Forms authentication, user login status is not maintained

I am testing ASP.NET 2.0 Forms authentication with user credentials in
SQL Server 2005. I don't want to put user credentials in web.config,
so the credentials section is commented out. The following is the
relevant part in my web.config.

<authentication mode="Forms">
  <forms name=".MyWebAppAuth"
         path="/"
         loginUrl="Default.aspx"
         protection="All"
         timeout="30">

    <!-- I will get username
         and password from SQL Server.
    <credentials>
      <user name="myusername" password="mypassword"/>
    </credentials>
    -->
  </forms>
</authentication>

<!-- keep out anonymous users -->
<authorization>
  <deny users="?"/>
</authorization>

My login page is Default.aspx as you see from above. The code-behind
of Default.aspx, i.e., Default.aspx.cs, calls a stored procedure in
SQL Server 2005, which takes the user name and password as its
parameters. It returns 1 if the username/password pair is found,
otherwise, it returns 0.

In Default.aspx.cs, I say:

if (validateUser(name, password) == 1)
{
    Response.Redirect("UserProfile.aspx");
}
else
{
    // authentication failed. show a message
    lblMessage.Text = "Invalid username/password.";
}

validateUser is simply a method I implement to validate the user. I
know the login process itself works OK. In other words, validateUser
method does return 1 if the username/password pair is found in the
database, and it does return 0 if the username/password pair is not
found.

But, the user is kicked back to Default.aspx immediately after he is
redirected to UserProfile.aspx.

This must have to do with the section in web.config, which says:

<!-- keep out anonymous users -->
<authorization>
  <deny users="?"/>
</authorization>

Because if I comment out this section, the user can be successfully
redirected to UserProfile.aspx and stays on that page nicely.

So, apparently, my user login status is not maintained in the
application.

I cannot google out topics on maintaining user login status. Please
give me a hint. Thanks a lot.

Jun 29 '07 #1
Hi antony,

an***********@yahoo.com wrote:
> My login page is Default.aspx as you see from above. The code-behind
> of Default.aspx, i.e., Default.aspx.cs, calls a stored procedure in
> SQL Server 2005, which takes the user name and password as its
> parameters. It returns 1 if the username/password pair is found,
> otherwise, it returns 0.

Just a thought here - it seems like you are not using the membership
provider for the logon process (you call your own stored procedure) and
rely on the integrated authorization mechanisms for access control.
What I think happens is that you call the stored proc, but authorization
manager does not know that a user signed on. Therefore, the provider
redirects you to the login page.

My advice is to either use the membership provider that's included with
asp.net (downside: your database has to have the tables required which
aspnet_regsql can set up for you).
Or, if you want to keep the custom stored proc etc., create your own
membership provider.
Or, as a third option, don't rely on the authorization manager (the part
with deny ="?") but have your own routine, i.e. set a session variable
after successful login, and check for that session variable in the
page_load of each page (and if it isn't there, redirect to your login
page manually).

Bottom line: You have to use an asp.net membership provider to use the
authorization features.

Scott Guthrie has a collection of good links on this and other
security-related matters on
http://weblogs.asp.net/scottgu/archi...esources-.aspx

Hope this helps,

Roland
Jun 30 '07 #2
Hi Anthony,

glad I could be of help.
On a side note, as you wrote it is a lot of work to check whether the
user is logged in via a session variable in each page_load. However, you
can do that in one single page and derive every other page from that
(i.e. extend the Page class). This way, you would have to do this only
once. But you still have to remember to change the base class of your
pages though.

Anyway, I think it is the "cleaner" way to stick with the membership
providers from asp.net.

Good luck,

Roland
Jun 30 '07 #3
