
Forms authentication - credential store

Dear fellow ASP.NET programmer,

I started using forms authentication and temporarily used a <credentials> tag
in web.config. After I got it working I realized this wasn't really
practical. I cannot write to web.config so I cannot dynamically update the
credentials while the site is up. Since the
FormsAuthentication.Authenticate() method's documentation claims the
following:

"Attempts to validate the credentials against those contained in the
configured credential store, given the supplied credentials."

I figured it wouldn't be too hard to by-pass the retrieval of credentials to
some other source and that it could probably be done declaratively in
web.config. Well I still hope this is the case but I cannot find anything
about it anywhere except a couple more references that state that it is very
easy to do so. If anyone actually knows how I sure would like to know.

I have my own xml file with credentials now. My problem is that, since I am
authenticating myself and do not use
FormsAuthentication.Authenticate() anymore, the user name is no longer
available from the read-only property HttpContext.Current.User.Identity.Name
which was pretty nice. I can of course store my user name in some session
variable but this doesn't seem right, I want to do this properly.

I am also confused about the authentication cookie. Is it in any way related
to the session cookie or are sessions and authentication sessions separate,
independent animals?

Martin.
Nov 18 '05 #1
3 Replies


Here's a bit of forms authentication from my project

// Register.aspx.cs - register and log user the first time

private void btnRegister_Click(object sender, System.EventArgs e)
{
    if(Page.IsValid)
    {
        FormsAuthentication.Initialize();
        UserDetail myUser = new UserDetail();
        myUser.Email = txtEmail.Text;
        myUser.PasswordHash =
            FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Text, "md5");
        UsersDB myUserDB = new UsersDB();

        bool UserAdded = myUserDB.SetUserInfo(ref myUser);
        if(UserAdded == false)
        {
            lblUserExists.Visible = true;
            return;
        }
        else
        {
            LoggedUserInfo myUserInfo = myUserDB.GetRoles(myUser.Email, myUser.PasswordHash);
            if(myUserInfo.Role != null && myUserInfo.Role != "")
            {
                Security.SetUserInfo(myUserInfo, false);
                // Redirect to the requested URL
                string returnURL;
                if(ViewState["returnURL"] != null)
                    returnURL = (string)ViewState["returnURL"];
                else
                    returnURL = "/";

                Response.Redirect(returnURL);
            }
        }
    }
}

----------------------------------------------------------------------------
// Security.cs containing Security Class
// used to set the authentication ticket and cookie
public static void SetUserInfo(LoggedUserInfo myUser, bool persistant)
{
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket
    (
        1,                                   // Ticket Version
        myUser.UserID + ", " + myUser.Name,  // UserName associated with the ticket
        DateTime.Now,                        // Date time issued
        DateTime.Now.AddMinutes(30),         // date time to expire
        persistant,                          // cookie persistence
        myUser.Role,                         // user data
        FormsAuthentication.FormsCookiePath  // cookie path configured
    );
    // Encrypt the cookie using machine key for secure transport
    string hash = FormsAuthentication.Encrypt(ticket);
    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hash);
    // set cookie's expiration time to ticket's expiration time
    if(ticket.IsPersistent)
        cookie.Expires = ticket.Expiration;
    HttpContext.Current.Response.Cookies.Add(cookie);
}

----------------------------------------------------------------------------
// Login.aspx - Log user in
private void btnLogin_Click(object sender, System.EventArgs e)
{
    if(Page.IsValid)
    {
        FormsAuthentication.Initialize();
        UsersDB myUser = new UsersDB();

        string email, passwordHash;
        email = txtEmail.Text;
        passwordHash =
            FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Text, "md5");
        LoggedUserInfo myUserInfo = myUser.GetRoles(email, passwordHash);
        if(myUserInfo.Role != null && myUserInfo.Role != "")
        {
            Security.SetUserInfo(myUserInfo, chkRememberMe.Checked);

            // Redirect to the requested URL
            string returnURL;
            if(ViewState["returnURL"] != null)
                returnURL = (string)ViewState["returnURL"];
            else
                returnURL = "/";

            Response.Redirect(returnURL);
        }
        else
        {
            lblErrorMsg.Text = "UserName / Password Incorrect Please try again.";
        }
    }
}

----------------------------------------------------------------------------
// Web.config file
// under configuration >> system.web
<authentication mode="Forms">
    <forms name=".ASPXAUTH"
           loginUrl="Login.aspx"
           timeout="30"
           slidingExpiration="true"
           protection="All"
           path="/" />
</authentication>

----------------------------------------------------------------------------
// Last but not the least....
// Global.asax.cs
// needs: using System.Security.Principal; using System.Web.Security;
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    if(HttpContext.Current.User != null)
    {
        if(HttpContext.Current.User.Identity.IsAuthenticated)
        {
            if(HttpContext.Current.User.Identity is FormsIdentity)
            {
                FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
                FormsAuthenticationTicket ticket = id.Ticket;

                // get data stored in cookie
                string userData = ticket.UserData;
                string[] roles = userData.Split(',');
                HttpContext.Current.User = new GenericPrincipal(id, roles);
            }
        }
    }
}
----------------------------------------------------------------------------

should be working now.. I can access my user info using
HttpContext.Current.User
can validate whether user is in a particular role or what his name is or his
id is.

hope this helps... know it's a long post but didn't have an option...
--
Regards,

HD

Nov 18 '05 #2
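
Added example, not part of HD's post or of the thread: one way to check a password against your own credential store and still have HttpContext.Current.User.Identity.Name filled in, which is what the original question asks for. It assumes .NET Framework 4.x with System.Web; the class name CustomStoreLogin, the "salt:hash" record format and the iteration count are assumptions, and it uses salted PBKDF2 (Rfc2898DeriveBytes) in place of the unsalted MD5 hash in the post above.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;
// Hypothetical helper; names and record format are assumptions for illustration.
public static class CustomStoreLogin
{
    const int Iterations = 100000; // assumed work factor; tune for your hardware

    // Produces "base64(salt):base64(hash)" to keep in your own XML file or database.
    public static string HashPassword(string password)
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(kdf.GetBytes(32));
    }

    // Recomputes the hash with the stored salt and compares without early exit.
    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = (stored ?? "").Split(':');
        if (parts.Length != 2) return false;
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        if (salt.Length < 8 || expected.Length == 0) return false;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            byte[] actual = kdf.GetBytes(expected.Length);
            int diff = 0;
            for (int i = 0; i < expected.Length; i++) diff |= actual[i] ^ expected[i];
            return diff == 0;
        }
    }

    // Issues the ticket; on later requests its Name is what User.Identity.Name returns.
    public static void SignIn(HttpResponse response, string userName, string roles, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.AddMinutes(30), persistent, roles, FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                         // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL; // follows <forms requireSSL="...">
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }
}
```

Call SignIn only after VerifyPassword returns true, then redirect; an Application_AuthenticateRequest handler like the one in the post above can still turn the ticket's UserData into roles.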

> should be working now.. i can access my user info using
> HttpContext.Current.User can validate whether user is in
> a particular role or what his name is or his id is.
> hope this helps... know its a long post but didnt have an option...


Yeah, well... Seems like a lot of fix-ups, you are doing the things I would
expect ASP.NET to be doing.

You are redirecting manually instead of using
FormsAuthentication.RedirectFromLoginPage. The latter method seems to take
care of at least putting the user name into
HttpContext.Current.User.Identity.Name.

Thanks for the example.

Regards, Martin.
Nov 18 '05 #3

the reason i am doing a whole lot of things is that i would like to put in
stuff i want inside the authentication ticket...
and for that reason i have to create the ticket myself...

if i use RedirectFromLoginPage... it replaces the ticket... which kinda
compounds my problem...
plus that ticket is indeed important... using it across two applications....
:)

--
Regards,

HD
Nov 18 '05 #4
