Hi all,
I'm testing ASP.NET 1.1 authentications and cookies features, and I've
red tons of tutorials and articles about this, but not all is clear for me.
My goal is to create a basic site with authentication process, like my
other ASP 3.0 sites that I developed with classical session variables to
follow each user with some personal data (like role, e-mail address,
preferences, ect.).
In .NET 1.1 I understand the basic web.config settings with
<authentication> node and <authorize> and so on... I've tested the
global.asax "onauthenticationrequest" to cast an identities to principal
for use "isInRole" properties, but this hint not solve the problem of
save in temporary memory some other data for not access to database
everytime, also I want to use a database table for storing my users
data, also their role in this application.
My questions are:
1) if I use a database table, can I use "If
FormsAuthentication.Authenticate(txtUsername.Text, txtPassword.Text)
Then ..."? (I don't think so, I think this is only possible with users
and passwords definition on web.config, so I've to check with an "IF
statement" the value with my datareader relative values.)
2) How can I menage efficently roles? I don't want to ask to database
the user credential every page access... I've tried a trick to add to
user name the role value with ":rolevalue" and then retrieve with a
substring method the relative values (in this case I can pass user name
and role simply, but I can't pass efficently other informations).
2.1) Can I use temporary cookies to store this informations?
2.2) Can I eventually encript this cookies (there's some builtin .NET
functions?)
2.3) Can I use sessions variables? Many people say that is not a good
idea...
3) There's a way to add other values to the cookie that ASP.NET generate
for authentication? Or I've to set another cookie for that? I see that
this auto-generated cookie is encrypted, so it would be a good and
simple possibility for my goals ;-)
4) I've tried to set up a clear-text cookie in the meaning of:
If FormsAuthentication.Authenticate(txtUsername.Text, txtPassword.Text) Then
Dim cook As New HttpCookie("trialcookie")
cook.Values.Add("role", "1")
Response.Cookies.Add(cook)
FormsAuthentication.RedirectFromLoginPage(txtUsern ame.Text, False)
End If
but in the protected page, now visible after this authentication, I
can't see "role" value of the cookie... why?
5) If I've two subdirectories "users" and "admins" (each contain
specific content pages), and If I can't manage group in web.config with
form authentication, how can I denied access to this specific
directories? I think I've to add code at "load" event to each page to
check user role (take by cookies, sesssion variables or other
suggestions see at top questions), in fact, I can't use <location>
node to specify group roles...
Really thanks for your patience, I think that this post can be usefull
for some other .NET newbie developer like me :-).
Nicola
