Session vs. RoleProvider

Collapse
This topic is closed.
X
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • Arthur Dent
    #1

    Session vs. RoleProvider

    Please help... i am stumped...

    I have an app, written in VB.NET fwiw. I have a custom RoleProvider class,
    cuz i finally got tired enough of hacking with application variables, to
    learn the "correct" way to do roles. ;) ....

    Now, the problem, is that my RoleProvider, and my FormsAuthentica tion
    Session do not stay together. That is to say, i frequently see cases where
    the session will expire, but the RoleProvider does not. Now, they both have
    their expiration timeouts set to the same values in the web.config file.

    So what i wind up with is being able to access the "locked down" areas of my
    site (because my RoleProvider is still providing the correct roles) even
    though my forms authentication has expired. How can i force
    FormsAuthentica tion and a custom RoleProvider to stay in lock-step???
    This is a major problem, and comprises a pretty significant security hole.
    Even though FA has expired, and it SHOULD send me back to my login page, it
    doesn't because the RoleProvider is still saying i have "Admin" rights (or
    whatever rights, for the 'secured' section).

    I hope someone can help me with this; Thanks in advance,
    - Arthur Dent.

    Tags: None
    • Alexey Smirnov
      #2
      Re: Session vs. RoleProvider

      On May 15, 6:07 pm, "Arthur Dent" <hitchhikersgui deto-n...@yahoo.com>
      wrote:
      Please help... i am stumped...
      >
      I have an app, written in VB.NET fwiw. I have a custom RoleProvider class,
      cuz i finally got tired enough of hacking with application variables, to
      learn the "correct" way to do roles. ;) ....
      >
      Now, the problem, is that my RoleProvider, and my FormsAuthentica tion
      Session do not stay together. That is to say, i frequently see cases where
      the session will expire, but the RoleProvider does not. Now, they both have
      their expiration timeouts set to the same values in the web.config file.
      >
      So what i wind up with is being able to access the "locked down" areas of my
      site (because my RoleProvider is still providing the correct roles) even
      though my forms authentication has expired. How can i force
      FormsAuthentica tion and a custom RoleProvider to stay in lock-step???
      This is a major problem, and comprises a pretty significant security hole.
      Even though FA has expired, and it SHOULD send me back to my login page, it
      doesn't because the RoleProvider is still saying i have "Admin" rights (or
      whatever rights, for the 'secured' section).
      >
      I hope someone can help me with this; Thanks in advance,
      - Arthur Dent.
      Hi Arthur,

      1. can you post here the code of your custom role provider?
      2. what timeout value you have set in the authentication tag of the
      web.config file?

      BR,

        Comment

        Previous template Next
        Working...