467,864 Members | 1,984 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 467,864 developers. It's quick & easy.

Forms Authentication Security questions...

Hello, ASP.NET gurus!

I have read many pages on setting up a login screen to access a number of web pages using Forms Authentication and I am still trying to wrap my brain around the whole thing. However, I know that my knowledge on this topic has a few gaping holes ('cause it still ain't working!). I am going to present my code and explain what I am trying to accomplish then, hopefully, you'll respond with some helpful suggestions.

:)

The pages are in a folder called "Admin" and will be access through the company's Intranet by the path http://servername/admin/ . The page default.aspx handles the login and verification process and is supposed to move the user to the next page on a successful login.

default.aspx → (successful login) → admin.aspx

The code to verify the login seems to work when accessing the database, etc. However, when I add the lines (I think I need) in the Web.Config file I get a runtime error but I can't see what the problem is because the details are blocked.

Any suggestions / comments?
TIA...

Here's the code:

Web.Config:
<!-- Web.Config Configuration File -->

<configuration>
<system.web>
<customErrors mode="Off"/>
</system.web>

<authorization>
<deny users="?" />
</authorization>

<authentication mode="Forms">
<forms name="Admin"
loginURL="default.aspx"
protection="All"
timeout="20"
path="/Admin" />
</authentication>

</configuration>
Default.aspx:
<%@ Page Language="VB" Inherits="Login" src="Default.vb" autoeventwireup="False" %>
<html>
....
</html>
Default.vb:
' Default.vb
'

Imports Microsoft.VisualBasic
Imports System
Imports System.Web
Imports System.Web.UI
Imports System.Web.UI.WebControls
Imports System.Web.UI.HtmlControls
Imports System.Web.Security
Imports System.Data
Imports System.Data.OleDb
Imports System.Data.SqlClient

Public Class Login
'For PostBack
Inherits Page

'Declare web objects
Protected pnlLogin as Panel
Protected pnlInvalidLogin as Panel
Protected txtLoginID as TextBox
Protected txtPassword as TextBox
Protected WithEvents btnLogin as Button

'global connection string for class
Private ConnString as String = "Data Source=SOLOMON4;Initial Catalog=Incident;User ID=Incident;Password=tech"

'Initialize web page with Page_Load
Private Sub Page_Load(sender as Object, e as EventArgs) Handles MyBase.Load

If Me.IsPostBack = False Then

Initialize()

End If

End Sub

Private Sub Initialize()

pnlInvalidLogin.Visible = False
pnlLogin.Visible = True
End Sub

Private Function Validated(ByVal Usr as String, ByVal Pwd as String) as Boolean
'Declare objects
Dim conn as New SqlConnection
Dim cmd as New SqlCommand
Dim dreader as SqlDataReader

'Initialize values
conn.ConnectionString = ConnString
cmd.Connection = conn
cmd.CommandText = "SELECT * FROM Admin"

Try
'Open connetion and import information to DataReader object
conn.Open()
dreader = cmd.ExecuteReader()

'Go through table of valid admin logins
Do While dreader.Read()
If UCase(dreader("LoginName")) = UCase(Usr) Then
Exit Do
Else
Validated = False
End If
Loop

'validate password
If UCase(dreader("Password")) = UCase(Pwd) Then
Validated = True
Else
Validated = False
End If

dreader.Close()

Catch err as Exception
'To err is human...Bail-out!!
Validated = False
Finally
'Clean up
conn.Close()
End Try
End Function
'Event Handlers
Private Sub btnLogin_Click(sender as Object, e as EventArgs) Handles btnLogin.Click

If Validated(txtLoginID.Text, txtPassword.Text) Then
'Redirect to admin.aspx page
Response.Redirect("admin.aspx")
Else
'unsuccessful login
pnlInvalidLogin.Visible = True
pnlLogin.Visible = False
End If

End Sub

End Class

Admin.aspx:
<%@ Page Language="VB" Inherits="Admin" src="Admin.vb" autoeventwireup="False" %>
<html>
....
</html>

Admin.vb:
' Admin.vb
'

Imports Microsoft.VisualBasic
Imports System
Imports System.Web
Imports System.Web.UI
Imports System.Web.UI.WebControls
Imports System.Web.UI.HtmlControls
Imports System.Web.Security
Imports System.Data
Imports System.Data.OleDb
Imports System.Data.SqlClient

Public Class Admin
'For PostBack
Inherits Page

Private Sub Page_Load(sender as Object, e as EventArgs) Handles MyBase.Load

'Not sure what to put in here!

End Sub

....

End Class

Nov 19 '05 #1
  • viewed: 1609
Share:
1 Reply
Hi,

Basically ASP.NET Form Authentication Conducts in
following logic:

User tries to access a web page, e.g. admin.aspx, Web
Server checks the user, if not authorizing redirect to
Login page, in you case default.aspx. And add a query
string ReturnUrl=/admin/admin.aspx for late return.

In login page's btnLogin_Click, using following code:

Dim uid As String = txtUid.Text
Dim pwd As String = txtPws.Text
If Validated(uid, pwd) Then
FormsAuthentication.RedirectFromLoginPage(uid,fals e)
Else
' ...
End If

This will automatically redirect to admin.aspx, or other
page that user tied to access.

Hope it's helpful to you,

Elton Wang
el********@hotmail.com
-----Original Message-----
Hello, ASP.NET gurus!

I have read many pages on setting up a login screen to access a number of web pages using Forms Authentication
and I am still trying to wrap my brain around the whole
thing. However, I know that my knowledge on this topic
has a few gaping holes ('cause it still ain't working!).
I am going to present my code and explain what I am trying
to accomplish then, hopefully, you'll respond with some
helpful suggestions.
:)

The pages are in a folder called "Admin" and will be access through the company's Intranet by the path
http://servername/admin/ . The page default.aspx handles
the login and verification process and is supposed to move
the user to the next page on a successful login.
default.aspx ? (successful login) ? admin.aspx

The code to verify the login seems to work when accessing the database, etc. However, when I add the lines
(I think I need) in the Web.Config file I get a runtime
error but I can't see what the problem is because the
details are blocked.
Any suggestions / comments?
TIA...

Here's the code:

Web.Config:
<!-- Web.Config Configuration File -->

<configuration>
<system.web>
<customErrors mode="Off"/>
</system.web>

<authorization>
<deny users="?" />
</authorization>

<authentication mode="Forms">
<forms name="Admin"
loginURL="default.aspx"
protection="All"
timeout="20"
path="/Admin" />
</authentication>

</configuration>
Default.aspx:
<%@ Page Language="VB" Inherits="Login" src="Default.vb" autoeventwireup="False" %><html>
....
</html>
Default.vb:
' Default.vb
'

Imports Microsoft.VisualBasic
Imports System
Imports System.Web
Imports System.Web.UI
Imports System.Web.UI.WebControls
Imports System.Web.UI.HtmlControls
Imports System.Web.Security
Imports System.Data
Imports System.Data.OleDb
Imports System.Data.SqlClient

Public Class Login
'For PostBack
Inherits Page

'Declare web objects
Protected pnlLogin as Panel
Protected pnlInvalidLogin as Panel
Protected txtLoginID as TextBox
Protected txtPassword as TextBox
Protected WithEvents btnLogin as Button

'global connection string for class
Private ConnString as String = "Data Source=SOLOMON4;Initial Catalog=Incident;User
ID=Incident;Password=tech"
'Initialize web page with Page_Load
Private Sub Page_Load(sender as Object, e as EventArgs) Handles MyBase.Load
If Me.IsPostBack = False Then

Initialize()

End If

End Sub

Private Sub Initialize()

pnlInvalidLogin.Visible = False
pnlLogin.Visible = True
End Sub

Private Function Validated(ByVal Usr as String, ByVal Pwd as String) as Boolean 'Declare objects
Dim conn as New SqlConnection
Dim cmd as New SqlCommand
Dim dreader as SqlDataReader

'Initialize values
conn.ConnectionString = ConnString
cmd.Connection = conn
cmd.CommandText = "SELECT * FROM Admin"

Try
'Open connetion and import information to DataReader object conn.Open()
dreader = cmd.ExecuteReader()

'Go through table of valid admin logins
Do While dreader.Read()
If UCase(dreader("LoginName")) = UCase (Usr) Then Exit Do
Else
Validated = False
End If
Loop

'validate password
If UCase(dreader("Password")) = UCase(Pwd) Then Validated = True
Else
Validated = False
End If

dreader.Close()

Catch err as Exception
'To err is human...Bail-out!!
Validated = False
Finally
'Clean up
conn.Close()
End Try
End Function
'Event Handlers
Private Sub btnLogin_Click(sender as Object, e as EventArgs) Handles btnLogin.Click
If Validated(txtLoginID.Text, txtPassword.Text) Then 'Redirect to admin.aspx page
Response.Redirect("admin.aspx")
Else
'unsuccessful login
pnlInvalidLogin.Visible = True
pnlLogin.Visible = False
End If

End Sub

End Class

Admin.aspx:
<%@ Page Language="VB" Inherits="Admin" src="Admin.vb" autoeventwireup="False" %><html>
....
</html>

Admin.vb:
' Admin.vb
'

Imports Microsoft.VisualBasic
Imports System
Imports System.Web
Imports System.Web.UI
Imports System.Web.UI.WebControls
Imports System.Web.UI.HtmlControls
Imports System.Web.Security
Imports System.Data
Imports System.Data.OleDb
Imports System.Data.SqlClient

Public Class Admin
'For PostBack
Inherits Page

Private Sub Page_Load(sender as Object, e as EventArgs) Handles MyBase.Load
'Not sure what to put in here!

End Sub

....

End Class


Nov 19 '05 #2

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

1 post views Thread by Paul Daly (MCP) | last post: by
3 posts views Thread by Kris van der Mast | last post: by
reply views Thread by Anonieko Ramos | last post: by
4 posts views Thread by WebBuilder451 | last post: by
5 posts views Thread by Rory Becker | last post: by
reply views Thread by jack112 | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.