ASP.NET: make custom role provider (authorize) behave like the custom membership provider (authenticate) in expiration

I have forms authentication working fine with a 3-month cookie expiry setting:

FormsAuthentication.Initialize();
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, this.txtUsername.Text, DateTime.Now
                    , DateTime.Now.AddMonths(3), true, string.Empty);

So even if IIS is restarted or a project rebuild occurs, the user is still authenticated until he chooses to log out or 3 months have passed.

As for the custom role provider [the authorizing part], when the user logs in (isValid()), I add a session variable:

HttpContext.Current.Session.Add("userinfo", userInfo);

But as we know, the session expires after a web.config change, a project build, an IIS reboot, or after 20 minutes by default.

All I want is to make the system keep Session["userinfo"] the same way the authentication [cookie] does, but of course without putting userinfo in a cookie, because that's not secure; even storing the userId in a cookie is considered a security breach!

So how do I accomplish that? I thought of storing the user id in a cookie, but encrypted; then, if I find the session has expired but the user is still authenticated, I'll reload the userInfo from the DB. Is that good enough, or is a better approach available? And what about storing userInfo in the authTicket (in place of string.Empty in the code segment above): is it accessible later, and how do I use it?


OK, it seems nobody responded! So I chose to store the userId in the user-data section of the auth ticket:

FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, this.txtUsername.Text, DateTime.Now
                , DateTime.Now.AddMonths(3), true, UserInfo.UserId.ToString());

Then, when I need to check the userInfo, I use the following property:

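public UserInformation UserInfo
{
    get
    {
        // Session is empty after an app restart or session timeout,
        // while the forms-authentication ticket is still valid.
        if (Session["userinfo"] == null)
        {
            // The ticket was decrypted by forms authentication for this request;
            // UserData holds the user id stored at login.
            FormsIdentity id = (FormsIdentity)User.Identity;
            FormsAuthenticationTicket ticket = id.Ticket;
            long userId = Convert.ToInt64(ticket.UserData);

            // Reload the full user info from the database and cache it in session.
            Session["userinfo"] = new MySqlMembershipProvider().LoadUserInfo(userId);
        }
        return (UserInformation)Session["userinfo"];
    }
}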

That's all. I thought of a profile provider, but I didn't like the idea of fetching the user permissions from the DB [9-table structure] and then re-storing them under one record in the sessions tables [it's like going around in circles]; besides, if the user's perms or prefs are updated, more DB hits are required!!
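
The user-data approach above, written out end to end as an added example (not the poster's code): issuing the encrypted ticket cookie at login and reading the id back without throwing on anonymous or malformed input. `TicketUserId`, `Issue` and `TryRead` are hypothetical names, and it assumes the default `<forms protection="All">`, so the ticket is encrypted and validated with the machine key.

```csharp
using System;
using System.Globalization;
using System.Web;
using System.Web.Security;

// Added example; class and method names are hypothetical.
public static class TicketUserId
{
    // Login: carry the user id in the ticket's UserData and send the ticket encrypted.
    public static void Issue(HttpResponse response, string userName, long userId)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMonths(3), true,
            userId.ToString(CultureInfo.InvariantCulture),
            FormsAuthentication.FormsCookiePath);

        // Encrypt() applies the protection configured on <forms>; the browser
        // only ever sees the opaque result, never the raw user id.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // follows requireSSL in web.config
            Path = FormsAuthentication.FormsCookiePath,
            Expires = ticket.Expiration               // persistent, same 3 months as the ticket
        };
        response.Cookies.Add(cookie);
    }

    // Later requests: returns false instead of throwing when the request is
    // anonymous, uses another identity type, or carries unexpected UserData.
    public static bool TryRead(HttpContext context, out long userId)
    {
        userId = 0;
        FormsIdentity identity =
            context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return false;

        FormsAuthenticationTicket ticket = identity.Ticket;
        if (ticket.Expired) return false;

        // Digits only: reject signs, whitespace and separators.
        return long.TryParse(ticket.UserData, NumberStyles.None,
                             CultureInfo.InvariantCulture, out userId);
    }
}
```

Because the ticket lives for 3 months, keep only the id in it and reload permissions from the database when the session is empty, so that permission changes take effect without waiting for the ticket to expire.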
