May 6th, 2010, 09:50 AM
barakros
Question about HttpContext.Current.Session

Hi Imar
I wanted to ask you about this object:
According to MSDN, it is like the Session object, except that it can be accessed from VB classes and not only from code-behind pages like the Session object.

I created my own MembershipProvider and ProfileProvider in my website, based on an MSSQL DB, and I am using the Login controls, and that works fine.
But I need to allow access to the website with username + password and also with email + password.
That works fine, since it is easy to check which username has the entered email and password and let him log in - the profile gets the needed values from the DB according to the username (email or username).

The problem is that I have some users that have the same email for different usernames and passwords (different accounts but the same email),
so I need to identify them according to the password, which is unique for each such customer.

The problem is that the ProfileProvider class does not know the password, since in the GetPropertyValues method (which I override in my custom provider) it gets only the username and isauthenticated values in the context As SettingsContext parameter object.

My solution was to save the password in the HttpContext.Current.Session
like this:
when the user is authenticated in the ValidateUser function of the custom MemberShipProvider class

and to retrieve it in the GetPropertyValues function of the CustomProfileProvider like this:
Dim password As String = CStr(HttpContext.Current.Session("pass"))
so I can verify which user it is not only by username (which can also be an email)
but also by password.

That also works fine, but it raises 2 questions:
1. Is it safe from a security point of view?
2. Is it safe to keep it in that object? Will it be kept all the time, and the session variable won't "get lost"?
I set the HttpContext.Current.Session.Timeout to the time I need.

Sorry for the "long story" and thanks in advance.


Last edited by barakros; May 6th, 2010 at 09:54 AM.