Forms Authentication Security questions...


The Eeediot

Hello, ASP.NET gurus!

I have read many pages on setting up a login screen to access a number of web pages using Forms Authentication and I am still trying to wrap my brain around the whole thing. However, I know that my knowledge on this topic has a few gaping holes ('cause it still ain't working!). I am going to present my code and explain what I am trying to accomplish; then, hopefully, you'll respond with some helpful suggestions.

:)

The pages are in a folder called "Admin" and will be accessed through the company's Intranet by the path http://servername/admin/. The page default.aspx handles the login and verification process and is supposed to move the user to the next page on a successful login.

default.aspx → (successful login) → admin.aspx

The code to verify the login seems to work when accessing the database, etc. However, when I add the lines (I think I need) to the Web.Config file, I get a runtime error, but I can't see what the problem is because the details are blocked.

Any suggestions / comments?
TIA...

Here's the code:

Web.Config:
<!-- Web.Config Configuration File -->

<configuration>
  <system.web>
    <customErrors mode="Off"/>
  </system.web>

  <authorization>
    <deny users="?" />
  </authorization>

  <authentication mode="Forms">
    <forms name="Admin"
           loginURL="default.aspx"
           protection="All"
           timeout="20"
           path="/Admin" />
  </authentication>

</configuration>


Default.aspx:
<%@ Page Language="VB" Inherits="Login" src="Default.vb" autoeventwireup="False" %>
<html>
....
</html>


Default.vb:
' Default.vb
'

Imports Microsoft.VisualBasic
Imports System
Imports System.Web
Imports System.Web.UI
Imports System.Web.UI.WebControls
Imports System.Web.UI.HtmlControls
Imports System.Web.Security
Imports System.Data
Imports System.Data.OleDb
Imports System.Data.SqlClient

Public Class Login
    'For PostBack
    Inherits Page

    'Declare web objects
    Protected pnlLogin As Panel
    Protected pnlInvalidLogin As Panel
    Protected txtLoginID As TextBox
    Protected txtPassword As TextBox
    Protected WithEvents btnLogin As Button

    'global connection string for class
    Private ConnString As String = "Data Source=SOLOMON4;Initial Catalog=Incident;User ID=Incident;Password=tech"

    'Initialize web page with Page_Load
    Private Sub Page_Load(sender As Object, e As EventArgs) Handles MyBase.Load

        If Me.IsPostBack = False Then

            Initialize()

        End If

    End Sub

    Private Sub Initialize()

        pnlInvalidLogin.Visible = False
        pnlLogin.Visible = True
    End Sub

    Private Function Validated(ByVal Usr As String, ByVal Pwd As String) As Boolean
        'Declare objects
        Dim conn As New SqlConnection
        Dim cmd As New SqlCommand
        Dim dreader As SqlDataReader

        'Initialize values
        conn.ConnectionString = ConnString
        cmd.Connection = conn
        cmd.CommandText = "SELECT * FROM Admin"

        'Assume failure until a matching login with the right password is found
        Validated = False

        Try
            'Open connection and import information to DataReader object
            conn.Open()
            dreader = cmd.ExecuteReader()

            'Go through table of valid admin logins
            Do While dreader.Read()
                If UCase(dreader("LoginName")) = UCase(Usr) Then
                    'validate password for the matching login only
                    '(reading the Password column after the loop has run out of rows would throw)
                    If UCase(dreader("Password")) = UCase(Pwd) Then
                        Validated = True
                    End If
                    Exit Do
                End If
            Loop

            dreader.Close()

        Catch err As Exception
            'To err is human...Bail-out!!
            Validated = False
        Finally
            'Clean up
            conn.Close()
        End Try
    End Function


    'Event Handlers
    Private Sub btnLogin_Click(sender As Object, e As EventArgs) Handles btnLogin.Click

        If Validated(txtLoginID.Text, txtPassword.Text) Then
            'Redirect to admin.aspx page
            Response.Redirect("admin.aspx")
        Else
            'unsuccessful login
            pnlInvalidLogin.Visible = True
            pnlLogin.Visible = False
        End If

    End Sub

End Class



Admin.aspx:
<%@ Page Language="VB" Inherits="Admin" src="Admin.vb" autoeventwireup="False" %>
<html>
....
</html>

Admin.vb:
' Admin.vb
'

Imports Microsoft.VisualBasic
Imports System
Imports System.Web
Imports System.Web.UI
Imports System.Web.UI.WebControls
Imports System.Web.UI.HtmlControls
Imports System.Web.Security
Imports System.Data
Imports System.Data.OleDb
Imports System.Data.SqlClient

Public Class Admin
    'For PostBack
    Inherits Page

    Private Sub Page_Load(sender As Object, e As EventArgs) Handles MyBase.Load

        'Not sure what to put in here!

    End Sub

    ....

End Class
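The same Web.Config laid out as ASP.NET expects it, as an added example rather than the poster's file: <authorization> and <authentication> belong inside <system.web>, and the attribute is loginUrl (Web.config attribute names are case-sensitive); the comments note the settings a reviewer would look at.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Off shows full stack traces to every client on the intranet;
         RemoteOnly still shows them when browsing on the server itself,
         which is enough for debugging and leaks nothing to other users. -->
    <customErrors mode="RemoteOnly"/>

    <!-- Both sections must be children of system.web. Placed directly under
         configuration they raise an "Unrecognized configuration section"
         error at startup, which is the runtime error described above. -->
    <authentication mode="Forms">
      <!-- loginUrl:   attribute names are case-sensitive; loginURL is rejected.
           protection: "All" encrypts and signs (MACs) the ticket cookie.
           timeout:    minutes of validity for the ticket.
           path:       browsers match cookie paths case-sensitively, so
                       "/Admin" is not sent back when the site is opened as
                       /admin/; keep "/" unless the casing always matches. -->
      <forms name="Admin"
             loginUrl="default.aspx"
             protection="All"
             timeout="20"
             path="/" />
    </authentication>

    <authorization>
      <!-- "?" is the anonymous user. The page named in loginUrl stays
           reachable; every other page in this application needs a ticket. -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```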
 

Elton Wang

Hi,

Basically, ASP.NET Forms Authentication works in the
following way:

The user tries to access a web page, e.g. admin.aspx → the web
server checks the user; if not authorized → redirect to the
login page, in your case default.aspx, and add a query
string ReturnUrl=/admin/admin.aspx for the later return.

In the login page's btnLogin_Click, use the following code:

Dim uid As String = txtUid.Text
Dim pwd As String = txtPws.Text
If Validated(uid, pwd) Then
    FormsAuthentication.RedirectFromLoginPage(uid, False)
Else
    ' ...
End If

This will automatically redirect to admin.aspx, or to whichever
other page the user tried to access.

Hope it's helpful to you,

Elton Wang
(e-mail address removed)
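The reply's advice combined with a safer version of the poster's Validated, as an added example and not code from either post: the lookup is a parameterized query for the one matching row instead of SELECT * over the whole table, the password is compared case-sensitively, and the redirect goes through FormsAuthentication so the ticket cookie is issued and ReturnUrl is honoured. Control and column names are the poster's; the "IncidentDb" appSettings key is an assumption.

```vb
Imports System
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web.Security
Imports System.Web.UI
Imports System.Web.UI.WebControls

Public Class Login
    Inherits Page
    Protected pnlLogin As Panel
    Protected pnlInvalidLogin As Panel
    Protected txtLoginID As TextBox
    Protected txtPassword As TextBox
    Protected WithEvents btnLogin As Button

    ' Credentials stay out of the source; "IncidentDb" is an assumed <appSettings> key.
    Private ReadOnly ConnString As String = ConfigurationSettings.AppSettings("IncidentDb")

    ' Fetches only the row for this login; the name travels as a parameter, never as SQL text.
    Private Function Validated(ByVal usr As String, ByVal pwd As String) As Boolean
        Dim conn As New SqlConnection(ConnString)
        Dim cmd As New SqlCommand("SELECT Password FROM Admin WHERE LoginName = @user", conn)
        cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = usr
        Try
            conn.Open()
            Dim stored As Object = cmd.ExecuteScalar()
            If stored Is Nothing OrElse stored Is DBNull.Value Then
                Return False   ' unknown login fails exactly like a wrong password
            End If
            ' Ordinal compare: UCase on both sides would make "Secret" and "SECRET" equal.
            ' (The poster's table holds the password itself; a salted hash is the next step.)
            Return String.CompareOrdinal(CStr(stored), pwd) = 0
        Catch ex As SqlException
            Return False       ' database trouble never grants access
        Finally
            conn.Close()
        End Try
    End Function

    Private Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnLogin.Click
        If Validated(txtLoginID.Text, txtPassword.Text) Then
            ' Issues the encrypted, signed "Admin" ticket cookie and sends the browser to
            ' ReturnUrl (admin.aspx here). False = session cookie, not persisted on disk.
            FormsAuthentication.RedirectFromLoginPage(txtLoginID.Text, False)
        Else
            pnlInvalidLogin.Visible = True
            pnlLogin.Visible = False
        End If
    End Sub
End Class
```

When there is no ReturnUrl (the user opened the login page directly), RedirectFromLoginPage falls back to default.aspx in .NET 1.x (or to the defaultUrl attribute of <forms> in 2.0 and later), which on this site is the login page itself; giving the login page another name, say login.aspx, avoids landing back on the form.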