Re: Persisting user login credentials across pages

From: Joe Fallon (jfallon1_at_nospamtwcny.rr.com)
Date: 02/21/05


Date: Sun, 20 Feb 2005 22:07:09 -0500

Siobhan,
In a large system the DB tends to be the bottleneck so you want to access it
only when truly needed.
You can always add more web servers to handle the load. Scaling the DB is
quite a bit trickier.

So you need to use Forms Authentication to authenticate a given UID and PWD
combination. These values can be in your DB and you need to look them up and
verify that the typed in values match the ones in the DB. (Note that the
connection string for your DB has nothing to do with this. You use those
credentials to make the connection and take advantage of the connection
pool. You do NOT vary the connect string with each user as this is a true
scalability killer.)

Sample code requires you to have a login method on your Principal class
(which calls your Identity class).

      mUser.Login(txtUserId.Text, txtPassword.Text)
      mUser = CType(Thread.CurrentPrincipal, myUser)

      If mUser.Identity.IsAuthenticated = True Then
        HttpContext.Current.User = mUser
        Session("myPrincipal") = mUser
        Web.Security.FormsAuthentication.RedirectFromLoginPage(txtUserId.Text, False)
      Else
        'do something else
      End If

I use code like this in my Global.asax file to re-use the principal value on
each hit:

  Private Sub Global_AcquireRequestState(ByVal sender As Object, ByVal e As System.EventArgs) _
      Handles MyBase.AcquireRequestState

    If Not Session("myPrincipal") Is Nothing Then
      Thread.CurrentPrincipal = DirectCast(Session("myPrincipal"), myUser)
      HttpContext.Current.User = DirectCast(Session("myPrincipal"), myUser)
    Else
      If Thread.CurrentPrincipal.Identity.IsAuthenticated = True Then
        Web.Security.FormsAuthentication.SignOut()
        Server.Transfer(Request.ApplicationPath + "/Login.aspx")
      End If
    End If

  End Sub

Rocky Lhotka explains these concepts very well in his book on Business
Objects.
http://www.lhotka.net/ArticleIndex.aspx?area=CSLA%20.NET

-- 
Joe Fallon
"Siobhan" <Siobhan@discussions.microsoft.com> wrote in message 
news:80905982-FCCE-4917-878A-7F0BFFC88135@microsoft.com...
> Hi
> Yes this is what we have done before but we are passing the data using a
> session variable and I had just been worried about the implications of this.
> I am not sure how Forms authentication would work - the sample using
> passwords on the site you recommended had passwords stored in the config file
> - we are using SQL Server authentication to authenticate users.  Or maybe I
> am getting confused as to what you meant.  I think I understand the concept
> of setting the authorisation cookie etc, but I didn't know if this could be
> used to store the password that they entered on the login page, or if it
> could, would it be safe?
> Thanks
> Siobhan
>
> "Wilco Bauwer" wrote:
>
>> Sorry, I meant Sparky Arbuckle.
>>
>> Siohban: you can place those textboxes in a usercontrol, such as
>> Login.ascx. You can place this login control on a login page. If you
>> lookup how forms authentication works, it should be fairly
>> straightforward to figure out how to get information based on a user's
>> ID. Such a user ID can be persisted across pages (using sessions).
>>
>> 
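The pattern Joe describes, carried through so that the typed password never reaches the auth cookie or Session (the safety question Siobhan raises), as an added VB.NET example that is not code from this thread or from CSLA .NET. It assumes a hypothetical Users(UserId, Salt, PwdHash) table holding PBKDF2 hashes, one pooled connection string from config, and a constructed role list.

```vb
' Global.asax code-behind (added example, not the post's code).
Imports System.Data.SqlClient
Imports System.Security.Cryptography
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security
Public Class [Global]
    Inherits HttpApplication
    ' Called once from Login.aspx: look the user up, verify the typed password against
    ' the stored salted hash, and issue a forms-auth ticket that carries only the user name.
    Public Shared Function TryLogin(ByVal userId As String, ByVal password As String, ByVal connStr As String) As Boolean
        Dim salt As Byte() = Nothing, storedHash As Byte() = Nothing
        Using cn As New SqlConnection(connStr) ' same pooled connection for every user
            Using cmd As New SqlCommand("SELECT Salt, PwdHash FROM Users WHERE UserId = @u", cn)
                cmd.Parameters.AddWithValue("@u", userId) ' parameterised, never concatenated
                cn.Open()
                Using rdr As SqlDataReader = cmd.ExecuteReader()
                    If Not rdr.Read() Then Return False
                    salt = CType(rdr("Salt"), Byte())
                    storedHash = CType(rdr("PwdHash"), Byte())
                End Using
            End Using
        End Using
        Dim kdf As New Rfc2898DeriveBytes(password, salt, 10000) ' PBKDF2, assumed storage scheme
        If Not FixedTimeEquals(kdf.GetBytes(storedHash.Length), storedHash) Then Return False
        FormsAuthentication.SetAuthCookie(userId, False) ' encrypted, signed ticket; name only
        Return True
    End Function
    ' Compare every byte so response time does not reveal how much of the hash matched.
    Private Shared Function FixedTimeEquals(ByVal a As Byte(), ByVal b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function
    ' Every hit, after FormsAuthenticationModule has validated the ticket: rebuild the
    ' principal from the ticket rather than a Session slot. Roles would come from a cached
    ' DB lookup keyed by user name; a constructed list stands in for that here.
    Protected Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        If Context.User Is Nothing Then Return ' anonymous request, no ticket presented
        Dim id As FormsIdentity = TryCast(Context.User.Identity, FormsIdentity)
        If id IsNot Nothing AndAlso id.IsAuthenticated Then
            Context.User = New GenericPrincipal(id, New String() {"User"})
        End If
    End Sub
End Class
```

Because the ticket holds only the user name and is validated by the framework on each request, a stolen Session entry or cookie never yields the password, and no per-user connection string is needed.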

