wsyeager Posted July 24, 2003

Everything is working in my authentication process except for the fact that I can't retrieve the "UserData" property from the "FormsAuthenticationTicket". Right before I do a "RedirectFromLoginPage", I check the "UserData" property of the "FormsAuthenticationTicket". It's set to the value "Admin" (a role for the user), which is what I want. Here is the code:

    strUserName = CType(drOLEDBNicemScheduling.GetValue(1) & Chr(32) & drOLEDBNicemScheduling.GetValue(2), String)

    'Set the authentication ticket
    Dim arrRoles(0) As String
    arrRoles(0) = CType(drOLEDBNicemScheduling.GetValue(3), String)
    Dim ticket As New FormsAuthenticationTicket(1, strUserName, Now, DateAdd(DateInterval.Minute, 60, Now), ValidateLogin.PersistantCookie, arrRoles(0))
    Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
    If ValidateLogin.PersistantCookie Then
        Response.Cookies.Add(cookie)
    End If

    'Create Identity
    Dim objIdentity As New Security.Principal.GenericIdentity(strUserName)
    Dim objPrincipal As New Security.Principal.GenericPrincipal(objIdentity, arrRoles)
    FormsAuthentication.RedirectFromLoginPage(strUserName, ValidateLogin.PersistantCookie)

However, once I get in the Global.asax file in the "Application_AuthenticateRequest" event (fired by the FormsAuthentication.RedirectFromLoginPage method), I check the "UserData" property of the ticket and it's an empty string! All the other properties pertaining to the ticket are there. I'm setting up the cookie, so the "UserData" property should be populated.

Here is the code in the global.asax file:

    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        If (Not (HttpContext.Current.User Is Nothing)) Then
            If HttpContext.Current.User.Identity.AuthenticationType = "Forms" Then
                If HttpContext.Current.User.Identity.IsAuthenticated Then
                    Dim id As FormsIdentity = CType(HttpContext.Current.User.Identity, FormsIdentity)
                    Dim ticket As FormsAuthenticationTicket = id.Ticket
                    Dim roles(0) As String
                    roles(0) = ticket.UserData
                    HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(id, roles)
                End If
            End If
        End If
    End Sub

What am I doing wrong??? I need to be able to identify the role of the user (they will only have 1 role).

Thanks,
Bill Yeager (MCP, BCIP)
Microsoft Certified Professional
Brainbench Certified Internet Professional, .Net Programmer, Computer Programmer
YeagerTech Consulting, Inc.
Derek Stone (*Gurus*) Posted July 25, 2003

Try to use the HttpContext.Current.User.IsInRole() method as opposed to storing the role in the UserData property.
wsyeager (Author) Posted July 26, 2003

Derek, how would I know what the role of the user is if it is not placed anywhere to begin with? I get the role from the db and want to place it in a cookie so I can read it..... The thing is, how do I read that cookie to get that role information? That's what I don't know how to do......
Derek Stone (*Gurus*) Posted July 26, 2003

You should be storing as little as possible in cookies. Roles should be retrieved from the database (if any) with each request, and used to populate IIdentity and IPrincipal objects. Roles should never be placed in cookies, as it's an open door for account elevation attacks. Nonetheless...

    Dim roles(0) As String
    [b]roles(0)[/b] = ticket.UserData
    HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(id, [b]roles[/b])

I've highlighted your problem.
wsyeager (Author) Posted July 26, 2003

Derek, I figured out finally how to do it. In my login form I have the following code:

    FormsAuthentication.HashPasswordForStoringInConfigFile(ValidateLogin.Password, "md5")

    'The userid is a random unique key numeric field which ties the db tables together
    Session("lngUserID") = CType(drOLEDBNicemScheduling.GetValue(0), Long)
    strUserName = CType(drOLEDBNicemScheduling.GetValue(1) & Chr(32) & drOLEDBNicemScheduling.GetValue(2), String)

    'Set the authentication ticket
    Dim arrRoles(0) As String
    arrRoles(0) = CType(drOLEDBNicemScheduling.GetValue(3), String)
    Dim ticket As New FormsAuthenticationTicket(1, strUserName, Now, DateAdd(DateInterval.Minute, 60, Now), ValidateLogin.PersistantCookie, arrRoles(0))
    Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
    Response.Cookies.Add(cookie)
    Dim strURL As String = FormsAuthentication.GetRedirectUrl(strUserName, False)
    Response.Redirect(strURL)

In my global.asax file I have the following:

    If (Not (HttpContext.Current.User Is Nothing)) Then
        If HttpContext.Current.User.Identity.AuthenticationType = "Forms" Then
            If HttpContext.Current.User.Identity.IsAuthenticated Then
                Dim id As FormsIdentity = CType(HttpContext.Current.User.Identity, FormsIdentity)
                Dim ticket As FormsAuthenticationTicket = id.Ticket
                Dim roles() As String
                roles = ticket.UserData.Split(","c)
                HttpContext.Current.User = New GenericPrincipal(id, roles)
            End If
        End If
    End If

Notice I hash the password & encrypt the authentication ticket....
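The following is an added example, not code from this thread, showing the design Derek recommends: the Global.asax handler trusts only the authenticated name in the forms ticket and loads the roles from the database on every request, so UserData carries nothing and a revoked role stops working immediately rather than for the remaining lifetime of the cookie. It assumes a hypothetical UserRoles table and a hypothetical Web.config appSettings key "NicemScheduling" holding the connection string; the login page still issues the cookie and redirects with GetRedirectUrl as in the final post, since RedirectFromLoginPage issues its own ticket and would replace the custom cookie.

```vb
' Added example (not the thread's code). Assumes a hypothetical UserRoles table
' and a hypothetical appSettings key "NicemScheduling" with the connection string.
Imports System.Collections
Imports System.Configuration
Imports System.Data
Imports System.Data.OleDb
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

Public Class Global
    Inherits HttpApplication

    ' Roles are looked up per request, keyed only by the ticket's authenticated name.
    Private Function GetRolesFromDb(ByVal userName As String) As String()
        Dim roles As New ArrayList()
        Dim conn As New OleDbConnection(ConfigurationSettings.AppSettings("NicemScheduling"))
        ' Parameterised query: the name comes from a client cookie, so it is untrusted input.
        Dim cmd As New OleDbCommand("SELECT RoleName FROM UserRoles WHERE UserName = ?", conn)
        cmd.Parameters.Add("@UserName", OleDbType.VarWChar).Value = userName
        Try
            conn.Open()
            Dim rdr As OleDbDataReader = cmd.ExecuteReader()
            While rdr.Read()
                roles.Add(rdr.GetString(0))
            End While
            rdr.Close()
        Finally
            conn.Close()
        End Try
        Return CType(roles.ToArray(GetType(String)), String())
    End Function

    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim user As IPrincipal = HttpContext.Current.User
        If user Is Nothing OrElse Not user.Identity.IsAuthenticated Then Return
        If Not TypeOf user.Identity Is FormsIdentity Then Return
        Dim id As FormsIdentity = CType(user.Identity, FormsIdentity)
        ' The principal's roles come from the database, never from id.Ticket.UserData,
        ' so nothing a client can replay or tamper with decides what the user may do.
        HttpContext.Current.User = New GenericPrincipal(id, GetRolesFromDb(id.Name))
    End Sub
End Class
```

Pages and code-behind can then call User.IsInRole("Admin") and get an answer that reflects the database at the time of the request.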