asp.net-membership

In the global.asax file for the Application_AuthenticationRequest I'm setting the Thread.CurrentPrincipal to a custom principal. I also set the HttpContext.Current.User to the same principal. However later in the app when I need to cast the Thread.CurrentPrincipal to our custom type, I get a runtime error saying: Unable to cast object of type 'System.Web.Security.RolePrincipal' to type 'OurCustomPrincipal'. How did the Thread.CurrentPrincipal get reset to RolePrincipal, and more to the point how do I keep it at the CustomPrincipal we set in the global.asax Thanks in advance You surely have

I added a custom field to the UserProfile table named ClassOfYear and I'm able to get the data into the profile during registration like this: var confirmationToken = WebSecurity.CreateUserAndAccount(model.UserName, model.Password, propertyValues: new { ClassOfYear = model.ClassOfYear }, requireConfirmationToken: true); However, now I want to be able to update the profile when I manage it but I can't seem to find a method to do so. Do I need to simply update the UserProfile table myself? If not, what is the appropriate way of doing this? FYI, I'm using Dapper as my data access layer, just in

We're using the standard ASP.net membership features that come with asp.net. Certain accounts in our membership database have a "Locked Out" flag set to true - when/how does this happen? After a configurable number of failed logins (maxInvalidPasswordAttempts, default = 5) within a configurable length of time (passwordAttemptWindow, default = 10 minutes), the account will be locked out. see here for membership related configuration properties These 4 guys did a great job of explaining in depth the asp.net membership controls <system.web> ... authentication & authorization settings ...

What are the differences (behind the scenes) between Page.User.Identity and Request.LogonUserIdentity? Not the differences in type, name, etc but the differences in how they're implemented behind the scenes (i.e. one calls windows xxx api and the other calls asp.net xxx api...). It depends on what mechanism you are using to authenticate users, and what settings you have for impersonation. For example, under the VS development server, using Forms authentication, the standard SQL membership provider and the following code: // m_LoggedIn is a Literal control on the page: m_LoggedIn.Text = string

Is there a way to force ASP.NET to sign out from it's authentication when the browser is closed or the user types in a new address? If the browser is left open then I need to keep the user authenticated, so a long timeout on the authentication ticket is preferable. Not sure if this is still an issue but this resolved the issue for me. Just add the following to the Page_Load event of your Start Page: protected void Page_Load(object sender, EventArgs e) { if (Request.UrlReferrer == null || string.IsNullOrEmpty(Request.UrlReferrer.AbsolutePath)) { Session.Abandon(); FormsAuthentication.SignOut();