Storing Variable for use in different page

S

- Steve -

I have a website that uses forms based authentication. In the logon.aspx
page a user enters a username and password. It is then authenticated
against Active Directory.

After that point on any page in the directory I can access the username
using HttpContext.Current.User.Identity.Name, but I can't figure out how to
access the password in plain text. Back at the logon.aspx page if I could
store the password that is submitted the authentication subroutine so that
it could be accessed by other pages I would be in business.

--

Steve Evans
Email Services
SDSU Foundation
(619) 594-0708
 
J

John Saunders

- Steve - said:
I have a website that uses forms based authentication. In the logon.aspx
page a user enters a username and password. It is then authenticated
against Active Directory.

After that point on any page in the directory I can access the username
using HttpContext.Current.User.Identity.Name, but I can't figure out how to
access the password in plain text. Back at the logon.aspx page if I could
store the password that is submitted the authentication subroutine so that
it could be accessed by other pages I would be in business.

It is generally considered bad practice to store cleartext passwords at all.
What do you need the password for? And why can't you just store it in
Session state.
 
S

- Steve -

I need to run the page as a user with permission to create users in the
Active Directory. So to impersonate the thread I've been told I need to use
the "Impersonate a Specific User in Code" from
http://support.microsoft.com/default.aspx?scid=kb;en-us;306158, which needs
the username and password of the user account you want to impersonate.

If there's a better way I'd love to hear it.

--

Steve Evans
Email Services
SDSU Foundation
(619) 594-0708
 
J

John Saunders

- Steve - said:
I need to run the page as a user with permission to create users in the
Active Directory. So to impersonate the thread I've been told I need to use
the "Impersonate a Specific User in Code" from
http://support.microsoft.com/default.aspx?scid=kb;en-us;306158, which needs
the username and password of the user account you want to impersonate.

If there's a better way I'd love to hear it.

Unless you need audits of the creation of users to show up with the username
of the creating user, you could simply run the web site under a domain user
and not as ASPNET.

I presume there's a reason you're using Forms Authentication and not Windows
Authentication?
 
S

- Steve -

Wouldn't running an IIS site as a domain user that can create users be more
dangerous than storing a password in memory for a few minutes?

I'm using forms authentication instead of IIS authentication because of
style and form. The pop-up logon box isn't very professional.

I could always just encrypt and decrypt the string as I go correct?

--

Steve Evans
Email Services
SDSU Foundation
(619) 594-0708
 
J

John Saunders

- Steve - said:
Wouldn't running an IIS site as a domain user that can create users be more
dangerous than storing a password in memory for a few minutes?

I'm not certain that you'd have to run the entire site that way. It might be
possible to create a small sub-application with only the pages which require
domain user access and run that with a different account. I've never tried
this, so I don't know if it's possible. Maybe only in IIS 6.
I'm using forms authentication instead of IIS authentication because of
style and form. The pop-up logon box isn't very professional.

The pop-up logon box is how IE does it. It does that for every site which
uses browser-based authentication as opposed to forms authentication.
I could always just encrypt and decrypt the string as I go correct?

Yes. If I were you, I wouldn't store the password, only the encrypted
password. I'd also make sure my login page required SSL, so you're not
sending passwords in the clear.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,744
Messages
2,569,484
Members
44,904
Latest member
HealthyVisionsCBDPrice

Latest Threads

Top