If you've followed the instructions on page 535 of Expert C# 2005 Business Objects, then you've created an ASP.NET website which uses Forms Authentication in conjunction with custom Csla-based Principal and Identity objects.
After implementing this, I noticed odd behavior where the user passed authorization checks (those defined in web.config <authorization> section) even after his session timed out from inactivity (and the Csla-based Principal/Identity is lost).
To address this issue, I've modified Rocky's code by changing:
If principal Is Nothing Then
    ' didn't get a principal from Session, so
    ' set it to the unauthenticated MyCslaBasedPrincipal
    MyCslaBasedPrincipal.Logout()
Else
    ' use the principal from session
    Csla.ApplicationContext.User = principal
End If
To:
If principal Is Nothing Then
    If User.Identity.IsAuthenticated AndAlso TypeOf User.Identity Is System.Web.Security.FormsIdentity Then
        ' We should only get here when the session expires after
        ' we have logged in (have a valid FormsIdentity)
        FormsAuthentication.SignOut()
        Response.Redirect(Request.Url.PathAndQuery)
    End If
    ' didn't get a principal from Session, so
    ' set it to the unauthenticated MyCslaBasedPrincipal
    MyCslaBasedPrincipal.Logout()
Else
    ' use the principal from session
    Csla.ApplicationContext.User = principal
End If
That's a nice change - thanks for sharing it!
I'll probably incorporate this into PTWeb at some point.
I wrote virtually that same code 3-4 years ago.
Very useful.
Joe
Due to WebResource.axd requests, I've found it is also necessary to wrap the relevant code with a check like this:
If TypeOf HttpContext.Current.Handler Is IRequiresSessionState Then
    ...
End If
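Putting the two fixes from this thread together, here is an added illustration (not Rocky's PTWeb code or the book's) of a complete Application_AcquireRequestState handler in Global.asax: the IRequiresSessionState guard keeps WebResource.axd requests out, and the FormsIdentity check signs the user out when the forms-auth ticket outlives the session that held the Csla principal. The session key name "CslaPrincipal" and the class name MyCslaBasedPrincipal from the first post are assumptions.

```vbnet
' Global.asax code-behind (VB.NET). Added illustration, not the book's or PTWeb's code.
' Assumes the login page stores the Csla-based principal in Session("CslaPrincipal")
' and that MyCslaBasedPrincipal is the custom principal class from the thread.
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security
Imports System.Web.SessionState

Public Class [Global]
    Inherits HttpApplication

    Private Const PrincipalSessionKey As String = "CslaPrincipal" ' assumed key name

    Protected Sub Application_AcquireRequestState(ByVal sender As Object, ByVal e As EventArgs)
        ' Handlers such as WebResource.axd do not use session state; Session is
        ' Nothing for them, so skip the whole check instead of touching it.
        If Not TypeOf HttpContext.Current.Handler Is IRequiresSessionState Then
            Return
        End If

        Dim principal As IPrincipal = TryCast(Session(PrincipalSessionKey), IPrincipal)

        If principal Is Nothing Then
            ' The forms-auth cookie can still be valid after the session (and the
            ' Csla principal stored in it) has expired. Left alone, the web.config
            ' <authorization> rules would pass on the bare FormsIdentity, which is
            ' the behaviour reported at the top of the thread.
            If User IsNot Nothing AndAlso User.Identity.IsAuthenticated AndAlso _
               TypeOf User.Identity Is FormsIdentity Then
                FormsAuthentication.SignOut()
                ' Redirect to the same URL; with the ticket gone, forms
                ' authentication sends the user back to the login page.
                Response.Redirect(Request.Url.PathAndQuery)
            End If
            ' No principal in session: fall back to the unauthenticated principal.
            MyCslaBasedPrincipal.Logout()
        Else
            ' Use the principal from session for this request.
            Csla.ApplicationContext.User = principal
        End If
    End Sub
End Class
```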
Copyright (c) Marimer LLC