Re: Best Authentication Provider
From: David Lozzi (dlozzi_at_(removethis)delphi-ts.com)
Date: 07/20/05
- Next message: CalSun: "The server is not operational"
- Previous message: Jimmy Jazz: "Re. Global.Asax not working Server Side"
- In reply to: Dominick Baier [DevelopMentor]: "Re: Best Authentication Provider"
- Next in thread: David Lozzi: "Re: Best Authentication Provider"
- Reply: David Lozzi: "Re: Best Authentication Provider"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 20 Jul 2005 14:06:54 -0400
Thank you for your help! It helped a lot. I got my sample app here:
users are redirected to login.aspx. After entering username and password,
formsauthentication is taken care of and cookies and all that stuff. After
this is happy, it then redirects the user to default.aspx, at which point I
can pull the user's username (context.user.identity.name).
I can't seem to figure out how to pull the remaining information about the
user, security level, full name, email addy, etc. This is usually stored in
a session state but I see no session info in this. I can think of one
possible solution, and that would be to query the database every time I
needed this information. Is this a good idea? Is this better than a session
state?
Thanks!
David Lozzi
"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
wrote in message news:621141632574614842703824@news.microsoft.com...
> Hello David,
>
> inline
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> Howdy,
>>
>> I've written a few apps already and I have done custom authentication
>> like so: prompt for user name and password, verify information against
>> SQL table, then load returned username, ID, security, etc. into
>> session state. This works and frankly I'm not sure why I'm posting
>> this except for that I want to be 'correct' in my apps.
>>
>> I notice .Net supports Authentication Modes. Which is the better one
>> to use? I have a basic understanding of each provider and it appears
>> that the Forms Authentication Provider is the preferred method? Using
>> Forms, how do I specify the database table in SQL to use? Also, once
>> validated, it loads the user information into a cookie for later
>> retrieval. Can I load more information into this cookie, like custom
>> security levels, etc. Currently, I basically have a range from 1
>> through 10 specifying security levels, will this still work or does
>> Forms process security itself?
>
> You do that manually - you have to provide a login page - and handle the
> login button click event - then you go to a datastore and validate
> credentials. The authentication cookie contains a 'UserData' field where
> you can store arbitrary additional information, e.g. Roles or what you
> call Security Levels. Upon each request then you create an IPrincipal
> implementation and attach it to the current thread.
>>
>> Same questions with Windows Auth. I've used Windows Auth in some
>> legacy ASP apps and was able to determine security levels by a user's
>> membership to domain groups. Does this provider work the same? How do
>> I read the security information?
>
> Regardless of what AuthType you use - the IPrincipal which is accessible
> through Page.User or Context.User contains an IsInRole("") method to query
> role membership.
>
> I have a full working example of FormsAuth on my blog - this should get
> you started. Feel free to ask more questions after you looked at the code.
> http://www.leastprivilege.com/PermaLink.aspx?guid=b0e51388-71d1-4a6f-98d0-bc8cfbec4c3a
>
>>
>> Eh, PassPort is cool but not necessary for me so I don't care enough
>> to ask.
>>
>> I've been reading through MSDN articles pertaining to these but my
>> questions can't seem to get answered with MS Docs. Any help and
>> clarity is greatly appreciated!
>>
>> Thanks!
>>
>> David Lozzi
>>
>
>
>
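
The pattern described in the quoted reply (role data carried in the ticket's UserData field, an IPrincipal rebuilt on each request), as an added C# example that is not code from this thread or from the linked blog post. `TicketHelper`, `IssueTicket`, the `|` delimiter and the 30-minute lifetime are assumptions made for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper: call from the login button handler AFTER the
// credentials have been validated against your own data store, then
// redirect with FormsAuthentication.GetRedirectUrl(userName, false).
public static class TicketHelper
{
    public static void IssueTicket(HttpResponse response, string userName, string[] roles)
    {
        // Roles (or "security levels") travel in UserData as a delimited string.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, String.Join("|", roles));

        // Encrypt() protects the ticket according to <forms protection="...">
        // in web.config; the default, "All", encrypts and integrity-checks it.
        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                          // property exists from .NET 2.0 on
        cookie.Secure = FormsAuthentication.RequireSSL;  // follow the web.config setting
        response.Cookies.Add(cookie);
    }
}

// Global.asax code-behind: rebuild the principal on every request.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal user = Context.User;
        if (user == null) return;                        // anonymous request

        // FormsAuthenticationModule has already decrypted and validated the
        // ticket; a tampered or expired cookie never reaches this point.
        FormsIdentity identity = user.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        string userData = identity.Ticket.UserData;
        string[] roles = userData.Length == 0 ? new string[0] : userData.Split('|');

        // From here on Page.User.IsInRole("...") answers from the ticket's roles.
        Context.User = new GenericPrincipal(identity, roles);
    }
}
```

Roles baked into the ticket stay in effect until the ticket expires, so the ticket lifetime bounds how quickly a role change or revocation in the database takes effect. Keep UserData small and limited to authorization data, since the whole ticket has to fit in a cookie.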