当您在 ASP.NET 2.0 中使用登录控件时，将值或数据从一个页面传递到另一个页面

Question

I am using Login Control available in ASP.NET 2.0 in the login page. Once the user is authenticated successfully against database, I am redirecting the user to home.aspx. Here, I want to pass on the User's name too to the home.aspx so that the user will be greeted with his/her name in the home.aspx. Ex: Welcome Smith

I am extracting the User's name from the users table in my database during the time I check for the login credentials.

Could someone please tell me how to do this in a secure way (may be not to secure, but a little)?

Thanks,

Answer 1

One good place for that kind of data would be in session. Try something like this on the first page:

this.Session["UserName"] = userName;

and then subsequent pages in that session for that user could access this.Session["UserName"] .

The best thing to do though is to create a static class to manage Session for you like so:

using System;
using System.Web;

static class SessionManager
{
    public static String UserName
    {
        get
        {
            return HttpContext.Current.Session["UserName"].ToString();
        }
        set
        {
            HttpContext.Current.Session["UserName"] = value;
        }
    }

        // add other properties as needed
}

Then your application can access session state like this:

SessionManager.UserName

This will give you maximum flexibility and scalability moving forward.

Answer 2

If you are using standard asp.net authentication then you should be able to access the users name through the User property of the page object.

User.Identity.Name

As Andrew suggested, Session is a common place to place a user name, though I avoid using session at all if possible.

You could set a cookie with the users name.

You could also set the DestinationPageUrl property of the login control to include the username in the query string. Though that feels/looks pretty lame.

Answer 3

As ScottS said, if you're using the standard login controls and a membership provider this information is already available to you in User.Identity.Name.

The only reason I'm posting an answer is to mention the LoginName control, which you can drop on a page/master page and have this done automatically for you:

<asp:LoginName id="LoginName1" runat="server" FormatString ="Welcome, {0}" />

This will render out "Welcome, Zhaph" when the user is logged in, or nothing if they are not.

You can also combine this quite nicely with the LoginView and LoginStatus controls:

<asp:LoginView ID="RegisterLink" runat="server">
  <AnonymousTemplate>
    <div class="titleRegistration">
      <a href="/Users/Register.aspx">Register</a> or 
    </div>
  </AnonymousTemplate>
  <LoggedInTemplate>
    <div class="titleRegistration">
      Welcome back
        <asp:LoginName ID="LoginName1" runat="server" /> -
    </div>
  </LoggedInTemplate>
</asp:LoginView>
<asp:LoginStatus ID="lsGeneral" runat="server"
  LogoutPageUrl="/Users/Logout.aspx" />

This combination of controls will do the following:

1. If the user isn't logged in display: Register or Login
2. If the user is logged in display: Welcome back Zhaph - Logout

The Login links is populated by the settings in web.config, and generated by the LoginStatus control.

Answer 4

yes as Andrew said, session is the primary place to store sensitive data.

but why a user's name is sensitive? You can save it in cookie and print it in your home.aspx whenever user comes in.

EDIT: You can use cookies in ASP.NET like that:

// Setting cookie : 
Response.Cookies["UserName"].Value = "Erhan";
Response.Cookies["UserName"].Expires = DateTime.Now.AddDays(7); // Persists 1 week

// Getting cookie : 
string username = string.Empty;
if(Request.Cookies["UserName"] != null)
{
    username = Server.HtmlEncode(Request.Cookies["UserName"].Value);
}

NOTE: Cookies stored at client's machine. so you should not use them to store sensitive data.