  1. #1
    tahirjadoon (Learning...); Join Date: Jan 2003; Posts: 775

    Global.asax - WindowsAuthentication_Authenticate - SessionState null and Multiple Cal

    This is an internal application that uses Windows authentication. In the WindowsAuthentication_Authenticate method, I am getting the logged in user from the db. If the user is not found or marked as gone then I redirect the user to an error page.

    1. WindowsAuthentication_Authenticate: This method executes multiple times, including for css or js files referenced in the head section.

    Code:
    <link href="@Url.Stylesheet("Layout.css")" rel="stylesheet" type="text/css" />
    <script src="@Url.Script("Tools/extensions.js")" type="text/javascript"></script>

    In this case, if I have 3 style sheets and 2 js files referenced then this method executes 6 times.


    2. Session State Null

    Per problem # 1 above, I don't want to hit DB multiple times. To work around it, I tried putting the user information in a session. Here I am getting HttpContext.Current.Session is null. In web.config I don't have any configuration regarding session.

    Here is my complete code...

    Code:
    protected void WindowsAuthentication_Authenticate(object sender, WindowsAuthenticationEventArgs e)
    {
        bool isUserFound = false;
        bool isUserGone = false;
        UtilityService utility = new UtilityService();
        string rawurl = HttpContext.Current.Request.RawUrl;

        if (e.Identity.IsAuthenticated)
        {
            if (userPlaceHolder == null) //local property to tackle hitting DB multiple times
            {
                UserInternal userInternal = utility.GetLoggedInUser(e.Identity.Name);
                if (userInternal != null)
                {
                    userPlaceHolder = userInternal;
                    isUserFound = true;
                    //TODO: check for gone, you can use userInternal or userPlaceHolder
                    isUserGone = false;
                }
            }
            else
            {
                isUserFound = true;
                //TODO: check for gone, use userPlaceHolder
                isUserGone = false;
            }
        }

        //set the user
        if (isUserFound && !isUserGone)
        {
            string role = String.IsNullOrWhiteSpace(userPlaceHolder.UserClass) ? String.Empty : userPlaceHolder.UserClass;
            // Setting the current user and role in the Principal
            e.User = new System.Security.Principal.GenericPrincipal(e.Identity, new string[] { role });
            HttpContext.Current.User = e.User;
        }

        //handle gone and user not found
        if (!rawurl.LowerInvariantContains(ControllerNames.Message)
            && !rawurl.LowerInvariantContains(".css")
            && !rawurl.LowerInvariantContains(".js")
            && !rawurl.LowerInvariantContains(".jpg")
            && !rawurl.LowerInvariantContains(".gif")
            && !rawurl.LowerInvariantContains(".png"))
        {
            if (!isUserFound || isUserGone)
            {
                string url = String.Empty;
                if (isUserGone)
                    url = utility.GetSiteRestrictedLink(ProcessingMessagesEnum.UserLocked);
                else
                    url = utility.GetSiteRestrictedLink(ProcessingMessagesEnum.UserNotAuthorizedToViewSite);
                HttpContext.Current.Response.Redirect(url);
            }
        }
    }
    The beauty of life is not dependent on how happy you are,
    but on how happy others can be because of you...

  2. #2
    wwb_99 (SitePoint Author); Join Date: May 2003; Location: Washington, DC; Posts: 10,576
    Remember each request is a separate execution of the global context, hence the general advice to move static assets off to a separate server. So your windows auth calls make sense -- your stylesheets and such are a request and windows auth is being performed.

    Several ways around this, what are you trying to achieve here?

  3. #3
    tahirjadoon
    Basically,

    I want to check the logged in user against the DB for the following two conditions
    1. user is in the employee db
    2. user is not marked as gone

    If any of the above conditions is true then I want to redirect the user to the error page. (Active dir should handle this and the user should not get authenticated in the first place. I am doing redundant checks; what if HR has updated the employee db but systems failed to update at their end?)

    Should I move the checking to application start since that executes only once? If yes, then how can I set the user:

    Code:
    // Setting the current user and role in the Principal
    e.User = new System.Security.Principal.GenericPrincipal(e.Identity, new string[] { role });
    HttpContext.Current.User = e.User;

    I only want to hit the DB once in WindowsAuthentication_Authenticate.

  4. #4
    wwb_99
    Application start won't work unless this is single instance. Session start might work since it is per-user, but I hate to rely upon sessions.

    It is happening once per request; the trick is your setup is running every request through .NET, so each resource re-authenticates. Since HttpModules are global, that is how it rolls.

    Easiest solution is probably to find a way to set up the static resources to not end up running through the .NET pipeline.

  5. #5
    webcosmo (SitePoint Wizard); Join Date: Oct 2007; Location: Boston, MA; Posts: 1,433
    This process could be much simplified if you would use a login page where you do all the authentication things.

    If you use a master page you can check the authentication state; if not authenticated, redirect to the login page.

    Or you can use an HttpHandler for the redirect part that could do the checking job on every request.

  6. #6
    tahirjadoon
    This app's requirement is Windows authentication and not the form.

    I have some checks/traps in place now and am testing.

  7. #7
    tahirjadoon
    wwb_99, looks like the request executes for css and js resources etc only on the local dev. Remote dev site is not doing this.

  8. #8
    wwb_99
    Well, that would help. Basically, IIS6 won't, but IIS7 in integrated mode and/or Cassini will execute all code through the managed pipeline.

  9. #9
    tahirjadoon
    Quote (originally posted by humanoid):
    I ask again:
    Several ways to handle this situation, what are you trying to achieve here?

    My post #3 above has the details...

    Application uses windows authentication.

    At a central location, I want to make the checks specified in post#3.

    I don't want to handle this via base controller.
    The beauty of life is not dependent on how happy you are,
    but on how happy others can be because of you...
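
Session is null in this event because session state is only attached later in the request (AcquireRequestState), so the lookup has to be cached somewhere else. An added example, not code from the thread: it caches the employee check per account in HttpRuntime.Cache for a short lifetime and exempts only the error page, matched on the path rather than a substring of the raw URL. AccessDecision, LookupUser, the "~/Message" path and the five-minute lifetime are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;
using System.Web.Security;

public sealed class AccessDecision   // hypothetical type; immutable, so safe to share from the cache
{
    public readonly bool Found, Gone;
    public readonly string Role;
    public AccessDecision(bool found, bool gone, string role) { Found = found; Gone = gone; Role = role ?? String.Empty; }
}

public class Global : HttpApplication
{
    const string MessagePath = "~/Message";                       // assumed error-page route
    static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(5);  // assumed; bounds how long a stale decision is served

    // Placeholder for the thread's utility.GetLoggedInUser(...) call; denies everyone until wired to the employee DB.
    static AccessDecision LookupUser(string account) { return new AccessDecision(false, false, null); }

    static AccessDecision GetDecision(string account)
    {
        // Keyed per account: a field on the pooled HttpApplication object would be reused across users.
        string key = "access:" + account.ToUpperInvariant();
        var decision = HttpRuntime.Cache[key] as AccessDecision;
        if (decision == null)
        {
            decision = LookupUser(account);   // "not found" is cached too, so denied users do not hit the DB per request
            HttpRuntime.Cache.Insert(key, decision, null, DateTime.UtcNow.Add(Lifetime), Cache.NoSlidingExpiration);
        }
        return decision;
    }

    protected void WindowsAuthentication_Authenticate(object sender, WindowsAuthenticationEventArgs e)
    {
        if (e.Identity == null || !e.Identity.IsAuthenticated) return;
        AccessDecision d = GetDecision(e.Identity.Name);
        if (d.Found && !d.Gone) { e.User = new GenericPrincipal(e.Identity, new[] { d.Role }); return; }

        // Path only (no query string); exempt just the error page itself to avoid a redirect loop.
        string path = Context.Request.AppRelativeCurrentExecutionFilePath;
        bool onMessagePage = path.Equals(MessagePath, StringComparison.OrdinalIgnoreCase)
            || path.StartsWith(MessagePath + "/", StringComparison.OrdinalIgnoreCase);
        if (!onMessagePage)
        {
            Context.Response.Redirect(MessagePath, false);  // false: no ThreadAbortException
            CompleteRequest();                              // skip the rest of the pipeline
        }
    }
}
```

Because static files are no longer exempted, a denied user's CSS and script requests are redirected as well. The cache lives in one worker process, so each instance performs its own first lookup.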

