Re: Role-based authentication and Forms and System.UnauthorizedAccessException

From: wrecker (
Date: 08/19/05

Date: Fri, 19 Aug 2005 13:31:56 -0400

Hi Dominick,

Thanks for your help. Now I'm wondering if there is any way to access a user's roles if they have
cookies disabled? I suppose that I could pass roles on the query string and check them on page load
but there must be a more elegant way. For now I'll follow your suggestion and store the roles in a

Thanks again

On Thu, 18 Aug 2005 23:43:45 -0700, Dominick Baier [DevelopMentor]
<> wrote:

>Hello wrecker,
>I doubt your code is working fine. In AuthenticateRequest you don't have
>access to the Session as the SessionModule runs after this event....
>The common approach is to store the roles in the cookie. I have a sample
>on my blog for doing this:
>Dominick Baier - DevelopMentor
>> Hi all,
>> I'm trying to implement role-based authentication for the following
>> directory structure in my ASP.NET app.
>> login.aspx
>> Admin/
>> Members/
>> The web.config in my Admin directory is as follows
>> <configuration>
>>   <system.web>
>>     <authorization>
>>       <allow roles="Admin"/>
>>       <deny users="*"/>
>>     </authorization>
>>   </system.web>
>> </configuration>
>> When the user logs in using authentication mode set to Forms, they are
>> authenticated against a SQL table and then assigned a role
>> Dim roles() As String
>> If CurrentUser.IsAdministrator Then
>>     roles = New String() {"Admin", "Member"}
>> Else
>>     roles = New String() {"Member"}
>> End If
>> Where the roles string array is stored in the Session (although I've
>> also tried storing it in the cache object as well to try and solve my
>> problem)
>> In Global.asax Application_AuthenticateRequest I have
>> If (Not (HttpContext.Current.User Is Nothing)) Then
>>     If HttpContext.Current.User.Identity.AuthenticationType = "Forms" Then
>>         Dim id As System.Web.Security.FormsIdentity
>>         id = HttpContext.Current.User.Identity
>>         HttpContext.Current.User = New _
>>             System.Security.Principal.GenericPrincipal(id, roles)
>>         ' roles extracted from session
>>     End If
>> End If
>> My problem is that after a user having Administrator privileges logs
>> in and they try to access a page in the Admin directory they get a
>> System.UnauthorizedAccessException exception. I've debugged this and
>> the roles array does indeed have "Admin" and "Members" in it, but the
>> HttpContext.Current.User doesn't seem to contain this information,
>> even after assigning it the new principal (I can't find it in any
>> fields that are visible to the debugger) I've checked the permissions
>> on the directory and the ASP machine account has access to this
>> directory. I've been reading quite a few articles on role based
>> security (especially the ones from the Rolla guys) and they all seem
>> to use this approach. Why is this not working???
>> My test system is IIS5.1 on XP Pro using version 1.1 of the framework.
>> Thanks
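
Added example, not code from either poster or from the blog sample mentioned above: one way to carry the roles in the forms authentication cookie, as the reply suggests, and rebuild the principal in AuthenticateRequest without touching the Session. The class name RoleTicket, the "|" delimiter and the 30-minute lifetime are assumptions.

```vbnet
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

' Added example; the class name RoleTicket is hypothetical.
Public Class RoleTicket

    ' Call from login.aspx once the credentials have been checked
    ' against the SQL table and the roles array has been built.
    Public Shared Sub IssueTicket(ByVal userName As String, ByVal roles() As String)
        ' The roles travel in the ticket's UserData field as one delimited string.
        Dim ticket As New FormsAuthenticationTicket( _
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), _
            False, String.Join("|", roles))

        ' Encrypt() protects the ticket according to <forms protection="...">
        ' (default "All": encrypted and tamper-checked), so the browser
        ' holds the roles but cannot read or edit them.
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
                                     FormsAuthentication.Encrypt(ticket))
        HttpContext.Current.Response.Cookies.Add(cookie)
    End Sub

    ' Call from Application_AuthenticateRequest in Global.asax.
    ' By this point the forms authentication module has already decrypted
    ' the cookie and set context.User to a FormsIdentity-based principal.
    Public Shared Sub AttachRoles(ByVal context As HttpContext)
        If context.User Is Nothing Then Return
        If Not TypeOf context.User.Identity Is FormsIdentity Then Return

        Dim id As FormsIdentity = DirectCast(context.User.Identity, FormsIdentity)
        Dim userData As String = id.Ticket.UserData
        Dim roles() As String = New String() {}
        If Not userData Is Nothing AndAlso userData.Length > 0 Then
            roles = userData.Split("|"c)
        End If

        ' Authorization runs after this event and checks <allow roles="Admin"/>
        ' against this principal.
        context.User = New GenericPrincipal(id, roles)
    End Sub
End Class
```

After IssueTicket, redirect with Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, False)) rather than RedirectFromLoginPage, which issues its own ticket without the role data. Keep the role list short, since the whole encrypted ticket has to fit in one cookie.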
