Zone: > NEWSGROUP > Asp.Net Forum > general_asp.net.security Tags:
Item Type: NewsGroup Date Entered: 7/12/2007 9:41:13 AM Date Modified: Subscribers: 0 Subscribe Alert
patrickdrd
Asp.Net User
lastlogindate and FormsAuthentication (cookie) - how? 7/12/2007 9:41:13 AM

0/0

Hi everyone!

How do I know when a user has logged in if he logs in using a cookie?

By default, when he logs in entering a username and password,
I can catch that inside my authenticate method,
but what if he logs in automatically?

 (I'm not using the new login controls and/or object model nor do I want to use that)


Where should I update the lastlogindate in such a case? In Application_AuthenticateRequest? The code for this function is as follows:

 

 

  Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
    
    Dim userInformation As String = [String].Empty

    If HttpContext.Current.User IsNot Nothing AndAlso _
       HttpContext.Current.User.Identity.IsAuthenticated AndAlso _
       TypeOf HttpContext.Current.User.Identity Is FormsIdentity Then
      'If Request.IsAuthenticated Then
      
      Dim sCookieName As String = FormsAuthentication.FormsCookieName
      If Request.Cookies(sCookieName) IsNot Nothing AndAlso Request.Cookies(sCookieName).Value <> "" Then
        Dim fat As FormsAuthenticationTicket = FormsAuthentication.Decrypt(Context.Request.Cookies(sCookieName).Value)
        userInformation = fat.UserData

        Dim info As String() = userInformation.Split(New Char() {";"c})

        HttpContext.Current.User = New helperclasses.CustomPrincipal(User.Identity, Convert.ToInt32(info(0).ToString()), info(1).ToString(), info(2).ToString(), Convert.ToInt32(info(3).ToString()), info(4).ToString(), Convert.ToInt32(info(5).ToString()), info(6).ToString())
      End If
    End If

  End Sub
  
  Thanks in advance!
naturehermit
Asp.Net User
Re: lastlogindate and FormsAuthentication (cookie) - how? 7/12/2007 10:11:11 AM

0/0

The parameter userIsOnline, when set to True, will update a timestamp in the data store indicating the date/time the user was last requested. This timestamp can then be used to calculate the total number of users online. The remaining methods will perform similar operations but on a specified user.

 

 

GetUser() As MembershipUser

GetUser(userIsOnline As Boolean) As MembershipUser

GetUser(username As String) As MembershipUser

GetUser(username As String, userIsOnline As Boolean) As MembershipUser

 Fetching the Logged-on User

<%@ Page Language="VB" %>

<script runat="server">

  Public Sub Page_Load()
    Dim user As MembershipUser

    ' Get the currently logged-on user and
    ' update the user's online timestamp
    user = Membership.GetUser(True)

    UserName.Text = user.Username

  End Sub

</script>

<html>

  <body style="FONT-FAMILY: Verdana">

  <H1>Get User</H1>

  <hr />

     <form runat="server">
       The currently logged-on user is:
       <asp:literal id="UserName" runat="server" />
  </form>

  </body>
</html>

  


Please Mark Post that helped you as answer, also include a summary of what solved the problem as it helps others in similar situations
patrickdrd
Asp.Net User
Re: lastlogindate and FormsAuthentication (cookie) - how? 7/12/2007 10:25:32 AM

0/0

Yes, but, as I told you,

I'm not using the new login controls and/or object model nor do I want to use that

so, there's no  MembershipUser object for me,

I prefer my own custom implementation,

my problem is: How and where to catch the event of a user logging on using a cookie?

nothing more, nothing less 

naturehermit
Asp.Net User
Re: lastlogindate and FormsAuthentication (cookie) - how? 7/12/2007 10:32:46 AM

0/0

during the login event itself and the page load

so if a user requests a page...during page_load the authentication ticket is passed and if the authentication cookie hasn't expired then..the user is in....hence this is one place.


patrickdrd
Asp.Net User
Re: lastlogindate and FormsAuthentication (cookie) - how? 7/12/2007 12:17:46 PM

0/0

yes, but the login event isn't fired in the 'cookie' case,

the Application_AuthenticateRequest method is just constructing the CustomPrincipal object (from the cookie string) and puts that in HttpContext.Current.User 

however, the  Application_AuthenticateRequest method runs many times on every page,

so where should I put my code to update the lastlogindate property?

(putting on every page's load event is not an option of course, I don't want to update my database so often for such a thing) 

naturehermit
Asp.Net User
Re: lastlogindate and FormsAuthentication (cookie) - how? 7/12/2007 3:21:17 PM

0/0

use Session_end event in Global.asax and this will work whenever a user session dies, which will happen as soon as the user closes the browser (all sessions will die..)

protected void Session_End(Object sender, EventArgs e)
{
    if (Session["ID"] != null)
    {
        // do something
    }
}

To make this work with login, set session[id] to null when the user logs out, and set the session whenever the user is in..either by login or cookies..i.e. after user is authenticated.

However these should be used with caution because keep in mind that there are some circumstances in which this event might not
fire:

* If the session is terminated manually (for instance you click the stop
button in Visual Studio.)
* If you are not using the standard in proc sessions (i.e. you're using SQL
Server to store state.)

I believe there are a few other obscure things that could prevent it from
firing too, so take this into account when designing your solution by having
some kind of cleanup routine to handle any sessions that slip through the
cracks.

Here is a link to make sure all that doesn't happen

http://forums.asp.net/p/7504/7504.aspx#7504

Please let me know what you think.

Many thanks


patrickdrd
Asp.Net User
Re: lastlogindate and FormsAuthentication (cookie) - how? 7/13/2007 11:41:53 AM

0/0


set the session whenever the user is in..either by login or cookies..i.e. after user is authenticated.

 

My problem is that the user is NOT authenticated when he logs in using cookies,
I guess that's how formsauthentication works, or I'm missing something,

login occurs "automatically" somehow in this case (at least for me)!

I guess that I still should authenticate the user if he logs in with a cookie, but where? when?

naturehermit
Asp.Net User
Re: lastlogindate and FormsAuthentication (cookie) - how? 7/13/2007 2:17:09 PM

0/0

First of all user is authenticated even when the logon is using cookies

Authentication begins when the user requests for a page from the protected application. The server checks if the user is already authenticated by searching for an authentication cookie that contains the authentication ticket in the request.

How that happens is not magic but is as follows

The class that does that magic for you is the FormsAuthenticationModule class, and in there there is an Authenticate event

The FormsAuthenticationModule exposes an Authenticate event that enables you to provide a custom IPrincipal object for the User property of the current HttpContext. The Authenticate event is accessed by specifying a subroutine named FormsAuthentication_OnAuthenticate in the Global.asax file for your ASP.NET application.

public void FormsAuthentication_OnAuthenticate(object sender, FormsAuthenticationEventArgs args)
{
  if (FormsAuthentication.CookiesSupported)
  {
    if (Request.Cookies[FormsAuthentication.FormsCookieName] != null)
    {
      try
      {
        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(
          Request.Cookies[FormsAuthentication.FormsCookieName].Value);
        
        args.User = new System.Security.Principal.GenericPrincipal(
          new Samples.AspNet.Security.MyFormsIdentity(ticket),
          new string[0]);
      }
      catch (Exception e)
      {
        // Decrypt method failed.
      }
    }
  }
  else
  {
    throw new HttpException("Cookieless Forms Authentication is not " +
                            "supported for this application.");
  }
}
 
This is how it all happens, please refer here http://msdn2.microsoft.com/en-us/library/system.web.security.formsauthenticationmodule.aspx
 
You would also like to know that there is also another event called PostAuthenticate Event 

The FormsAuthenticationModule class constructs a GenericPrincipal object and stores it in the HTTP context. The GenericPrincipal object holds a reference to a FormsIdentity instance that represents the currently authenticated user.

You should allow forms authentication to manage these tasks for you.

 

If your applications have specific requirements, such as setting the User property to a custom class that implements the IPrincipal interface, your application should handle the PostAuthenticate event.

The PostAuthenticate event occurs after the FormsAuthenticationModule has verified the forms authentication cookie and created the GenericPrincipal and FormsIdentity objects.

Within this code, you can construct a custom IPrincipal object that wraps the FormsIdentity object, and then store it in the HttpContext.User property.

Note  

 If you do this, you will also need to set the IPrincipal reference on the Thread.CurrentPrincipal property to ensure that the HttpContext object and the thread point to the same authentication information.

  

 

Please let me know if you understand it correctly now..


patrickdrd
Asp.Net User
Re: lastlogindate and FormsAuthentication (cookie) - how? 7/13/2007 5:06:40 PM

0/0

Yes, I know all this stuff,
since I have already implemented FormsAuthentication in my project,

my problem is that

FormsAuthentication_OnAuthenticate event (inside global.asax) is called MANY MANY times for a single form only and I don't want to update my database that many times,
how should I make it happen ONCE and only once?
 Thanks in advance! 

 

naturehermit
Asp.Net User
Re: lastlogindate and FormsAuthentication (cookie) - how? 7/16/2007 11:51:33 AM

0/0

When you are using Forms authentication, the sequence of events triggered by an unauthenticated user who attempts to access a secured file or resource (where URL authorization denies the user access), is shown in Figure

Now one strategy to get this only once is, to compare the request strings.

Suppose the user requests gallery.aspx/or main page--(the authentication begins). If it's a straight login you know already what to do; if however it's an automatic login, set a flag when the page requested and page submitted are equal and do the first db write. After the db write, create a session object. Now of course every time the two will equate to true because the user has authentication but the session object will remain what you set after db write. As soon as the application is closed at user end, this session will finish and hence --a signal for new write once user logs on.

 

explanation here without request as mentioned above

create a global object in FormsAuthentication_OnAuthenticate in global.asax. Initialize a session in your pages which initially has null value so Session["LoginCheck"] ="YourValue"

now

if (globalobject == "SetValue" && Session["LoginCheck"] == "YourValue")
{
    // do a db write for date and change session value
    Session["LoginCheck"] = "DbWritten";
}

and now you have only one condition when this will be true. After the user closes their browser or logs out, the session is reset.

 

You can also use IsAuthenticated if you have implemented it as a global object to verify the login and use the session as directed.

Hope this helps.

Please let me know your thoughts.


sliderhouserule
Asp.Net User
Re: lastlogindate and FormsAuthentication (cookie) - how? 7/16/2007 10:31:39 PM

0/0

patrickdrd:

Yes, I know all this stuff, since I have already implemented FormsAuthentication in my project, my problem is that FormsAuthentication_OnAuthenticate event (inside global.asax) is called MANY MANY times for a single form only and I don't want to update my database that many times,

how should I make it happen ONCE and only once?

Thanks in advance!

I'm a bit confused why this event is firing so many times for you. Does Application_AuthenticateRequest also fire multiple times per page load (it doesn't for me)? How about Application_AuthorizeRequest?

I think you need to first make a decision: Are you willing to update your database on every page load? If so you just need to find the right event to use. As mentioned, Application_AuthenticateRequest fires only once per page load for me in my test. If that doesn't work for you then Page_Load or a base Page class may be your answer. You simply need to find the right event that fires *once* for each page load.

If you don't want to update your database once on every page load, then you should look at creating a session object, updating the date value in the session once every page load (need to identify same location/event as above), and then writing it to the database on session expiration. The session expiration timeout will be the value that you determine is long enough to wait between database writes, since the user could return to your site at any given time and pick up their previous session if you allow them to (they may or may not have closed their window).

sliderhouserule
Asp.Net User
Re: lastlogindate and FormsAuthentication (cookie) - how? 7/16/2007 10:34:44 PM

0/0

Since this is really just a classic data persistence question, another option to look at is creating some kind of cache object at the application level to store last login dates for all users, and have that write all changes to the database at some specified interval. There should be some examples out there that show how to do this in a generic sense that you can make use of.
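
A variant of the application-level cache suggested above, as an added example that is not code from the thread: instead of flushing on a timer, it lets the database write through once per user per UTC date and suppresses the rest. `LastLoginGate`, `Record` and the counting writer in `Demo` are hypothetical names; in Global.asax it would be called from `Application_AuthenticateRequest` with `User.Identity.Name` and the application's own update routine.

```csharp
using System;
using System.Collections.Generic;

// Added example (not from the thread). Application-level gate: the supplied
// writer runs at most once per user per UTC calendar date, however many
// requests the authentication event sees.
public static class LastLoginGate
{
    private static readonly object Sync = new object();
    private static readonly Dictionary<string, DateTime> Stamped =
        new Dictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Returns true when the writer was invoked for this call.
    public static bool Record(string userName, DateTime utcNow,
                              Action<string, DateTime> writer)
    {
        if (string.IsNullOrEmpty(userName)) return false;   // anonymous request
        DateTime today = utcNow.Date;

        lock (Sync)
        {
            DateTime last;
            if (Stamped.TryGetValue(userName, out last) && last >= today)
                return false;                                // already written today
            Stamped[userName] = today;                       // claim before writing
        }

        try
        {
            writer(userName, utcNow);                        // the one database write
            return true;
        }
        catch
        {
            // Write failed: release the claim so the next request retries.
            lock (Sync) { Stamped.Remove(userName); }
            throw;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        int writes = 0;
        // Stand-in for the real database update; it only counts invocations.
        Action<string, DateTime> fakeDb = (user, when) => writes++;

        // Constructed sample: three requests on one day, one on the next day.
        DateTime day1 = new DateTime(2007, 7, 17, 9, 0, 0, DateTimeKind.Utc);
        LastLoginGate.Record("patrick@example.com", day1, fakeDb);
        LastLoginGate.Record("patrick@example.com", day1.AddMinutes(5), fakeDb);
        LastLoginGate.Record("PATRICK@example.com", day1.AddHours(3), fakeDb);
        LastLoginGate.Record("patrick@example.com", day1.AddDays(1), fakeDb);

        Console.WriteLine("database writes: " + writes);
    }
}
```

The dictionary lives in one worker process, so an application recycle or a second web server costs at most one extra write per user per day.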

sliderhouserule
Asp.Net User
Re: lastlogindate and FormsAuthentication (cookie) - how? 7/16/2007 10:50:01 PM

0/0

patrickdrd:

(putting on every page's load event is not an option of course, I don't want to update my database so often for such a thing) 

Sorry, I missed this on my first couple reads through the thread.

One thing that isn't clear is whether you're really trying to identify the user's actual last "login" time, or if you consider last login time to be the last time the user interacted with the system (i.e. your last page request is your last login).

If naturehermit has already given you the answer you need just mark one of his posts and ignore these from me.
 

patrickdrd
Asp.Net User
Re: lastlogindate and FormsAuthentication (cookie) - how? 7/17/2007 12:08:33 AM

0/0

guys, I just need to get the date (I don't care so much about time, just date)
a user entered my site,

can someone provide me with the details (or hints) in order to implement it?
 

naturehermit
Asp.Net User
Re: lastlogindate and FormsAuthentication (cookie) - how? 7/17/2007 8:20:03 AM

0/0

Patrick,

Have you read the stuff I provided? Have you tried it?

Many thanks


patrickdrd
Asp.Net User
Re: lastlogindate and FormsAuthentication (cookie) - how? 7/17/2007 10:21:06 AM

0/0

tried with the following code inside Application_AuthenticateRequest,

but I get an error that session is nothing 

 
If Context Is Nothing OrElse Context.Session Is Nothing OrElse Context.Session("LastLogin") Is Nothing OrElse Context.Session("LastLogin").ToString = String.Empty Then
  Dim cust As New helperclasses.Customer
  cust.UpdateLastLogin(helperclasses.CustomPrincipal.GetUser.Email)
  Session("LastLogin") = Date.Now
End If
 
naturehermit
Asp.Net User
Re: lastlogindate and FormsAuthentication (cookie) - how? 7/17/2007 10:23:38 AM

0/0

No, you can't use session in global.asax.

Create the session in your pages, because Session object will be initialized there. And then use that approach. (Hard work hey)

 


patrickdrd
Asp.Net User
Re: lastlogindate and FormsAuthentication (cookie) - how? 7/17/2007 11:01:37 AM

0/0

How should I create it,
since session does not have a NEW (constructor) method?

And in which event?

I think that authenticate_request is called before each page 

naturehermit
Asp.Net User
Re: lastlogindate and FormsAuthentication (cookie) - how? 7/17/2007 11:41:23 AM

0/0

Sessions are created like so in C#

Session["SessionName"] = SomeValue;

There is a Session_Start in global.asax for managing static sessions (however do not store any confidential info there)

In this you can check some authentication flag and assign a session value based on that flag.

if both session and flag are somevalue do a db write, else if they are different ignore.

http://msdn2.microsoft.com/en-us/library/system.web.sessionstate.httpsessionstate.sessionid.aspx. (and also answer from previous post, sessions are available after acquireRequestState in global.asax).

Just to also let you know there are many events in global.asax

The request is processed by the HttpApplication pipeline.

The following events are executed by the HttpApplication class while the request is processed. The events are of particular interest to developers who want to extend the HttpApplication class.

  1. Validate the request, which examines the information sent by the browser and determines whether it contains potentially malicious markup. For more information, see ValidateRequest and Script Exploits Overview.

  2. Perform URL mapping, if any URLs have been configured in the UrlMappingsSection section of the Web.config file.

  3. Raise the BeginRequest event.

  4. Raise the AuthenticateRequest event.

  5. Raise the PostAuthenticateRequest event.

  6. Raise the AuthorizeRequest event.

  7. Raise the PostAuthorizeRequest event.

  8. Raise the ResolveRequestCache event.

  9. Raise the PostResolveRequestCache event.

  10. Based on the file name extension of the requested resource (mapped in the application's configuration file), select a class that implements IHttpHandler to process the request. If the request is for an object (page) derived from the Page class and the page needs to be compiled, ASP.NET compiles the page before creating an instance of it.

  11. Raise the PostMapRequestHandler event.

  12. Raise the AcquireRequestState event.

  13. Raise the PostAcquireRequestState event.

  14. Raise the PreRequestHandlerExecute event.

  15. Call the ProcessRequest method (or the asynchronous version BeginProcessRequest) of the appropriate IHttpHandler class for the request. For example, if the request is for a page, the current page instance handles the request.

  16. Raise the PostRequestHandlerExecute event.

  17. Raise the ReleaseRequestState event.

  18. Raise the PostReleaseRequestState event.

  19. Perform response filtering if the Filter property is defined.

  20. Raise the UpdateRequestCache event.

  21. Raise the PostUpdateRequestCache event.

  22. Raise the EndRequest event.

So you could also write an httphandler that verifies the request is authorized and set a flag.
Please Mark Post that helped you as answer, also include a summary of what solved the problem as it helps others in similar situations
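
The session-flag approach from this thread, placed at the first pipeline stage where session state exists (right after step 12 in the list above), as an added example that is not the posters' code. The session key, the `Users` table and its columns, and the `AppDb` connection string name are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;

// Added example (not from the thread): stamp the last-login date once per
// session, for interactive and cookie logins alike.
public class Global : HttpApplication
{
    private const string StampedKey = "LastLoginStamped";   // assumed session key

    // Wired up by name. Runs after AcquireRequestState, so session state has
    // been loaded for handlers that use it; AuthenticateRequest runs earlier
    // and never has a session.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = Context;

        // Context.Session is null for requests without session state (static
        // files, handlers lacking IRequiresSessionState). The application's own
        // Session property would throw "Session state is not available in this
        // context" here, so test Context.Session instead.
        if (ctx.Session == null) return;

        // True whether the ticket came from the login form a moment ago or
        // from a persistent forms-authentication cookie.
        if (!ctx.Request.IsAuthenticated) return;

        if (ctx.Session[StampedKey] != null) return;   // already stamped this session

        // The name comes from the decrypted, validated ticket, never from
        // query string or form data.
        string userName = ctx.User.Identity.Name;
        UpdateLastLogin(userName, DateTime.UtcNow);
        ctx.Session[StampedKey] = true;
    }

    // Call from the logout handler so that a later login within the same
    // browser session is stamped again.
    public static void ResetStamp(HttpContext ctx)
    {
        if (ctx != null && ctx.Session != null) ctx.Session.Remove(StampedKey);
    }

    // Assumed schema: Users(UserName, LastLoginDate); assumed connection
    // string name "AppDb". Parameterized to keep the user name out of the SQL text.
    private static void UpdateLastLogin(string userName, DateTime utcNow)
    {
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
            "UPDATE Users SET LastLoginDate = @when WHERE UserName = @name", conn))
        {
            cmd.Parameters.AddWithValue("@when", utcNow);
            cmd.Parameters.AddWithValue("@name", userName);
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```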
patrickdrd
Asp.Net User
Re: lastlogindate and FormsAuthentication (cookie) - how? 7/17/2007 12:39:21 PM

0/0

yes, but I get an error: Session state is not available in this context even if I use:

Session("LastLogin") = String.Empty

in Session_Start event

 

All Times Are GMT