Problem with C# Web Authentication Library


Carlo Razzeto

Hello, I'm currently working on a small web project for myself. It's a
simple check book balancing web page for me. Anyway, as part of the project I
am working on a general web library called lib_web. In the lib_web namespace I
have a nested namespace called authentication which has a class web_auth that
has 2 static methods, one of which is called authenticate, which is the one
I'm having a problem with. The problem is, when I try to redirect "the user" to
the menu page I get the following exception:

There has been an error on page: default.aspx
Exception:
System.Threading.ThreadAbortException: Thread was being aborted.
at System.Threading.Thread.AbortInternal()
at System.Threading.Thread.Abort(Object stateInfo)
at System.Web.HttpResponse.End()
at System.Web.HttpResponse.Redirect(String url, Boolean endResponse)
at checkbook.WebForm1.Page_Load(Object sender, EventArgs e) in
c:\inetpub\wwwroot\finance\checkbook\default.aspx.cs:line 32
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Here is the code from lib_web.authentication.web_auth.authenticate():

// Namespaces this method depends on:
using System.Data.SqlClient;
using System.Web;
using System.Web.SessionState;

public static bool authenticate(string dbase, HttpSessionState Session,
                                HttpRequest Request)
{
    // Connection string with the credentials hard-coded in the source.
    string ConnectionString = "Data Source=(local); User=sa; " +
                              "Password=Oper64Hammer; Initial Catalog=" + dbase;

    // using blocks dispose the connection, command and reader on every
    // return path (the original only disposed them when the login succeeded).
    using (SqlConnection SQLConnection = new SqlConnection(ConnectionString))
    using (SqlCommand Command = new SqlCommand("", SQLConnection))
    {
        SQLConnection.Open();

        // Inline SQL text built by concatenating the posted user name.
        Command.CommandText = "SELECT * FROM Users WHERE user_name = '" +
                              Request.Form["username"] + "'";

        using (SqlDataReader Reader = Command.ExecuteReader())
        {
            if (Reader.Read())
            {
                // Plain-text comparison of the stored and posted passwords.
                if ((string) Reader["password"] == (string) Request.Form["password"])
                {
                    Session.Add("user_id", Reader["user_id"]);
                    return true;
                }
            }
        }
    }
    return false;
}

Here is the code for the web page calling the method:

// EvntLog (an EventLog) and Current_Page (the page name) are fields of the
// page class that are not shown here.
if (Request.Form["username"] != null)
{
    try
    {
        if (web_auth.authenticate("Checking_Account", Session, Request))
        {
            // endResponse == true: Redirect calls Response.End(), which
            // aborts the request thread.
            Response.Redirect("./menu.aspx", true);
        }
        else
        {
            Response.Redirect("./login.error.html", true);
        }
    }
    catch(Exception ex)
    {
        EvntLog.WriteEntry("There has been an error on page: " + Current_Page +
                           "\nException:\n" + ex.ToString(),
                           EventLogEntryType.Error);
        EvntLog.Dispose();
        Response.Redirect("site_error.aspx?page=" + Current_Page);
    }
}

Sherif ElMetainy

Hello

There is no problem. Response.Redirect(url, true) does call Thread.Abort in
order to end the response and stop processing the current page, and
Thread.Abort throws a ThreadAbortException. This is the way
Response.Redirect works. ThreadAbortException is special in that when it is
caught it is rethrown unless you call Thread.ResetAbort. So you can catch
ThreadAbortException and ignore it.

So your code should look like this:
try
{
    // your code here
}
catch(ThreadAbortException)
{
    // Do nothing
}
catch(Exception ex)
{
    // handle other exceptions here
}

Best regards,
Sherif
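Sherif's suggestion applied to Carlo's Page_Load, as an added example that is not code from either post. It assumes the EvntLog field, the Current_Page field and the lib_web.authentication namespace from the original post; ending the error-path response with CompleteRequest() instead of a second Response.End() is my addition.

```csharp
using System;
using System.Diagnostics;
using System.Threading;
using System.Web;
using lib_web.authentication;   // assumed: the namespace holding web_auth

public partial class WebForm1 : System.Web.UI.Page
{
    private EventLog EvntLog;                       // assumed: opened elsewhere in the page
    private string Current_Page = "default.aspx";   // assumed: page name used in log entries

    protected void Page_Load(object sender, EventArgs e)
    {
        if (Request.Form["username"] == null)
            return;                                 // nothing posted yet: show the form

        try
        {
            bool ok = web_auth.authenticate("Checking_Account", Session, Request);

            // endResponse == true makes Redirect call Response.End(), which
            // aborts the request thread. The ThreadAbortException that
            // follows is the normal outcome of this line, not an error.
            Response.Redirect(ok ? "./menu.aspx" : "./login.error.html", true);
        }
        catch (ThreadAbortException)
        {
            // Expected after a completed Redirect. The runtime rethrows it at
            // the end of this block unless Thread.ResetAbort() is called, so
            // there is nothing to log and nothing else to do.
        }
        catch (Exception ex)
        {
            // Real failures (database down, bad connection string, ...) land here.
            EvntLog.WriteEntry("There has been an error on page: " + Current_Page +
                               "\nException:\n" + ex, EventLogEntryType.Error);

            // endResponse == false avoids a second thread abort from inside
            // the handler; CompleteRequest() skips the rest of the pipeline.
            Response.Redirect("site_error.aspx?page=" + Current_Page, false);
            Context.ApplicationInstance.CompleteRequest();
        }
    }
}
```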


Guest

Hi Carlo,

There are a few problems initially from a security point of view. By using the inline SQL Statement you can possibly suffer performance issues along with SQL Injection attacks. My choice would be to use stored procedures instead of the text statement. (i.e. form your own SQL Command and assign it SQLParameters)

In regards to the Response.Redirect, you should also try the command Server.Transfer("page.aspx").

Cheers
Jonathan Rucker
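The parameterised version of Carlo's authenticate() that Jonathan's reply points at, as an added example that is not code from either post. The query shape and the Users columns come from the original post; the stored-procedure name usp_GetUserByName in the comment is an assumption, and the sa password from the post is replaced by a placeholder.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.SessionState;

public static class web_auth
{
    public static bool authenticate(string dbase, HttpSessionState Session,
                                    HttpRequest Request)
    {
        // Same connection string as the post, credentials replaced by a placeholder.
        string ConnectionString = "Data Source=(local); User=sa; " +
            "Password=<PLACEHOLDER>; Initial Catalog=" + dbase;

        // The statement text is fixed; the user name only ever arrives as a
        // typed parameter, so a quote in it is data, not part of the SQL.
        const string sql =
            "SELECT user_id, password FROM Users WHERE user_name = @name";

        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 64).Value =
                Request.Form["username"] ?? string.Empty;

            // Jonathan's stored-procedure variant uses the same parameter:
            //   cmd.CommandText = "usp_GetUserByName";   // assumed name
            //   cmd.CommandType = CommandType.StoredProcedure;

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!reader.Read())
                    return false;                       // unknown user name

                // Password comparison kept as in the original post.
                if ((string) reader["password"] != Request.Form["password"])
                    return false;                       // wrong password

                Session["user_id"] = reader["user_id"];
                return true;
            }
            // connection, command and reader are disposed on every path
        }
    }
}
```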

