
Session vs. RoleProvider

Please help... I am stumped...

I have an app, written in VB.NET fwiw. I have a custom RoleProvider class,
because I finally got tired enough of hacking with application variables to
learn the "correct" way to do roles. ;) ....

Now, the problem is that my RoleProvider and my FormsAuthentication
Session do not stay together. That is to say, I frequently see cases where
the session will expire, but the RoleProvider does not. Now, they both have
their expiration timeouts set to the same values in the web.config file.

So what I wind up with is being able to access the "locked down" areas of my
site (because my RoleProvider is still providing the correct roles) even
though my forms authentication has expired. How can I force
FormsAuthentication and a custom RoleProvider to stay in lock-step???
This is a major problem, and constitutes a pretty significant security hole.
Even though FA has expired, and it SHOULD send me back to my login page, it
doesn't because the RoleProvider is still saying I have "Admin" rights (or
whatever rights, for the 'secured' section).

I hope someone can help me with this; thanks in advance,
- Arthur Dent.

May 15 '07 #1
Hi Arthur,

1. Can you post here the code of your custom role provider?
2. What timeout value have you set in the authentication tag of the
web.config file?

BR,

May 23 '07 #2
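A defender's way to keep FormsAuthentication and the role provider in step, as an added example rather than code from this thread: the role check is keyed on the principal built from a still-valid ticket, the roles cookie gets the same lifetime as the ticket, and logout clears both. The page class, the role name "Admin", the Session("username") pattern and the timeout values are assumptions, not the poster's code.

```vbnet
' web.config excerpt (assumed values): the forms ticket, the session and the
' cached roles cookie get the same lifetime, so none outlives the others.
' <sessionState timeout="20" />
' <authentication mode="Forms">
'   <forms loginUrl="Login.aspx" timeout="20" slidingExpiration="true" />
' </authentication>
' <roleManager enabled="true" defaultProvider="MyRoleProvider"
'              cacheRolesInCookie="true" cookieTimeout="20"
'              cookieSlidingExpiration="true" cookieProtection="All" />

Imports System
Imports System.Web.Security
Imports System.Security.Principal

Partial Public Class AdminPage
    Inherits System.Web.UI.Page

    ' Constructed example of the pattern behind the mismatch: the role lookup is
    ' keyed on a username the app stored itself, so it keeps answering "Admin"
    ' after the forms ticket has expired.
    Private Function CanSeeAdminArea_Unsafe() As Boolean
        Dim storedName As String = CStr(Session("username"))
        Return Not String.IsNullOrEmpty(storedName) AndAlso Roles.IsUserInRole(storedName, "Admin")
    End Function

    ' Hardened: key the check on the principal FormsAuthenticationModule built from
    ' a still-valid ticket. An expired ticket leaves the request anonymous, so
    ' IsAuthenticated is False and no role lookup happens at all.
    Private Function CanSeeAdminArea() As Boolean
        Dim p As IPrincipal = Me.User
        If p Is Nothing OrElse Not p.Identity.IsAuthenticated Then Return False
        Return p.IsInRole("Admin")
    End Function

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        If Not CanSeeAdminArea() Then FormsAuthentication.RedirectToLoginPage()
    End Sub

    ' Logout tears down the ticket, the cached roles cookie and the session
    ' together, so that none of them survives the others.
    Protected Sub SignOutCompletely()
        FormsAuthentication.SignOut()
        Roles.DeleteCookie()
        Session.Abandon()
        FormsAuthentication.RedirectToLoginPage()
    End Sub
End Class
```

Pair this with an `<authorization>` section for the secured folder (allow the role, deny everyone else) so the framework, not page code, is the first gate.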
