Wrox Programmer Forums
BOOK: Beginning ASP.NET 3.5 : in C# and VB BOOK ISBN: 978-0-470-18759-3
This is the forum to discuss the Wrox book Beginning ASP.NET 3.5: In C# and VB by Imar Spaanjaars; ISBN: 9780470187593
Welcome to the p2p.wrox.com Forums.

You are currently viewing the BOOK: Beginning ASP.NET 3.5 : in C# and VB BOOK ISBN: 978-0-470-18759-3 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
May 6th, 2010, 09:50 AM
Authorized User
Question about HttpContext.Current.Session

Hi Imar
I wanted to ask you about this object:
HttpContext.Current.Session
According to MSDN it is like the Session object, just that it can be accessed from VB classes and not only from code-behind pages like the Session object.

I created in my website my own MembershipProvider and ProfileProvider that are based on an MSSQL DB, and I am using the Login controls and that works fine.
But I need to allow access to the website with username + password and also with email + password.
That works fine since it is easy to check which username has the entered email and password and let him log in - the profile is getting the needed values from the DB according to the username (email or username).

The problem is that I have some users that have the same email for different usernames and passwords (different accounts but same email),
so I need to identify them according to the password, which is unique for each such customer.

The problem is that the ProfileProvider class does not know the password, since in the GetPropertyValues method (which I override in my custom provider) it gets only the username and isauthenticated values in the context As SettingsContext parameter object.

My solution was to save the password in the HttpContext.Current.Session
like this:
Code:
HttpContext.Current.Session("pass")=password
when the user is authenticated in the ValidateUser function of the custom MembershipProvider class,

and to retrieve it in the GetPropertyValues function of the CustomProfileProvider like this:
Code:
Dim password As String = CStr(HttpContext.Current.Session("pass"))
so I can verify which user it is not only by username (which can be email also)
but also by password.

That works fine also, but it raises 2 questions:
1. Is it safe from a security point of view?
2. Is it safe to keep it in that object? Will it be kept all the time and the session variable won't "get lost"?
I set the HttpContext.Current.Session.Timeout to the time I need.

Sorry for the "long story" and thanks in advance.

Barak

Last edited by barakros; May 6th, 2010 at 09:54 AM.
 
May 6th, 2010, 09:56 AM
Wrox Author

It wouldn't be my solution. Separating users by password is a bad idea. What if someone changes his password? This is what user names are for. I would try to rearchitect the solution.

To answer the question: yes, it's more or less safe to store it in Session state since no one has access to it directly. However, it's still tricky and can lead to information disclosure, IMO. You could have a logging module that sends out errors and may include session data so it could still "leak" out of your application.

Can you please post questions that are not directly related to my book in a general ASP.NET category: http://p2p.wrox.com/asp-net-3-5-436/ Makes it easier for everyone to find stuff.

Cheers,

Imar
__________________
Imar Spaanjaars
http://Imar.Spaanjaars.Com

Author of Beginning ASP.NET 4.5 : in C# and VB, Beginning ASP.NET Web Pages with WebMatrix
and Beginning ASP.NET 4 : in C# and VB.
 
May 6th, 2010, 10:11 AM
Authorized User

Thanks for the quick reply.

The users can't change their password (it is given by my customer's people) but that's a good point.
The username is of course unique and cannot be changed.
Is there another way to achieve what I need?

Thanks
Barak
 
May 6th, 2010, 10:23 AM
Wrox Author

Quote:
Is there another way to achieve what I need?
Create unique user names, or let them enter a user name and e-mail address.

Somehow, you need to be able to uniquely identify them....

Imar

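The thread's two concerns, that a password kept in Session can leak and that an account has to be identified uniquely, can both be met by resolving the login to its unique user name once, when the credentials are validated, and keeping only that name afterwards. The following is an added example, not code from the thread or the book; the `Account` class, `ResolveUserName`, the PBKDF2 hashing and the sample accounts are assumptions made for illustration.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography

' Added example; Account, the helper names and the sample data are hypothetical.
Public Class Account
    Public UserName As String            ' unique, never changes
    Public Email As String               ' may be shared by several accounts
    Public Salt, PasswordHash As Byte()  ' only a salted hash is stored
End Class

Public Module LoginResolver
    Public Function HashPassword(password As String, salt As Byte()) As Byte()
        Dim kdf As New Rfc2898DeriveBytes(password, salt, 10000) ' PBKDF2
        Return kdf.GetBytes(20)
    End Function
    ' Compares every byte so the running time does not reveal where hashes differ.
    Private Function SameBytes(a As Byte(), b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function
    ' Returns the one user name these credentials belong to, or Nothing.
    Public Function ResolveUserName(accounts As IEnumerable(Of Account), _
                                    login As String, password As String) As String
        Dim match As String = Nothing
        For Each acct As Account In accounts
            Dim hit As Boolean = _
                String.Equals(acct.UserName, login, StringComparison.OrdinalIgnoreCase) OrElse _
                String.Equals(acct.Email, login, StringComparison.OrdinalIgnoreCase)
            If Not hit Then Continue For
            If SameBytes(HashPassword(password, acct.Salt), acct.PasswordHash) Then
                If match IsNot Nothing Then Return Nothing ' two accounts match: refuse
                match = acct.UserName
            End If
        Next
        Return match
    End Function
    Function MakeAccount(name As String, email As String, pw As String, salt As Byte()) As Account
        Return New Account With {.UserName = name, .Email = email, .Salt = salt, .PasswordHash = HashPassword(pw, salt)}
    End Function
    Sub Main()
        Dim accounts As New List(Of Account) ' constructed: two accounts sharing one e-mail
        accounts.Add(MakeAccount("alice", "shared@example.test", "pw-alice", New Byte() {1, 2, 3, 4, 5, 6, 7, 8}))
        accounts.Add(MakeAccount("bob", "shared@example.test", "pw-bob", New Byte() {8, 7, 6, 5, 4, 3, 2, 1}))
        ' Only this unique name needs to outlive the login request, not the password.
        Console.WriteLine(ResolveUserName(accounts, "shared@example.test", "pw-bob"))
    End Sub
End Module
```

With this shape, the value that would be kept for later profile lookups is the resolved user name, so an error report that dumps session data exposes an identifier rather than a credential.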



Copyright (c) 2020 John Wiley & Sons, Inc.