Appplication_AuthenticateRequest

[Peter Morris]

Hi all

First I want to say that I don't want to implement the membership providers.
I'm writing some specific documentation, and those come into it later

I am using Forms authentication in a website. I want access to different
areas based on roles. When the user logs in I determine their roles as a
string[]. The problem is that to set those roles for Forms authentication I
need to create the new System.Security.Principal.GenericPrincipal in
Application_AuthenticateRequest.

The problem with this is that the Session[] is null. In the past I have
stored the role information in Application[], but if I want to move my
session state into a DB so that my site can be farmed my Application[] will
not get carried across will it?

So, what should I do?


Thanks

Pete

 

[Peter Morris]

Looks like I will have to store it in a DB.

 

[Peter Bromberg [C# MVP]]

If you are using Forms Authentication, you can create the Forms ticket
programmatically and store the user's role(s) info as a delimited string in
the userData property of the ticket. Since this is serialized into the Forms
auth cookie and can be read back out on each request, there is no need for
Session.
-- Peter
Site: http://www.eggheadcafe.com
UnBlog: http://petesbloggerama.blogspot.com
Short Urls & more: http://ittyurl.net

 

[Peter Morris]

Where does that get stored between requests?

 

[Peter Bromberg [C# MVP]]

In the forms cookie. here's an article with some sample code:
http://www.eggheadcafe.com/articles/20020906.asp
Peter

Site: http://www.eggheadcafe.com
UnBlog: http://petesbloggerama.blogspot.com
Short Urls & more: http://ittyurl.net

 

[Peter Morris]

It's as I thought, the roles are stored in a cookie on the client. Just how
safe is this against modification?

Pete