#5
December 30th, 2007, 11:27 PM
Bob Bedell
Friend of Wrox
Join Date: Jun 2003
Location: USA

Hi Imar,

Yup, I enjoyed the break too. Got the snot beat out of me by my 6 year old nephew for several days. Good to see the folks and bro. All is well.

Session["CSLA-Principal"] actually should be null until after the user authenticates. Here the null check is for a session variable that indexes the SessionStateItemCollection, not for the existence of the Session object itself. If session doesn’t exist, this line can’t be reached. ["CSLA-Principal"] indexes a CSLA.Security.BusinessPrincipal that is manually added to session after the user authenticates.

Here's the blow-by-blow:

protected void Application_AcquireRequestState(object sender, EventArgs e)
{
    if (HttpContext.Current.Session == null)
    {
        // do nothing - Session object not instantiated yet.
    }
    else
    {
        // The Session object has been instantiated or the first null
        // check would have returned 'true'. Here I'm just indexing the
        // SessionStateItemCollection for a session-state variable.
        // Indexing the SessionStateItemCollection simply returns null if
        // the requested session variable doesn't exist. The "CSLA-Principal"
        // session variable won't exist (will be null) until after the user
        // has authenticated and a custom CSLA.Security.BusinessPrincipal
        // object has been manually added to session-state by a method of
        // the login form.
        if (Session["CSLA-Principal"] != null)
        {
            // The user has already authenticated and the CSLA.Security.BusinessPrincipal
            // object stored in session-state is assigned as the user's CurrentPrincipal.
            System.Threading.Thread.CurrentPrincipal = (System.Security.Principal.IPrincipal)Session["CSLA-Principal"];
            HttpContext.Current.User = System.Threading.Thread.CurrentPrincipal;
        }
        else
        {
            // Fires if user logs out later in the session: no principal in
            // session-state, but the thread still carries an authenticated identity.
            if (System.Threading.Thread.CurrentPrincipal.Identity.IsAuthenticated)
            {
                // Unauthenticated user assigned a GenericPrincipal object until
                // they authenticate. (The posted text repeated the session-state
                // assignment from the branch above here, which would set the
                // principal to the null session value; an anonymous
                // GenericPrincipal, as this comment describes, is assumed instead.)
                System.Threading.Thread.CurrentPrincipal = new System.Security.Principal.GenericPrincipal(
                    new System.Security.Principal.GenericIdentity(""), new string[0]);
                HttpContext.Current.User = System.Threading.Thread.CurrentPrincipal;
            }
        }
    }
}

For completeness' sake, here's the login button click event:
// Code-behind of the login form; requires:
// using System.Threading; using System.Web.Security; using CSLA.Security;
protected void btnLogin_Click(object sender, System.EventArgs e)
{
    string userName = txtUsername.Text;
    string password = txtPassword.Text;

    // If logging in, clear the current session.
    // (The statement itself was lost from the posted text; Session.Clear()
    // is assumed here from the comment.)
    Session.Clear();

    // Log into the system. BusinessPrincipal methods
    // query a security database, load an Identity object,
    // and set the thread's current principal to the
    // BusinessPrincipal, which now references either an
    // authenticated or unauthenticated Identity object,
    // based on the query results.
    BusinessPrincipal.Login(userName, password);

    // see if we logged in successfully
    if (Thread.CurrentPrincipal.Identity.IsAuthenticated)
    {
        // The authenticated CSLA.Security.BusinessPrincipal
        // gets added to session-state as a session variable named
        // "CSLA-Principal".
        Session["CSLA-Principal"] = Thread.CurrentPrincipal;
        HttpContext.Current.User = Thread.CurrentPrincipal;

        // redirect to the page the user requested
        // (only "userName, false);" survived in the posted text; the
        // Forms authentication call is assumed from that fragment)
        FormsAuthentication.RedirectFromLoginPage(userName, false);
    }
}