This is simply my not understanding what is going on.

I got to the end of chapter 13 and tried running it and something odd happened. (Keep in mind I had been playing with the app and adding things along the way in previous "try it outs".

When I went to "check out" I was already logged in. I went back and simply added a loginname control to the front page, and it appeared that when I was running the site, it was logging me in automatically as /COMPUTERNAME/LOGINNAME (ex /PHANTOMLAP/ROBERTSEARING)

I am the admin of my own computer, obviously, that SQL Server and VStudio are running on.

What's odd, is I went in and deleted the USER /PHANTOMLAP/ROBERTSEARING in the aspnetdb.mdf file and it autocrated again when I "added an item" to my cart.

What is doing this? shouldn't it be adding it to the anonomous profile?

I had another question...I assume there is only one anonymous profile--what happens if I create a cart...log out..or just shut the window..then YOU logged in .. as anonymous...how is it that the profile is re-written..OR..say several people are using the site at the same time...are multiple anonymous accounts created?

Please help,
Rob Searing

Here's another tidbit of info. I deleted the LOCALHOST/USERNAME account and just put a login name on my first page..before anythign is saved.

When I am FIRST running the app--it recognizes me as LOCALHOST/USERNAME...keep in mind..I am not loggin in--I am simply starting the app which has a default list of items I can "buy". The example is supposed to show how this can put this in an anonymous profile..then allow you to login to save it.

NOW--when I open a previous example--from chapter 4--that was just illustrating memberships...I slapped a loginName control and..bam...it's empty..doesn't show a name, UNTIL I log in. I assume this is default for anonymous?

My assumption is the reason the previous example--for some reason is recognizing my LOCALHOST/USERNAME account INSTEAD of treating me as anonymous has something to do with enabling profiles???

This is driving me crazy. Is there even a way to test anonymous adding of profile from VS then?

How does the web.config file look like? In particular, how does your <authentication> element look like?

Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
Want to be my colleague? Then check out this post.

Rob, I have implemented the cart also. I was having a problem which was that different users seemed to be sharing the anonymous cart. I was just able to overcome this last night, and I did several things and am not 100% sure which one fixed it (I plan to backtrack to figure this out), but I think it was when I changed the directive in the web.config to authentication="none" instead of "windows". After that (I think), it started keeping track of anonymous users separately. I'm also wondering whether that might fixed your other problem with your login. By the way, it wasn't just the cart having the problem. I was storing other profile data that was also being shared across sessions.

Terry

That would make sense, and seems consistent with my question about the authentication element. It may also explain why earlier you saw the same cart on multiple machines (assuming you used the same network or user account to log on).

With authentication="windows" you are using Windows authentication. This means as soon as you hit the site (even before you access a protected page or the Login page) you are already logged in with your Windows account. This is a feature from IE that automatically uses your Windows identity for web sites.

When you removed Windows authentication (by setting it to none or Forms) you are no longer logged in automatically. Instead, you'll get a cookie as an anonymous (or forms-authenticated logged in user) that can access the shopping cart.

Cheers,

Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
Want to be my colleague? Then check out this post.

Here's the string--which confirms--just a few questions below:

<?xml version="1.0"?>
<!--
Note: As an alternative to hand editing this file you can use the
web admin tool to configure settings for your application. Use
the Website->Asp.Net Configuration option in Visual Studio.
A full list of settings and comments can be found in
machine.config.comments usually located in
\Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration>
     <appSettings/>
     <connectionStrings>
          <add name="WroxUnitedConnectionString" connectionString="Data
Source=.\SQLEXPRESS;AttachDbFilename=|DataDirector y|WroxUnited.mdf;Integrated
Security=True;User Instance=True" providerName="System.Data.SqlClient"/>
     </connectionStrings>
     <system.web>
          <!--
Set compilation debug="true" to insert debugging
symbols into the compiled page. Because this
affects performance, set this value to true only
during development.
-->
          <compilation debug="true"/>
          <!--
The <authentication> section enables configuration
of the security authentication mode used by
ASP.NET to identify an incoming user.
-->
          <authentication mode="Windows"/>
          <!--
The <customErrors> section enables configuration
of what to do if/when an unhandled error occurs
during the execution of a request. Specifically,
it enables developers to configure html error pages
to be displayed in place of a error stack trace.

<customErrors mode="RemoteOnly"
defaultRedirect="GenericErrorPage.htm">
<error statusCode="403" redirect="NoAccess.htm"/>
<error statusCode="404" redirect="FileNotFound.htm"/>
</customErrors>
-->
<anonymousIdentification enabled="true"/>
          <profile enabled="true">
               <properties>
                    <add name="MemberName"/>
                    <add name="Name"/>
                    <add name="Address"/>
                    <add name="City"/>
                    <add name="County"/>
                    <add name="PostCode"/>
                    <add name="Country"/>
                    <add name="Mailings" type="System.Boolean"/>
                    <add name="Email"/>
                    <add name="Theme"/>
<add name="Cart" serializeAs="Binary"
type="Wrox.Commerce.WroxShoppingCart"
allowAnonymous="true"/>
               </properties>
          </profile>
     </system.web>
</configuration>


How do different anonymous users take advantage of an anonymous profile?

If it is set up for Windows authentication..is someone ever "anonymous" then?..being you would have to log onto Windows, correct? (possibly Guest--unless guest = anonymous?)

SO--if I am to think about this correctly---if you reference profile.whatever...if it is windows authentication--it automatically references yoru windows account...if it is forms--then it will look to how you are referenced within the confines of ASP?..meaning...your user name--unless you are not logged on, which would then be anonymous?

I am more interested in understanding how different users can use different anonymous profile's..being the aspnetdb only has (and i haven't checked this for anonymous) one user per user--ok that sounds crazy--let me restate....if I create an "rsearing" user...and I look in the users table--there is only one "rsearing" user.

If the answer above has anything to do with session state?...then can someone provide a link to some simply explanation of how this is handled? I PM'd a group that was developing a site on the web and the PDA. To maintain ability to go "back" in forms..it was easy with the PDA..but with the web--I was told that to do this--you had session variabless..etc..and it would make the app slower because of the size of them.....I never understood this thing about session variables and would love a link that talks about it...I mean--it makes sense to wonder where you would/how you would store global variables?

:)
Rob

No, it has nothing to do with sessions. The profile is like a super session, that survives between a user's visits.

Profiles are stored for each individual user. If you look in the Profiles table you see a user ID that maps to the aspnet_Users table.

This table (aspnet_Users) stores simple user data, for both known and anonymous users (you'll recognize the latter on their GUID names). Finally, the aspnet_Membership stores detailed information about "registered" users and is used when you're using forms authentication.

I think whenever you're using Windows authentication, there are no anonymous users / profiles anymore However, that's not a problem, is it? Anonymous user tracking is created to allow you to track anonymous users. But, if all your users are already authenticated, you know who they are and you don't need the anonymous features.

With the Windows authentication, a user is added automatically in the aspnet_Users table, so profiles in the aspnet_Profiles table can be mapped to that user. So, in a way, your Windows account is referenced, but still this all takes place within the ASP.NET services and providers and uses the aspnetdb database.
But beware: AFAIK, no user is created in the aspnet_Membership table. So, an account is created, but it doesn't become a member of the site. When you do use forms authentication the aspnet_Membership table is used to store members.

Does this clarify things?

Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
Want to be my colleague? Then check out this post.

Just to add to Imar's comments, the way ASP.NET keeps track of anonymous users is that it creates a GUID and stores it in a cookie named ASPXANONYMOUS. That way it knows from one session to the next who you are. There is a lot of information on the Web about how this works, but I've never seen anything that discusses the fact that if the authentication mode is set to Windows, it won't work. However, as Imar said, it does make a certain amount of sense.

Very much so...just two more things..then I'll drop this topic.

1) I assume, then, that with "memberships" .... well ... this is just it..I am like a hair's breadth away from getting this. With forms authent., you go through WAT and can set up rules to different folders. For example, you could set up a rule to deny access to all anonymous users to a folder called /SomeFolder. Let's say that you want only users that have been added to the site to get into that folder. Being you are an authenticated windows account--how would I prevent that from happening? In other words---how would I set up a folder--or web page--to only be viewed by users I want---and not allow for those that have Windows account?

2) This is the important question. Like I had mentioned, I was part of a team that designed an app that would allow you to log on--search for patients, and then pull up various information about that patient. On the forms, there were "back" buttons to take you back to a screen. This was easy to do on the PDA--but there was a reason that it was difficult (I was told) on the Web--that was due to saving "session variables" or somethng like that. Basically, I was told, that to be able to hit a "back" button, you had to be able to save things from the current screen--and that was done via a session. The way this was explained to me is that, with most apps, you have / can have - global variables. With web apps--each page has it's own set of variables--that you have to have this "session" to store variables that can be used by all pages. First..where is this?..is it a file. lastly, I don't expect someone to explain this in this string--but does someone have a link to a fairly simple means of explaining this?

Ok--that's it---no more on this topic, I promise--just hoping someone can look at those two things above.

Kindest Regards,
Rob

And just to add a little to the above:

The GUID saved in the cookie is only stored in that cookie when you are using forms authentication. With true, unknown and anonymous (internet) users, ASP.NET hands out this cookie to keep track of a user. For each anonymous user, a record in the aspnet_Users (but not aspnet_Membership) is created.

When you are using Windows Authentication, you are always a known user, so you are never anonymous. This means you don't get a cookie with your ID. (There is no need to; you can be tracked with your Windows name). But, you do get a record in the aspnet_Users table in the format MachineName\UserName. This user is then used to hook it up to other data, including the aspnet_Profiles table.

So, in short, when you are using Windows authentication, you are always logged in by default. This is NOT because you have a record in aspnet_Users, but because you are an authenticated Windows user. In fact, the record in aspnet_Users is put there because you *are* an authenticated user.

To see what I mean and to clarify things, try this:

1. Create a brand new web site in Visual Web Developer. Accept all defaults.

2. Add the following to the web.config under system.web: 3. Add the following to the Default.aspx.vb file: 4. Save everything and hit F5.

Default.aspx loads and the profile is saved.

Close your browser and look at the database that has been created in App_Data. You'll find a record in the following tables:

1. aspnet_Users: MachineName\UserName
This is an ASP.NET Services user mapped to a Windows account. This user is used for the Profiles

2. aspnet_Profiles
A profiles record is stored in this table, with the user ID from [1]

Additionally, there is no ASPXANONYMOUS cookie. The profile is tracked through your Windows account name and not through a cookie.

If you want, start all over (delete the entire site) and follow all the steps. However, right before you hit F5, change this:

<authentication mode="Windows"/>

to

<authentication mode="Forms"/>

You'll see similar behavior. However, this time round, your user name in aspnet_Users is a GUID, and you'll have a cookie in your browser that links your browser to the user in aspnet_Users.

Hope this clarifies things.

For everyone who wants to learn more about this (in fact, get to the bottom of it), I can wholeheartedly suggest the book "Professional ASP.NET 2.0 Security, Membership, and Role Management" by "Stefan Schackow". It's without a doubt the best book on the subject. You can find the book here: http://www.wrox.com/WileyCDA/WroxTit...764596985.html

This will be my last post for a while, so I won't be able to answer any follow up questions.

Cheers,

Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
Want to be my colleague? Then check out this post.