Roles not loaded at in LoggedIn event

[Guest]

I've a simple asp.net applicaiton in which I'm using the login control.

I trap the LoggedIn event and then decide which pages to redirect the user
to based on their role.

The problem is that no roles appear to be loaded at this point.

Curiously, if I login twice, the second time the roles are available and in
general if I log in then the roles shown seem to be for the PREVIOUS login.

I can find no way to force the reloading of roles and I have no idea what is
happening here despite some hours spent scouring the net!

No doubt it is obvious, but sadly, not to me!

Iain

 

[Guest]

I've a simple asp.net applicaiton in which I'm using the login control.

I trap the LoggedIn event and then decide which pages to redirect the user
to based on their role.

The problem is that no roles appear to be loaded at this point.

Does anyone have any ideas about this? It would seem that I'm either doing
something terribly stupid or there is a serious flaw in the way in which the
Roles are handled. I prefer the first option (<g>), but I can't see it!


Iain

 

[Peter Bradley]

I've never used the login control, but presumably the onus is on you to get
the roles. A quick look at the help for the login control doesn't show that
it provides any features such as role retrieval.

Roles could, for example, be stored in an RDBMS or in some sort of Directory
Service, or in an XML file or even in a text file. How have you arranged
for the roles to be retrieve?

HTH


Peter

 

[Guest]

I've never used the login control, but presumably the onus is on you to get
the roles. A quick look at the help for the login control doesn't show that
it provides any features such as role retrieval.

Hi, Peter.

YOu will see from my first post that a resubmit of the login page picks up
the roles correctly. The roles are present in the same SQLExpress database
as the users.

The symptoms are as if the roles are not loaded until after the LoggedIn
event is called, which is plain bizzare.

Iain

 

[Peter Bradley]

Where is your code that loads the roles?


Peter

Hi, Peter.

YOu will see from my first post that a resubmit of the login page picks up
the roles correctly. The roles are present in the same SQLExpress
database
as the users.

The symptoms are as if the roles are not loaded until after the LoggedIn
event is called, which is plain bizzare.

Iain

 

[Peter Bradley]

Just had a look at the help for the control:
<quote>
Notes to Implementers Custom authentication schemes should set the
Authenticated property to true to indicate that a user has been
authenticated. When a user submits his or her login information, the Login
control first raises the LoggingIn event, then the Authenticate event, and
finally the LoggedIn event.

</quote>

So, if it were me, I'd retrieve the roles in the Authenticate event. Since
we use Forms authentication, I'd then store them as a delimited string in a
FormsAuthenticationTicket, which I'd then encrypt and store in a cookie.
The Application_AuthenticateRequest event handler can then retrieve and
decrypt the cookie, get the roles stored and put them into an Identity
object in a Principal object.

HTH



Peter

 

[Guest]

Just had a look at the help for the control:
<quote>
Notes to Implementers Custom authentication schemes should set the
Authenticated property to true to indicate that a user has been
authenticated. When a user submits his or her login information, the Login
control first raises the LoggingIn event, then the Authenticate event, and
finally the LoggedIn event.

</quote>

So, if it were me, I'd retrieve the roles in the Authenticate event. Since
we use Forms authentication, I'd then store them as a delimited string in a
FormsAuthenticationTicket, which I'd then encrypt and store in a cookie.
The Application_AuthenticateRequest event handler can then retrieve and
decrypt the cookie, get the roles stored and put them into an Identity
object in a Principal object.

Hi, Peter.

I'm not using custom authentication and as I'm checking roles (with
User.IsInRole("MyRole")) in the LoggedIn Event this should be equivalent to
doing it in the Authenticated event. I've worked around this, by not
checking the role in the login form, but rather redirecting the form to a
holding page, checking there for the role (which works) and then redirecting
again if need be.

I would have to regard this as a bug. It's not the way I would expect it to
work.

Other oddities I've picked up (which I think are plain wrong!) are..

If you login without first logging out, the login does not work. YOu remain
logged in as the previous user.

If you login as a new user, the session is not restarted.

My work around is to use FormsAuthentication.SignOut() to force a log off
(why is this not part of the Membership class?) and also to clear the session
in the LogginIn event.

Dear Microsoft, a spoonful of documentation would have saved me a
considerable time of messing around.

Iain