Forms authentication - credential store

  • Thread starter Thread starter Martin
  • Start date Start date
M

Martin

Dear fellow ASP.NET programmer,

I stared using forms authentication and temporarily used a <credentials> tag
in web.config. After I got it working I realized this wasn't really
practical. I cannot write to web.config so I cannot dynamically update the
credentials while the site is up. Since the
FormsAuthentication.Authenticate() method's documentations claims the
following:

"Attempts to validate the credentials against those contained in the
configured credential store, given the supplied credentials."

I figured it wouldn't be too hard to by-pass the retrieval of credentials to
some other source and that it could probably be done declaratively in
web.config. Well I still hope this is the case but I cannot find anything
about it anywhere except a couple more references that state that it is very
easy to do so. If anyone actually knows how I sure would like to know.

I have my own xml fle with credentials now. My problem is that, since I am
authenticating myself and do not use
FormsAuthentication.Authenticate() anymore, the user name is no longer
available from the read-only property httpContext.Current.User.Identity.Name
which was pretty nice. I can of course store my user name in some session
variable but this doesn't seem right, I want to do this properly.

I am also confused about the authentication cookie. Is it in any way related
to the session cookie or are sessions and authentication sessions separate,
independent animals?

Martin.
 
Here's bit of forms authentication from my project

// Register.aspx.cs - register and log user the first time

private void btnRegister_Click(object sender, System.EventArgs e)
{
if(Page.IsValid)
{
FormsAuthentication.Initialize();
UserDetail myUser = new UserDetail();
myUser.Email = txtEmail.Text;
myUser.PasswordHash =
FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Text,
"md5");
UsersDB myUserDB = new UsersDB();

bool UserAdded = myUserDB.SetUserInfo(ref myUser);
if(UserAdded == false)
{
lblUserExists.Visible = true;
return;
}
else
{
LoggedUserInfo myUserInfo = myUserDB.GetRoles(myUser.Email,
myUser.PasswordHash);
if(myUserInfo.Role != null && myUserInfo.Role != "")
{
Security.SetUserInfo(myUserInfo, false);
// Redirect to the requested URL
string returnURL;
if(ViewState["returnURL"] != null)
returnURL = (string)ViewState["returnURL"];
else
returnURL = "/";

Response.Redirect(returnURL);
}
}
}
}

----------------------------------------------------------------------------
------------------
// Security.cs containing Security Class // used to set the authentication
ticket and cookie
public static void SetUserInfo(LoggedUserInfo myUser, bool persistant)
{
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket
(
1, // Ticket Version
myUser.UserID + ", " + myUser.Name, // UserName associated with the
ticket
DateTime.Now, // Date time issued
DateTime.Now.AddMinutes(30), // date time to expire
persistant, // cookie persistance
myUser.Role, // user data
FormsAuthentication.FormsCookiePath // cookie path configured
);
// Encrypt the cookie using machine key for secure transport
string hash = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
hash);


// set cookie's expiration time to ticket's expiration time
if(ticket.IsPersistent)
cookie.Expires = ticket.Expiration;
HttpContext.Current.Response.Cookies.Add(cookie);
}

----------------------------------------------------------------------------
---------------------
// Login.aspx - Log user in
private void btnLogin_Click(object sender, System.EventArgs e)
{
if(Page.IsValid)
{
FormsAuthentication.Initialize();
UsersDB myUser = new UsersDB();

string email, passwordHash;
email = txtEmail.Text;
passwordHash =
FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Text,
"md5");
LoggedUserInfo myUserInfo = myUser.GetRoles(email, passwordHash);
if(myUserInfo.Role != null && myUserInfo.Role != "")
{
Security.SetUserInfo(myUserInfo, chkRememberMe.Checked);

// Redirect to the requested URL
string returnURL;
if(ViewState["returnURL"] != null)
returnURL = (string)ViewState["returnURL"];
else
returnURL = "/";

Response.Redirect(returnURL);
}
else
{
lblErrorMsg.Text = "UserName / Password Incorrect Please try again.";
}
}

}

----------------------------------------------------------------------------
---------------------------------
// Web.config file
// under configuration >> system.web
<authentication mode="Forms">
<forms name=".ASPXAUTH"
loginUrl="Login.aspx"
timeout = "30"
slidingExpiration="true"
protection="All"
path="/" />
</authentication>

----------------------------------------------------------------------------
----------------------------------
// Last but not the least....
// Global.asax.cs
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
if(HttpContext.Current.User != null)
{
if(HttpContext.Current.User.Identity.IsAuthenticated)
{
if(HttpContext.Current.User.Identity is FormsIdentity)
{
FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
FormsAuthenticationTicket ticket = id.Ticket;

// get data stored in cookie
string userData = ticket.UserData;
string[] roles = userData.Split(',');
HttpContext.Current.User = new GenericPrincipal(id, roles);
}
}
}
}
----------------------------------------------------------------------------
--------

should be working now.. i can access my user info using
HttpContext.Current.User
can validate whether user is in a particular role or what his name is or his
id is.

hope this helps... know its a long post but didnt have an option...
 
should be working now.. i can access my user info using
HttpContext.Current.User can validate whether user is in
a particular role or what his name is or his id is.
hope this helps... know its a long post but didnt have an option...
Click to expand...

Yeah, well... Seems like a lot of fix-ups, you are doing the things I would
expect ASP.NET to be doing.

You are redirecting manually instead of using
FormsAuthentication.RedirectFromLoginPage. The latter method seems to take
care of at least putting the user name into
HttpContext.Current.User.Identity.Name.

Thanks for the example.

Regards, Martin.
 
the reason i am doing a whole lot of things is taht i would like to put in
stuff i want inside the authentication ticket...
and for that reason i have to create the ticket myself...

if i use RedirectFromLoginPage... it replaces the ticket... which kinda
compounds my problem...
plus that ticket is indeed important... using it across two applications....
:)
 
Back
Top