Forms authentication - credential store

Dear fellow ASP.NET programmer,

I started using forms authentication and temporarily used a <credentials> tag
in web.config. After I got it working I realized this wasn't really
practical. I cannot write to web.config so I cannot dynamically update the
credentials while the site is up. Since the
FormsAuthentication.Authenticate() method's documentation claims the
following:

"Attempts to validate the credentials against those contained in the
configured credential store, given the supplied credentials."

I figured it wouldn't be too hard to by-pass the retrieval of credentials to
some other source and that it could probably be done declaratively in
web.config. Well I still hope this is the case but I cannot find anything
about it anywhere except a couple more references that state that it is very
easy to do so. If anyone actually knows how I sure would like to know.

I have my own xml file with credentials now. My problem is that, since I am
authenticating myself and do not use
FormsAuthentication.Authenticate() anymore, the user name is no longer
available from the read-only property HttpContext.Current.User.Identity.Name
which was pretty nice. I can of course store my user name in some session
variable but this doesn't seem right, I want to do this properly.

I am also confused about the authentication cookie. Is it in any way related
to the session cookie or are sessions and authentication sessions separate,
independent animals?

Martin.
Nov 18 '05 #1
Here's a bit of forms authentication from my project

    // Register.aspx.cs - register and log user the first time

    private void btnRegister_Click(object sender, System.EventArgs e)
    {
        if (Page.IsValid)
        {
            FormsAuthentication.Initialize();
            UserDetail myUser = new UserDetail();
            myUser.Email = txtEmail.Text;
            myUser.PasswordHash =
                FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Text, "md5");
            UsersDB myUserDB = new UsersDB();

            bool UserAdded = myUserDB.SetUserInfo(ref myUser);
            if (UserAdded == false)
            {
                lblUserExists.Visible = true;
                return;
            }
            else
            {
                LoggedUserInfo myUserInfo = myUserDB.GetRoles(myUser.Email, myUser.PasswordHash);
                if (myUserInfo.Role != null && myUserInfo.Role != "")
                {
                    Security.SetUserInfo(myUserInfo, false);
                    // Redirect to the requested URL
                    string returnURL;
                    if (ViewState["returnURL"] != null)
                        returnURL = (string)ViewState["returnURL"];
                    else
                        returnURL = "/";

                    Response.Redirect(returnURL);
                }
            }
        }
    }

----------------------------------------------------------------------------
    // Security.cs containing Security Class
    // used to set the authentication ticket and cookie
    public static void SetUserInfo(LoggedUserInfo myUser, bool persistant)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket
        (
            1,                                  // Ticket Version
            myUser.UserID + ", " + myUser.Name, // UserName associated with the ticket
            DateTime.Now,                       // Date time issued
            DateTime.Now.AddMinutes(30),        // date time to expire
            persistant,                         // cookie persistance
            myUser.Role,                        // user data
            FormsAuthentication.FormsCookiePath // cookie path configured
        );
        // Encrypt the cookie using machine key for secure transport
        string hash = FormsAuthentication.Encrypt(ticket);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hash);
        // set cookie's expiration time to ticket's expiration time
        if (ticket.IsPersistent)
            cookie.Expires = ticket.Expiration;
        HttpContext.Current.Response.Cookies.Add(cookie);
    }

----------------------------------------------------------------------------
    // Login.aspx - Log user in
    private void btnLogin_Click(object sender, System.EventArgs e)
    {
        if (Page.IsValid)
        {
            FormsAuthentication.Initialize();
            UsersDB myUser = new UsersDB();

            string email, passwordHash;
            email = txtEmail.Text;
            passwordHash =
                FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Text, "md5");
            LoggedUserInfo myUserInfo = myUser.GetRoles(email, passwordHash);
            if (myUserInfo.Role != null && myUserInfo.Role != "")
            {
                Security.SetUserInfo(myUserInfo, chkRememberMe.Checked);

                // Redirect to the requested URL
                string returnURL;
                if (ViewState["returnURL"] != null)
                    returnURL = (string)ViewState["returnURL"];
                else
                    returnURL = "/";

                Response.Redirect(returnURL);
            }
            else
            {
                lblErrorMsg.Text = "UserName / Password Incorrect Please try again.";
            }
        }
    }

----------------------------------------------------------------------------
    <!-- Web.config file -->
    <!-- under configuration >> system.web -->
    <authentication mode="Forms">
        <forms name=".ASPXAUTH"
               loginUrl="Login.aspx"
               timeout="30"
               slidingExpiration="true"
               protection="All"
               path="/" />
    </authentication>

----------------------------------------------------------------------------
    // Last but not the least....
    // Global.asax.cs
    // (needs: using System.Security.Principal; using System.Web.Security;)
    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        if (HttpContext.Current.User != null)
        {
            if (HttpContext.Current.User.Identity.IsAuthenticated)
            {
                if (HttpContext.Current.User.Identity is FormsIdentity)
                {
                    FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
                    FormsAuthenticationTicket ticket = id.Ticket;

                    // get data stored in cookie (the roles put into UserData at login)
                    string userData = ticket.UserData;
                    string[] roles = userData.Split(',');
                    // replace the principal so role checks use the ticket's roles
                    HttpContext.Current.User = new GenericPrincipal(id, roles);
                }
            }
        }
    }

----------------------------------------------------------------------------

should be working now.. i can access my user info using
HttpContext.Current.User
can validate whether user is in a particular role or what his name is or his
id is.

hope this helps... know it's a long post but didn't have an option...
--
Regards,

HD

Nov 18 '05 #2
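
Added example, not part of HD's post or the thread: one way to replace the unsalted `HashPasswordForStoringInConfigFile(..., "md5")` call in the Register and Login handlers above with a salted PBKDF2 hash compared in constant time, and to issue the same ticket in a cookie marked HttpOnly. `PasswordStore`, `TicketIssuer`, the iteration count and the sizes are assumptions, as are .NET Framework 4.7.2 or later and a user store that keeps a salt beside each hash.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Added example, not HD's code. Assumes .NET Framework 4.7.2+ and a user store
// (hypothetical) that keeps a per-user salt and hash next to the roles.
public static class PasswordStore
{
    const int Iterations = 100000, SaltBytes = 16, HashBytes = 32; // assumed parameters

    // Called at registration: returns the random salt and the derived hash to store.
    public static void Create(string password, out byte[] salt, out byte[] hash)
    {
        salt = new byte[SaltBytes];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        hash = Derive(password, salt);
    }

    // Called at login: recompute with the stored salt, compare without early exit.
    public static bool Verify(string password, byte[] salt, byte[] storedHash)
    {
        byte[] candidate = Derive(password, salt);
        int diff = candidate.Length ^ storedHash.Length;
        for (int i = 0; i < candidate.Length && i < storedHash.Length; i++)
            diff |= candidate[i] ^ storedHash[i];
        return diff == 0;
    }

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }
}

public static class TicketIssuer
{
    // Same ticket layout as the post: roles travel in UserData.
    public static void Issue(HttpResponse response, string userName, string roles, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.AddMinutes(30), persistent, roles, FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                         // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL; // follows requireSSL in web.config
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }
}
```

With this in place the login handler looks the user up by e-mail, calls `PasswordStore.Verify` on the stored salt and hash, and only then calls `TicketIssuer.Issue`; the `Application_AuthenticateRequest` handler from the post works unchanged.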
> should be working now.. i can access my user info using
> HttpContext.Current.User can validate whether user is in
> a particular role or what his name is or his id is.
> hope this helps... know it's a long post but didn't have an option...


Yeah, well... Seems like a lot of fix-ups, you are doing the things I would
expect ASP.NET to be doing.

You are redirecting manually instead of using
FormsAuthentication.RedirectFromLoginPage. The latter method seems to take
care of at least putting the user name into
HttpContext.Current.User.Identity.Name.

Thanks for the example.

Regards, Martin.
Nov 18 '05 #3
the reason i am doing a whole lot of things is that i would like to put in
stuff i want inside the authentication ticket...
and for that reason i have to create the ticket myself...

if i use RedirectFromLoginPage... it replaces the ticket... which kinda
compounds my problem...
plus that ticket is indeed important... using it across two applications....
:)

--
Regards,

HD

Nov 18 '05 #4
