p2p.wrox.com Forums (http://p2p.wrox.com/index.php)
-   BOOK: Beginning ASP.NET 3.5 : in C# and VB BOOK ISBN: 978-0-470-18759-3 (http://p2p.wrox.com/forumdisplay.php?f=389)
-   -   Question about HttpContext.Current.Session (http://p2p.wrox.com/showthread.php?t=79327)

barakros May 6th, 2010 09:50 AM

Question about HttpContext.Current.Session
 
Hi Imar
I wanted to ask you about this object:
HttpContext.Current.Session
According to MSDN it is like the Session object, except that it can be accessed from VB classes and not only from code-behind pages like the Session object.

I created in my website my own MembershipProvider and ProfileProvider that are based on an MSSQL DB, and I am using the Login controls, and that works fine.
But I need to allow access to the website with username + password and also with email + password.
That works fine since it's easy to check which username has the entered email and password and let him log in - the profile gets the needed values from the DB according to the username (email or username).

The problem is that I have some users that have the same email for different usernames and passwords (different accounts but the same email),
so I need to identify them according to the password, which is unique for each such customer.

The problem is that the ProfileProvider class does not know the password, since in the GetPropertyValues method (which I override in my custom provider) it only gets the username and isauthenticated values in the context As SettingsContext parameter object.

My solution was to save the password in HttpContext.Current.Session
like this:
Code:

HttpContext.Current.Session("pass") = password
when the user is authenticated in the ValidateUser function of the custom MemberShipProvider class

and to retrieve it in the GetPropertyValues function of the CustomProfileProvider like this:
Code:

Dim password As String = CStr(HttpContext.Current.Session("pass"))
so I can verify which user it is not only by username (which can be the email also)
but also by password.

That works fine too, but it raises 2 questions:
1. Is it safe from a security point of view?
2. Is it safe to keep it in that object? Will it be kept all the time, and won't the session variable "get lost"?
I set HttpContext.Current.Session.Timeout to the time I need.

Sorry for the "long story" and thanks in advance.

Barak

Imar May 6th, 2010 09:56 AM

It wouldn't be my solution. Separating users by password is a bad idea. What if someone changes his password? This is what user names are for. I would try to rearchitect the solution.

To answer the question: yes, it's more or less safe to store it in Session state since no one has access to it directly. However, it's still tricky and can lead to information disclosure, IMO. You could have a logging module that sends out errors and may include session data, so it could still "leak" out of your application.

Can you please post questions that are not directly related to my book in a general ASP.NET category: http://p2p.wrox.com/asp-net-3-5-436/ Makes it easier for everyone to find stuff.

Cheers,

Imar

barakros May 6th, 2010 10:11 AM

Thanks for the quick reply.

The users can't change their password (it is given by my customer's people), but that's a good point.
The username is of course unique and cannot be changed.
Is there another way to achieve what I need?

Thanks
Barak

Imar May 6th, 2010 10:23 AM

Quote:

Is there another way to achieve what I need?
Create unique user names, or let them enter a user name and e-mail address.

Somehow, you need to be able to uniquely identify them....

Imar
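The approach Imar suggests, resolving a login to exactly one account and keying everything on the unique user name rather than carrying the password around in Session state, can be sketched as follows. This is an added example in C# (the book covers both C# and VB); it is not code from the thread, the book, or any Wrox project. It assumes an in-memory account list standing in for the MSSQL database, a `Dictionary` standing in for `HttpContext.Current.Session`, and per-account salted PBKDF2 hashes (`Rfc2898DeriveBytes`) instead of plaintext passwords, so it runs as a plain console program without System.Web.

```csharp
// Added example (not from the thread or the book): resolve a login identifier
// that may be a user name or an e-mail address to ONE account, then store only
// the canonical user name in session so the ProfileProvider can key on it.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

class Account
{
    public string UserName;      // unique and immutable, as the thread states
    public string Email;         // may be shared by several accounts
    public byte[] Salt;
    public byte[] PasswordHash;  // PBKDF2 output; the password itself is never kept
}

static class AccountStore
{
    const int Iterations = 10000;
    static readonly List<Account> Accounts = new List<Account>();

    public static void Add(string userName, string email, string password)
    {
        var salt = new byte[16];
        RandomNumberGenerator.Create().GetBytes(salt);
        Accounts.Add(new Account { UserName = userName, Email = email,
                                   Salt = salt, PasswordHash = Hash(password, salt) });
    }

    static byte[] Hash(string password, byte[] salt)
    {
        return new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(32);
    }

    // Constant-time comparison so timing does not reveal how many bytes matched.
    static bool Verify(Account a, string password)
    {
        byte[] h = Hash(password, a.Salt);
        int diff = 0;
        for (int i = 0; i < h.Length; i++) diff |= h[i] ^ a.PasswordHash[i];
        return diff == 0;
    }

    // A bare user name is authoritative. An e-mail address is accepted only when
    // it belongs to a single account; if several accounts share it, the caller is
    // told to sign in with the user name instead of being disambiguated by password.
    public static Account Resolve(string loginId, string password, out string failure)
    {
        failure = null;
        Account a = Accounts.FirstOrDefault(
            x => x.UserName.Equals(loginId, StringComparison.OrdinalIgnoreCase));
        if (a == null)
        {
            var byEmail = Accounts.Where(
                x => x.Email.Equals(loginId, StringComparison.OrdinalIgnoreCase)).ToList();
            if (byEmail.Count > 1)
            {
                failure = "e-mail address is shared by several accounts; sign in with your user name";
                return null;
            }
            a = byEmail.FirstOrDefault();
        }
        if (a == null || !Verify(a, password)) { failure = "invalid credentials"; return null; }
        return a;
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample data: two accounts share one e-mail address.
        AccountStore.Add("alice", "team@example.com", "pw-one");
        AccountStore.Add("alice2", "team@example.com", "pw-two");
        AccountStore.Add("bob", "bob@example.com", "pw-bob");

        // Stand-in for HttpContext.Current.Session in the ValidateUser step.
        var session = new Dictionary<string, object>();

        string[][] attempts = {
            new[] { "bob@example.com", "pw-bob" },   // unique e-mail: accepted
            new[] { "team@example.com", "pw-two" },  // shared e-mail: rejected
            new[] { "alice2", "pw-two" }             // user name: accepted
        };
        foreach (var attempt in attempts)
        {
            string why;
            Account acct = AccountStore.Resolve(attempt[0], attempt[1], out why);
            if (acct == null) { Console.WriteLine("{0}: rejected ({1})", attempt[0], why); continue; }
            session["username"] = acct.UserName;  // what GetPropertyValues should key on
            Console.WriteLine("{0}: signed in as {1}", attempt[0], acct.UserName);
        }
    }
}
```

With this layout the ProfileProvider needs nothing but the user name it already receives in the SettingsContext, nothing secret sits in session state where a logging or error-reporting module could pick it up, and a shared e-mail address is handled by asking for the user name rather than by trusting the password to tell accounts apart.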
