How to Install a Principal in an ASP.Net Application

I am writing a web application for a client. Users will have a one-time key that they will use to initially identify themselves to the app. Once the application verifies that the key is valid, it will deliver them to a page where they can create a regular account for all subsequent logins. The account creation page should only be accessible after entering the key and should not be accessible otherwise. I.e., it shouldn't be available to users registered with a regular account. This is ASP.NET 3.0 using a custom membership provider.

My plan is to create a temporary account based on the key and authenticate the user with that account. This allows them to access the creator page (which is protected by the location tag) where they can create an official account. Then I authenticate them with my new account and delete the temporary account. Flow: The user is taken to the page where they enter the key. If the key is valid, I create a temporary account, call FormsAuthentication.SetAuthCookie and redirect to the account creation page. It all works, although it seems a little complicated.

The problem is that the create user page is accessible to any authenticated user; I only want it to be available during the time between signing in with the key and creating an official account. So I thought I would create a special role for the temporary account and make the create user page available only to that role and no one else. I created my own Principal object with a specific role and tried to set it up when I authenticate the temporary account, but I can't get that to work.

I really hope I don't have to write a role provider to create a role just to do this.

How can I make this work? There should be an easier way!



3 answers


Why not just create a real account when you enter the key? Give it some random name and then let them change the name and other details. Then you don't need a user create page, just the key entry page and the account data edit page. If you are interested in getting account details, you can configure it (perhaps via code on MasterPage) so that incomplete accounts are always redirected to the edit details page until the details are entered.



Or you could provide them with the required data in addition to the key code on the key entry page and simply use that data when creating an account.



My advice is to avoid using temporary accounts when checking a user. Instead, create your own logic to validate the registration key. Then, at the head of the page, you can check if the user is an authenticated user (SetAuthCookie was called) and navigate to another page if that's true.

You might even be able to change page access to deny this page for authenticated users (I know you can disable access for unauthenticated users, but I'm not sure if you can go the other direction).



The key, however, is to not rely on the membership provider if in fact the user is not already a member!



Assign a "partial" role when authenticating against a temporary token and then restrict access to only that role ... when creating an account, send it to the re-login page (authentication token completion). This will simplify your security model.

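A sketch of the "partial role" approach from the last answer, added here as an example and not code from any of the posters. It carries the role in the forms ticket's UserData and rebuilds the principal on every request, since a principal assigned only during the login request does not survive to the next one. The role name `PendingRegistration`, the page `CreateAccount.aspx`, the `KeyLogin` helper and the 15-minute lifetime are assumptions, and it assumes `roleManager` is not enabled (its module would replace the principal set here).

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class KeyLogin   // hypothetical helper
{
    public const string PendingRole = "PendingRegistration"; // assumed role name

    // Call only after your own logic has validated the one-time key.
    public static void IssuePendingTicket(HttpResponse response, string keyId)
    {
        var ticket = new FormsAuthenticationTicket(
            1, keyId, DateTime.Now, DateTime.Now.AddMinutes(15), // short-lived
            false,          // session cookie, not persistent
            PendingRole);   // UserData: comma-separated roles, protected with the ticket
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        response.Cookies.Add(cookie);
    }
}

// Global.asax.cs: runs on every request, after forms authentication
// has decrypted and validated the ticket.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        FormsIdentity id = Context.User == null ? null
                         : Context.User.Identity as FormsIdentity;
        if (id == null || !id.IsAuthenticated) return;
        // Regular accounts signed in via SetAuthCookie have empty UserData: no roles.
        string[] roles = id.Ticket.UserData.Split(
            new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        Context.User = new GenericPrincipal(id, roles);
    }
}

// web.config (first matching rule wins, so regular members are denied):
// <location path="CreateAccount.aspx">
//   <system.web><authorization>
//     <allow roles="PendingRegistration" />
//     <deny users="*" />
//   </authorization></system.web>
// </location>
```

Once the real account exists, call `FormsAuthentication.SignOut()` and sign the user in under the new account so the pending ticket is replaced, and mark the one-time key as used on the server so the ticket cannot be reissued.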






