I have an ASP.NET application with a custom-made MembershipProvider to handle login, password change etc.
I just noticed that, if I log in to a browser with an administrator account (let's call this Session A), the login works as normal, where I can see only administrator-specific pages.
Now, if I log in to a different browser with a non-administrator account (Session B), Session A gets "overwritten" by Session B. So, if I refresh the browser in Session A, the logged-in user becomes the user logged in to Session B.
Is there any way to create different sessions upon different logins? Am I missing something?
Here's how the ValidateUser method is handled in MyMembershipProvider.cs:
    public override bool ValidateUser(string username, string password)
    {
        FNHSessionManager sessionManager = new FNHSessionManager("defaultConnection");
        UserRepository _userRepository = new UserRepository(sessionManager);

        // Reject null, empty, or whitespace-only passwords.
        if (string.IsNullOrWhiteSpace(password)) return false;

        var user = _userRepository.GetByUsername(username);
        if (user == null)
        {
            return false;
        }

        // Hash the supplied password with the stored salt and compare to the stored hash.
        var passHash = PasswordHasher.ComputeHash(password, user.PasswordSalt, 3);
        if (passHash == user.PasswordHash)
        {
            // CustomMembershipUser is declared outside this method (not shown).
            var newMembership = new MyMembershipUser(user.Role);
            CustomMembershipUser = newMembership;
            return true;
        }

        return false;
    }
I don't have a very clear idea on how to handle the MembershipProvider in general.
I don't know how it is possible to create different sessions upon different logins.
Let me know if there's anything else that needs to be posted (methods in MyMembershipProvider.cs and such).
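
An added example, not part of the original post: a console model of the symptom described above, assuming `CustomMembershipUser` is a property stored on the provider class. ASP.NET creates a membership provider once per application, so anything kept on it is shared by every visitor. `SharedStateProvider`, `StatelessProvider`, `Users` and the sample accounts are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

// Constructed sample data: username -> role (password checks left out to keep the focus on state).
static class Users
{
    public static readonly Dictionary<string, string> Roles =
        new Dictionary<string, string> { { "admin1", "Admin" }, { "user1", "User" } };
}

// Hypothetical model of the pattern in the question: the validated user is kept on the provider.
class SharedStateProvider
{
    public string CurrentRole;   // a single slot, shared by every visitor
    public bool ValidateUser(string username)
    {
        string role;
        if (!Users.Roles.TryGetValue(username, out role)) return false;
        CurrentRole = role;      // overwrites whatever the previous login stored
        return true;
    }
}

// Hypothetical alternative: the provider keeps no per-user state; the role is looked up by name.
class StatelessProvider
{
    public bool ValidateUser(string username) { return Users.Roles.ContainsKey(username); }
    public string GetRole(string username) { return Users.Roles[username]; }
}

static class Demo
{
    static void Main()
    {
        // One object stands in for the single provider instance the application uses.
        var shared = new SharedStateProvider();
        shared.ValidateUser("admin1");   // Session A logs in
        shared.ValidateUser("user1");    // Session B logs in from another browser
        Console.WriteLine("Shared state, Session A refreshes: " + shared.CurrentRole);

        // Each browser keeps its own authenticated name, as a per-browser cookie would.
        var stateless = new StatelessProvider();
        string sessionA = stateless.ValidateUser("admin1") ? "admin1" : null;
        string sessionB = stateless.ValidateUser("user1") ? "user1" : null;
        Console.WriteLine("Per-request lookup, Session A: " + stateless.GetRole(sessionA));
        Console.WriteLine("Per-request lookup, Session B: " + stateless.GetRole(sessionB));
    }
}
```

In a real application the per-browser name comes from the forms-authentication ticket: `FormsAuthentication.SetAuthCookie` at login and `HttpContext.Current.User` on later requests.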