
aspx security?

Sam
I have successfully created authentication via web.config; however, I
discovered some security issues as follows:

1. ASPX Security
I have a web application built with ASP.NET, and it consists of the following sections:
i. Administration
ii. Attendance
iii. Reporting

Each section has its own authorised users, and they should not cross over.
For example, User A can log in to Administration but cannot access Attendance and
Reporting. How do I control it? Please help.

2. Login Security
How long does web.config allow a user to access the web application? How does an aspx file
check whether the user can still access it or not?
Please find the web.config and login.aspx files below.

<!-- Web.Config Configuration File -->
<configuration>
  <appSettings>
    <add key="ConnectionString"
         value="server=KULSQL01;database=Payroll;uid=payroll;pwd=pay88;" />
  </appSettings>
  <system.web>
    <compilation debug="true" />
    <authentication mode="Forms">
      <forms name="Intranet" loginUrl="authentication.aspx"
             protection="All" path="/" timeout="20"/>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
    <customErrors mode="Off" />
  </system.web>
</configuration>

<!-- Login Authentication File -->
<%@ Page Language="VB" %>
<%@ import Namespace="System" %>
<%@ import Namespace="System.Configuration" %>
<%@ import Namespace="System.Data" %>
<%@ import Namespace="System.Data.OleDB" %>
<%@ import Namespace="System.Data.SqlClient" %>
<%@ import Namespace="System.Data.SqlTypes" %>
<%@ import Namespace="System.Web.Security" %>
<script runat="server">

    Sub defaultpage(Sender As Object, e As EventArgs)
        Response.Redirect("default.aspx")
    End Sub

    Sub authenticate(Sender As Object, e As EventArgs)
        Dim con As New SqlConnection(ConfigurationSettings.AppSettings("ConnectionString"))

        Dim cmd As New SqlCommand()
        ' The username is bound as a parameter instead of being concatenated
        ' into the SQL text, so form input cannot change the query.
        cmd.CommandText = "Select * from authentication where username = @username"
        cmd.Parameters.Add("@username", SqlDbType.NVarChar).Value = txtUsername.Text
        cmd.Connection = con

        Try
            con.Open()

            Dim FlagAuthentication

            FlagAuthentication = "N"

            Dim rd As SqlDataReader = cmd.ExecuteReader()

            While rd.Read()
                If rd("password").ToString = txtPassword.Text Then
                    ' Issues the forms authentication ticket (non-persistent cookie)
                    FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, False)
                    FlagAuthentication = "Y"
                    Response.Redirect("payroll.aspx")
                Else
                    Response.Redirect("warning.aspx")
                End If
            End While

            rd.Close()

            ' No row matched the username
            If FlagAuthentication = "N" Then
                Response.Redirect("warning.aspx")
            End If

        Finally
            con.Close()
        End Try
    End Sub

</script>
Nov 19 '05 #1
I successfully developed an app using role-based forms authentication by
using the techniques outlined in these articles:
http://support.microsoft.com/default...b;en-us;311495
http://www.4guysfromrolla.com/webtech/121901-1.2.shtml

Here is another article you may find useful as well:
http://www.eggheadcafe.com/articles/20020906.asp
--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net

Nov 19 '05 #2
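
Added example, not part of the original thread or of the linked articles: the posted web.config only denies anonymous users (`<deny users="?"/>`), so every logged-in user can reach every section. The sketch below restricts each of the three sections from the question with a `<location>` block. It assumes each section lives in a subfolder of the same name, that the role names match the section names, and that the application attaches role names to the authenticated principal on each request (not shown).

```xml
<!-- Added example. Folder names and role names are assumptions. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- timeout is in minutes: the ticket stops being accepted 20 minutes
           after it was issued (or last renewed, with sliding expiration) -->
      <forms name="Intranet" loginUrl="authentication.aspx"
             protection="All" path="/" timeout="20" />
    </authentication>
    <authorization>
      <!-- Site-wide default: anonymous users are sent to the login page -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Rules are evaluated top-down and the first match wins, so the
       allow line must come before the catch-all deny. -->
  <location path="Administration">
    <system.web>
      <authorization>
        <allow roles="Administration" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="Attendance">
    <system.web>
      <authorization>
        <allow roles="Attendance" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="Reporting">
    <system.web>
      <authorization>
        <allow roles="Reporting" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

ASP.NET checks the ticket and these rules on every request, so individual pages need no access check of their own; a request carrying an expired ticket is treated as anonymous and redirected to `loginUrl`.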
