User Authentication

[Guest]

When a user accesses our site, I would like to authenticate them and redirect
them to the login page if they are not authenticated. Problem is that the
method I am using in global runs more than once and the line where I check
the session username returns an error the second time through. The error is:
Object reference not set to an instance of an object. This code works in a
VS2003 project we have. Has it changed? Is there a better way to check to see
if a user is authenticated than what I am using? Thank you.

protected void Application_AcquireRequestState(Object sender, EventArgs e)
{
bool authenticationRequired = true;
string filePath = string.Empty;

if (HttpContext.Current.Session["Username"] != null) //Error here on second
iteration
{
filePath = HttpContext.Current.Request.FilePath.ToLower();

foreach (string pageFile in PagesThatDoNotRequireLogin)
{
if (filePath.LastIndexOf(pageFile) >= 0)
{
authenticationRequired = false;
break;
}
}

if (authenticationRequired)
{
HttpContext.Current.Response.Redirect(HttpContext.Current.Request.ApplicationPath + "/Index.aspx", true);
}
}
}

 

[Peter Bradley]

I've said this many times, but I'm firmly of the opinion that you should use
Forms Authentication and role-based security. A quick Google will bring up
loads of material on the subject, e.g.

http://www.15seconds.com/issue/020220.htm

or

http://www.ondotnet.com/pub/a/dotnet/2003/01/06/formsauthp1.html

The above are just two, basic tutorials on Forms Authentication. You should
also check out role-based authorisation, e.g.

http://aspnet.4guysfromrolla.com/articles/082703-1.aspx

Once you have this set up, you can decorate your classes and/or methods with
attributes that will do the security checks you need (i.e. check a user is
logged in and has the correct authorisations). When security checks fail,
users are returned to the login page, if that's what you want.

Why reinvent the wheel?

HTH


Peter

 

[Guest]

Thanks a lot, I'll read those articles and look at forms authentication.

I've said this many times, but I'm firmly of the opinion that you should use
Forms Authentication and role-based security. A quick Google will bring up
loads of material on the subject, e.g.

http://www.15seconds.com/issue/020220.htm

or

http://www.ondotnet.com/pub/a/dotnet/2003/01/06/formsauthp1.html

The above are just two, basic tutorials on Forms Authentication. You should
also check out role-based authorisation, e.g.

http://aspnet.4guysfromrolla.com/articles/082703-1.aspx

Once you have this set up, you can decorate your classes and/or methods with
attributes that will do the security checks you need (i.e. check a user is
logged in and has the correct authorisations). When security checks fail,
users are returned to the login page, if that's what you want.

Why reinvent the wheel?

HTH


Peter

When a user accesses our site, I would like to authenticate them and
redirect
them to the login page if they are not authenticated. Problem is that the
method I am using in global runs more than once and the line where I check
the session username returns an error the second time through. The error
is:
Object reference not set to an instance of an object. This code works in a
VS2003 project we have. Has it changed? Is there a better way to check to
see
if a user is authenticated than what I am using? Thank you.

protected void Application_AcquireRequestState(Object sender, EventArgs e)
{
bool authenticationRequired = true;
string filePath = string.Empty;

if (HttpContext.Current.Session["Username"] != null) //Error here on
second
iteration
{
filePath = HttpContext.Current.Request.FilePath.ToLower();

foreach (string pageFile in PagesThatDoNotRequireLogin)
{
if (filePath.LastIndexOf(pageFile) >= 0)
{
authenticationRequired = false;
break;
}
}

if (authenticationRequired)
{
HttpContext.Current.Response.Redirect(HttpContext.Current.Request.ApplicationPath
+ "/Index.aspx", true);
}
}
}