Re: [.NET 1.1] Authentication and cookies clarifications


Nicola, here is a good article (which uses a database to store its
roles and secures directories):
http://www.codeproject.com/aspnet/formsroleauth.asp
Hope this helps
Patrick
**Any more questions, please do post them


"Nicola Farina" <"sciagu[nospam]"@libero.it> wrote in message
news:OevX#reHGHA.3120@xxxxxxxxxxxxxxxxxxxxxxx
> Hi all,
>
> I'm testing ASP.NET 1.1 authentication and cookie features, and I've
> read tons of tutorials and articles about this, but not everything is
> clear to me.
>
> My goal is to create a basic site with authentication process, like my
> other ASP 3.0 sites that I developed with classical session variables to
> follow each user with some personal data (like role, e-mail address,
> preferences, etc.).
>
> In .NET 1.1 I understand the basic web.config settings with the
> <authentication> node and <authorize> and so on... I've tested the
> global.asax "onauthenticationrequest" to cast an identity to a principal
> in order to use the "isInRole" property, but this hint does not solve the
> problem of saving some other data in temporary memory so as not to access
> the database every time; also, I want to use a database table for storing
> my users' data, including their role in this application.
>
> My questions are:
>
> 1) if I use a database table, can I use "If
> FormsAuthentication.Authenticate(txtUsername.Text, txtPassword.Text)
> Then ..."? (I don't think so, I think this is only possible with users
> and passwords definition on web.config, so I've to check with an "IF
> statement" the value with my datareader relative values.)
>
> 2) How can I manage roles efficiently? I don't want to ask the database
> for the user credentials on every page access... I've tried a trick of
> appending the role value to the user name as ":rolevalue" and then
> retrieving the relative values with a substring method (in this case I can
> pass user name and role simply, but I can't pass other information
> efficiently).
>
> 2.1) Can I use temporary cookies to store this information?
> 2.2) Can I eventually encrypt these cookies (are there some built-in .NET
> functions?)
> 2.3) Can I use session variables? Many people say that is not a good
> idea...
>
> 3) Is there a way to add other values to the cookie that ASP.NET generates
> for authentication? Or do I have to set another cookie for that? I see that
> this auto-generated cookie is encrypted, so it would be a good and
> simple possibility for my goals ;-)
>
> 4) I've tried to set up a clear-text cookie in the meaning of:
> If FormsAuthentication.Authenticate(txtUsername.Text, txtPassword.Text) Then
> Dim cook As New HttpCookie("trialcookie")
> cook.Values.Add("role", "1")
> Response.Cookies.Add(cook)
> FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, False)
> End If
> but in the protected page, now visible after this authentication, I
> can't see "role" value of the cookie... why?
>
> 5) If I've two subdirectories "users" and "admins" (each containing
> specific content pages), and if I can't manage groups in web.config with
> forms authentication, how can I deny access to these specific
> directories? I think I've to add code at the "load" event of each page to
> check the user role (taken from cookies, session variables or other
> suggestions, see the questions above); in fact, I can't use the <location>
> node to specify group roles...
>
>
> Really, thanks for your patience, I think that this post can be useful
> for some other .NET newbie developers like me :-).
>
> Nicola
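
Added example, not part of the original thread or of the linked article: one way to carry database roles inside the forms-authentication ticket itself (questions 2, 3 and 5 above), in VB.NET for ASP.NET 1.1. The class and method names, the 30-minute lifetime and the "|" separator are assumptions; `roles` is whatever your own users table returned after you verified the password.

```vb
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

' Added example: TicketRoles, IssueTicket and AttachRoles are hypothetical names.
Public Class TicketRoles

    ' Login page: call only after the password has been checked against the
    ' users table. roles() comes from that same lookup; role names must not
    ' contain the "|" separator.
    Public Shared Sub IssueTicket(ByVal ctx As HttpContext, _
                                  ByVal userName As String, _
                                  ByVal roles As String())
        ' The roles travel in UserData. FormsAuthentication.Encrypt protects
        ' the whole ticket according to the protection attribute of <forms>
        ' (default "All": encrypted and validated), so the client cannot
        ' read or alter the role list the way it could a clear-text cookie.
        Dim ticket As New FormsAuthenticationTicket( _
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), _
            False, String.Join("|", roles))

        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
                                     FormsAuthentication.Encrypt(ticket))
        cookie.Path = FormsAuthentication.FormsCookiePath
        ctx.Response.Cookies.Add(cookie)

        ' Replaces RedirectFromLoginPage, which would overwrite the cookie
        ' with a ticket that has no UserData.
        ctx.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, False))
    End Sub

    ' Global.asax: call from Application_AuthenticateRequest on every request.
    ' No database access is needed; the roles are read back from the ticket
    ' that the forms authentication module has already decrypted.
    Public Shared Sub AttachRoles(ByVal ctx As HttpContext)
        If ctx.User Is Nothing Then Return
        If Not TypeOf ctx.User.Identity Is FormsIdentity Then Return

        Dim id As FormsIdentity = DirectCast(ctx.User.Identity, FormsIdentity)
        Dim roles As String() = New String() {}
        If id.Ticket.UserData.Length > 0 Then
            roles = id.Ticket.UserData.Split("|"c)
        End If
        ctx.User = New GenericPrincipal(id, roles)
    End Sub
End Class
```

Once the principal carries the roles, `User.IsInRole` works in page code, and `<allow roles="..."/>` rules inside a `<location>` element of web.config are evaluated against the same list.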

