I want to implement forms authentication on an ASP.NET website. The site should look the user up in the database to get some data and then authenticate against LDAP (Active Directory) to validate the user/password combo.

After that I need to keep an instance of a class that represents the user, to use it in various forms.

I tried to do it before with a login control that checks the previous conditions, sets AuthenticateEventArgs.Authenticated = true and places the object inside the session: Session["user"] = authenticatedUser; but I had problems synchronizing both of them (the session expired before the auth cookie and I got NullReferenceExceptions when the pages tried to use the now defunct session object).

Which is the best way to accomplish this? Is there some way to sync the session timeout with the cookie lifespan? Should the user object be saved some other way? Did I miss the point?

Thank you.

UPDATE: I cannot use the Windows auth provider because the site should be accessible from outside our private network.

A: 

I would use Windows Authentication as the main authentication provider, but roll my own simple database persistence for user information.

Your session method would work, you can adjust session timeout in IIS and match it to the authentication cookie timeout.

Also, you can do something like this in an HttpModule to catch edge cases (app pool recycles, etc.) that also clear the session.

Pseudocode:

if (HttpContext.Current.Session["user"] == null)
{
    FormsAuthentication.SignOut();
}

This would force the user to authenticate.

FlySwat
HTTPModule? could you tell me more about it?
AlbertEin
would Session_End on a Global.asax do the trick?
AlbertEin
I'd do it on Application_BeginRequest in global.asax. HttpModules are basically global.asax compiled into separate DLLs. Good for modularity.
FlySwat
Why is Begin_Request better than Session_End?
AlbertEin
If Session is gone, you want to redirect to the authentication page immediately.
FlySwat
But when the session is gone, shouldn't forms authentication take care of that if I do FormsAuthentication.SignOut()?
AlbertEin
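A fuller version of the module idea from this answer, written as an added example (it is not FlySwat's code or part of the original thread). It assumes the same Session["user"] key the question uses and hooks PostAcquireRequestState rather than BeginRequest, because session state is only loaded in AcquireRequestState and is still null at BeginRequest. The security point is that a forms ticket which has outlived its server-side user record must not keep granting access; the module drops the ticket and forces a fresh login instead of letting pages dereference a missing session object.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example (not from the original post): ends the forms-authentication
// ticket when the server-side session has been lost (timeout, app-pool
// recycle, Session.Abandon elsewhere) so the user re-authenticates instead
// of hitting a NullReferenceException on Session["user"].
public class SessionAuthSyncModule : IHttpModule
{
    // Same key the question stores the user object under.
    private const string UserSessionKey = "user";

    public void Init(HttpApplication app)
    {
        // Session state is acquired in AcquireRequestState, so this is the
        // first event where both the auth cookie and the session are usable.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // Handlers without session state (static files, some .axd) have no Session.
        if (ctx.Session == null) return;

        // Anonymous requests, including the login page itself, are left alone.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;

        if (ctx.Session[UserSessionKey] == null)
        {
            // Ticket present, user record gone: remove the ticket, discard the
            // rest of the session and send the browser back through Login.aspx.
            FormsAuthentication.SignOut();
            ctx.Session.Abandon();
            FormsAuthentication.RedirectToLoginPage();
        }
    }

    public void Dispose()
    {
    }
}
```

Register the module in web.config under `<system.web><httpModules>` (classic pipeline) or `<system.webServer><modules>` (integrated pipeline) with the type name above. Because the check runs on every authenticated request, a stale ticket is rejected on its first use rather than on whichever page happens to touch Session["user"] first.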
A: 

I set the session and auth cookie timeout values to the same value. I use sliding windows for my auth cookie. I also make it a habit to never assume that values I get out of the session are non-null before attempting to use them. I often abstract all of the session functionality out into a proxy class that contains strongly typed properties for the values I store in the session. The error handling for bad session data is localized in the proxy.

tvanfosson
So, there's no elegant and automatic way to always have them synced together?
AlbertEin
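One shape the proxy class described in this answer can take, as an added example rather than tvanfosson's own code. It assumes the Session["user"] key from the question and a hypothetical AuthenticatedUser type standing in for the question's user object. All session reads go through typed properties, so the "value is missing" case is handled in one place and surfaces as a clear exception or a boolean check instead of a NullReferenceException scattered across pages.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

// Hypothetical stand-in for the question's user object (added for the example).
public class AuthenticatedUser
{
    public string Login { get; set; }
    public string DisplayName { get; set; }
}

// Added example (not from the original answer): strongly typed proxy over the
// ASP.NET session. Pages never touch Session[...] directly.
public sealed class UserSession
{
    private const string UserKey = "user";   // same key the question uses
    private readonly HttpSessionState _session;

    public UserSession(HttpSessionState session)
    {
        if (session == null) throw new ArgumentNullException("session");
        _session = session;
    }

    // Convenience accessor for page code.
    public static UserSession Current
    {
        get { return new UserSession(HttpContext.Current.Session); }
    }

    // 'as' yields null both when the key is absent and when the stored object
    // has an unexpected type, so callers only ever see a valid user or null.
    public AuthenticatedUser User
    {
        get { return _session[UserKey] as AuthenticatedUser; }
        set { _session[UserKey] = value; }
    }

    public bool HasUser
    {
        get { return User != null; }
    }

    // Use where a user is mandatory: fails with a descriptive message instead
    // of a NullReferenceException deep inside page logic.
    public AuthenticatedUser RequireUser()
    {
        AuthenticatedUser user = User;
        if (user == null)
        {
            throw new InvalidOperationException(
                "No authenticated user in session; the session expired or was never established.");
        }
        return user;
    }

    public void Clear()
    {
        _session.Remove(UserKey);
    }
}
```

In a page, `UserSession.Current.HasUser` decides whether to redirect to the login page, and `UserSession.Current.RequireUser()` is used where the code cannot proceed without a user. Storing the user in session at login becomes `UserSession.Current.User = authenticatedUser;`.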
A: 

Storing the user info in the session will work fine. To sync session timeout and auth cookie timeout, just edit your web.config:

<sessionState timeout="XX" />
<authentication mode="Forms">
  <forms loginUrl="Login.aspx" timeout="XX" />
</authentication>

Both values are in minutes.

Test for null EVERY time you get a value from the Session!

Bryan
Why should I test for null? What's so unreliable about the session that you cannot trust the value it should contain?
AlbertEin