Hi Imar
I wanted to ask you about this object:
HttpContext.Current.Session
According to MSDN it is like Session object just that it can be access from VB classes and not only from code behind pages like Session object.

I created in my website my own MembershipProvider and ProfileProvider that base on MSSQL DB. and I am using the Login controls and that’s works fine.
But I need to allow access to the website with username + password and also with email+password.
That works fine since it easy to check which username has the enterd email and password and let him login - the profile is getting the needed values from the DB according to the username (email or username)

the problem is that I have some users that have the same email for different usernames and passwords (different accounts but same email)
so I need to identify them according to the password which is unique for each such customer.

the problem is that the ProfileProvider class does not know the password since it gets in the GetPropertyValues method (which I Overrides in my custom Provider) only the username and isauthenticated values in the context As SettingsContext parameter object.

my solution was to save the password in the HttpContext.Current.Session
like this:
when the user is authenticated in the ValidateUser function of the custom MemberShipProvider class

and to retrieve it in the GetPropertyValues function of the CustomProfileProvider like this:
so I can verify which user it not only by username (which can be email also)
but also by password.

that works fine also but it raises 2 questions:
1. is it safe from security point of view?
2. is it safe to keep it in that object? will it be kept all the time and the session variable won't "get lost"?
I set the HttpContext.Current.Session.Timeout to the time I need.

sorry for the "long story" and thanks in advanced

Barak

It wouldn't be my solution. Separating users by password is a bad idea. What if someone changes his password? This is where user names are for. I would try to rearchitect the solution.

To answer the question: yes, it's more or less safe to store it in Session state since no-on has access to it directly. However, it's still tricky and can lead to information disclosure, IMO. You could have a logging module that sends out errors and may include session data so it could still "leak" out of your application.

Can you please post questions that are not directly relayed to my book in a general ASP.NET category: http://p2p.wrox.com/asp-net-3-5-436/ Makes it easier for everyone to find stuff.

Cheers,

Imar

__________________
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Follow me on Twitter

Author of Beginning ASP.NET 4.5 : in C# and VB, Beginning ASP.NET Web Pages with WebMatrix
and Beginning ASP.NET 4 : in C# and VB.
Did this post help you? Click the button below this post to show your appreciation!

thanks for the quick reply.

the users can't change their password (it is given by my customer people) but that a good point.
the username is offcourse unique and can not be changed.
is there another way to achive what I need ?

thanks
Barak

Create unique user names, or let them enter a user name and e-mail address.

Somehow, you need to be able to uniquely identify them....

Imar

__________________
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Follow me on Twitter

Author of Beginning ASP.NET 4.5 : in C# and VB, Beginning ASP.NET Web Pages with WebMatrix
and Beginning ASP.NET 4 : in C# and VB.
Did this post help you? Click the button below this post to show your appreciation!