asp.net security: For authentication we are using an external DB. I can use Forms
authentication and use the loginUrl="MyLoginForm.aspx" just fine. But
for authorization, we cannot use a static list of roles for people,
their authorization depends on factors which change as they use the
system.

We must determine roles on every page hit, using information in our
custom identity, which is changed as user uses system. I examine
custom identity, determine roles, create principal accordingly, then
attach it to HttpContext.Current.User. But after redirecting to
another page, the HttpContext.Current.User identity reverts back to a
"Windows" identity and also the principal's information is gone too
(reverts to generic principal without my role info).

How does one modify the HttpContext.Current.User and have it persist
between redirects? Thanks!

This is no longer an issue. I've decided to handle the matter
differently. Thanks!

Hello martymcdonald@comcast.net,

normally - the place to attach roles to a Principal and replace Context.User
is in the Authenticate_Request event (in Global.asax or a HttpModule).

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

[quoted text, click to view]