Re: Role-based authentication and Forms and System.UnauthorizedAccessException

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 08/20/05


Date: Sat, 20 Aug 2005 00:11:39 -0700

Hello wrecker,

In 1.1, FormsAuth is totally dependent on cookies...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi Dominick,
>
> Thanks for your help. Now I'm wondering if there is any way to access a
> user's roles if they have cookies disabled? I suppose that I could
> pass roles on the query string and check them on page load, but there
> must be a more elegant way. For now I'll follow your suggestion and
> store the roles in a cookie.
>
> Thanks again
>
> On Thu, 18 Aug 2005 23:43:45 -0700, Dominick Baier [DevelopMentor]
> <dbaier@pleasepleasenospamdevelop.com> wrote:
>
>> Hello wrecker,
>>
>> I doubt your code is working fine. In AuthenticateRequest you don't
>> have access to the Session, as the SessionModule runs after this
>> event....
>>
>> The common approach is to store the roles in the cookie. I have a
>> sample on my blog for doing this:
>> http://www.leastprivilege.com/DevWeek2005PostConference.aspx
>>
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> Hi all,
>>>
>>> I'm trying to implement role-based authentication for the following
>>> directory structure in my ASP.NET app.
>>>
>>> login.aspx
>>> Admin/
>>> Members/
>>> The web.config in my Admin directory is as follows
>>> <configuration>
>>> <system.web>
>>> <authorization>
>>> <allow roles="Admin"/>
>>> <deny users="*"/>
>>> </authorization>
>>> </system.web>
>>> </configuration>
>>> When the user logs in using authentication mode set to Forms, they
>>> are authenticated against a SQL table and then assigned a role:
>>>
>>>     Dim roles() As String
>>>     If CurrentUser.IsAdministrator Then
>>>         roles = New String() {"Admin", "Member"}
>>>     Else
>>>         roles = New String() {"Member"}
>>>     End If
>>>
>>> where the roles string array is stored in the Session (although I've
>>> also tried storing it in the Cache object as well to try and solve my
>>> problem).
>>> In Global.asax Application_AuthenticateRequest I have:
>>>
>>>     If (Not (HttpContext.Current.User Is Nothing)) Then
>>>         If HttpContext.Current.User.Identity.AuthenticationType = "Forms" Then
>>>             Dim id As System.Web.Security.FormsIdentity
>>>             id = DirectCast(HttpContext.Current.User.Identity, _
>>>                             System.Web.Security.FormsIdentity)
>>>             ' roles extracted from session
>>>             HttpContext.Current.User = New _
>>>                 System.Security.Principal.GenericPrincipal(id, roles)
>>>         End If
>>>     End If
>>> My problem is that after a user having Administrator privileges logs
>>> in and they try to access a page in the Admin directory they get a
>>> System.UnauthorizedAccessException exception. I've debugged this and
>>> the roles array does indeed have "Admin" and "Members" in it, but the
>>> HttpContext.Current.User doesn't seem to contain this information,
>>> even after assigning it the new principal (I can't find it in any
>>> fields that are visible to the debugger). I've checked the permissions
>>> on the directory and the ASP machine account has access to this
>>> directory. I've been reading quite a few articles on role-based
>>> security (especially the ones from the Rolla guys) and they all seem
>>> to use this approach. Why is this not working???
>>> My test system is IIS 5.1 on XP Pro using version 1.1 of the
>>> framework.
>>>
>>> Thanks
>>>
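The approach Dominick refers to (roles stored in the forms authentication cookie, rebuilt into the principal in AuthenticateRequest), written out as an added example in VB.NET for ASP.NET 1.1. This is not Dominick's blog sample and not the poster's code. The LookupRoles placeholder, the helper class name, the "|" separator and the 30-minute ticket lifetime are assumptions; the "Admin"/"Member" role names and the Admin/ folder are the poster's.

```vbnet
' Added example, not from the thread or from Dominick's blog sample.
' Carries the roles inside the encrypted, signed FormsAuthenticationTicket
' (UserData) rather than in Session, which is not yet available in
' AuthenticateRequest. ASP.NET 1.1 / VB.NET 2003 syntax.
' Assumptions (not in the original post): LookupRoles is a placeholder for
' the poster's SQL check; class name, separator and lifetime are mine.
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

Public Class RoleTicketHelper

    ' UserData is a single string, so the role list is joined with "|".
    Private Const RoleSeparator As String = "|"

    ' Placeholder for the SQL lookup done on login.aspx (hypothetical).
    Public Shared Function LookupRoles(ByVal isAdministrator As Boolean) As String()
        If isAdministrator Then
            Return New String() {"Admin", "Member"}
        Else
            Return New String() {"Member"}
        End If
    End Function

    ' Call from login.aspx after the credentials check succeeds, instead of
    ' FormsAuthentication.RedirectFromLoginPage, which cannot set UserData.
    Public Shared Sub IssueTicket(ByVal response As HttpResponse, _
                                  ByVal userName As String, ByVal roles() As String)
        Dim issued As DateTime = DateTime.Now
        ' The roles are frozen in the ticket until it expires or is re-issued,
        ' so a demoted admin keeps "Admin" for at most this lifetime.
        Dim expires As DateTime = issued.AddMinutes(30)
        ' Version 1, non-persistent (browser-session cookie), roles in UserData.
        Dim ticket As New FormsAuthenticationTicket(1, userName, issued, expires, _
            False, String.Join(RoleSeparator, roles), FormsAuthentication.FormsCookiePath)

        ' Encrypt() applies the <forms protection="All"> default (encryption
        ' plus MAC under <machineKey>), so the browser cannot read or edit the
        ' role list, unlike roles passed on the query string.
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
                                     FormsAuthentication.Encrypt(ticket))
        cookie.Path = FormsAuthentication.FormsCookiePath
        response.Cookies.Add(cookie)
    End Sub

    ' Call from Global.asax Application_AuthenticateRequest:
    '     Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
    '         RoleTicketHelper.AttachPrincipal(HttpContext.Current)
    '     End Sub
    ' By then FormsAuthenticationModule has already validated the cookie and
    ' set a FormsIdentity with no roles; Session is still Nothing because
    ' SessionStateModule runs later, in AcquireRequestState.
    Public Shared Sub AttachPrincipal(ByVal context As HttpContext)
        If context.User Is Nothing OrElse Not context.User.Identity.IsAuthenticated Then
            Return   ' anonymous: UrlAuthorizationModule applies <deny users="*"/>
        End If
        If Not TypeOf context.User.Identity Is FormsIdentity Then
            Return   ' some other authentication mode; leave the principal alone
        End If

        Dim id As FormsIdentity = DirectCast(context.User.Identity, FormsIdentity)
        Dim roles() As String
        If id.Ticket.UserData Is Nothing OrElse id.Ticket.UserData.Length = 0 Then
            roles = New String() {}          ' ticket issued without roles
        Else
            roles = id.Ticket.UserData.Split(RoleSeparator.ToCharArray())
        End If

        ' Now <allow roles="Admin"/> in Admin/web.config can match, because
        ' UrlAuthorizationModule calls IPrincipal.IsInRole on this object.
        context.User = New GenericPrincipal(id, roles)
    End Sub
End Class
```

Two things worth checking before relying on this. First, the roles are only as trustworthy as the ticket protection: leave <forms protection="All"/> (the default) in place, and on a web farm set an explicit <machineKey> so every server can validate the MAC. Second, because the roles live in the ticket, changing a user's roles in SQL has no effect until the ticket is re-issued or expires, which is why the lifetime above is short. As Dominick notes, none of this works with cookies disabled in 1.1; the query-string alternative the poster considers would hand the role list to the client in the clear.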


