Web Login - Remember Me and its effect on the Session("CSLAPrincipal")

Old forum URL: forums.lhotka.net/forums/t/459.aspx


kdubious posted on Saturday, June 24, 2006

I'm stuck...

If the user checked the 'Remember Me' box in Login Control in my web app, when they come back the MembershipProvider seems to authenticate them just fine.  BUT, the user doesn't have the appropriate CustomIdentity that I wrote.

I'm using <deny users="?">, so the site doesn't allow anonymous access.

I need a suggestion for how and when to reload my session("CSLAPrincipal") when the user returns having clicked the Remember Me box.

Any ideas?  Am I missing something obvious?

 

Kevin

RockfordLhotka replied on Saturday, June 24, 2006

Some event must fire in global.asax, or from the login control, so you can detect that this has occurred.

William replied on Monday, June 26, 2006

I think I will look into BeginRequest event in global.asax, where the server code attempts to retrieve an encrypted security token from in-memory session or client's cookie. If the security token is found, the server code can decrypt it to retrieve the corresponding BusinessPrincipal from the db.

 

kdubious replied on Tuesday, June 27, 2006

William:

I think I will look into BeginRequest event in global.asax, where the server code attempts to retrieve an encrypted security token from in-memory session or client's cookie. If the security token is found, the server code can decrypt it to retrieve the corresponding BusinessPrincipal from the db.

 

William, if I do this, how do I get the password to re-login the user?  I guess I could create a Username only version of Login, or store the pass in the cookie, but both sound like bad security. 

Am I missing something?

RockfordLhotka replied on Wednesday, June 28, 2006

I would create a Login method that only takes a username - I've done this numerous times. In this context, CSLA isn't providing the security anyway - that is coming from ASP.NET. You are merely loading a pre-authenticated principal for the purpose of authorization, which is something quite different.
 
Rocky

kdubious replied on Saturday, July 01, 2006

This is what I ended up doing. 

Something seems strange about this entire mechanism....  I just can't find any way for the MembershipProvider to manage this. 

William replied on Sunday, July 02, 2006

In the "security token" being created, you can choose to embed both the user name and password, then encrypt them with some secured key on the server. The end users would not be able to decrypt this encrypted data you stored on the client.

Alternatively, you can choose to create an overloaded Login method, which takes only the user name as parameter.

 

Regards,
William
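The username-only reload Rocky and William describe, as an added C# Global.asax example (not code from this thread or from CSLA itself). It assumes a hypothetical CustomPrincipal class with a LoadByName(string) factory that takes only the user name; the session key "CSLAPrincipal" is the one from the question. The identity name is taken only from the forms-authentication ticket ASP.NET has already validated, and a cached principal is discarded if it belongs to a different account than the ticket.

```csharp
// Global.asax.cs (ASP.NET 2.0 style). CustomPrincipal and LoadByName are
// hypothetical names standing in for the app's own CSLA principal.
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public class Global : HttpApplication
{
    private const string PrincipalKey = "CSLAPrincipal";

    // Session state has been loaded by the time this event fires, which is
    // why it is used instead of BeginRequest/AuthenticateRequest.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpSessionState session = Context.Session;
        if (session == null) return;          // no session for this request (e.g. static file)

        if (!Request.IsAuthenticated)
        {
            // No forms-auth ticket: make sure no stale principal lingers.
            session.Remove(PrincipalKey);
            return;
        }

        // Name comes from the ticket ASP.NET decrypted and validated,
        // never from a query string or an unsigned client value.
        string authName = User.Identity.Name;
        CustomPrincipal principal = session[PrincipalKey] as CustomPrincipal;

        // Reload when the session is new (the "Remember Me" cookie outlived
        // the session) or the cached principal is for another account.
        if (principal == null ||
            !string.Equals(principal.Identity.Name, authName, StringComparison.OrdinalIgnoreCase))
        {
            principal = CustomPrincipal.LoadByName(authName);   // hypothetical username-only login
            if (principal == null)
            {
                // Account gone or disabled since the cookie was issued: revoke the ticket.
                session.Remove(PrincipalKey);
                FormsAuthentication.SignOut();
                Response.Redirect(FormsAuthentication.LoginUrl);
                return;
            }
            session[PrincipalKey] = principal;
        }

        // Make the CSLA principal the current user for this request.
        Csla.ApplicationContext.User = principal;
    }
}
```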

 

RockfordLhotka replied on Monday, June 26, 2006

I am at a client site until June 29, with limited email until then.

Thank you for your understanding,

Rocky

Copyright (c) Marimer LLC