I wanted to ask you about this object:
According to MSDN it is like Session object just that it can be access from VB
classes and not only from code behind pages like Session object.
I created in my website my own MembershipProvider and ProfileProvider that base on MSSQL DB. and I am using the Login controls and that’s works fine.
But I need to allow access to the website with username + password and also with email+password.
That works fine since it easy to check which username has the enterd email and password and let him login - the profile is getting the needed values from the DB according to the username (email or username)
the problem is that I have some users that have the same email for different usernames and passwords (different accounts but same email)
so I need to identify them according to the password which is unique for each such customer.
the problem is that the ProfileProvider class does not know the password since it gets in the GetPropertyValues
method (which I Overrides in my custom Provider) only the username and isauthenticated values in the context As SettingsContext
my solution was to save the password in the HttpContext.Current.Session
when the user is authenticated in the ValidateUser
function of the custom MemberShipProvider class
and to retrieve it in the GetPropertyValues
function of the CustomProfileProvider like this:
Dim password As String = CStr(HttpContext.Current.Session("pass"))
so I can verify which user it not only by username (which can be email also)
but also by password.
that works fine also but it raises 2 questions:
1. is it safe from security point of view?
2. is it safe to keep it in that object? will it be kept all the time and the session variable won't "get lost"?
I set the HttpContext.Current.Session.Timeout
to the time I need.
sorry for the "long story" and thanks in advanced