How to get log-in name from cookie in case of Forms authentication?

Discussion in 'ASP .Net Security' started by asnowfall, Jan 18, 2008.

  1. asnowfall

    asnowfall Guest

    I am using 'System.Web.Security.Membership' &
    'System.Web.UI.WebControls.Login' control to implement Forms based
    authentication. The problem began after I started persisting the
    credentials using cookie. On the first log-in credentials of user, say
    'account1', gets persisted in a cookie; and after this 'account1' is
    able to access the resource owned by another other user 'account2'.
    Please help me resolve this or rather clarify my understanding.

    Here are the details of my implementation. Authentication is done by
    comparing user name and password against the values stored in DB; and
    thus MembershipProvider authenticates against the DB. And the files or
    data belonging to an user is kept in a folder who's name is same as
    account name; and the logged in user is given access to the files if
    the log-in name is same as folder name. Account name is not passed as
    part of URL and but picked up from the log-in dialog. Server compares
    log-in against folder name to decide whether to give access to the
    files. Here is the sample URL
    http://localhost:8080/?id=572

    Before I added the cookie feature, user was being prompted for
    credentials every time and this setup was working fine. And the
    problem started after I added the cookies. I have overloaded only
    System.Web.UI.WebControls.Login::OnAuthenticate() and here it is

    System.Web.UI.WebControls.Login::OnAuthenticate( o, e)
    {
    if(MembershipProvider.Validate(u,p))
    {
    FormAuthenticate::RedirectFromLoginPage(u, true)
    e.Authenticated = true;
    }
    else
    {
    e.Authenticated = false;
    }
    }

    What I am seeing is that MembershipProvider.Validate() gets called
    only on the first log-in but not on subsequent times. I would like to
    know how .Net framework compensates for not invoking
    MembershipProvider.Validate(). And, I can see the problem in that on
    subsequent log-ins I am not storing log-in name; and the solution
    seems to be that some how I should get the log-in name that is present
    inside the cookie.

    So my questions are..
    -Is my understanding correct?
    -On subsequent logins, will any methods of
    System.Web.UI.WebControls.Login() gets called at all?
    If so, which method should I overload to get the log-in name?

    Thanks in advance
    Ramesh
     
    asnowfall, Jan 18, 2008
    #1
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.