I made a custom membership provider and overrode the ValidateUser method, but now I am confused. I am not using any Login controls, I just have a site wide login (username and password box) on a masterpage.
Questions:
1. Do I need to call the ValidateUser() method myself? If so, what are the next steps to take? Do I create the auth cookie? Which methods do I need to call to complete the login?
2. I need to return some custom user data if the user is authenticated. Is it better to call GetUser and check for null or just call ValidateUser and then grab a user object?
3. Where and how should I store the custom data for the user? Is it stored in the identity object? Should I store it in the MembershipUser Object?
Yes, you verify that the credentials are correct by doing a call such as
Membership.ValidateUser(TextBoxUsername.Text, TextBoxPassword.Text)
If the above call returns true then you need to set the authentication cookie like so:
FormsAuthentication.SetAuthCookie(TextBoxUsername.Text, CheckboxRememberMe.Checked);
There I used a "remember me" checkbox if you want to log in automatically next time.
To get the user details you can call
Membership.FindUsersByName(TextBoxUsername.Text)
The most handy place you can store the user details is the session.
You didn't ask, but just as important would be a log out page. The functionality needed to undo the login steps is:
FormsAuthentication.SignOut();
Session.Abandon();
Response.Redirect("~/login.aspx", false);//or homepage, or any other page
Related
I have an ASP.Net MVC3 app. When the LogIn action is called, I use the MembershipProvider to validate the user and FormsAuthentication to set the cookie.
Additionally, I get some info about the user from a database and store it in Session.
When the user subsequently visits the site, they're already authenticated via the cookie, and I'm looking for somewhere to hook into so I can fetch the info about the user from the database again.
Is HttpApplication.AuthorizeRequest() the best place to do this? Obviously this is called for every request so I was hoping there was something I could use that just indicated the user had been authenticated - either explicitly after logging in or when they're authenticated automatically.
There are several events that get triggered on every request, HttpApplication.AuthorizeRequest() should work.
In order to only fetch from the database for logged in users, you can check the Name property of User.Identity which only gets set once the user authenticates:
if (!string.IsNullOrEmpty(User.Identity.Name))
{
    // make call to database
}
I have a webpage that a user logs in to. Now I want to provide the ability for a user to change their password using the ChangePassword control. The control does work as described here: ChangePassword control for non-authenticated users. But I want the behavior for authenticated users.
I'm fairly new to asp so this could be a simple question but exactly how do you "authenticate" a user?
According to the docs, the control works for both authenticated and non-authenticated users.
Changing a user's password programmatically is very straightforward.
Take a look at the MembershipProvider and MembershipUser classes.
You can validate a user using: MembershipProvider.ValidateUser
To authenticate them use: FormsAuthentication.SetAuthCookie
MembershipUser has a method: ChangePassword.
If you are new to all this, read introduction to membership
I am trying to design a login page for my website and I am looking for methods other than forms authentication. The way in which I am trying is to have a table in the database that stores user information and check for the user validity.
The point where I get stuck is how do I set cookies and session variables and how will I carry them throughout the system. Can anyone tell/suggest to me where I can find relevant material so as to move forward? And also, is my idea of negating traditional forms authentication and going for the model I described good, and does any other better method exist?
You can do this even with forms authentication itself...
For Forms Authentication to work, you do not have to use the complete database setup that MS uses to authenticate. You can simply have your own database and validate a user yourself, and just set the cookie.
String UserName = "CoolGuy";
String PassWord = "Pwd";
// YourClass.YourMethod is a placeholder for your own credential check
Boolean isValidUser = YourClass.YourMethod(UserName, PassWord);
if (isValidUser)
{
    FormsAuthentication.SetAuthCookie(UserName, false);
}
This will authenticate the user "CoolGuy" for the session, provided YourMethod returns true. And you need to put this code only in Login Page... and the user will automatically be authenticated for the entire session or whatever...
Please see my response to another similar question here... ASP.NET access controls
Using Forms Authentication, I am storing a cookie for each user if they mark Remember Me during login, using the following piece of code in the Login1_LoggedIn event.
if (rememberMe.Checked) FormsAuthentication.SetAuthCookie(Login1.UserName, true);
When the user arrives on my page with a cookie, I need to get his/her user name so I can check their roles. Does the Forms Authentication cookie store this information, and how can I retrieve it?
The string you pass to SetAuthCookie (Login1.UserName in your case) will be stored in the IPrincipal when the user accesses a page. You can access it using:
Page.User.Identity.Name
Try
Page.User.Identity.Name
or
HttpContext.Current.User.Identity.Name
I am using the asp.net CreateUserWizard and I have LoginCreatedUser=true. I also have the "OnCreatedUser" property for the CreateUserWizard control set to a method and thought the auth ticket would be created at that point but it is not.
When exactly is the authentication ticket (Request.Cookies[".ASPXAUTH"]) populated?
I need to know so that during registration I can modify the UserData and add it to the auth ticket.
I've done this before doing the following:
In the CreateUserWizard_CreatedUser event you know for a fact the user is created, so save the username to HttpContext.Items array.
Check for the username in HttpContext.Items in the page's PreRender() event (it'll run after the CreatedUser() step). If it's there, overwrite your authentication ticket.
To test this make sure you later decrypt the authentication ticket and check the UserData. In my own projects this is how I handle having a user logged in at registration and have some of their info injected into the auth ticket's UserData.
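The overwrite-and-verify steps described above, as an added example that is not the answerer's own code: it issues a forms authentication ticket carrying UserData and reads it back by decrypting the cookie. The class name AuthTicketHelper and its method names are assumptions made for this example.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example: hypothetical helper for writing and reading UserData in the auth ticket.
public static class AuthTicketHelper
{
    // Replaces the forms-auth cookie with a ticket that carries custom UserData.
    public static void SignIn(HttpResponse response, string userName, string userData, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                                             // ticket version
            userName,
            DateTime.Now,                                  // issue date
            DateTime.Now.Add(FormsAuthentication.Timeout), // expiry from web.config
            persistent,
            userData ?? string.Empty,                      // keep small; it travels on every request
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                               // not readable from client script
            Secure = FormsAuthentication.RequireSSL,       // follows requireSSL in web.config
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration; // otherwise a session cookie
        response.Cookies.Set(cookie);
    }

    // Returns the UserData from a valid, unexpired ticket, or null.
    public static string ReadUserData(HttpRequest request)
    {
        var cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { return null; }         // malformed or tampered cookie value

        if (ticket == null || ticket.Expired) return null;
        return ticket.UserData;
    }
}
```

The ticket is protected by the application's machineKey settings, so every server in a web farm needs the same keys for ReadUserData to succeed.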