Discussion:
Additional steps after authentication
Alex Ivanoff
2007-02-22 17:29:50 UTC
I have an application using forms authentication with the following
requirement. After user logs in the application needs to perform some
checks. If all checks are satisfied user is redirected to the original
page she requested. If one or more checks fail user is redirected to other
page to make some changes. After that checks are performed again until all
of the checks are satisfied and user is redirected to the original page.
What is the best way to accomplish something like this?

Thank you,
Alex

===================================
This list is hosted by DevelopMentor® http://www.develop.com

View archives and manage your subscription(s) at http://discuss.develop.com
Efran Cobisi
2007-02-22 17:50:39 UTC
Hi Alex,

I've had the very same problem in a web app some time ago. My solution
was to stay with FormsAuthentication but do not authenticate the user
until she completed the required checks; in that case, I stored a state
value in the user session, which basically would indicate that the user
has been already checked against username/password match but it has to
complete the aforementioned checks. Once the checks completed, I'd
authenticate the user within FormsAuthentication.

HTH,

Efran Cobisi
http://www.cobisi.com
Alex Ivanoff
2007-02-22 18:32:49 UTC
I thought about this. But it seems like a hack, plus we are not using
session state.

My other thought was to use UserData in FormsAuthenticationTicket to store
some flag indicating that checks were successful. Then I would check in
Application_Authenticate request for this flag. Any comments on this
approach? One thing that bothers me is that at some point I would have to
override authentication ticket to change UserData. Can this screw up forms
authentication infrastructure?

Alex
Efran Cobisi
2007-02-23 08:42:53 UTC
Alex,

That's a good alternative to my approach; doing so you are however
delegating your code to do the check against "UserData to allowed pages"
match. I would rather prefer to let the FormsAuthentication module do
this check for me.
UserData seems to be a good place to store that information; anyway,
the SetAuthCookie() method, which is used to set authentication
information within FormsAuthentication, seems to not support UserData.
However, you could get rid of the SetAuthCookie() method and store your
custom ticket directly in the Response.Cookies collection.

---
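// Build the ticket by hand (constructor overload that takes userData).
FormsAuthenticationTicket ticket = ...

// Encrypt the ticket into the string that goes in the cookie.
string encryptedTicket = FormsAuthentication.Encrypt(ticket);

// Write the cookie directly instead of calling SetAuthCookie().
HttpCookie authCookie =
    new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
Response.Cookies.Add(authCookie);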
---

The only drawback of this solution is that you can't use
FormsAuthentication cookieless support.
HTH,

Efran Cobisi
http://www.cobisi.com
Ivanoff, Alex
2007-02-23 15:05:04 UTC
Our application requires a browser with cookie support so this is not a problem.

As for delegating code to check for UserData I was thinking about writing an HTTP module to do this.
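
An added illustration, not code from either poster: one way the two ideas in this thread fit together, a hand-built ticket carrying a UserData flag and an HTTP module that checks it on every request. The class name, flag value, fix-up page path and 30-minute lifetime are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical module: class name, flag value and page path are assumptions.
public class PostLoginChecksModule : IHttpModule
{
    const string ChecksPassed = "checks=ok";           // assumed UserData flag
    const string FixupPage = "~/CompleteChecks.aspx";  // assumed fix-up page

    public void Init(HttpApplication app)
    {
        // Fires after FormsAuthenticationModule has decrypted and validated the cookie.
        app.PostAuthenticateRequest += OnPostAuthenticate;
    }

    public void Dispose() { }

    static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        FormsIdentity id = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
        if (id == null || !id.IsAuthenticated) return;   // anonymous: normal login redirect applies
        if (id.Ticket.UserData == ChecksPassed) return;  // checks done: let the request through
        if (string.Equals(ctx.Request.AppRelativeCurrentExecutionFilePath, FixupPage,
                          StringComparison.OrdinalIgnoreCase)) return; // avoid a redirect loop
        // Carry the requested URL along so the fix-up page can return to it afterwards.
        ctx.Response.Redirect(FixupPage + "?ReturnUrl=" + HttpUtility.UrlEncode(ctx.Request.RawUrl));
    }

    // Call with passed=false right after the password check, and again with
    // passed=true once the checks succeed; Set() replaces the earlier cookie.
    public static void IssueTicket(HttpContext ctx, string userName, bool passed)
    {
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, now, now.AddMinutes(30),       // assumed lifetime; match <forms timeout>
            false, passed ? ChecksPassed : string.Empty,
            FormsAuthentication.FormsCookiePath);
        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        ctx.Response.Cookies.Set(cookie);
    }
}
```

The flag in UserData can be trusted only while the forms `protection` setting keeps tickets encrypted and validated (the default, `All`). The fix-up page should accept only local ReturnUrl values before redirecting back.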

