I create a website and visit it by clicking in a button. so that i become an anonymous user, but when I check aspnetuser table in database, then I not found anonymous id in any table. when anonymous user gets enter into the database.
I turned on anonymous authentication to true in the web.config file. and browse mu website, so that I become an anonymous user, then I checked aspnetuser table but I don't see that users anonymous id there.
Related
I am using ASPNETZERO multi-tenancy solution and I want to achieve following solution in that.
My need is like One user share all details among all Tenants.
Let's say there is user1 registered in Tenant1 with email id, password and all fields.
Now what I want is this User1 can logged in any tenant using the same login details, I mean to say user1 can login in tenant2, tenant3 etc.. But without registering again and also with same login details.
Also user can edit details in any tenant and that need to updated in all tenants.
Here is what I have planned :
I am planning to put multiple entries of same user with different
tenant id in default Usertables. I mean to say, when user1 registere
in tenant1 then I will copy all details of that user to all tenants.
So I will create same user entry with tenant2 id, tenant3 id and so
on..
I got it working by editing user-service file.
Thanks
In case of allowing a user to login to multiple tenants, the following approach can be used
The user details should be generic and not under a tenant
After adding user, you will assign the user roles for every tenant
When the user logs-in, the data will be validated and then the user will be given a page to choose tenant for which he can work
(OR), the user can provide the tenant name during login so that you can directly validate the user and allow to use the application
Tenant level access will be based on the tenant and roles, if I have access to Tenant1, it means that i have a role for Tenant1 and if I pass Tenant2 to access, the system does not find any roles associated with my user for the Tenant2, denying access (401).
I have designed a site using asp.net and database sql server. For login there are two roles; "admin" & "User" and several users with the role User. A user is now unable to login even with the correct user id and password. I have checked the tables in database. In the table "aspnet_membership", the field values are chaged as:
IsLockedOut=True
FailedPasswordAttemptCount=10
LastLockoutDate=#some date
FailedPasswordAttemptWindowStart=#some date
I have changed cthe values to:
IsLockedOut=False
FailedPasswordAttemptCount=0
LastLockoutDate=#default date
FailedPasswordAttemptWindowStart=#default date
But still the user is unable to login.
Do I have to change any other value in any table?
I am using ASP.NET Forms Authentication (Roles, Users, Membership, etc).
In short, I'm looking for something that will give me a unique UserId for users -before- they are logged in or before they create an account.
I would like the user to be able to personalize the site to a certain extent -before- they go about the work if creating an account. I realize that work would be lost if they clear their cookies.
I store personalized settings in a table with their ASP.NET Auth UserId. I'm hoping that users get assigned a cookie-based UserId even before they log in and create an account, rather than every "guest" having the same "guest id".
If and when they do create an account or log in I'd have to migrate their saved settings to their "permanent" UserId, but that's ok with me.
I could re-invent something, creating a Guid and storing it in a cookie, but I'd like to avoid reinventing the wheel if there's already a mechanism in ASP.NET.
Thanks!
Dave
See Personalization and User Profiles in ASP.NET 2.0 - Handling Anonymous Users.
Note that each anonymous user gets a unique anonymous ID the first time they visit a site. This ID is stored persistently in a cookie. Thus, if a second user opens up a browser on the same computer as the first, the second user will be seen by the site as having the same anonymous ID that was issued to the first user.
The short answer is No. There is no user id assigned to anonymous users that you can store in the Profile table. You will have to create an "AnonymousSettings" table that you store customization information on a per user basis. You would generate your own cookie with a unique ID (a GUID would be a good choice) and the use that to lookup the anonymous user.
Once the user registers, you can transfer their settings from the anonymous table to the profile settings.
Asp.net Automatically generate SessionID per user.
You can use SessionID of active user.
Session.SessionID returns unique key for user. SessionID stored in Cookies.
Asp.Net doesn't remove Session Cookie. After User logged in. So
You can match SessionID and UserId.
I'm wondering how to solve the following issue:
I have a web asp.net app where Forms Authentification is used, connected to the Active Directory. Also, I have a connection string to MS SQL db in the web app, where one global user (with given privileges) is used. The problem is that when I want to store information about the user (e.g. data modification log) in database, I can only get the global user info provided in the connection string, not the real user who is logged in.
Is there any possiblity to log onto a web app with my personal credentials, after, use a global user credentials to connect into the database and pass my personal user credentials (but not as parameters in store procedure) that database will think that the user who is logged in is not the global user?
I assume, it might be only possible if I also create same users in the database and use Impersonalization?
Or any other possibillities?
Thanks in advance.
What are you doing to get the current user? Are you doing something like SELECT #user = SYSTEM_USER? This will obviously only return the user that you connect to SQL Server with.
I would rather keep to using a single SQL login that the application uses, but pass in the username when you are making changes, e.g. through a sproc or a table update:
CREATE PROCEDURE dbo.DoSomething
#id INT,
#username VARCHAR(50)
AS
-- Make your changes.
INSERT INTO dbo.[Audit] SELECT 'update', #id, #username
GO
In ASP.NET you can grab the currently logged in user through User.Identity.Name property of the page.
You could use a role within your database to handle permissions, and then get the users you need in a group in AD, and assign permissions to that AD group to access your database under the role you define. (This way you don't need to assign each user to your database as you create them).
You would then use windows authentication right the way through from your web site to the database, and have the user identity that you need for logging. (You'll need to set identity impersonate="true" in your configuration).
I would note that this is only going to work (easily) if your servers and your users are all on the same network.
I am writing a web app for a client. Users will have a one-time key that they will use to initially identify themselves to the app. Once the app verifies that the key is valid it will take them to a page where they can create a normal account to use for all subsequent logins. The create-account page should only be accessible after entering the key and shouldn't be accessible otherwise. I.e, it shouldn't be accessible to users logged in with a normal account.
This is asp.net 3.0 using a custom membership provider.
My plan is to create a temporary account based on the key and authenticate the user with that account. This allows them access to the create-user page (which is protected with a location tag ) where they can create the formal account. I then authenticate them with their new account and delete the temporary account.
The flow is: the user goes to a page where they enter the key. If the key is valid I create the temporary account, call FormsAuthentication.SetAuthCookie, and redirect to the create-account page. This all works, although it seems a little complicated.
The problem is that the create-user page is available to any authenticated user; I only want it available during the time between entering the key and creating the formal account. So I thought I'd create a special role for the temporary account and make the create-user page accessible only to that role and none other. I created my own Principal object with a special role and tried setting it when I authenticate the temporary account but I can't get that to work.
I'm really hoping I don't have to write a custom role provider just to do this.
How can I make this work? There's gotta be a simpler way!
Why not simply create the real account when they enter the key. Assign it some random name and then let them change the name and other details. Then you don't need the create user page, just the enter key page and an account details editing page. If you're concerned about getting the account details filled in, you could set it up (perhaps via code on a MasterPage) so that incomplete accounts always get redirected to the edit details page until the details are entered.
Or, you could have them enter the required details in addition to the key code on the enter key page and simply use those details when creating the account.
My advice would be to avoid the use of temporary accounts when validating the user. Instead, generate your own logic for validating the sign-up key. Then, at the head of the page, you can check whether the user is an authenticated user (SetAuthCookie has been called) and jump to a different page if this is true.
You may even be able to change the page access to forbid this page to authenticated users (I know you can disable accounts for unauthenticated users but I'm not sure if you can go the other direction).
The key, though, is to avoid relying on the membership provider when, in fact, the user is not yet a member!
Assign an "incomplete" role when authenticating against the temporary token, then restrict access to only that role... when the account is created, send them to a re-login page (terminating the authentication token). This will simplify your security model.