[.NET 1.1] Authentication and cookies clarifications
- From: Nicola Farina <"sciagu[nospam]"@libero.it>
- Date: Fri, 20 Jan 2006 18:57:29 +0100
Hi all,
I'm testing ASP.NET 1.1 authentication and cookie features, and I've read tons of tutorials and articles about this, but not everything is clear to me.
My goal is to create a basic site with an authentication process, like my other ASP 3.0 sites that I developed with classic session variables to follow each user with some personal data (like role, e-mail address, preferences, etc.).
In .NET 1.1 I understand the basic web.config settings with the <authentication> node and <authorize> and so on... I've tested the global.asax "onauthenticationrequest" to cast an identity to a principal in order to use the "isInRole" property, but this hint does not solve the problem of saving some other data in temporary memory so as not to access the database every time. Also, I want to use a database table for storing my users' data, including their role in this application.
My questions are:
1) If I use a database table, can I use "If FormsAuthentication.Authenticate(txtUsername.Text, txtPassword.Text) Then ..."? (I don't think so; I think this is only possible with user and password definitions in web.config, so I have to check the value with an "IF statement" against the relative values from my datareader.)
2) How can I manage roles efficiently? I don't want to ask the database for the user credentials on every page access... I've tried a trick of adding the role value to the user name as ":rolevalue" and then retrieving the relative values with a substring method (in this case I can pass the user name and role simply, but I can't pass other information efficiently).
2.1) Can I use temporary cookies to store this information?
2.2) Can I eventually encrypt these cookies (are there some built-in .NET functions?)
2.3) Can I use session variables? Many people say that it is not a good idea...
3) Is there a way to add other values to the cookie that ASP.NET generates for authentication? Or do I have to set another cookie for that? I see that this auto-generated cookie is encrypted, so it would be a good and simple possibility for my goals ;-)
4) I've tried to set up a clear-text cookie like this:

    If FormsAuthentication.Authenticate(txtUsername.Text, txtPassword.Text) Then
        ' Separate plain-text cookie carrying the role value
        Dim cook As New HttpCookie("trialcookie")
        cook.Values.Add("role", "1")
        Response.Cookies.Add(cook)
        ' Issue the (non-persistent) forms authentication cookie and redirect
        FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, False)
    End If

but in the protected page, now visible after this authentication, I can't see the "role" value of the cookie... why?
5) If I have two subdirectories "users" and "admins" (each containing specific content pages), and if I can't manage groups in web.config with forms authentication, how can I deny access to these specific directories? I think I have to add code in the "load" event of each page to check the user role (taken from cookies, session variables or other suggestions, see the questions above); in fact, I can't use the <location> node to specify group roles...
Many thanks for your patience; I think that this post can be useful for other .NET newbie developers like me :-).
Nicola .