Wrox Programmer Forums

This is the forum to discuss the Wrox book Beginning ASP.NET 3.5: In C# and VB by Imar Spaanjaars; ISBN: 9780470187593
  #1 (permalink)  
Old May 6th, 2010, 09:50 AM
Question about HttpContext.Current.Session

Hi Imar
I wanted to ask you about this object:
HttpContext.Current.Session
According to MSDN it is like the Session object, except that it can be accessed from VB classes and not only from code-behind pages like the Session object.

In my website I created my own MembershipProvider and ProfileProvider that are based on an MSSQL DB, and I am using the Login controls, and that works fine.
But I need to allow access to the website with username + password and also with email + password.
That works fine since it is easy to check which username has the entered email and password and let him log in - the profile gets the needed values from the DB according to the username (email or username).

The problem is that I have some users that have the same email for different usernames and passwords (different accounts but same email),
so I need to identify them according to the password, which is unique for each such customer.

The problem is that the ProfileProvider class does not know the password, since in the GetPropertyValues method (which I override in my custom provider) it gets only the username and isauthenticated values in the context As SettingsContext parameter object.

My solution was to save the password in the HttpContext.Current.Session
like this:
Code:
HttpContext.Current.Session("pass")=password
when the user is authenticated in the ValidateUser function of the custom MembershipProvider class

and to retrieve it in the GetPropertyValues function of the CustomProfileProvider like this:
Code:
Dim password As String = CStr(HttpContext.Current.Session("pass"))
so I can verify which user it is not only by username (which can also be email)
but also by password.

That works fine too, but it raises 2 questions:
1. Is it safe from a security point of view?
2. Is it safe to keep it in that object? Will it be kept all the time, and the session variable won't "get lost"?
I set the HttpContext.Current.Session.Timeout to the time I need.

Sorry for the "long story" and thanks in advance.

Barak

Last edited by barakros; May 6th, 2010 at 09:54 AM..
  #2 (permalink)  
Old May 6th, 2010, 09:56 AM

It wouldn't be my solution. Separating users by password is a bad idea. What if someone changes his password? This is what user names are for. I would try to rearchitect the solution.

To answer the question: yes, it's more or less safe to store it in Session state since no-one has access to it directly. However, it's still tricky and can lead to information disclosure, IMO. You could have a logging module that sends out errors and may include session data so it could still "leak" out of your application.

Can you please post questions that are not directly related to my book in a general ASP.NET category: http://p2p.wrox.com/asp-net-3-5-436/ Makes it easier for everyone to find stuff.

Cheers,

Imar
__________________
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Author of Beginning ASP.NET 4.5 : in C# and VB, Beginning ASP.NET Web Pages with WebMatrix
and Beginning ASP.NET 4 : in C# and VB.
  #3 (permalink)  
Old May 6th, 2010, 10:11 AM

Thanks for the quick reply.

The users can't change their password (it is given by my customer's people), but that's a good point.
The username is of course unique and cannot be changed.
Is there another way to achieve what I need?

thanks
Barak
  #4 (permalink)  
Old May 6th, 2010, 10:23 AM

Quote:
Is there another way to achieve what I need?
Create unique user names, or let them enter a user name and e-mail address.

Somehow, you need to be able to uniquely identify them....

Imar
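Added example, not part of any post in this thread and not code from the book: one way to follow the advice above in VB.NET, resolving a user name or e-mail login to exactly one unique user name at sign-in, so that only that name (never the password) has to be kept for later profile lookups. The Account type, the PBKDF2 hashing, the sample accounts and the "resolvedUser" key mentioned in the comments are assumptions made for illustration.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography

Module ResolveAtLogin
    ' Constructed account record; field names are assumptions, not the poster's schema.
    Class Account
        Public UserName, Email As String
        Public Salt, PwHash As Byte()
    End Class

    Function HashPw(pw As String, salt As Byte()) As Byte()
        Dim kdf As New Rfc2898DeriveBytes(pw, salt, 100000)
        Return kdf.GetBytes(32)
    End Function

    ' Compare hashes without stopping at the first differing byte.
    Function SameBytes(a As Byte(), b As Byte()) As Boolean
        Dim diff As Integer = a.Length Xor b.Length
        For i As Integer = 0 To Math.Min(a.Length, b.Length) - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    ' Maps a user name OR e-mail plus password to one unique user name, or Nothing.
    ' A ValidateUser override could keep this result (hypothetical session key
    ' "resolvedUser") for GetPropertyValues instead of keeping the password.
    Function ResolveUserName(accounts As List(Of Account), login As String, pw As String) As String
        Dim found As String = Nothing
        For Each a As Account In accounts
            Dim hit As Boolean = String.Equals(a.UserName, login, StringComparison.OrdinalIgnoreCase) OrElse
                                 String.Equals(a.Email, login, StringComparison.OrdinalIgnoreCase)
            If hit AndAlso SameBytes(HashPw(pw, a.Salt), a.PwHash) Then
                If found IsNot Nothing Then Return Nothing ' two accounts match: refuse the login
                found = a.UserName
            End If
        Next
        Return found
    End Function

    Function NewAccount(user As String, mail As String, pw As String) As Account
        Dim salt(15) As Byte
        RandomNumberGenerator.Create().GetBytes(salt)
        Return New Account With {.UserName = user, .Email = mail, .Salt = salt, .PwHash = HashPw(pw, salt)}
    End Function

    Sub Main()
        ' Constructed data: two accounts that share one e-mail address.
        Dim accounts As New List(Of Account) From {
            NewAccount("shop-north", "owner@example.test", "constructed-pw-1"),
            NewAccount("shop-south", "owner@example.test", "constructed-pw-2")}
        Console.WriteLine(ResolveUserName(accounts, "owner@example.test", "constructed-pw-2"))
        Console.WriteLine(ResolveUserName(accounts, "owner@example.test", "wrong") Is Nothing)
    End Sub
End Module
```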