Forms Authentication Security questions...

Hello, ASP.NET gurus!

I have read many pages on setting up a login screen to access a number of web pages using Forms Authentication and I am still trying to wrap my brain around the whole thing. However, I know that my knowledge on this topic has a few gaping holes ('cause it still ain't working!). I am going to present my code and explain what I am trying to accomplish then, hopefully, you'll respond with some helpful suggestions.

:)

The pages are in a folder called "Admin" and will be accessed through the company's Intranet by the path http://servername/admin/ . The page default.aspx handles the login and verification process and is supposed to move the user to the next page on a successful login.

default.aspx → (successful login) → admin.aspx

The code to verify the login seems to work when accessing the database, etc. However, when I add the lines (I think I need) in the Web.Config file I get a runtime error but I can't see what the problem is because the details are blocked.

Any suggestions / comments?
TIA...

Here's the code:

Web.Config:
<!-- Web.Config Configuration File -->
<!-- <authorization> and <authentication> are children of <system.web>.
     Placed directly under <configuration>, as they were originally, they
     are unrecognised elements and the application fails at startup with
     a configuration error. The attribute name is loginUrl (attribute
     names are case-sensitive), not loginURL.
     Note also that browsers compare cookie paths case-sensitively: a
     ticket cookie scoped to path="/Admin" is not sent with requests to
     http://servername/admin/, so the path should match the URL actually
     used (or be left at the default "/"). -->

<configuration>
  <system.web>
    <customErrors mode="Off"/>

    <authorization>
      <deny users="?" />
    </authorization>

    <authentication mode="Forms">
      <forms name="Admin"
             loginUrl="default.aspx"
             protection="All"
             timeout="20"
             path="/Admin" />
    </authentication>
  </system.web>
</configuration>
Default.aspx:
<%@ Page Language="VB" Inherits="Login" src="Default.vb" autoeventwireup="False" %>
<html>
....
</html>
Default.vb:
' Default.vb
'

Imports Microsoft.VisualBasic
Imports System
Imports System.Web
Imports System.Web.UI
Imports System.Web.UI.WebControls
Imports System.Web.UI.HtmlControls
Imports System.Web.Security
Imports System.Data
Imports System.Data.OleDb
Imports System.Data.SqlClient

Public Class Login
    'For PostBack
    Inherits Page

    'Declare web objects
    Protected pnlLogin as Panel
    Protected pnlInvalidLogin as Panel
    Protected txtLoginID as TextBox
    Protected txtPassword as TextBox
    Protected WithEvents btnLogin as Button

    'global connection string for class
    '(database credentials are embedded in source here; they belong in a
    'protected configuration file, not in a compiled page class)
    Private ConnString as String = "Data Source=SOLOMON4;Initial Catalog=Incident;User ID=Incident;Password=tech"

    'Initialize web page with Page_Load
    Private Sub Page_Load(sender as Object, e as EventArgs) Handles MyBase.Load

        If Me.IsPostBack = False Then

            Initialize()

        End If

    End Sub

    Private Sub Initialize()

        pnlInvalidLogin.Visible = False
        pnlLogin.Visible = True
    End Sub

    Private Function Validated(ByVal Usr as String, ByVal Pwd as String) as Boolean
        'Declare objects
        Dim conn as New SqlConnection
        Dim cmd as New SqlCommand
        Dim dreader as SqlDataReader

        'Initialize values: fetch only this user's row with a parameterized
        'query instead of SELECT * over the whole table and a loop in VB
        conn.ConnectionString = ConnString
        cmd.Connection = conn
        cmd.CommandText = "SELECT Password FROM Admin WHERE LoginName = @LoginName"
        cmd.Parameters.Add("@LoginName", SqlDbType.NVarChar, 50).Value = Usr

        Validated = False

        Try
            'Open connection and read the matching row, if any
            conn.Open()
            dreader = cmd.ExecuteReader()

            'No row means an unknown login name. Without this check, reading
            'dreader("Password") after the reader is exhausted throws, and the
            'Catch below turns that into a silent failure.
            If dreader.Read() Then
                'validate password: compare exactly. UCase() on both sides makes
                'the check case-insensitive and weakens the password.
                If String.CompareOrdinal(dreader("Password").ToString(), Pwd) = 0 Then
                    Validated = True
                End If
            End If

            dreader.Close()

        Catch err as Exception
            'To err is human...Bail-out!!
            Validated = False
        Finally
            'Clean up
            conn.Close()
        End Try
    End Function

    'Event Handlers
    Private Sub btnLogin_Click(sender as Object, e as EventArgs) Handles btnLogin.Click

        If Validated(txtLoginID.Text, txtPassword.Text) Then
            'Redirect to admin.aspx page
            '(Response.Redirect issues no forms-authentication ticket, so with
            '<deny users="?"/> in force admin.aspx sends the browser straight
            'back to this login page.)
            Response.Redirect("admin.aspx")
        Else
            'unsuccessful login
            pnlInvalidLogin.Visible = True
            pnlLogin.Visible = False
        End If

    End Sub

End Class

Admin.aspx:
<%@ Page Language="VB" Inherits="Admin" src="Admin.vb" autoeventwireup="False" %>
<html>
....
</html>

Admin.vb:
' Admin.vb
'

Imports Microsoft.VisualBasic
Imports System
Imports System.Web
Imports System.Web.UI
Imports System.Web.UI.WebControls
Imports System.Web.UI.HtmlControls
Imports System.Web.Security
Imports System.Data
Imports System.Data.OleDb
Imports System.Data.SqlClient

Public Class Admin
    'For PostBack
    Inherits Page

    Private Sub Page_Load(sender as Object, e as EventArgs) Handles MyBase.Load

        'Not sure what to put in here!

    End Sub

    ....

End Class

Nov 19 '05 #1
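An added example (editor's code, not from the original post) of what the credential check itself should look like. It assumes the Admin table has been migrated from a clear-text Password column to a per-user salt and a PBKDF2 hash: the columns PasswordSalt and PasswordHash (NOT NULL), the iteration count, and the class and method names below are all this example's assumptions, as is VB 2005 / .NET 2.0 or later. It fetches only the requested user's row with a parameterized query, compares the derived hash in fixed time, and for an unknown login name still runs the derivation against a dummy salt so response time does not reveal which names exist.

```vbnet
' Added example: credential check against a salted PBKDF2 hash.
' Assumes (not from the original post) an Admin table with columns
'   LoginName nvarchar(50), PasswordSalt varbinary(16) NOT NULL,
'   PasswordHash varbinary(32) NOT NULL
' populated by the Provision helper below.
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Cryptography

Public Class AdminCredentials

    ' PBKDF2 parameters (assumed values; raise Iterations as hardware allows).
    Private Const Iterations As Integer = 10000
    Private Const SaltLength As Integer = 16
    Private Const HashLength As Integer = 32

    ' Derive the hash for a password and salt (PBKDF2-HMAC-SHA1 in .NET 2.0).
    Public Shared Function DeriveHash(ByVal password As String, ByVal salt As Byte()) As Byte()
        Dim kdf As New Rfc2898DeriveBytes(password, salt, Iterations)
        Return kdf.GetBytes(HashLength)
    End Function

    ' Compare two byte arrays without stopping at the first mismatch, so
    ' timing does not reveal how many leading bytes matched.
    Public Shared Function FixedTimeEquals(ByVal a As Byte(), ByVal b As Byte()) As Boolean
        If a Is Nothing OrElse b Is Nothing OrElse a.Length <> b.Length Then
            Return False
        End If
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    ' Produce a fresh salt and hash and store a new admin account.
    Public Shared Sub Provision(ByVal connString As String, ByVal loginName As String, ByVal password As String)
        Dim salt(SaltLength - 1) As Byte
        Dim rng As New RNGCryptoServiceProvider()
        rng.GetBytes(salt)
        Dim hash As Byte() = DeriveHash(password, salt)

        Using conn As New SqlConnection(connString)
            Using cmd As New SqlCommand( _
                "INSERT INTO Admin (LoginName, PasswordSalt, PasswordHash) " & _
                "VALUES (@LoginName, @Salt, @Hash)", conn)
                cmd.Parameters.Add("@LoginName", SqlDbType.NVarChar, 50).Value = loginName
                cmd.Parameters.Add("@Salt", SqlDbType.VarBinary, SaltLength).Value = salt
                cmd.Parameters.Add("@Hash", SqlDbType.VarBinary, HashLength).Value = hash
                conn.Open()
                cmd.ExecuteNonQuery()
            End Using
        End Using
    End Sub

    ' Replacement for the original Validated(): one parameterized lookup,
    ' no SELECT *, no case folding, and a fixed-time hash comparison.
    Public Shared Function Validated(ByVal connString As String, ByVal loginName As String, ByVal password As String) As Boolean
        Dim storedSalt As Byte() = Nothing
        Dim storedHash As Byte() = Nothing

        Using conn As New SqlConnection(connString)
            Using cmd As New SqlCommand( _
                "SELECT PasswordSalt, PasswordHash FROM Admin WHERE LoginName = @LoginName", conn)
                cmd.Parameters.Add("@LoginName", SqlDbType.NVarChar, 50).Value = loginName
                conn.Open()
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    ' Unknown user: both arrays stay Nothing and we fall through.
                    If reader.Read() Then
                        storedSalt = DirectCast(reader("PasswordSalt"), Byte())
                        storedHash = DirectCast(reader("PasswordHash"), Byte())
                    End If
                End Using
            End Using
        End Using

        ' Unknown login name: still run the derivation against a dummy salt so
        ' a failed login takes about the same time either way, then reject.
        If storedSalt Is Nothing Then
            DeriveHash(password, New Byte(SaltLength - 1) {})
            Return False
        End If

        Return FixedTimeEquals(DeriveHash(password, storedSalt), storedHash)
    End Function

End Class
```

Provision is run once per administrator (from a small setup page or script) to replace the clear-text passwords; after that the login page calls AdminCredentials.Validated(ConnString, txtLoginID.Text, txtPassword.Text) in place of the original Validated.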
Hi,

Basically, ASP.NET Forms Authentication works according to the
following logic:

User tries to access a web page, e.g. admin.aspx → web
server checks the user; if not authorized → redirect to the
login page, in your case default.aspx, and add a query
string ReturnUrl=/admin/admin.aspx for the later return.

In the login page's btnLogin_Click, use the following code:

Dim uid As String = txtUid.Text
Dim pwd As String = txtPws.Text
If Validated(uid, pwd) Then
    'Issues the forms-authentication ticket (non-persistent cookie)
    'and redirects to the ReturnUrl
    FormsAuthentication.RedirectFromLoginPage(uid, False)
Else
    ' ...
End If

This will automatically redirect to admin.aspx, or whichever other
page the user tried to access.

Hope it's helpful to you,

Elton Wang
el********@hotmail.com
Nov 19 '05 #2
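The round trip the reply describes, as an added example (editor's code, not Elton's or the original post's). The original btnLogin_Click calls Response.Redirect("admin.aspx") without ever issuing a forms-authentication ticket, so with <deny users="?"/> in force admin.aspx immediately bounces the browser back to the login page. RedirectFromLoginPage issues the ticket and follows the ReturnUrl query parameter; this example does the equivalent with SetAuthCookie plus an explicit check that ReturnUrl is a path on this site, because that parameter arrives from the browser and a crafted link could point it off-site. It assumes the Admin folder's Web.config has <authentication mode="Forms"> and <authorization><deny users="?"/></authorization> inside <system.web>. The control names txtLoginID, txtPassword, btnLogin and pnlInvalidLogin are the original post's; the in-memory Validated stand-in, SafeReturnUrl, btnLogout and lblUser are this example's assumptions.

```vbnet
' Added example: forms-authentication login, return-URL check, admin guard
' and sign-out. Assumes the Admin folder's Web.config carries
' <authentication mode="Forms"> and <deny users="?"/> inside <system.web>.
Imports System
Imports System.Web
Imports System.Web.Security
Imports System.Web.UI
Imports System.Web.UI.WebControls

' Login page (default.aspx code-behind).
Public Class Login
    Inherits Page

    Protected txtLoginID As TextBox
    Protected txtPassword As TextBox
    Protected pnlInvalidLogin As Panel
    Protected WithEvents btnLogin As Button

    ' Only follow a ReturnUrl that is a path on this site. A site-local
    ' path starts with a single "/"; "//host" and "/\host" are treated by
    ' browsers as protocol-relative absolute URLs and must be rejected.
    Public Shared Function SafeReturnUrl(ByVal returnUrl As String, ByVal fallback As String) As String
        If String.IsNullOrEmpty(returnUrl) Then Return fallback
        If returnUrl.StartsWith("/") AndAlso Not returnUrl.StartsWith("//") _
           AndAlso Not returnUrl.StartsWith("/\") Then
            Return returnUrl
        End If
        Return fallback
    End Function

    ' Constructed stand-in for the database check so the example runs
    ' without SQL Server: one sample account, compared ordinally. Not the
    ' original post's Validated(); swap in the real credential lookup here.
    Private Function Validated(ByVal user As String, ByVal pwd As String) As Boolean
        Return String.CompareOrdinal(user, "admin") = 0 AndAlso _
               String.CompareOrdinal(pwd, "correct horse battery staple") = 0
    End Function

    Private Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnLogin.Click
        If Validated(txtLoginID.Text, txtPassword.Text) Then
            ' Issue the forms-authentication ticket as a session cookie
            ' (createPersistentCookie = False), then send the browser back to
            ' the page it originally asked for, or to admin.aspx by default.
            FormsAuthentication.SetAuthCookie(txtLoginID.Text, False)
            Response.Redirect(SafeReturnUrl(Request.QueryString("ReturnUrl"), "admin.aspx"))
        Else
            pnlInvalidLogin.Visible = True
        End If
    End Sub
End Class

' Admin page (admin.aspx code-behind). With <deny users="?"/> in the Admin
' folder's Web.config, ASP.NET has already redirected anonymous requests to
' the login page before Page_Load runs; the check here is a second line of
' defence and gives the page the authenticated user's name from the ticket.
Public Class Admin
    Inherits Page

    Protected lblUser As Label
    Protected WithEvents btnLogout As Button

    Private Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles MyBase.Load
        If Not User.Identity.IsAuthenticated Then
            FormsAuthentication.RedirectToLoginPage()
            Return
        End If
        ' The name comes from the ticket, not from user input, but encode
        ' it anyway before writing it into the page.
        lblUser.Text = Server.HtmlEncode(User.Identity.Name)
    End Sub

    Private Sub btnLogout_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnLogout.Click
        ' Remove the ticket cookie and drop the user back on the login page.
        FormsAuthentication.SignOut()
        FormsAuthentication.RedirectToLoginPage()
    End Sub
End Class
```

The timeout="20" in the posted Web.config bounds the ticket's lifetime; because SetAuthCookie is called with createPersistentCookie set to False, closing the browser also discards it.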
