Unrelated to your web.config question, why are you issuing the cookie manually?
This can be done for you by FormsAuthentication.SetAuthCookie or FormsAuthentication.RedirectFromLoginPage.
If Forms does it for you, then it will be encrypted and MAC protected. As
you've written it, the cookie is in plaintext and has the password in it
(the latter part seems unnecessary).
-Brock
DevelopMentor
http://staff.develop.com/ballen
> Hi,
>
> I am creating a website where I want to allow some webforms to be
> accessible to all users, and those in a subdirectory available only to
> authenticated users.
>
> I have created a script to authenticate users from a stored sql
> database from a login page login.aspx.
>
> private void Submit1_ServerClick(object sender, System.EventArgs e)
> {
> if(Page.IsValid)
> {
> string redirect = "Forms//UserHome.aspx";
> if(ValidateUser(usernameTxtBx.Text.Trim(),
> passwordTxtBx.Text.Trim()))
> {
> // Create Cookie
> HttpCookie YLCcookie = new HttpCookie("username");
> YLCcookie.Value = "usernameTxtBx.Text, passwordTxtBx.Text";
> YLCcookie.Expires = DateTime.Now.AddDays(1);
> Response.Cookies.Add(YLCcookie);
> // Redirect the user to UserHome.aspx
> Response.Redirect(redirect);
> }
> else
> {
> messageLbl.Text = "Invalid Login, please try again.";
> }
> }
> }
> private bool ValidateUser(string txtUser, string txtPass)
> {
> // Declare conn from Web.Config
> SqlConnection conn = new
> SqlConnection(ConfigurationSettings.AppSettings["strConn"]);
> // Access Stored Procedure
> SqlCommand cmd = new SqlCommand("proc_ValidateUser", conn);
> cmd.CommandType = CommandType.StoredProcedure;
> // Create Parameters
> SqlParameter objParam1;
> SqlParameter objParam2;
> SqlParameter returnParam;
> objParam1 = cmd.Parameters.Add("@usrName", SqlDbType.NVarChar);
> objParam2 = cmd.Parameters.Add("@usrPassword", SqlDbType.NVarChar);
> returnParam = cmd.Parameters.Add("@Num_of_User", SqlDbType.Int);
> // Set the direction of the parameters
> objParam1.Direction = ParameterDirection.Input;
> objParam2.Direction = ParameterDirection.Input;
> returnParam.Direction = ParameterDirection.ReturnValue;
> // Set the values of the parameters
> objParam1.Value = txtUser;
> objParam2.Value = txtPass;
> try
> {
> if(conn.State.Equals(ConnectionState.Closed))
> {
> conn.Open();
> cmd.ExecuteNonQuery();
> }
> if((int)returnParam.Value < 1)
> {
> messageLbl.Text = "Invalid Login.";
> return false;
> }
> else
> {
> conn.Close();
> return true;
> }
> }
> catch (Exception ex)
> {
> messageLbl.Text = ex + "Error connecting to database. Please try
> again later.";
> return false;
> }
> finally
> {
> // Ensures connection has closed
> conn.Close();
> }
> }
> This works ok.
>
> If the user is not registered, there is a link on login.aspx to
> AddUser.aspx, allowing for registration. Both these pages should be
> accessible to all users.
>
> However, I have a number of forms in a subdirectory, WebForms, that I
> want to be accessible only if the user is logged in. The script above
> does this and works with regard to navigation within the site.
> However, if a person was to bookmark one of the secure forms, currently
> they are able to navigate to it without logging in.
>
> I have edited the Web.Config file as follows:
>
> <authentication mode="Forms">
> <forms name="YLCcookie" loginUrl="login.aspx"
> protection="All" path="/" />
> </authentication>
> <authorization>
> <allow users="*" /> <!-- Allow all users -->
> </authorization>
> This allows all users access to login.aspx and AddUser.aspx, this
> works fine.
>
> I have then added a new section on the end of the Web.Config file as
> follows:
>
> <location path="WebForms">
> <system.web>
> <authorization>
> <deny users="?" />
> </authorization>
> </system.web>
> </location>
> This stops all unauthenticated users from accessing the forms in the
> WebForms subdirectory, as I wanted. Currently, however, it also stops
> authenticated users too.
>
> Do I need to add <allow users= . . . > to this section, or should the
> cookie in the submit script work in its place? If I do need to add an
> <allow users= . . . > section, how can I securely do this from the
> user login data stored in the sql database?
>
> Thanks for your time in reading this far, I know it's a lengthy one,
> but thought I'd best give as much info as possible as I'm not wholly
> sure where the problem lies.
>
> Thanks again.
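As an added example (not code from either post in this thread), here is the login handler rewritten the way Brock suggests, letting Forms Authentication issue the ticket instead of a hand-built cookie. It assumes the poster's control names (usernameTxtBx, passwordTxtBx, messageLbl), the poster's own ValidateUser method unchanged, and the web.config shown above with protection="All".

```csharp
using System;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    protected void Submit1_ServerClick(object sender, EventArgs e)
    {
        if (!Page.IsValid)
            return;

        string user = usernameTxtBx.Text.Trim();

        // ValidateUser is the poster's stored-procedure check (assumed present, unchanged).
        if (ValidateUser(user, passwordTxtBx.Text.Trim()))
        {
            // Let Forms Authentication build the ticket. With protection="All"
            // in web.config the cookie (named "YLCcookie", per <forms name=...>)
            // is encrypted and MAC-protected and carries only the user name;
            // the password never goes to the client. This ticket is what
            // <deny users="?" /> checks, so authenticated users now get through.
            //
            // RedirectFromLoginPage sends the user to the ReturnUrl query
            // parameter when ASP.NET bounced them here from a bookmarked
            // protected page, otherwise to default.aspx.
            FormsAuthentication.RedirectFromLoginPage(user, false /* not persistent */);
        }
        else
        {
            messageLbl.Text = "Invalid Login, please try again.";
        }
    }

    // Logging out is the mirror image: remove the ticket rather than the cookie by hand.
    protected void Logout_ServerClick(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

If you need to land on a specific page rather than default.aspx, call FormsAuthentication.SetAuthCookie(user, false) followed by your own Response.Redirect instead; the ticket is identical either way.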