What Is The Best Way To Implement Mixed ASP.NET Forms Auth (AD + DB)?

- 1 answer

I want to implement forms authentication on an ASP.NET website, the site should seek the user on the database to get some data and then authenticate against LDAP (Active Directory) to validate the user/password combo.

After that I need to keep an instance of a class that represents the user, to use it in various forms.

I tried to do it before with a login control that checks the previous conditions, sets AuthenticateEventArgs.Authenticated = true and places the object inside the session: Session["user"] = authenticatedUser; but I had a problem synchronizing both of them (the session expired before the auth cookie and I got NullReferenceExceptions when the pages tried to use the now defunct session object).

Which is the best way to accomplish this? Is there some way to sync the session timeout with the cookie lifespan? Should the user object be saved in some other way? Did I miss the point?

UPDATE: I cannot use the Windows auth provider because the site should be accessible from outside our private network.

I would use Windows Authentication as the main authentication provider, but roll my own simple database persistence for user information.

Your session method would work; you can adjust the session timeout in IIS and match it to the authentication cookie timeout.

Also, you can do something like this in an HttpModule to catch edge cases (app pool recycles etc.) that also clear the session:

    // Forms cookie is still valid but the session object is gone: make the user log in again.
    if (HttpContext.Current.Session["user"] == null)
        FormsAuthentication.RedirectToLoginPage();

This would force the user to authenticate.
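A fuller version of that HttpModule check, written here as an added example (not code from the question or the answer): it runs once session state is available, and when the forms ticket is still valid but Session["user"] is missing it either rebuilds the user object from the database or, if the account is gone, signs the user out. AppUser and the LoadUser delegate are assumptions standing in for the questioner's own user class and DB lookup; the module still has to be registered in web.config.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Assumption: the class the site keeps in Session["user"].
public class AppUser
{
    public string Name { get; set; }
    public int Id { get; set; }
}

public class SessionUserSyncModule : IHttpModule
{
    // Assumption: the application supplies its own DB lookup here (e.g. from
    // Global.asax), returning null when the account no longer exists.
    public static Func<string, AppUser> LoadUser { get; set; }

    public void Init(HttpApplication app)
    {
        // Session state is not populated until AcquireRequestState has run,
        // so AuthenticateRequest is too early for this check.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;
        if (ctx.Session == null) return;   // no session for this request (e.g. static files)

        bool cookieValid = ctx.User != null && ctx.User.Identity.IsAuthenticated;
        bool sessionHasUser = ctx.Session["user"] != null;

        if (cookieValid && !sessionHasUser)
        {
            // Auth cookie outlived the session (timeout or app pool recycle):
            // rehydrate the object instead of letting pages hit a null.
            AppUser user = LoadUser != null ? LoadUser(ctx.User.Identity.Name) : null;
            if (user != null) { ctx.Session["user"] = user; return; }

            // Account unknown: drop the ticket and force a fresh login.
            FormsAuthentication.SignOut();
            ctx.Session.Abandon();
            FormsAuthentication.RedirectToLoginPage();
        }
        else if (!cookieValid && sessionHasUser)
        {
            // Session survived but the cookie did not: do not trust the stale object.
            ctx.Session.Abandon();
        }
    }

    public void Dispose() { }
}
```

Because the user object is reloaded from the database rather than reused blindly, a session that outlives the cookie can never keep a signed-out user "logged in" through Session["user"].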