Using Forms Authentication & Custom (Csla) Principal/Identity

Old forum URL: forums.lhotka.net/forums/t/5214.aspx


kenb posted on Friday, August 08, 2008

If you've followed the instructions on page 535 of Expert C# 2005 Business Objects, then you've created an ASP.Net website which uses Forms Authentication in conjunction with custom Csla-based Principal and Identity objects.

After implementing this, I noticed odd behavior where the user passed authorization checks (those defined in web.config <authorization> section) even after his session timed out from inactivity (and the Csla-based Principal/Identity is lost).

To address this issue, I've modified Rocky's code by changing:

If principal Is Nothing Then
   ' didn't get a principal from Session, so
   ' set it to the unauthenticated MyCslaBasedPrincipal
   MyCslaBasedPrincipal.Logout()
Else
   ' use the principal from session
   Csla.ApplicationContext.User = principal
End If

To:

If principal Is Nothing Then
   If User.Identity.IsAuthenticated AndAlso TypeOf User.Identity Is System.Web.Security.FormsIdentity Then
      ' We should only get here when the session expires after
      ' we have logged in (have a valid FormsIdentity)
      FormsAuthentication.SignOut()
      Response.Redirect(Request.Url.PathAndQuery)
   End If
   ' didn't get a principal from Session, so
   ' set it to the unauthenticated MyCslaBasedPrincipal
   MyCslaBasedPrincipal.Logout()
Else
   ' use the principal from session
   Csla.ApplicationContext.User = principal
End If

RockfordLhotka replied on Friday, August 08, 2008

That's a nice change - thanks for sharing it!

I'll probably incorporate this into PTWeb at some point.

JoeFallon1 replied on Friday, August 08, 2008

I wrote virtually that same code 3-4 years ago.

Very useful.

Joe


kenb replied on Tuesday, September 09, 2008

Due to WebResource.axd requests, I've found it is also necessary to wrap the relevant code with a check like this:

If TypeOf HttpContext.Current.Handler Is IRequiresSessionState Then
...
End If
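Putting the two posts together, here is a complete Global.asax AcquireRequestState handler as an added example (not the thread's or CSLA's own code): it skips handlers that do not load session state first (the WebResource.axd case), then drops a forms ticket that has outlived its session. The session key "CslaPrincipal" and the principal class MyCslaBasedPrincipal with a shared Logout method are assumed names taken from the thread.

```vbnet
' Global.asax code-behind - added example, not the thread's or CSLA's own code.
' Assumed names: Session key "CslaPrincipal", principal class MyCslaBasedPrincipal.
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security
Imports System.Web.SessionState

Public Class Global_asax
    Inherits HttpApplication

    Private Const PrincipalSessionKey As String = "CslaPrincipal"

    Protected Sub Application_AcquireRequestState(ByVal sender As Object, ByVal e As EventArgs)
        ' Requests such as WebResource.axd are served by handlers that do not
        ' load session state; reading Session there throws, so skip them entirely.
        If Not TypeOf Context.Handler Is IRequiresSessionState Then
            Return
        End If

        Dim principal As IPrincipal = TryCast(Session(PrincipalSessionKey), IPrincipal)

        If principal Is Nothing Then
            ' The forms ticket cookie can outlive the server-side session. If the
            ' ticket still says "authenticated" but the CSLA principal is gone,
            ' the session has expired: drop the ticket and force a fresh login
            ' instead of letting <authorization> rules pass on the stale ticket.
            If User IsNot Nothing AndAlso User.Identity.IsAuthenticated _
               AndAlso TypeOf User.Identity Is FormsIdentity Then
                FormsAuthentication.SignOut()
                Response.Redirect(Request.Url.PathAndQuery)
                Return
            End If
            ' No principal in session and no forms ticket: treat as anonymous.
            MyCslaBasedPrincipal.Logout()
        Else
            ' Session is alive: restore the CSLA principal for this request.
            Csla.ApplicationContext.User = principal
        End If
    End Sub
End Class
```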

Copyright (c) Marimer LLC