views: 207
answers: 1

I am currently playing with DotNetOpenAuth to make an ASP.NET (C#) website use OpenID instead of the normal login-password routine for user and session handling.

Up till now, I have added the DotNetOpenAuth.dll into my project and tried a test login page with the following:

<rp:OpenIdLogin ID="OpenIdLogin1" runat="server" />

When I run the page, I enter a valid myopenid url and the website redirects to the myopenid page, where I enter my password, and upon success, it returns back to my default.aspx, due to the following in my web.config:

<authentication mode="Forms">
    <forms defaultUrl="/Default.aspx" loginUrl="~/Login.aspx"/>
</authentication> 

Now that the user is "logged in", how can I handle my session? At the moment, I don't know how I can, for example, check if the session is still alive or how to terminate the session.

My basic question is, how can I manage the session once the user is authenticated with OpenID?


[Update]

I am now using the following to check for authentication: HttpContext.Current.User, and with that I can now check if a user is authenticated with a session.

Now is there a possible way on how I can "link" user details that are stored in my database with an openid account?

+1  A: 

OpenID logins with the OpenIdLogin control are (by default) no different than a username+password login from ASP.NET's point of view. As you've discovered, HttpContext.Current.User is set on each incoming HTTP request based on an HTTP cookie that ASP.NET FormsAuthentication sends to the browser in order to keep the session consistent from request to request. While you're in a page or its code-behind, the Page.User property is an even more convenient means.

But if you're doing access control, rather than check whether there's a logged in user in every page, it's best to use the <authorization> tag in your web.config file to force the user to be logged in before accessing certain pages or directories of pages.

As far as linking user details, the key you want to associate with your users' details is the OpenID Claimed Identifier, which is what OpenIdLogin automatically assigns to the Username value for FormsAuthentication. So you can retrieve or store user details in your database based on the value of HttpContext.Current.User.Identity.Name, which will be the reliable and proven unique value for each user.

Andrew Arnott
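The three points in the answer above (check the forms-auth identity, force login via configuration rather than per-page checks, and key local user data on the Claimed Identifier that OpenIdLogin puts into Identity.Name) as one Default.aspx code-behind. This is an added example, not code from the question, the answer, or DotNetOpenAuth itself; `WelcomeLabel`, `SignOutButton`, `UserProfile` and the in-memory `ProfileStore` are assumptions standing in for the real page controls and database table.

```csharp
// Added example (not part of the original question or answer).
// Assumes Default.aspx declares a Label "WelcomeLabel" and a Button "SignOutButton"
// wired to SignOutButton_Click, and that forms authentication is configured as in
// the question's web.config.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class _Default : Page
{
    // Hypothetical stand-in for a database table keyed on the OpenID Claimed
    // Identifier. Ordinal comparison: the identifier is an opaque, already-normalized
    // string, so it must match exactly rather than case-insensitively.
    private static readonly Dictionary<string, UserProfile> ProfileStore =
        new Dictionary<string, UserProfile>(StringComparer.Ordinal);

    protected void Page_Load(object sender, EventArgs e)
    {
        // Page.User is rebuilt on every request from the FormsAuthentication cookie,
        // which is the only thing that keeps the browser "logged in" between requests.
        if (!User.Identity.IsAuthenticated)
        {
            // Sends the browser to the loginUrl from <forms ...> in web.config.
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        // With OpenIdLogin, Identity.Name holds the Claimed Identifier, which is the
        // value the answer recommends as the unique key for the user's local record.
        string claimedId = User.Identity.Name;
        UserProfile profile = GetOrCreateProfile(claimedId);

        // Anything echoed back to the page is HTML-encoded; the display name is
        // user-controlled data once it has been edited through the site.
        WelcomeLabel.Text = "Welcome, " + Server.HtmlEncode(profile.DisplayName);
    }

    protected void SignOutButton_Click(object sender, EventArgs e)
    {
        // Ends the site's session: drops the forms-auth cookie and the ASP.NET session
        // state. The session at the OpenID provider (e.g. myopenid) is independent and
        // is not affected by this.
        FormsAuthentication.SignOut();
        Session.Abandon();
        Response.Redirect(FormsAuthentication.LoginUrl, true);
    }

    // Looks up the local profile for a Claimed Identifier, creating it on first login.
    // In a real site this is a SELECT/INSERT against the users table.
    private static UserProfile GetOrCreateProfile(string claimedId)
    {
        if (string.IsNullOrEmpty(claimedId))
        {
            throw new ArgumentException("Claimed Identifier must not be empty.", "claimedId");
        }

        UserProfile profile;
        lock (ProfileStore)
        {
            if (!ProfileStore.TryGetValue(claimedId, out profile))
            {
                profile = new UserProfile
                {
                    ClaimedIdentifier = claimedId,
                    // Placeholder until the user fills in a profile; the identifier
                    // itself is the stable key, not the display name.
                    DisplayName = "new user",
                    FirstSeenUtc = DateTime.UtcNow
                };
                ProfileStore[claimedId] = profile;
            }
        }
        return profile;
    }
}

// Hypothetical local user record; the Claimed Identifier is the primary key.
public class UserProfile
{
    public string ClaimedIdentifier { get; set; }
    public string DisplayName { get; set; }
    public DateTime FirstSeenUtc { get; set; }
}
```

The per-page `IsAuthenticated` check above is only a fallback; as the answer says, the usual way to protect a directory is an `<authorization>` element in web.config, for example `<deny users="?" />` inside a `<location path="Members">` block, so that unauthenticated requests are redirected to the login page before any page code runs.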