-
October 8th, 2009, 10:16 AM
#1
Storing Login Status
After authenticating a user I've been storing the login status in a session variable. Basically, like this:
Code:
Session.Item("UserLoginStatus") = UserLoginStatus.LoginSuccessful
UserLoginStatus is an enum I created to store the possible login status codes so I don't have to worry about mistyping the code.
Code:
Public Enum UserLoginStatus
    Timeout
    Logout
    InvalidUserName
    WrongPassword
    AccountLocked
    AccountDisabled
    NotAuthorized
    LoginSuccessful
End Enum
Anyway, my question is about storing the status in a session variable. Is that good/bad/ok? What is the best way to store login status?
Thanks
-
October 8th, 2009, 04:06 PM
#2
Re: Storing Login Status
I am not sure why you want to use Session, when you should be using ASP.NET's built-in functionality for all this. If you are using Forms authentication then you are already halfway there.
-
October 9th, 2009, 12:25 PM
#3
Re: Storing Login Status
I considered using forms authentication. However, I decided against it. First, it uses cookies to store the token. I didn't like that idea. Plus, I wanted the login page to redirect back to the original page. If ASP.NET automatically redirects to the login page, I'll have no way to record the source page to have it redirect back. However, I suppose it's possible ASP.NET can do that. However, that doesn't matter since I can't use it because it uses cookies.
Thanks,
Scott
-
October 9th, 2009, 07:53 PM
#4
Re: Storing Login Status
It uses HIDDEN strings built INTO the webpage that get returned WITH the webpage to the server. Or do you mean a cookie stored on the hard drive?
-
October 10th, 2009, 05:49 AM
#5
-
October 12th, 2009, 12:26 PM
#6
Re: Storing Login Status
So the only other option is to have the token encoded in the URL? Isn't that worse?
Maybe I'm missing something, but doesn't having this in a cookie or in the URL allow a person to hack it and bypass authentication? So it seems better to store the token on the server and relate it to their session id. However, ASP.NET doesn't seem to have that option. So that makes me wonder if I'm missing something.
Thanks,
-
October 12th, 2009, 02:14 PM
#7
Re: Storing Login Status
Here is how you can mitigate the risk of insecure cookieless sessions.
1. Make sure the communication is happening over a secured channel (SSL).
2. Tie the session id with the IP address from which the request is coming.
Having said that, cookieless sessions are ideally suited for local intranet applications. Maybe your other option is to use HTTP headers.
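Here is the session-based approach from post #1 combined with the two mitigations from post #7, written as an ASP.NET IHttpModule in VB.NET so it sits next to the posts' own code; this is an added example, not code from the thread. Assumed names are SessionAuthModule, CompleteLogin, the ClientIP session key and the ~/Login.aspx and ~/Default.aspx paths; the UserLoginStatus enum is the one from post #1, repeated so the file compiles on its own.

```vb
Imports System
Imports System.Web
Public Enum UserLoginStatus
    Timeout
    Logout
    InvalidUserName
    WrongPassword
    AccountLocked
    AccountDisabled
    NotAuthorized
    LoginSuccessful
End Enum
Public Class SessionAuthModule
    Implements IHttpModule
    Public Sub Init(ByVal app As HttpApplication) Implements IHttpModule.Init
        AddHandler app.PostAcquireRequestState, AddressOf CheckRequest ' session state is loaded by now
    End Sub
    Public Sub Dispose() Implements IHttpModule.Dispose
    End Sub
    Private Sub CheckRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim ctx As HttpContext = CType(sender, HttpApplication).Context
        If ctx.Session Is Nothing Then Return ' handlers without session state (e.g. static files)
        ' Post #7, point 1: a session id that travelled over plain HTTP is burnt; drop it and bounce to HTTPS.
        If Not ctx.Request.IsSecureConnection Then
            ctx.Session.Abandon()
            ctx.Response.Redirect("https://" & ctx.Request.Url.Host & ctx.Request.RawUrl, True)
        End If
        If ctx.Request.AppRelativeCurrentExecutionFilePath.Equals("~/Login.aspx", StringComparison.OrdinalIgnoreCase) Then Return
        ' Post #7, point 2: honour the session only from the address it was created for ("ClientIP" is a hypothetical key set in CompleteLogin; users behind NAT or a changing proxy get logged out by this).
        Dim boundIp As String = TryCast(ctx.Session("ClientIP"), String)
        If boundIp IsNot Nothing AndAlso boundIp <> ctx.Request.UserHostAddress Then
            ctx.Session.Abandon()
            ctx.Response.Redirect("~/Login.aspx", True)
        End If
        ' Post #1's check: anything but LoginSuccessful goes to the login page, carrying the requested URL so Login.aspx can send the user back afterwards (the redirect post #3 was concerned about).
        Dim status As Object = ctx.Session("UserLoginStatus")
        If status Is Nothing OrElse CType(status, UserLoginStatus) <> UserLoginStatus.LoginSuccessful Then
            ctx.Response.Redirect("~/Login.aspx?ReturnUrl=" & HttpUtility.UrlEncode(ctx.Request.RawUrl), True)
        End If
    End Sub
    ' Called by Login.aspx once the credentials have been verified against the user store.
    Public Shared Sub CompleteLogin(ByVal ctx As HttpContext, ByVal returnUrl As String)
        ctx.Session("UserLoginStatus") = UserLoginStatus.LoginSuccessful
        ctx.Session("ClientIP") = ctx.Request.UserHostAddress
        ' Follow only a local path: an absolute URL, "//host" or "/\host" here would make this an open redirect.
        If String.IsNullOrEmpty(returnUrl) OrElse Not returnUrl.StartsWith("/") OrElse returnUrl.StartsWith("//") OrElse returnUrl.StartsWith("/\") Then
            returnUrl = "~/Default.aspx"
        End If
        ctx.Response.Redirect(returnUrl, True)
    End Sub
End Class
```

Register the class under `<httpModules>` in web.config so CheckRequest runs for every request. The HTTPS redirect reuses the request's Host header; behind a reverse proxy or load balancer, substitute the configured public host name and take the client address from the forwarded header that proxy sets.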