Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Storing Roles in a cookie

Status
Not open for further replies.

whatsthehampton

Programmer
Sep 13, 2005
121
CA
Dear all,

I am bringing out my roles in my global.asax like so:-

Code:
Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)


If Request.IsAuthenticated Then 


Dim _cnn As SqlConnection

_cnn = New SqlConnection(BST.JBXEL.DataManager.constr)

Dim cmd As SqlCommand = New SqlCommand("BST_sp_GetUserRoles", _cnn)

cmd.CommandType = CommandType.StoredProcedure

Dim paramUserID As New SqlParameter("@userid", SqlDbType.Int)

paramUserID.Value = HttpContext.Current.User.Identity.Name

cmd.Parameters.Add(paramUserID) 

_cnn.Open()

Dim dr As SqlDataReader = cmd.ExecuteReader(CommandBehavior.CloseConnection) 

Dim roleList As New ArrayList

Do While dr.Read()

roleList.Add(dr("RGroupName"))

Loop 

Dim roleListArray As String() = roleList.ToArray(GetType(String))

HttpContext.Current.User = _

New GenericPrincipal(User.Identity, roleListArray)



_cnn.Close()



End If 


End Sub

But this is hitting the database on every page request.
How can I issue a cookie or ticket to store these roles please?

I have looked all over the place but am having trouble with a formsAuthentication ticket accepting my 'rolelistarray'

All help most appreciated

Regards,

j


 
Let me ask you this: What happens if someone notices that you're storing security-related info in a cookie, and manipulates it (since it's stored on their local machine) to grant themselves super-user priviledges?

Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first
 
Is it hitting that code on ANY page request, not just your "login" page?
As for the roles, I would store them in a session variable.

Jim
 
Jim thanks,

Does 'Application_AuthenticateRequest' not get called on every page request? (I'm not sure, I was led to believe it was).

Sessions sound like the way to go for me but how do I put an array into session and then call it later??

Apoligies in advance!

Cheers,
j



 
'Set session var
Session("MyVar") = <your array variable?


'Get the session var
<array variable> = Session("MyVar")
 
If you want to learn how to do this go here and download one of the starter kits (issue or time tracker are good examples) in VB.NET. Focus on the Global.asax, Security.vb and CustomPrincipal.vb files. Once you have a handle on the basics you can roll your own authentication. They're also decent examples of using a business tier and data access tier, keeping all that messy System.Data.SqlClient code off your code-behind pages.


Vince
 
Thanks all and Veep,

yes, I looked at the Portal starter kit and am storing the roles in a forms auth ticket like so..

Code:
Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)

        If Request.IsAuthenticated Then
            
            Dim roles() As String

            If Request.Cookies("roles") Is Nothing Then 'make cookie

                Dim _user As New BST.JBXEL.UsersDB()
                roles = _user.getUserRoles(User.Identity.Name) ' from business class

                Dim roleStr As String = ""
                Dim role As String

                For Each role In roles

                    roleStr += role
                    roleStr += ";"

                Next role

                Dim ticket As New FormsAuthenticationTicket(1, _
                    Context.User.Identity.Name, _
                    DateTime.Now, _
                    DateTime.Now.AddHours(1), _
                    False, _
                    roleStr)

                Dim cookieStr As String = FormsAuthentication.Encrypt(ticket)

                Response.Cookies("roles").Value = cookieStr
                Response.Cookies("roles").Path = "/"
                Response.Cookies("roles").Expires = DateTime.Now.AddMinutes(30)

            Else ' get from cookie
                
                Dim ticket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(Context.Request.Cookies("roles").Value)

                Dim userRoles As New ArrayList()

                Dim role As String

                For Each role In ticket.UserData.Split(New Char() {";"c})
                    userRoles.Add(role)
                Next role

                roles = CType(userRoles.ToArray(GetType(String)), String())

            End If

            Context.User = New GenericPrincipal(Context.User.Identity, roles)

        End If

    End Sub

It works great and has improved performance.

many thanks,

j

 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top