Authentication ticket

Hello,

I am trying to develop custom form based authentication with active directory with asp.net 2.0 platform. I am having difficulty trying to implement security model. Here is what my senerio is:

After authentication from AD I want to be able to create a custom authentication ticket in which i can save additional information about user other than roles and authenticated usre id, such as the organization name of the user etc.

I realize that I could use sessions to keep additional info but to me that option is the last thing i want to use.

I have done some research on Iprinciple but it seems that you can only add user name and role informaion to that object.

Can some one please give me some direction.

Hi Anjummir,

When you create a custom IPrincipal object you must also create a custom IIdentity object. The IIdentity object represents your actual user, whereas the IPrincipal object represents the security context of that user.

The IIdentity object is part of the IPrincipal object.
The IIdentity object can hold extra details about your user.
The IPrincipal object is used to determine what roles/rites the user has...in order to determine what the user is and is not allowed to do.

Does this make sense??

Anyway, if you just want to store a couple of things in the authentication cookie there is a property that you can use when creating the cookie for storing extra details too. This property is called "UserData" and it stores a string containing whatever you would like.

Just be aware that it is less secure to store this extra information in the cookie as apposed to storing it in an IPrincipal (IIdentity) object. Determine how sensitive this extra user information is and place it accordingly.

-Frinny

Thank you very much Frinny for your response. I really want to user Iprincliple. I was just wondering if i can get hold of some sample code? or may be a link?

Hi Anjummir,

When you create a custom IPrincipal object you must also create a custom IIdentity object. The IIdentity object represents your actual user, whereas the IPrincipal object represents the security context of that user.

The IIdentity object is part of the IPrincipal object.
The IIdentity object can hold extra details about your user.
The IPrincipal object is used to determine what roles/rites the user has...in order to determine what the user is and is not allowed to do.

Does this make sense??

Anyway, if you just want to store a couple of things in the authentication cookie there is a property that you can use when creating the cookie for storing extra details too. This property is called "UserData" and it stores a string containing whatever you would like.

Just be aware that it is less secure to store this extra information in the cookie as apposed to storing it in an IPrincipal (IIdentity) object. Determine how sensitive this extra user information is and place it accordingly.

-Frinny

Thank you very much Frinny for your response. I really want to user Iprincliple. I was just wondering if i can get hold of some sample code? or may be a link?

Check out MSDN (that's where I found my information on the Principal and IIdentity objects when I first started developing custom log-ins)

See:

• Principal and Identity Objects
• Walkthrough: Implementing Custom Authentication and Authorization

Happy Coding!

-Frinny

I fianally got it working now here is another challenge. lets say we have one web app opened with an authentication ticket in one browser lets call it browser A. Now from browser A client opens up another window, lets call it B, and we want to keep user authenticated for windonw B with the same signon expet one things lets say the location of the user.

Please advise if i can have two simultaneous Iprincilpe objects with the different browsers on the same machine? if not what are my choices?

I fianally got it working now here is another challenge. lets say we have one web app opened with an authentication ticket in one browser lets call it browser A. Now from browser A client opens up another window, lets call it B, and we want to keep user authenticated for windonw B with the same signon expet one things lets say the location of the user.

Please advise if i can have two simultaneous Iprincilpe objects with the different browsers on the same machine? if not what are my choices?

The only way you can have 2 IPrincipal objects is to have 2 different flavors of browsers open at the same time.

Eg. You have it open in Internet Explorer and then open it again in Fire Fox.

Your authentication ticket is issued to the browser and stored as a cookie. These cookies are shared amongst every instance of the browser flavor you are issuing it to.

-Frinny

having two flavours of browsers is not an option. can you think of any other solution to it? i mean having two different sessions on the same machine?

in other words how can i have one variable that has the same variable name but two different values for two different browsers?

in other words how can i have one variable that has the same variable name but two different values for two different browsers?

I'm not sure what you're trying to do here?
Could you explain this in more detail....

having two flavours of browsers is not an option. can you think of any other solution to it? i mean having two different sessions on the same machine?

You can't have two different sessions for the same user (the same web browser).
If a user logs into your system, they are logged in, they'd have to log out to allow another user use the system. You have 1 session per person logged in...

If you explain what you are trying to do in more detail maybe I can help you find the solution to your problem. Right now I'm not sure what you are trying to do.

-Frinny

I believe I'm attempting to do something similar here. I have a web app with forms authentication. What I need is for a user to have multiple instances of IE open and logged in to my system with different username/password credentials. I know it sound odd but I'll save you the details. Just need to be able to have two instances going at the same time while maintaining seperate tickets (ticket has credential info such as roles and db connected to).
Currently, user can do this. The problem is that it appears the tickets are being shared between instances. That is to say, user logs into dbA in one browser and then into dbB in another browser. works fine at first but occassionally, as user clicks around simultaneously in the two apps comparing data, suddently the first browser that started with dbA gets dbB ticket....
I can't seem to create a custom ticket name dynamically b/c the ticketname is defined in the config file.
Thanks for any help

I believe I'm attempting to do something similar here. I have a web app with forms authentication. What I need is for a user to have multiple instances of IE open and logged in to my system with different username/password credentials. I know it sound odd but I'll save you the details. Just need to be able to have two instances going at the same time while maintaining seperate tickets (ticket has credential info such as roles and db connected to).
Currently, user can do this. The problem is that it appears the tickets are being shared between instances. That is to say, user logs into dbA in one browser and then into dbB in another browser. works fine at first but occassionally, as user clicks around simultaneously in the two apps comparing data, suddently the first browser that started with dbA gets dbB ticket....
I can't seem to create a custom ticket name dynamically b/c the ticketname is defined in the config file.
Thanks for any help

I haven't had that problem in IE before...
I could see this occurring if you were using FireFox because only one instance is ever running at a time.

The problem with what you're doing here is that even separate running instances of a browsers may share the same cookies...therefore you may be able to log in using one instance, then again with another instance but as soon as you try to do anything in the first one you'll actually be using the log in from the second.

-Frinny