Re: Persist login does not work

From: Eric Marvets (ericm_at_bangproject.com)
Date: 05/24/04


Date: Sun, 23 May 2004 19:46:54 -0400

The Request.Cookies collection does not show the cookie expiration
information?

I don't know why it doesn't work. The whole Forms based authentication
system has some flaws in my opinion, but I don't know why the designers of
the framework built it the way they did. It does not follow the IIdentity
and IPrincipal authentication and authorization strategy that is used
throughout the rest of the framework. Maybe there were some performance or
size considerations involved.

I have taken a different approach to this in the past. I use Forms based
authentication the way all the samples show, using the RedirectFromLogin
page, which does persist the login info. For the username I use the UserID.
I use the UserID to create my custom IIdentity and IPrincipal objects and
attach them to the Thread.CurrentPrincipal property which will follow the
user around until that particular request is over.

Usually I have cached all the logged in users so I don't have to retrieve
the object so frequently from the database (doesn't work with a server farm,
in that case it's a database call every time). You could do the same, and if
it doesn't exist in the cache (persisted forms ticket from a few days ago),
then retrieve it from the database.

-- 
Eric Marvets
Principal Consultant
the bang project
<shameless self promotion>
Email sales@bangproject.com for Information on Our Architecture and
Mentoring Services
</shameless self promotion>
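
The approach described in the message above, sketched as an added example that is not part of the original post or the poster's code. AppIdentity, AppPrincipal, LoadFromStore, the in-memory Users table and the 10-minute cache lifetime are assumptions made for illustration; the forms ticket name is taken to be the UserID.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Caching;

public sealed class AppIdentity : IIdentity   // hypothetical custom identity
{
    public AppIdentity(string userId) { Name = userId; }
    public string Name { get; private set; }   // holds the UserID from the ticket
    public string AuthenticationType { get { return "Forms"; } }
    public bool IsAuthenticated { get { return true; } }
}

public sealed class AppPrincipal : IPrincipal   // hypothetical custom principal
{
    private readonly string[] roles;
    public AppPrincipal(string userId, string[] roles) { Identity = new AppIdentity(userId); this.roles = roles; }
    public IIdentity Identity { get; private set; }
    public bool IsInRole(string role) { return Array.IndexOf(roles, role) >= 0; }
}
public class Global : HttpApplication
{
    // Constructed stand-in for the user table; a real application queries its database here.
    static readonly Dictionary<string, string[]> Users = new Dictionary<string, string[]> { { "1001", new[] { "Member" } } };
    private static AppPrincipal LoadFromStore(string userId)
    {
        string[] roles;
        return Users.TryGetValue(userId, out roles) ? new AppPrincipal(userId, roles) : null;
    }

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Context.User was set from the forms ticket by FormsAuthenticationModule.
        if (Context.User == null || !Context.User.Identity.IsAuthenticated) return;
        string userId = Context.User.Identity.Name;
        string key = "principal:" + userId;
        IPrincipal principal = Context.Cache[key] as AppPrincipal;
        if (principal == null)   // cache miss, e.g. a persisted ticket from a few days ago
        {
            principal = LoadFromStore(userId);
            if (principal == null)   // account no longer exists: treat the request as anonymous
                principal = new GenericPrincipal(new GenericIdentity(""), new string[0]);
            else   // short absolute expiry so role changes and removals take effect
                Context.Cache.Insert(key, principal, null, DateTime.UtcNow.AddMinutes(10), Cache.NoSlidingExpiration);
        }
        Context.User = Thread.CurrentPrincipal = principal;
    }
}
```

The ASP.NET cache used here is per-process, which matches the server-farm limitation mentioned in the message.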

