
Storing Roles in a cookie


whatsthehampton (Programmer), Sep 13, 2005
Dear all,

I am bringing out my roles in my global.asax like so:

Code:
Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)

    If Request.IsAuthenticated Then

        ' Look the user's roles up in the database (this runs on every request)
        Dim _cnn As New SqlConnection(BST.JBXEL.DataManager.constr)
        Dim cmd As New SqlCommand("BST_sp_GetUserRoles", _cnn)
        cmd.CommandType = CommandType.StoredProcedure

        Dim paramUserID As New SqlParameter("@userid", SqlDbType.Int)
        paramUserID.Value = HttpContext.Current.User.Identity.Name
        cmd.Parameters.Add(paramUserID)

        _cnn.Open()
        ' CloseConnection: the connection is closed when the reader is closed
        Dim dr As SqlDataReader = cmd.ExecuteReader(CommandBehavior.CloseConnection)

        Dim roleList As New ArrayList
        Do While dr.Read()
            roleList.Add(dr("RGroupName"))
        Loop
        dr.Close()

        Dim roleListArray As String() = CType(roleList.ToArray(GetType(String)), String())

        ' Replace the principal with one that carries the roles so User.IsInRole works
        HttpContext.Current.User = _
            New GenericPrincipal(User.Identity, roleListArray)

    End If

End Sub

But this is hitting the database on every page request.
How can I issue a cookie or ticket to store these roles please?

I have looked all over the place but am having trouble with a FormsAuthentication ticket accepting my 'roleListArray'.

All help most appreciated

Regards,

j


 
Let me ask you this: What happens if someone notices that you're storing security-related info in a cookie, and manipulates it (since it's stored on their local machine) to grant themselves super-user privileges?

Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first
 
Good question chiph!

Wouldn't I encrypt the cookie though?

If this is a security flaw then should I be storing the roles in session? I'm not sure how to do this from an array.

Many thanks,
j

 
Is it hitting that code on ANY page request, not just your "login" page?
As for the roles, I would store them in a session variable.

Jim
 
Jim thanks,

Does 'Application_AuthenticateRequest' not get called on every page request? (I'm not sure, I was led to believe it was).

Sessions sound like the way to go for me, but how do I put an array into session and then call it later?

Apologies in advance!

Cheers,
j



 
'Set session var (any array can be stored; Session holds it as Object)
Session("Roles") = roles

'Get the session var back, casting it to the array type you stored
Dim roles As String() = CType(Session("Roles"), String())
 
If you want to learn how to do this go here and download one of the starter kits (issue or time tracker are good examples) in VB.NET. Focus on the Global.asax, Security.vb and CustomPrincipal.vb files. Once you have a handle on the basics you can roll your own authentication. They're also decent examples of using a business tier and data access tier, keeping all that messy System.Data.SqlClient code off your code-behind pages.


Vince
 
Thanks all and Veep,

Yes, I looked at the Portal starter kit and am storing the roles in a forms auth ticket like so:

Code:
Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)

    If Request.IsAuthenticated Then

        Dim roles() As String

        If Request.Cookies("roles") Is Nothing Then ' no roles cookie yet: query once and issue one

            Dim _user As New BST.JBXEL.UsersDB()
            roles = _user.getUserRoles(User.Identity.Name) ' from business class

            ' Join with ";" and no trailing separator, so Split does not yield an empty role later
            Dim roleStr As String = String.Join(";", roles)

            ' FormsAuthentication encrypts and MAC-protects the ticket with the <machineKey>,
            ' so a cookie edited on the client fails to decrypt instead of granting roles
            Dim ticket As New FormsAuthenticationTicket(1, _
                Context.User.Identity.Name, _
                DateTime.Now, _
                DateTime.Now.AddHours(1), _
                False, _
                roleStr)

            Dim cookieStr As String = FormsAuthentication.Encrypt(ticket)

            ' Roles are cached for the cookie lifetime: a role revoked in the database
            ' stays effective until this cookie expires
            Response.Cookies("roles").Value = cookieStr
            Response.Cookies("roles").Path = "/"
            Response.Cookies("roles").Expires = DateTime.Now.AddMinutes(30)

        Else ' get from cookie

            Dim ticket As FormsAuthenticationTicket = _
                FormsAuthentication.Decrypt(Context.Request.Cookies("roles").Value)

            If ticket Is Nothing OrElse ticket.Expired Then
                ' Tampered or stale ticket: grant no roles and drop the cookie so it is rebuilt
                roles = New String() {}
                Response.Cookies("roles").Expires = DateTime.Now.AddDays(-1)
            Else
                roles = ticket.UserData.Split(New Char() {";"c})
            End If

        End If

        Context.User = New GenericPrincipal(Context.User.Identity, roles)

    End If

End Sub

It works great and has improved performance.

many thanks,

j
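The tamper scenario chiph raised, as an added example that is neither the poster's code nor ASP.NET's implementation: a role ticket carrying an expiry and an HMAC over its payload, which is the integrity check FormsAuthentication.Encrypt performs with the <machineKey> validationKey. All names are assumed and the key is constructed; unlike the ASP.NET ticket this one is signed but not encrypted, so the role names stay readable on the client.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side secret; in ASP.NET the <machineKey> validationKey plays this role.
SERVER_KEY = b"constructed-secret-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(username: str, roles: list, ttl_seconds: int = 3600, now=None) -> str:
    """Build a role ticket as base64(payload).base64(HMAC-SHA256(payload))."""
    now = time.time() if now is None else now
    body = {"user": username, "roles": roles, "exp": now + ttl_seconds}
    payload = json.dumps(body, separators=(",", ":")).encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def read_ticket(cookie: str, now=None):
    """Return (user, roles) only if the MAC verifies and the ticket is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = cookie.split(".", 1)
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, TypeError):
        return None  # malformed cookie
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # payload changed after issue: reject, grant no roles
    data = json.loads(payload)
    if data["exp"] <= now:
        return None  # stale ticket, like FormsAuthenticationTicket.Expired
    return data["user"], list(data["roles"])


def tamper_with_roles(cookie: str, extra_role: str) -> str:
    """Model a client editing its own cookie: change the roles, keep the old MAC."""
    payload_b64, mac_b64 = cookie.split(".", 1)
    data = json.loads(_unb64(payload_b64))
    data["roles"].append(extra_role)
    return f"{_b64(json.dumps(data, separators=(',', ':')).encode())}.{mac_b64}"
```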

 