Hi everyone!

How do I know when a user has logged in if he logs in using a cookie?

By default, when he logs in entering a username and password,
I can catch that inside my authenticate method,
but what if he logs in automatically?

 (I'm not using the new login controls and/or object model nor do I want to use that)

Where should I update the lastlogindate in such a case? In

Application_AuthenticateRequest? The code for this function is as follows:

 

 

  Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
    
    Dim userInformation As String = [String].Empty

    If HttpContext.Current.User IsNot Nothing AndAlso _
       HttpContext.Current.User.Identity.IsAuthenticated AndAlso _
       TypeOf HttpContext.Current.User.Identity Is FormsIdentity Then
      'If Request.IsAuthenticated Then
      
      Dim sCookieName As String = FormsAuthentication.FormsCookieName
      If Request.Cookies(sCookieName) IsNot Nothing AndAlso Request.Cookies(sCookieName).Value <> "" Then
        Dim fat As FormsAuthenticationTicket = FormsAuthentication.Decrypt(Context.Request.Cookies(sCookieName).Value)
        userInformation = fat.UserData

        Dim info As String() = userInformation.Split(New Char() {";"c})

        HttpContext.Current.User = New helperclasses.CustomPrincipal(User.Identity, Convert.ToInt32(info(0).ToString()), info(1).ToString(), info(2).ToString(), Convert.ToInt32(info(3).ToString()), info(4).ToString(), Convert.ToInt32(info(5).ToString()), info(6).ToString())
      End If
    End If

  End Sub
  

  Thanks in advance!

The parameter userIsOnline, when set to True, will update a timestamp in the data store indicating the date/time the user was last requested. This timestamp can then be used to calculate the total number of users online. The remaining methods will perform similar operations but on a specified user.

 

 

GetUser() As MembershipUser

GetUser(userIsOnline As Boolean) As MembershipUser
  
   GetUser(username As String) As MembershipUser
  
   GetUser(username As String,
   userIsOnline As Boolean) As MembershipUser

 Fetching the Logged-on User

<%@ Page Language="VB" %>

<script runat="server">

  Public Sub Page_Load()
    Dim user As MembershipUser

    ' Get the currently logged-on user and
    ' update the user's online timestamp
    user = Membership.GetUser(True)

    UserName.Text = user.Username

  End Sub

</script>

<html>

  <body style="FONT-FAMILY: Verdana">

  <H1>Get User</H1>

  <hr />

     <form runat="server">
       The currently logged-on user is:
       <asp:literal id="UserName" runat="server" />
  </form>

  </body>
</html>

  

Yes, but, as I told you,

I'm not using the new login controls and/or object model nor do I want to use that

so, there's no  MembershipUser object for me,

I prefer my own custom implementation,

my problem is: How and where to catch the event of a user logging on using a cookie?

nothing more, nothing less 

during the login event itself and the page load

so if a user requests a page...during page_load the authentication tickets is passed and if the authentication cookies hasnt expired then..the user is in....hence this is one place.

yes, but the login event isn't fired is the 'cookie' case,

the Application_AuthenticateRequest method is just constructing the CustomPrincipal object (from the cookie string) and puts that in HttpContext.Current.User 

however, the  Application_AuthenticateRequest method runs many times on every page,

so where should I put my code to update the lastlogindate property?

(putting on every page's load event is not an option of course, I don't want to update my database so often for such a thing) 

use Session_end event in Global.asax and this will work whenever a user session dies, which will happen as soon as the user closes the browser (all sessions will die..)

protected void Session_End(Object sender, EventArgs e)
        {
            if(Session["ID"] != null)
                //dosomething

        }

To make this work with login, set session[id] to null when the user logs out, and set the session whenever the user is in..either by login or cookies..i.e. after user is authenticated.

However these should be used with caution because keep in mind that there are some circumstances in which this event might not
fire:

* If the session is terminated manually (for instance you click the stop
button in Visual Studio.)
* If you are not using the standard in proc sessions (i.e. you're using SQL
Server to store state.)

I believe there are a few other obscure things that could prevent it from
firing too, so take this into account when designing your solution by having
some kind of cleanup routine to handle any sessions that slip through the
cracks.

Here is a link to make sure all that doesnt happen

http://forums.asp.net/p/7504/7504.aspx#7504

Please let me know what you think.

Many thanks

set the session whenever the user is in..either by login or cookies..i.e. after user is authenticated.

 

My problem is that the user is NOT authenticated when he logs in using cookies,
I guess that's how formsauthentication works, of I'm missing sth,

login occurs "automatically" somehow in this case (at least for me)!

I guess that I still should authenticate the user if he logins with a cookie, but where? when? 

First of all user is authenticated even when the logon is using cookies

Authentication begins when the user requests for a page from the protected application. The server checks if the user is already authenticated by searching for an authentication cookie that contains the authentication ticket in the request.

How that happens is not a magic but is as follows

The class that does that magic for you is formsauthenticationmodule class and in there there is a authenticate event

The FormsAuthenticationModule exposes an Authenticate event that enables you to provide a custom IPrincipal object for the User property of the current HttpContext. The Authenticate event is accessed by specifying a subroutine named FormsAuthentication_OnAuthenticate in the Global.asax file for your ASP.NET application.

public void FormsAuthentication_OnAuthenticate(object sender, FormsAuthenticationEventArgs args)
{
  if (FormsAuthentication.CookiesSupported)
  {
    if (Request.Cookies[FormsAuthentication.FormsCookieName] != null)
    {
      try
      {
        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(
          Request.Cookies[FormsAuthentication.FormsCookieName].Value);
        
        args.User = new System.Security.Principal.GenericPrincipal(
          new Samples.AspNet.Security.MyFormsIdentity(ticket),
          new string[0]);
      }
      catch (Exception e)
      {
        // Decrypt method failed.
      }
    }
  }
  else
  {
    throw new HttpException("Cookieless Forms Authentication is not " +
                            "supported for this application.");
  }
}

This is how it all happens, please refer here http://msdn2.microsoft.com/en-us/library/system.web.security.formsauthenticationmodule.aspx

You would also like to know that there is also another event called PostAuthenticate Event 

The FormsAuthenticationModule class constructs a GenericPrincipal object and stores it in the HTTP context. The GenericPrincipal object holds a reference to a FormsIdentity instance that represents the currently authenticated user. 
You should allow forms authentication to manage these tasks for you.
 
 If your applications have specific requirements, such as setting the User property to a custom class that implements the IPrincipal interface, your application should handle the PostAuthenticate event. 
The PostAuthenticate event occurs after the FormsAuthenticationModule has verified the forms authentication cookie and created the GenericPrincipal and FormsIdentity objects. 
Within this code, you can construct a custom IPrincipal object that wraps the FormsIdentity object, and then store it in the HttpContext. User property. 
Note  
 If you do this, you will also need to set the IPrincipal reference on the Thread.CurrentPrincipal property to ensure that the HttpContext object and the thread point to the same authentication information. 
  
 
Please let me know if you understand it correctly now..

Yes, I know all these stuff,
since I have already implemented FormsAuthentication in my project,

my problem is that

FormsAuthentication_OnAuthenticate event (inside global.asax) is called MANY MANY times for a single form only and I don't want to update my database that many times,

how should I make it happen ONCE and only once?

 Thanks in advance! 

 

When you are using Forms authentication, the sequence of events triggered by an unauthenticated user who attempts to access a secured file or resource (where URL authorization denies the user access), is shown in Figure

Now one strategy to get this only once is, to compare the request strings.

Suppose the user requests gallery.aspx/or main page--(the authentication begins). If its straight login you know already what to do, if however its an automatic login, set a flag when the page requested and page submitted are equal and do first db write. After the db write, create a session object. Now of course evertime the two will equate to true because the user has authentication but the session object will remain what you set after db write. As soon as the application is closed at user end, this session will finish and hence --a signal for new write once user logs on.

 

explanation here without request as mentioned above

create a global object in FormsAuthentication_OnAuthenticate in global.asax. Initialize a session in your pages which initially has null value so Session["LoginCheck"] ="YourValue"

now if (globalobject=="SetValue" && Session["loginCheck"]==YourValue")

       {

         // do a db write for date and change session value

          Session["LoginCheck"]="DbWritten";   

       }

 

 and now you only have only one condition when this will be true. After user closes their browser or logs out, the session is back reset.

 

You can also use IsAuthenticated if you have implemented it as a global object to verify the login and use the session as directed.

Hope this helps.

Please let me know your thoughts.

patrickdrd:

Yes, I know all these stuff, since I have already implemented FormsAuthentication in my project, my problem is that FormsAuthentication_OnAuthenticate event (inside global.asax) is called MANY MANY times for a single form only and I don't want to update my database that many times,

how should I make it happen ONCE and only once?

Thanks in advance!

I'm a bit confused why this event is firing so many times for you. Does Application_AuthenticateRequest also fire multiple times per page load (it doesn't for me)? How about Application_AuthorizeRequest?

I think you need to first make a decision: Are you willing to update your database on every page load? If so you just need to find the right event to use. As mentioned, Application_AuthenticateRequest fires only once per page load for me in my test. If that doesn't work for you then Page_Load or a base Page class may be your answer. You simply need to find the right event that fires *once* for each page load.

If you don't want to update your database once on every page load, then you should look at creating a session object, updating the date value in the session once every page load (need to identify same location/event as above), and then writing it to the database on session expiration. The session expiration timeout will be the value that you determine is long enough to wait between database writes, since the user could return to your site at any given time and pick up their previous session if you allow them to (they may or may not have closed their window).

Since this is really just a classic data persistence question, another option to look at is creating some kind of cache object at the application level to store last login dates for all users, and have that write all changes to the database at some specified interval. There should be some examples out there that show how to do this in a generic sense that you can make use of.

patrickdrd:

(putting on every page's load event is not an option of course, I don't want to update my database so often for such a thing) 

Sorry, I missed this on my first couple reads through the thread.

One thing that isn't clear is whether you're really trying to identify the user's actual last "login" time, or if you consider last login time to be the last time the user interacted with the system (IE your last page request is your last login).

If naturehermit has already given you the answer you need just mark one of his posts and ignore these from me.
 

guys, I just need to get the date (I don't care so much about time, just date)
a user entered my site,

can someone provide me with the details (or hints) in order to implement it?
 

Patrick,

Have you read the stuff I provided? Have you tried it?

Many thanks