Session vs. RoleProvider

Arthur Dent

Please help... I am stumped...

I have an app, written in VB.NET fwiw. I have a custom RoleProvider class,
cuz I finally got tired enough of hacking with application variables to
learn the "correct" way to do roles. ;) ....

Now, the problem is that my RoleProvider and my FormsAuthentication
session do not stay together. That is to say, I frequently see cases where
the session will expire, but the RoleProvider does not. Now, they both have
their expiration timeouts set to the same values in the web.config file.

So what I wind up with is being able to access the "locked down" areas of my
site (because my RoleProvider is still providing the correct roles) even
though my forms authentication has expired. How can I force
FormsAuthentication and a custom RoleProvider to stay in lock-step???
This is a major problem, and constitutes a pretty significant security hole.
Even though FA has expired, and it SHOULD send me back to my login page, it
doesn't, because the RoleProvider is still saying I have "Admin" rights (or
whatever rights, for the 'secured' section).

I hope someone can help me with this; thanks in advance,
- Arthur Dent.
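One defensive pattern for the failure mode described in the post above, written here as an added example and not Arthur's own provider code: the role provider only answers for the identity named in the current forms ticket, so once the ticket has expired there are no roles to grant, and the application discards any cached role cookie whenever a request arrives unauthenticated. The class names TicketBoundRoleProvider and Global_asax and the alice/bob sample memberships are constructed for illustration; a real provider would read its data from a store.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Linq
Imports System.Web
Imports System.Web.Security

' Read-only role provider whose answers are bound to the authenticated forms identity.
' Hypothetical class; the membership table below is constructed sample data.
Public Class TicketBoundRoleProvider
    Inherits RoleProvider

    ' Constructed sample data: username -> roles.
    Private Shared ReadOnly RolesByUser As New Dictionary(Of String, String())(StringComparer.OrdinalIgnoreCase) From {
        {"alice", New String() {"Admin", "Editor"}},
        {"bob", New String() {"Editor"}}
    }

    Public Overrides Property ApplicationName As String

    ' Roles are returned only for the principal the forms ticket actually names.
    ' An anonymous request, an expired ticket, or a name that does not match the
    ' ticket all yield no roles, so authorization cannot outlive authentication.
    ' Nothing is cached in Session or Application state between requests.
    Public Overrides Function GetRolesForUser(username As String) As String()
        Dim ctx = HttpContext.Current
        If ctx Is Nothing OrElse Not ctx.Request.IsAuthenticated Then Return New String() {}
        If Not String.Equals(ctx.User.Identity.Name, username, StringComparison.OrdinalIgnoreCase) Then
            Return New String() {}
        End If
        Dim found As String() = Nothing
        If RolesByUser.TryGetValue(username, found) Then Return CType(found.Clone(), String())
        Return New String() {}
    End Function

    Public Overrides Function IsUserInRole(username As String, roleName As String) As Boolean
        Return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase)
    End Function

    Public Overrides Function RoleExists(roleName As String) As Boolean
        Return GetAllRoles().Contains(roleName, StringComparer.OrdinalIgnoreCase)
    End Function

    Public Overrides Function GetAllRoles() As String()
        Return RolesByUser.Values.SelectMany(Function(r) r).Distinct(StringComparer.OrdinalIgnoreCase).ToArray()
    End Function

    Public Overrides Function GetUsersInRole(roleName As String) As String()
        Return RolesByUser.Where(Function(kv) kv.Value.Contains(roleName, StringComparer.OrdinalIgnoreCase)) _
                          .Select(Function(kv) kv.Key).ToArray()
    End Function

    Public Overrides Function FindUsersInRole(roleName As String, usernameToMatch As String) As String()
        Return GetUsersInRole(roleName) _
            .Where(Function(u) u.IndexOf(usernameToMatch, StringComparison.OrdinalIgnoreCase) >= 0).ToArray()
    End Function

    ' The provider is read-only; role administration happens out of band.
    Public Overrides Sub CreateRole(roleName As String)
        Throw New NotSupportedException("read-only provider")
    End Sub
    Public Overrides Function DeleteRole(roleName As String, throwOnPopulatedRole As Boolean) As Boolean
        Throw New NotSupportedException("read-only provider")
    End Function
    Public Overrides Sub AddUsersToRoles(usernames As String(), roleNames As String())
        Throw New NotSupportedException("read-only provider")
    End Sub
    Public Overrides Sub RemoveUsersFromRoles(usernames As String(), roleNames As String())
        Throw New NotSupportedException("read-only provider")
    End Sub
End Class

' Global.asax.vb: when no valid forms ticket is present, throw away any cached
' role cookie as well, so a stale role cache cannot keep granting access after
' authentication has lapsed.
Public Class Global_asax
    Inherits HttpApplication

    Protected Sub Application_PostAuthenticateRequest(sender As Object, e As EventArgs)
        If Not Request.IsAuthenticated AndAlso Roles.Enabled AndAlso Roles.CacheRolesInCookie Then
            Roles.DeleteCookie()
        End If
    End Sub
End Class
```

On the configuration side, register the provider under `<roleManager defaultProvider="...">`, keep `cookieTimeout` on `<roleManager>` at or below the `timeout` on `<forms>` so a cached role cookie never outlives the authentication ticket, and put `<deny users="?" />` ahead of any `<allow roles="..." />` in the `<authorization>` block for the secured location: UrlAuthorizationModule then redirects an expired ticket to the login page before any role check runs, whatever the provider would have answered.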
 

Guest

Hi Arthur,

1. Can you post the code of your custom role provider here?
2. What timeout value have you set in the authentication tag of the
web.config file?

BR,
 
