Membership switch from ID to email - asp.net

Currently I have a site (asp.net 3.5) that uses a unique ID for the login. I am going to need to switch it to use emails if possible. I am going to be creating all new accounts so I can wipe the membership table clean and import all the user info.
We are switching from generic logins for departments to individual accounts.
Any links or pointers in the right direction would be greatly appreciated.

So here is what you should do.
If you are creating an entire user base just wipe off the current ones and tell users to create the new user with an email, as long as you validate that on the entry form you are going to be good.
Now if you already have a user base, then it is a little more complicated.
First verify that every current user has a valid distinct email, then you have to change 2 columns on the aspnet_Users table, the columns are UserName, and LoweredUserName.
That should be simple if the first step is true, just do a loop for every aspnet_Membership row, get the column Email and set it as UserName, then get the column LoweredEmail and set it as LoweredUserName.
Ta daaaaaa!
Now you have it all migrated to the new model, for new entries, make sure that the entry form validates the UserName to be an email, for that you can use RegEx.
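An added example, not part of the original answer: a C# dry run of the "valid distinct email" check over rows already read from aspnet_Membership, which also produces the UserName and LoweredUserName value for each user. `MemberRow`, `EmailLoginMigration` and the regular expression are hypothetical names and assumptions; the code only computes the plan and does not write to the database.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Constructed stand-in for the aspnet_Membership columns the answer uses.
public class MemberRow
{
    public Guid UserId;
    public string Email;
}

public static class EmailLoginMigration
{
    // Deliberately simple shape check (assumption: one '@', no spaces, a dot in the domain).
    static readonly Regex EmailShape = new Regex(@"^[^@\s]+@[^@\s]+\.[^@\s]+$");

    // Returns { UserName, LoweredUserName } per user, or throws listing every blocker,
    // so nothing is changed until all emails are valid and distinct.
    public static Dictionary<Guid, string[]> Plan(IEnumerable<MemberRow> rows)
    {
        var plan = new Dictionary<Guid, string[]>();
        var ownerByLowered = new Dictionary<string, Guid>();
        var blockers = new List<string>();

        foreach (MemberRow row in rows)
        {
            string email = (row.Email ?? "").Trim();
            string lowered = email.ToLowerInvariant();

            // UserName is nvarchar(256) in the stock aspnet_Users schema.
            if (email.Length > 256 || !EmailShape.IsMatch(email))
                blockers.Add(row.UserId + ": missing or malformed email");
            // Compare the lowered form: emails differing only by case
            // would end up with the same LoweredUserName.
            else if (ownerByLowered.ContainsKey(lowered))
                blockers.Add(row.UserId + ": same email as " + ownerByLowered[lowered]);
            else
            {
                ownerByLowered[lowered] = row.UserId;
                plan[row.UserId] = new[] { email, lowered };
            }
        }
        if (blockers.Count > 0)
            throw new InvalidOperationException(string.Join("; ", blockers.ToArray()));
        return plan;
    }
}
```

Two rows whose emails differ only by case, such as Pat@Example.org and pat@example.org, are reported as a blocker because both would map to the same LoweredUserName.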

Related

ASP.NET How to Apply Roles & Members Read/Write Security to Pages, Sections, Fields, & Records

I've built a number of sites using classic ASP type security and have continued using the same methods in ASP.NET. However, I now am looking for recommendations for a better or best practice way of doing it. I've read a few resources online but have not seen anything comprehensive enough that's applicable to what I'm trying to do. What I'm trying to do is apply user specific security that determines that user's access to specific pages, sections on that page, and fields in each section. It also needs to restrict access to various records as well and determine whether it's read or write privileges.
For those interested, here's how I've done it so far:
Because I lacked the know-how, here's how I did it using the old ASP classic way...
First, on the database side I have 4 relevant tables: tblUsers, tblRoles, tblPages, tblRecords (haven't gotten to sections and fields yet). Each user can belong to a "role" and the role then determines what pages they can access as well as what records they can access in various tables (there are a number of other tables in the db as well e.g. tblCustomers, tblSales, etc...). Each table includes these fields:
tblUsers: UserID, UserName, UserPwd
tblRoles: RoleID, RoleName, UserID
tblPages: PageID, PageName, RoleID
tblRecords: RecordID, RecordTable, RoleID
Now on the application side here's what I've done:
First, my login page is based on 1) looking up the user name and password in the tblUsers table and 2) if found, setting a session variable named "UserLoggedIn" = true. Then on every page load event I check if the UserLoggedIn session is set to true, if so, continue... if not clear all session variables (log out) and send the user back to the login page. The old classic ASP way of doing it.
Second, with the login set up, to control page access, when the user is logged in I created another session variable that holds a pipe delimited string of all the pages that user can access (e.g. Session("PageAccess") = "{1|3|10|8}"). Then in each page's load event I've explicitly added a variable/constant that uniquely identifies that page (e.g. pageone.aspx has Dim PageID As String = 1). Then I check to see if the PageID matches an ID stored in the PageAccess session. If it does, continue... If it doesn't I send them to the home page.
Third/Last, for the records access, I did the same thing. When the user is logged in I created a session variable that holds a pipe delimited string of all the records the user could access along with the table it's related to (e.g. Session("RecordAccess") = "{tblCustomrs||1|5|7}") and checked it and applied it basically the same way as the page session variable.
My solution is (it worked for my projects):
tables : tblUser , tblRole ,
tblUserInRole : userid,roleid,username,password (this design lets you assign more than one role to a user)
tblrole, tbrules(your Access Controls for example pages)
tblRulesInRole : roleid , ruleid,Editable,Viewable,printable,Deletable
To implement access control on every request and response, you should create an HttpModule......

aspnet_user table for storing customer information

When registering in my site (ASP.Net MVC application), the users get inserted into the aspnet_users table. Since it's a shopping site, I would want the users to have a customer id and all their details provided by them at registration in this Customer table as well. How do I link these 2 tables? Is it recommended to use the aspnet_user's UserId(Guid) in the application for other business processes?
Also, I would like to know when should a new record be inserted into the customers table.
I mean, when should a new customer be created. I guess it's not good to create a record as and when users are registered? Here, I want to know what's the norm? I felt it would be better to add it when a user adds an item to the shopping cart. Please guide me.
Thanks in advance.
Add the UserId field into your customer table and then make a foreign key relationship back to the UserId in the aspnet_users table if you want to enforce relational integrity.
I'm not sure what you mean about when to insert the customer record. As long as you insert it after you have created the user (so that you have the user ID), you should be fine. It can happen in the same postback.
I'm not sure how you are saving the user. As in are you using one of the built-in ASP.Net controls or making the call manually?
If you are using the Membership provider as it sounds like you are, you can save the member using:
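// username, password and email come from your registration form
MembershipUser user = Membership.CreateUser(username, password, email);
Guid userKey = (Guid)user.ProviderUserKey; // ProviderUserKey is typed as object
//Populate your customer object.
//now use whatever EF/ADO/etc... to save your customer record.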

Adding an integer ID to ASP.NET Forms Authentication

In the standard forms authentication, users are identified by a Guid. I want to give my users a UserId of type int (doesn't have to be the primary key, just something to do lookups on).
Is it safe to add an additional column to the aspnet_users table, or should I create a new table which FKs to the UserId column and has a Unique column which generates the integer ID?
The latter sounds like a bad performance hit to take just for the sake of an int!
EDIT
I want to create URLs like those on stackoverflow. eg. https://stackoverflow.com/users/23590/greg-b where the User ID is an int. For that reason I don't want to use Guids.
I'd create profiles and store the associated urlID there. Web Forms don't have Profiles available out of the box, but you can see a workaround here:
http://www.codersbarn.com/post/2008/06/01/ASPNET-Web-Site-versus-Web-Application-Project.aspx
The advantage of using Profiles is that you can tap into all the existing logic and won't have to write as much custom code yourself, aside from constructing the URL.
You could combine this with Routing for friendly URLs, if you're using ASP.NET 3.5 or up.
UPDATE: kinda similar question:
Shorter GUID using CRC

ASP.NET Membership - Logged into two places at once

We have got two distinct lists of users that we need to power logged in access to sections of our site.
These lists can't be combined, as one is synced daily to an externally hosted data source, and both tables have to be 100% the same.
We have set up two Membership providers onto the site, but my question is, is it possible to allow both to be logged in at the same time?
The issue I find is that HttpContext.Current.User.Identity.Name contains the username of the last successful logon.
Use some sort of delimiter and put both users into the login Identity. e.g. mp3duck/employee1
When you log in via membership provider 1, you would do something like
// extract the existing prov2ID so you can keep it. GetID() would be a string split function
string prov2ID = GetID(User.Identity.Name, 2);
FormsAuthentication.SetAuthCookie(prov1ID + "/" + prov2ID, false);
And vice versa for a login via membership provider 2.
If you are using the <asp:login> control, you would modify the UserName property instead of calling SetAuthCookie() since the login control calls SetAuthCookie() itself.
You can put any sort of stuff into the Identity name. I often use it to store both a number int ID for the user primary key, and their username. The only downside is you have to clean it up when displaying it in the html. e.g. Hello <%= User.Identity.Name %> would display a lot more than you wanted.
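An added example, not part of the original answer: one way to write the GetID() split function it mentions, together with the compose and display steps, in C#. `DualIdentity`, `Compose` and `DisplayName` are hypothetical names; the code assumes "/" is the delimiter and that neither provider allows "/" in a user name.

```csharp
using System;
using System.Web;

// Hypothetical helper for the "prov1ID/prov2ID" identity name described above.
public static class DualIdentity
{
    const char Delimiter = '/';

    // Builds the combined name; an empty part means "not logged in with that provider".
    public static string Compose(string prov1ID, string prov2ID)
    {
        prov1ID = prov1ID ?? "";
        prov2ID = prov2ID ?? "";
        // A user name containing the delimiter would shift the parts, so one
        // provider's login could be read back as an identity for the other.
        if (prov1ID.IndexOf(Delimiter) >= 0 || prov2ID.IndexOf(Delimiter) >= 0)
            throw new ArgumentException("User names must not contain '/'.");
        return prov1ID + Delimiter + prov2ID;
    }

    // The split function the answer calls GetID(); provider is 1 or 2.
    public static string GetID(string identityName, int provider)
    {
        if (provider != 1 && provider != 2)
            throw new ArgumentOutOfRangeException("provider");
        string[] parts = (identityName ?? "").Split(Delimiter);
        // Anything but exactly two parts was not produced by Compose():
        // treat it as "not logged in" rather than guessing.
        return parts.Length == 2 ? parts[provider - 1] : "";
    }

    // Name to show in markup: only the requested part, HTML-encoded.
    public static string DisplayName(string identityName, int provider)
    {
        return HttpUtility.HtmlEncode(GetID(identityName, provider));
    }
}
```

A login through provider 1 would then call FormsAuthentication.SetAuthCookie(DualIdentity.Compose(prov1ID, DualIdentity.GetID(User.Identity.Name, 2)), false), and pages would render DualIdentity.DisplayName(User.Identity.Name, 1) instead of the raw identity name.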
would the suggestion outlined here be of any help?
Can SiteB Restrict Access Only to Users Authenticated on Site A? How?

Using IPrincipal.Identity.Name as a key in a database to identify user's rows

I'm writing a small intranet app that uses Windows Authentication and Asp.Net MVC.
I need to store various bits of data in a db against each user.
As far as I can tell the IPrincipal object does not seem to have something like a unique id. So I was thinking I could just use User.Identity.Name as a unique value to identify rows in my db.
Is this a bad idea? Is there an alternative to this approach?
Thanks for any help.
I would create a User table that included an identity column as the id. When a person accesses the site, I would check the user table for that individual's unique id, and read it if it exists, or insert a new row if the user is new.
Login names can be long, and that could affect your indexes depending on the expected size of your data.
