I'm trying to figure out how when using the default asp.net forms authentication stuff one can change the roles that a user has dynamically. In our case a user has access to many accounts and there roles can change per account. This doesn't seem like rocket science to me but I can't figure out I would do this. Does anyone have a experience trying to do this or a link that would be helpful?
UPDATE:
Just to clarify. We know at startup that User X has access to account #1 with roles 1,2,3 and account #2 with roles 1,2.
So first off I have to handle this part of the problem. Getting their roles based off their current account. For this I think I'd use a RoleProvider. The problem I'm trying to solve though is once ASP.Net has a User how do I tell it to invalidate that user or refresh that user so it would hit my custom RoleProvider (or what not) again.
Roles.AddUserToRole() should take care of adding the user to a role.
For removing: Roles.RemoveUserFromRole()
http://msdn.microsoft.com/en-us/library/system.web.security.roles.aspx
Related
I am thinking about how to solve an authentication problem that i have.
I have a MVC-site with an admin area which is going to be used for customer-inputs and its very easy to have formsauthentication to protected the admin area but my problem is that other users could be able to edit other users stuff and thats not what i want =(.
My previous sites only handled authentication for one site and formsauthentication handled all my problems but this site should be able to handle authentication for X users and X customers.
For example user1 logs in to user1 admin area (mysite/customer1) but after log in changes the url to mysite/customer2 and starts editing stuff here.
One solution would be in global.asax and the FormsAuthentication_OnAuthenticate and check the url but there must be better approaches to this right? Maybe i am missing something obvious here?
What if once the user logs in (user1) you save their userId (or some unique identifier) into a claim or session. then just make one page mysite/customer which will read that Id and bring back just that one person's record. so this way the only record they will see is the one associated with their Id and you don't have to make the same pages over and over for other users, so no mysite/customer1, mysite/customer2, mysite/customer3...etc..
In a generic asp.net website with Membership, Roles and hashed passwords enabled, I would like to provide the administrators with impersonation so that they may browse the website as that user would. The website should function as if that user is logged on and then be able to revert to their own login.
What is the best approach to achieve this?
An example use-case: A website with two types of users: 'Buyer' and 'Admin'.
The website provides a 'Purchase' button to buy something specifically provided to the user by the admins. i.e only that buyer can use the purchase button and make a payment.
User has trouble so a support admin can 'impersonate' the user's login and purchase on their behalf or 'see' the trouble they are facing.
Without impersonation, the only way is to allow this in code and that negates the purpose of 'seeing the user's issue'. Not even if I was not using hashed passwords and had used FormsAuthentication.SignOut() and manually logged in the admin as the user.
I hope i am making sense above.
Take a look at this sample on codeproject.com. I think it does what you're looking for.
I don't have the code we used to do this in front of me (assignment from a few years ago), but there are bits in the Membership API to sign someone in using code. I will not have access to the code until this weekend, unfortunately, or I could quickly share the bits and be done with this.
I do remember you had to get the user first, as a MembershipUser, using the Membership class. I am not sure, from this point, whether you had to validate against provider or what.We did use a custom provider, but I forget whether it was related to this solution.
Regardless, examine the security bits, focusing on membership and membershipUser.
My app can handle Medics and Patients.
So far everyone can login and perform different tasks on the site.
We want to avoid forcing people that are Medics AND ALSO Patients to create a new User Login and password.
So a Medic which is also a Patient should keep his same login and password but we are thinking that as soon as the person with this dual privilege logs in they should PICK which role (and maybe store in a session variable) he wants to log in as.
Is this recommended or can you please provide me with an alternative?
Please help. thanks in advance
Your suggestion for roleselection after authentication IS a preferred way of working with your users. Your application can perform authorizations based on the role, rather than on the user. It is also important for the user to unmistakenly be aware of the role activated performing certain tasks.
One small suggestion I could give is to be able to switch this role dynamically, at any point in time in your application, without having to re-authenticate or get back to some kind of main page in your app. That fast role switch would really improve its usability. And always have the activated role display somewhere in the screen.
Do Medics have more privileges?
Somewhat like an "Editor" is also a "Registered User".
You wouldn't need an extra logon, you would just need to setup the hierarchy and what tasks/abilities a Medic has over a patient - if that's your scheme.
You should create another role. MedicAdmin for example.
In my appliation,all pages are protected,so they must login to visit the pages.
And the admin of the system can add users.
Now some people told me that I have to prevent people login at the sametime using the same account.
That's to say if there is a user named "John" logined to the system,so other people cannot login with "John" again event he know the password.
Also,if one user find that someone have logined use the account he wanted,he can make the former user offline. If so I have to judge if the current user have been offed ornot in each page. This is not a work can be done easily.
I wonder if this is necessary?
Since I found so many websites nowdays do not limit this,for exmaple,you can use the same account login your gmail/stackoverflow/yahoo and ect in different machine at the same time.
So Any one can give me a suggestion?
Update:
Now,we use the asp.net's form authenciation,(we do not use the membership yet). And in the t_user table in the databse,we have a column named "isOnline" and "last_login_time".
When user login,we set the "isOnline" to 1,and store the login time.
When another user try to login again,we check the "isOnline" and the time:
if("isOnline"==1 && DateTime.now-LastLogiTIme <40min) // where the 40 min is the form authenaication timeout.
thisAccountHasLogined=true;
But suppose a user logined yet,then he clean the browser cookie,then if he refresh the page,he will be redirected to the login page,but not he can never login again before the form authentication time out because the "isOnline" in the db is 1 and the time span from his login to now does not large than the form timeout.
I am confused.
In some scenarios, I could understand not having multiple logins, but in reality, I have never had to implement it.
Unfortunately, I do not believe there is a standard mechanism for determining if a user is already logged in and this would need to be done by additional logic. In our application, we use a database for storing session information and using this, it would be a simple process to see if a session already exists within this for the user and not allow login if so.
Update
I was interested in this myself and found this;
http://msdn.microsoft.com/en-us/library/system.web.security.membershipusercollection.aspx
and this
http://msdn.microsoft.com/en-us/library/system.web.security.membershipuser.aspx
Using those, it may be possible to get this information with the .IsOnline() However, this does make the assumption you are using standard asp.net membership
the table where you store user name and password add a column status
when a user attempt to login update status to "Online" when logout update status "Logout"
During login check status, if status is online , terminate process. This may be an approch to implement this, hope it will help you
Our SSO login process uses Forms Authentication against a custom user store in SQL Server.
One of our new security requirements is to only allow an account to have one active session at a time. So any time a user logs in, we will check to see if the login credentials are already active, and preferably prevent the new user from logging in again until the other session ends. Alternatively we could force the other session to end, if that would be easier to implement.
Is there a simple way to do this with Forms Authentication? We've considered a custom approach where we track each session in the database, but it would be a lot of work and we'd probably have to modify all of our applications to detect the session_end, which I'm hoping to avoid. I figure there has to be something in Forms Auth that handles this.
I've seen the MembershipUser.IsOnline() method, which seems ideal, but we're not using a Membership provider.
UPDATE: Just to be clear, I do not need to check whether the current user is logged in, I need to know if somebody else is already logged in using the same account.
Try this:
System.Web.HttpContext.Current.User.Identity.IsAuthenticated
If I understood you correct, you would need to store the last activity state based on the user id.
Membership.IsOnline() is implemented by checking the LastActivityDate property persisted in the membership database.
So somewhere, you would need to track user activity.
You could maybe implement a httpmodule that updates a timestamp for user activity.
If the HttpContext.Current.User property is not null then they are logged in. And Identity.IsAuthenticated is true.