Session vs. RoleProvider

Discussion in 'ASP .Net Security' started by Arthur Dent, May 15, 2007.

  1. Arthur Dent (Guest)

    Please help... I am stumped...

    I have an app, written in VB.NET fwiw. I have a custom RoleProvider class,
    cuz I finally got tired enough of hacking with application variables to
    learn the "correct" way to do roles. ;) ....

    Now, the problem is that my RoleProvider and my FormsAuthentication
    session do not stay together. That is to say, I frequently see cases where
    the session will expire, but the RoleProvider does not. Now, they both have
    their expiration timeouts set to the same values in the web.config file.

    So what I wind up with is being able to access the "locked down" areas of my
    site (because my RoleProvider is still providing the correct roles) even
    though my forms authentication has expired. How can I force
    FormsAuthentication and a custom RoleProvider to stay in lock-step???
    This is a major problem, and constitutes a pretty significant security hole.
    Even though FA has expired, and it SHOULD send me back to my login page, it
    doesn't because the RoleProvider is still saying I have "Admin" rights (or
    whatever rights, for the 'secured' section).

    I hope someone can help me with this; thanks in advance,
    - Arthur Dent.
     
    Arthur Dent, May 15, 2007
    #1

  2. On May 15, 6:07 pm, "Arthur Dent" <>
    wrote:
    > Please help... I am stumped...
    >
    > I have an app, written in VB.NET fwiw. I have a custom RoleProvider class,
    > cuz I finally got tired enough of hacking with application variables to
    > learn the "correct" way to do roles. ;) ....
    >
    > Now, the problem is that my RoleProvider and my FormsAuthentication
    > session do not stay together. That is to say, I frequently see cases where
    > the session will expire, but the RoleProvider does not. Now, they both have
    > their expiration timeouts set to the same values in the web.config file.
    >
    > So what I wind up with is being able to access the "locked down" areas of my
    > site (because my RoleProvider is still providing the correct roles) even
    > though my forms authentication has expired. How can I force
    > FormsAuthentication and a custom RoleProvider to stay in lock-step???
    > This is a major problem, and constitutes a pretty significant security hole.
    > Even though FA has expired, and it SHOULD send me back to my login page, it
    > doesn't because the RoleProvider is still saying I have "Admin" rights (or
    > whatever rights, for the 'secured' section).
    >
    > I hope someone can help me with this; thanks in advance,
    > - Arthur Dent.


    Hi Arthur,

    1. Can you post the code of your custom role provider here?
    2. What timeout value have you set in the authentication tag of the
    web.config file?

    BR,
     
    Alexey Smirnov, May 23, 2007
    #2
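As an added example (not the poster's configuration or the reply's), a web.config fragment that ties the roles cookie lifetime to the forms ticket and denies anonymous requests before any role rule is evaluated; the 20-minute value, the "Admin" path and the provider type name are assumptions.

```xml
<!-- web.config fragment (added example, not the poster's configuration). Assumes a
     20-minute timeout and an "Admin" folder; adjust both to the real application. -->
<configuration>
  <system.web>
    <!-- Forms ticket and roles cookie share the same lifetime and expiration mode,
         so cached roles cannot outlive the authentication ticket. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="20" slidingExpiration="true" protection="All" />
    </authentication>
    <roleManager enabled="true"
                 defaultProvider="CustomRoleProvider"
                 cacheRolesInCookie="true"
                 cookieTimeout="20"
                 cookieSlidingExpiration="true"
                 cookieProtection="All">
      <providers>
        <clear />
        <!-- Hypothetical type name; substitute the real custom RoleProvider class. -->
        <add name="CustomRoleProvider" type="MyApp.CustomRoleProvider" />
      </providers>
    </roleManager>
  </system.web>

  <!-- URL authorization rules are evaluated top to bottom and the first match wins.
       Denying "?" (anonymous) first means a request with an expired ticket is sent
       to loginUrl even if a role lookup would still report "Admin". -->
  <location path="Admin">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

If the application also keeps roles in Session state or application variables, that copy is not governed by either timeout above and must be checked against Request.IsAuthenticated before it is trusted.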