Forms authentication - credential store

Here's bit of forms authentication from my project

// Register.aspx.c s - register and log user the first time

private void btnRegister_Cli ck(object sender, System.EventArg s e)
{
if(Page.IsValid )
{
FormsAuthentica tion.Initialize ();
UserDetail myUser = new UserDetail();
myUser.Email = txtEmail.Text;
myUser.Password Hash =
FormsAuthentica tion.HashPasswo rdForStoringInC onfigFile(txtPa ssword.Text,
"md5");
UsersDB myUserDB = new UsersDB();

bool UserAdded = myUserDB.SetUse rInfo(ref myUser);
if(UserAdded == false)
{
lblUserExists.V isible = true;
return;
}
else
{
LoggedUserInfo myUserInfo = myUserDB.GetRol es(myUser.Email ,
myUser.Password Hash);
if(myUserInfo.R ole != null && myUserInfo.Role != "")
{
Security.SetUse rInfo(myUserInf o, false);
// Redirect to the requested URL
string returnURL;
if(ViewState["returnURL"] != null)
returnURL = (string)ViewSta te["returnURL"];
else
returnURL = "/";

Response.Redire ct(returnURL);
}
}
}
}

----------------------------------------------------------------------------
------------------
// Security.cs containing Security Class // used to set the authentication
ticket and cookie
public static void SetUserInfo(Log gedUserInfo myUser, bool persistant)
{
FormsAuthentica tionTicket ticket = new FormsAuthentica tionTicket
(
1, // Ticket Version
myUser.UserID + ", " + myUser.Name, // UserName associated with the
ticket
DateTime.Now, // Date time issued
DateTime.Now.Ad dMinutes(30), // date time to expire
persistant, // cookie persistance
myUser.Role, // user data
FormsAuthentica tion.FormsCooki ePath // cookie path configured
);
// Encrypt the cookie using machine key for secure transport
string hash = FormsAuthentica tion.Encrypt(ti cket);
HttpCookie cookie = new HttpCookie(Form sAuthentication .FormsCookieNam e,
hash);
// set cookie's expiration time to ticket's expiration time
if(ticket.IsPer sistent)
cookie.Expires = ticket.Expirati on;
HttpContext.Cur rent.Response.C ookies.Add(cook ie);
}

----------------------------------------------------------------------------
---------------------
// Login.aspx - Log user in
private void btnLogin_Click( object sender, System.EventArg s e)
{
if(Page.IsValid )
{
FormsAuthentica tion.Initialize ();
UsersDB myUser = new UsersDB();

string email, passwordHash;
email = txtEmail.Text;
passwordHash =
FormsAuthentica tion.HashPasswo rdForStoringInC onfigFile(txtPa ssword.Text,
"md5");
LoggedUserInfo myUserInfo = myUser.GetRoles (email, passwordHash);
if(myUserInfo.R ole != null && myUserInfo.Role != "")
{
Security.SetUse rInfo(myUserInf o, chkRememberMe.C hecked);

// Redirect to the requested URL
string returnURL;
if(ViewState["returnURL"] != null)
returnURL = (string)ViewSta te["returnURL"];
else
returnURL = "/";

Response.Redire ct(returnURL);
}
else
{
lblErrorMsg.Tex t = "UserName / Password Incorrect Please try again.";
}
}

}

----------------------------------------------------------------------------
---------------------------------
// Web.config file
// under configuration >> system.web
<authenticati on mode="Forms">
<forms name=".ASPXAUTH "
loginUrl="Login .aspx"
timeout = "30"
slidingExpirati on="true"
protection="All "
path="/" />
</authentication>

----------------------------------------------------------------------------
----------------------------------
// Last but not the least....
// Global.asax.cs
protected void Application_Aut henticateReques t(Object sender, EventArgs e)
{
if(HttpContext. Current.User != null)
{
if(HttpContext. Current.User.Id entity.IsAuthen ticated)
{
if(HttpContext. Current.User.Id entity is FormsIdentity)
{
FormsIdentity id = (FormsIdentity) HttpContext.Cur rent.User.Ident ity;
FormsAuthentica tionTicket ticket = id.Ticket;

// get data stored in cookie
string userData = ticket.UserData ;
string[] roles = userData.Split( ',');
HttpContext.Cur rent.User = new GenericPrincipa l(id, roles);
}
}
}
}
----------------------------------------------------------------------------
--------

should be working now.. i can access my user info using
HttpContext.Cur rent.User
can validate whether user is in a particular role or what his name is or his
id is.

hope this helps... know its a long post but didnt have an option...
--
Regards,

HD

"Martin" <du***@somewher e.nl> wrote in message
news:3f******** *************** @news.wanadoo.n l...

Dear fellow ASP.NET programmer,

I stared using forms authentication and temporarily used a <credentials> tag in web.config. After I got it working I realized this wasn't really
practical. I cannot write to web.config so I cannot dynamically update the
credentials while the site is up. Since the
FormsAuthentica tion.Authentica te() method's documentations claims the
following:

"Attempts to validate the credentials against those contained in the
configured credential store, given the supplied credentials."

I figured it wouldn't be too hard to by-pass the retrieval of credentials to some other source and that it could probably be done declaratively in
web.config. Well I still hope this is the case but I cannot find anything
about it anywhere except a couple more references that state that it is very easy to do so. If anyone actually knows how I sure would like to know.

I have my own xml fle with credentials now. My problem is that, since I am
authenticating myself and do not use
FormsAuthentica tion.Authentica te() anymore, the user name is no longer
available from the read-only property httpContext.Cur rent.User.Ident ity.Name which was pretty nice. I can of course store my user name in some session
variable but this doesn't seem right, I want to do this properly.

I am also confused about the authentication cookie. Is it in any way related to the session cookie or are sessions and authentication sessions separate, independent animals?

Martin.

> should be working now.. i can access my user info using

HttpContext.Cur rent.User can validate whether user is in
a particular role or what his name is or his id is.
hope this helps... know its a long post but didnt have an option...

Yeah, well... Seems like a lot of fix-ups, you are doing the things I would
expect ASP.NET to be doing.

You are redirecting manually instead of using
FormsAuthentica tion.RedirectFr omLoginPage. The latter method seems to take
care of at least putting the user name into
HttpContext.Cur rent.User.Ident ity.Name.

Thanks for the example.

Regards, Martin.

the reason i am doing a whole lot of things is taht i would like to put in
stuff i want inside the authentication ticket...
and for that reason i have to create the ticket myself...

if i use RedirectFromLog inPage... it replaces the ticket... which kinda
compounds my problem...
plus that ticket is indeed important... using it across two applications... .
:)

--
Regards,

HD

"Martin" <du***@somewher e.nl> wrote in message
news:40******** *************** @news.euronet.n l...

should be working now.. i can access my user info using
HttpContext.Cur rent.User can validate whether user is in
a particular role or what his name is or his id is.
hope this helps... know its a long post but didnt have an option...
Yeah, well... Seems like a lot of fix-ups, you are doing the things I

would expect ASP.NET to be doing.

You are redirecting manually instead of using
FormsAuthentica tion.RedirectFr omLoginPage. The latter method seems to take
care of at least putting the user name into
HttpContext.Cur rent.User.Ident ity.Name.

Thanks for the example.

Regards, Martin.