    > The symptoms are as if the roles are not loaded until after the LoggedIn
    > event is called, which is plain bizarre.
    >
    > Iain
    Peter Bradley, Mar 15, 2007
    #6
  7. "Peter Bradley" wrote:

    > Just had a look at the help for the control:
    > <quote>
    > Notes to Implementers Custom authentication schemes should set the
    > Authenticated property to true to indicate that a user has been
    > authenticated. When a user submits his or her login information, the Login
    > control first raises the LoggingIn event, then the Authenticate event, and
    > finally the LoggedIn event.
    >
    > </quote>
    >
    > So, if it were me, I'd retrieve the roles in the Authenticate event. Since
    > we use Forms authentication, I'd then store them as a delimited string in a
    > FormsAuthenticationTicket, which I'd then encrypt and store in a cookie.
    > The Application_AuthenticateRequest event handler can then retrieve and
    > decrypt the cookie, get the roles stored and put them into an Identity
    > object in a Principal object.
    >

    Hi, Peter.

    I'm not using custom authentication and as I'm checking roles (with
    User.IsInRole("MyRole")) in the LoggedIn Event this should be equivalent to
    doing it in the Authenticated event. I've worked around this, by not
    checking the role in the login form, but rather redirecting the form to a
    holding page, checking there for the role (which works) and then redirecting
    again if need be.

    I would have to regard this as a bug. It's not the way I would expect it to
    work.

    Other oddities I've picked up (which I think are plain wrong!) are:

    If you login without first logging out, the login does not work. You remain
    logged in as the previous user.

    If you login as a new user, the session is not restarted.

    My work around is to use FormsAuthentication.SignOut() to force a log off
    (why is this not part of the Membership class?) and also to clear the session
    in the LoggingIn event.

    Dear Microsoft, a spoonful of documentation would have saved me a
    considerable time of messing around.

    Iain
    Iain, Mar 16, 2007
    #7
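
The behaviour discussed in this thread, as an added example (not code from the thread). The Login control adds the forms-authentication cookie to the response before raising LoggedIn, but the page's `User` principal was built from the incoming request, so it only reflects the new login on the next request; querying the role provider by user name avoids the extra hop. `Login1`, the role names and the target URLs are hypothetical.

```csharp
// Added example; Login1, the role names and the URLs are hypothetical.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI.WebControls;

public partial class LoginPage : System.Web.UI.Page
{
    // LoggingIn fires before the credentials are checked. Dropping the old
    // ticket and session here keeps a previous user's identity and session
    // data from carrying over into the new login.
    protected void Login1_LoggingIn(object sender, LoginCancelEventArgs e)
    {
        FormsAuthentication.SignOut();
        Session.Clear();
        Session.Abandon();
        // Blank the session cookie so the next request gets a fresh session ID.
        // "ASP.NET_SessionId" is the default name; change it if <sessionState>
        // sets cookieName.
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
    }

    // LoggedIn fires after the auth cookie has been queued on the response.
    // User.IsInRole() here still describes whoever made the request
    // (anonymous, or the previously logged-in user), so ask the role provider
    // about the name that was just authenticated instead.
    protected void Login1_LoggedIn(object sender, EventArgs e)
    {
        string userName = Login1.UserName;
        string target;

        if (Roles.IsUserInRole(userName, "Administrators"))
            target = "~/Admin/Default.aspx";
        else if (Roles.IsUserInRole(userName, "Staff"))
            target = "~/Staff/Default.aspx";
        else
            target = "~/Default.aspx";

        // The queued auth cookie is sent along with this redirect.
        Response.Redirect(target);
    }
}
```

The redirect only chooses a landing page; each target page still needs its own authorization rule, since a user can request any URL directly.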