"Object reference not set to an instance of an object" error

[Lauchlan M]

Hi.

Using ASP.NET, getting an "Object reference not set to an instance of an
object" error.

In my login.aspx page I have:

string[] arrUserRoles = new string[] {"UserRole"};
Context.Items.Add("UserRoles", arrUserRoles);
Context.User = new
System.Security.Principal.GenericPrincipal(Context.User.Identity,
arrUserRoles);

In another page I have

string[] arrUserRoles = {}; <-- call this line a
arrUserRoles = (string[]) HttpContext.Current.Items["UserRoles"]; <--- Call
this line b . . . error on this line!
Label1.Text = arrUserRoles.Length.ToString();

If I comment out line b it works (displays 0 as it should). If I put line b
back in it throws the error.

Any suggestions on what's wrong?

Also, how do I test for the context variable arrUserRoles being defined?

Thanks!

Lauchlan M

 

[Teemu Keiski]

HttpContext is request specific i.e if you put something on Context.Items on
Page A, it is not there for Page B (unless you use Server.Transfer that
actually forwards the context but you can't use everywhere).

Basically you could put these into login cookie when user is logged in (or
otherwise roles assigned). Then on Application_AuthenticateRequest (in
global.asax) get the cookie and populate Context.User with the role details
from the cookie. If you use authentication (Forms auth), you would check in
Application_AuthenticateRequest that Request.IsAuthenticated is true
(because only then there would be login cookie with role data).

--
Teemu Keiski
MCP, Designer/Developer
Mansoft tietotekniikka Oy
http://www.mansoft.fi

AspInsiders Member, www.aspinsiders.com
ASP.NET Forums Moderator, www.asp.net
AspAlliance Columnist, www.aspalliance.com

 

[Lauchlan M]

HttpContext is request specific i.e if you put something on Context.Items
on

Page A, it is not there for Page B (unless you use Server.Transfer that
actually forwards the context but you can't use everywhere).

Basically you could put these into login cookie when user is logged in (or
otherwise roles assigned). Then on Application_AuthenticateRequest (in
global.asax) get the cookie and populate Context.User with the role details
from the cookie. If you use authentication (Forms auth), you would check in
Application_AuthenticateRequest that Request.IsAuthenticated is true
(because only then there would be login cookie with role data).

Thanks!

Is this the recommended way of keeping track of this security/roles data,
putting it in a cookie?

Is there some MS ASP.NET provided object that remains static over the
session? If I don't want to use cookies, should I create a session variable
for it (which seems to take away from the point of using MS's security
framework in the first place and begins to look more like a roll-your-own
exercise) and throw my roles info in there?

Thx

Lauchlan M

 

[Teemu Keiski]

Well,

that's up to you how you want to implement it and what is the demand for the
system. It all roots from the fact that every HttpContext (and the
underlying web request) is technically speaking stateless so custom means
are needed to make it stateful.

Forms authentication allows you to work in environment where cookies are not
enabled. See, if you persist into URL querystring a key/value pair where
name is the same as Forms Authentication cookie name (in web.config <forms
name=".ASPXAUTH"...>) and value is the encrypted Forms Authentication
ticket, it would work even if user has not enabled cookies. But the drawback
is that you would need to tweak the system to persist that key/value pair
into every hyperlink so that authentication is persisted while user
navigates in the system. ASP.NET does provide support for cookieless
sessions, but that's different thing from this that authnetication cookie
would be persisted.

--
Teemu Keiski
MCP, Designer/Developer
Mansoft tietotekniikka Oy
http://www.mansoft.fi

AspInsiders Member, www.aspinsiders.com
ASP.NET Forums Moderator, www.asp.net
AspAlliance Columnist, www.aspalliance.com