aspx security?

Sam
I have successfully created authentication via web.config, however I
discovered some security issues as follows:

1. ASPX Security
I have a web application built with ASP.NET and it consists of the following sections:
i. Administration
ii. Attendance
iii. Reporting

Each section has its own authorised user and they should not cross over.
For example, User A can log in to Administration but cannot access Attendance and
Reporting. How do I control it? Please help.

2. Login Security
How long does web.config allow a user to access the web application? How does the aspx file
check whether the user can still access it or not?
Please find the web.config and login.aspx files below.

<!-- Web.Config Configuration File -->
<configuration>
  <appSettings>
    <add key="ConnectionString"
         value="server=KULSQL01;database=Payroll;uid=payroll;pwd=pay88;" />
  </appSettings>
  <system.web>
    <compilation debug="true" />
    <authentication mode="Forms">
      <forms name="Intranet" loginUrl="authentication.aspx"
             protection="All" path="/" timeout="20"/>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
    <customErrors mode="Off" />
  </system.web>
</configuration>

<!-- Login Authentication File -->
<%@ Page Language="VB" %>
<%@ import Namespace="System" %>
<%@ import Namespace="System.Configuration" %>
<%@ import Namespace="System.Data" %>
<%@ import Namespace="System.Data.OleDB" %>
<%@ import Namespace="System.Data.SqlClient" %>
<%@ import Namespace="System.Data.SqlTypes" %>
<%@ import Namespace="System.Web.Security" %>
<script runat="server">

Sub defaultpage(Sender as Object, e As EventArgs)
    Response.Redirect("default.aspx")
End Sub

Sub authenticate(Sender as Object, e As EventArgs)
    Dim con As New SqlConnection(ConfigurationSettings.AppSettings("ConnectionString"))

    ' Pass the user name as a parameter rather than concatenating it into the SQL text
    Dim cmd As New SqlCommand()
    cmd.CommandText = "Select * from authentication where username = @username"
    cmd.Parameters.Add("@username", SqlDbType.VarChar).Value = txtUsername.Text
    cmd.Connection = con

    Try
        con.Open()

        ' "Y" once a row with a matching password has been found
        Dim FlagAuthentication

        FlagAuthentication = "N"

        Dim rd As SqlDataReader = cmd.ExecuteReader()

        While rd.read()
            If rd("password").ToString = txtPassword.Text Then
                ' Issue the forms-authentication cookie (non-persistent)
                FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, false)
                FlagAuthentication = "Y"
                Response.Redirect("payroll.aspx")
            Else
                Response.Redirect("warning.aspx")
            End If
        End While

        rd.Close()

        ' No row matched the user name
        If FlagAuthentication = "N" Then
            Response.Redirect("warning.aspx")

        End If

    Finally
        con.Close()
    End Try
End Sub

</script>
Nov 19 '05 #1
I successfully developed an app using role-based forms authentication by
using the techniques outlined in these articles:
http://support.microsoft.com/default...b;en-us;311495
http://www.4guysfromrolla.com/webtech/121901-1.2.shtml

Here is another article you may find useful as well:
http://www.eggheadcafe.com/articles/20020906.asp
--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net

Nov 19 '05 #2
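
Added example (not part of the original posts and not taken from the linked articles): a web.config that limits each of the three sections from the question to its own role and makes the 20-minute login timeout explicit. It assumes the sections live in subfolders named Administration, Attendance and Reporting, that roles with the same names exist, and that the application attaches each user's roles to the request principal, which `<allow roles>` depends on under forms authentication.

```xml
<!-- Added example: folder names and role names are assumptions. -->
<configuration>
  <system.web>
    <!-- Deployment settings: the question's file has debug="true" and
         customErrors mode="Off", which show detailed errors to every visitor. -->
    <compilation debug="false" />
    <customErrors mode="RemoteOnly" />

    <authentication mode="Forms">
      <!-- timeout is in minutes. With slidingExpiration the ticket is reissued
           when a request arrives in the second half of its lifetime, so an idle
           user is signed out within 20 minutes and the next request is sent
           to loginUrl. -->
      <forms name="Intranet" loginUrl="authentication.aspx"
             protection="All" path="/" timeout="20" slidingExpiration="true" />
    </authentication>

    <!-- Site-wide default: anonymous users ("?") must log in first. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-section rules are read top down and the first match wins:
       allow the one role, then deny everyone else ("*"). -->
  <location path="Administration">
    <system.web>
      <authorization>
        <allow roles="Administration" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="Attendance">
    <system.web>
      <authorization>
        <allow roles="Attendance" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="Reporting">
    <system.web>
      <authorization>
        <allow roles="Reporting" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

ASP.NET evaluates these rules on every request, so a page in Attendance is refused to an Administration-only user even when the URL is typed in directly.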
