Re: Role-based authentication and Forms and System.UnauthorizedAccessException

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 08/30/05


Date: Tue, 30 Aug 2005 09:48:53 -0700

Hello Pat,

yes - you can now do cookieless forms authentication, similar to cookieless
sessions: the authentication ticket gets mangled into the URL. Needless to
say - I don't like that :)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> But has it changed in ASP.NET 2.0?
>
> "Dominick Baier [DevelopMentor]"
> <dbaier@pleasepleasenospamdevelop.com> wrote in message
> news:766747632601259878413456@news.microsoft.com...
>
>> Hello wrecker,
>>
>> in 1.1 - FormsAuth is totally dependent on cookies...
>>
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> Hi Dominick,
>>>
>>> Thanks for your help. Now I'm wondering if there is any way to access
>>> a users roles if they have cookies disabled? I suppose that I could
>>> pass roles on the query string and check them on page load but there
>>> must be a more elegant way. For now I'll follow your suggestion and
>>> store the roles in a cookie.
>>>
>>> Thanks again
>>>
>>> On Thu, 18 Aug 2005 23:43:45 -0700, Dominick Baier [DevelopMentor]
>>> <dbaier@pleasepleasenospamdevelop.com> wrote:
>>>
>>>> Hello wrecker,
>>>>
>>>> I doubt your code is working fine. In AuthenticateRequest you don't
>>>> have access to the Session as the SessionModule runs after this
>>>> event...
>>>>
>>>> The common approach is to store the roles in the cookie. I have a
>>>> sample on my blog for doing this:
>>>> http://www.leastprivilege.com/DevWeek2005PostConference.aspx
>>>>
>>>> ---------------------------------------
>>>> Dominick Baier - DevelopMentor
>>>> http://www.leastprivilege.com
>>>>> Hi all,
>>>>>
>>>>> I'm trying to implement role-based authentication for the
>>>>> following directory structure in my ASP.NET app.
>>>>>
>>>>> login.aspx
>>>>> Admin/
>>>>> Members/
>>>>>
>>>>> The web.config in my Admin directory is as follows:
>>>>>
>>>>> <configuration>
>>>>>   <system.web>
>>>>>     <authorization>
>>>>>       <allow roles="Admin"/>
>>>>>       <deny users="*"/>
>>>>>     </authorization>
>>>>>   </system.web>
>>>>> </configuration>
>>>>>
>>>>> When the user logs in using authentication mode set to Forms, they are
>>>>> authenticated against a SQL table and then assigned a role:
>>>>>
>>>>>   Dim roles() As String
>>>>>   If CurrentUser.IsAdministrator Then
>>>>>     roles = New String() {"Admin", "Member"}
>>>>>   Else
>>>>>     roles = New String() {"Member"}
>>>>>   End If
>>>>>
>>>>> Where the roles string array is stored in the Session (although I've
>>>>> also tried storing it in the cache object as well to try and solve my
>>>>> problem).
>>>>>
>>>>> In Global.asax Application_AuthenticateRequest I have
>>>>>
>>>>>   If (Not (HttpContext.Current.User Is Nothing)) Then
>>>>>     If HttpContext.Current.User.Identity.AuthenticationType = "Forms" Then
>>>>>       Dim id As System.Web.Security.FormsIdentity
>>>>>       id = HttpContext.Current.User.Identity
>>>>>       HttpContext.Current.User = New _
>>>>>         System.Security.Principal.GenericPrincipal(id, roles)
>>>>>       ' roles extracted from session
>>>>>     End If
>>>>>   End If
>>>>>
>>>>> My problem is that after a user having Administrator privileges logs
>>>>> in and they try to access a page in the Admin directory they get a
>>>>> System.UnauthorizedAccessException exception. I've debugged this and
>>>>> the roles array does indeed have "Admin" and "Members" in it, but the
>>>>> HttpContext.Current.User doesn't seem to contain this information,
>>>>> even after assigning it the new principal (I can't find it in any
>>>>> fields that are visible to the debugger). I've checked the permissions
>>>>> on the directory and the ASP machine account has access to this
>>>>> directory. I've been reading quite a few articles on role based
>>>>> security (especially the ones from the Rolla guys) and they all seem
>>>>> to use this approach. Why is this not working???
>>>>>
>>>>> My test system is IIS5.1 on XP Pro using version 1.1 of the
>>>>> framework.
>>>>>
>>>>> Thanks
>>>>>
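Dominick's suggested approach (roles carried inside the forms authentication cookie rather than in Session, so they are available when AuthenticateRequest fires) spelled out as an added example; this is not the sample from the blog post he links, and the `IssueTicket` helper name and the `;` role separator are this example's own choices. C# for ASP.NET 1.1, to sit in Global.asax.cs with the helper called from login.aspx.

```csharp
// Added example (C#, ASP.NET 1.1), not the sample from the linked blog post.
// Roles travel inside the encrypted, MAC-protected FormsAuthenticationTicket
// (its UserData field), so AuthenticateRequest never needs Session state.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Call from login.aspx after the SQL credential check succeeds.
    // IssueTicket and the ';' role separator are this example's own choices.
    public static void IssueTicket(HttpContext ctx, string userName,
                                   string[] roles, bool persistent)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            persistent, String.Join(";", roles), FormsAuthentication.FormsCookiePath);

        // Encrypt() also signs the ticket with the <machineKey> validation key,
        // so a client cannot promote itself to "Admin" by editing the cookie.
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.Secure = ctx.Request.IsSecureConnection; // keep it off plain HTTP
        if (persistent) cookie.Expires = ticket.Expiration;
        ctx.Response.Cookies.Add(cookie);
        // Do not use RedirectFromLoginPage here: it would overwrite this cookie.
        ctx.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, persistent));
    }

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || cookie.Value == null || cookie.Value.Length == 0)
            return;                                    // anonymous request

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; }                  // tampered or foreign cookie
        if (ticket == null || ticket.Expired) return;

        // Rebuild the principal on every request; <allow roles="Admin"/> in
        // Admin/web.config is evaluated against exactly this object.
        string[] roles = ticket.UserData.Split(';');
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```

Because UrlAuthorizationModule runs after AuthenticateRequest, the `<allow roles="Admin"/>` check in Admin/web.config sees the roles from the ticket; a role change only takes effect when a new ticket is issued, so keep the ticket lifetime short.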
