Forms Authentication Security questions...
From: Elton Wang (elton_at_discussions.microsoft.com)
Date: 01/07/05
- Next message: bruce barker: "Re: Event Log Entry - excess info"
- Previous message: Beren: "Duplicate fieldnames in Datareader"
- In reply to: The Eeediot: "Forms Authentication Security questions..."
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 7 Jan 2005 10:11:07 -0800
Hi,
Basically ASP.NET Forms Authentication follows this logic:
User tries to access a web page, e.g. admin.aspx → Web Server checks the user; if not authorized → redirect to Login page, in your case default.aspx, and add a query string ReturnUrl=/admin/admin.aspx for later return.
In the login page's btnLogin_Click, use the following code:
    Dim uid As String = txtUid.Text
    Dim pwd As String = txtPws.Text
    If Validated(uid, pwd) Then
        ' Issues the Forms authentication ticket (non-persistent cookie)
        ' and redirects to the page named in the ReturnUrl query string
        FormsAuthentication.RedirectFromLoginPage(uid, False)
    Else
        ' ...
    End If
This will automatically redirect to admin.aspx, or whatever other page the user tried to access.
Hope it's helpful to you,
Elton Wang
elton_wang@hotmail.com
>-----Original Message-----
>Hello, ASP.NET gurus!
>
> I have read many pages on setting up a login screen
to access a number of web pages using Forms Authentication
and I am still trying to wrap my brain around the whole
thing. However, I know that my knowledge on this topic
has a few gaping holes ('cause it still ain't working!).
I am going to present my code and explain what I am trying
to accomplish then, hopefully, you'll respond with some
helpful suggestions.
>
>:)
>
> The pages are in a folder called "Admin" and will be accessed through the company's Intranet by the path http://servername/admin/ . The page default.aspx handles the login and verification process and is supposed to move the user to the next page on a successful login.
>
> default.aspx → (successful login) → admin.aspx
>
> The code to verify the login seems to work when
accessing the database, etc. However, when I add the lines
(I think I need) in the Web.Config file I get a runtime
error but I can't see what the problem is because the
details are blocked.
>
>Any suggestions / comments?
>TIA...
>
>Here's the code:
>
>Web.Config:
><!-- Web.Config Configuration File -->
>
><configuration>
>  <system.web>
>    <customErrors mode="Off"/>
>  </system.web>
>
>  <authorization>
>    <deny users="?" />
>  </authorization>
>
>  <authentication mode="Forms">
>    <forms name="Admin"
>           loginURL="default.aspx"
>           protection="All"
>           timeout="20"
>           path="/Admin" />
>  </authentication>
>
></configuration>
>
>
>Default.aspx:
><%@ Page Language="VB" Inherits="Login" src="Default.vb" autoeventwireup="False" %>
><html>
>....
></html>
>
>
>Default.vb:
>' Default.vb
>'
>
>Imports Microsoft.VisualBasic
>Imports System
>Imports System.Web
>Imports System.Web.UI
>Imports System.Web.UI.WebControls
>Imports System.Web.UI.HtmlControls
>Imports System.Web.Security
>Imports System.Data
>Imports System.Data.OleDb
>Imports System.Data.SqlClient
>
>Public Class Login
>    'For PostBack
>    Inherits Page
>
>    'Declare web objects
>    Protected pnlLogin As Panel
>    Protected pnlInvalidLogin As Panel
>    Protected txtLoginID As TextBox
>    Protected txtPassword As TextBox
>    Protected WithEvents btnLogin As Button
>
>    'global connection string for class
>    Private ConnString As String = "Data Source=SOLOMON4;Initial Catalog=Incident;User ID=Incident;Password=tech"
>
>    'Initialize web page with Page_Load
>    Private Sub Page_Load(sender As Object, e As EventArgs) Handles MyBase.Load
>
>        If Me.IsPostBack = False Then
>
>            Initialize()
>
>        End If
>
>    End Sub
>
>    Private Sub Initialize()
>
>        pnlInvalidLogin.Visible = False
>        pnlLogin.Visible = True
>    End Sub
>    Private Function Validated(ByVal Usr As String, ByVal Pwd As String) As Boolean
>        'Declare objects
>        Dim conn As New SqlConnection
>        Dim cmd As New SqlCommand
>        Dim dreader As SqlDataReader = Nothing
>        Dim found As Boolean = False
>
>        'Initialize values
>        conn.ConnectionString = ConnString
>        cmd.Connection = conn
>        cmd.CommandText = "SELECT * FROM Admin"
>
>        Try
>            'Open connection and import information to DataReader object
>            conn.Open()
>            dreader = cmd.ExecuteReader()
>
>            'Go through table of valid admin logins until the login name matches
>            Do While dreader.Read()
>                If UCase(dreader("LoginName")) = UCase(Usr) Then
>                    found = True
>                    Exit Do
>                End If
>            Loop
>
>            'Validate password only when a matching login was found; reading the
>            'reader after the loop has run out of rows throws. Note that this is a
>            'case-insensitive comparison against the password stored in plain text.
>            If found AndAlso UCase(dreader("Password")) = UCase(Pwd) Then
>                Validated = True
>            Else
>                Validated = False
>            End If
>
>            dreader.Close()
>
>        Catch err As Exception
>            'To err is human...Bail-out!!
>            Validated = False
>        Finally
>            'Clean up
>            conn.Close()
>        End Try
>    End Function
>
>
>    'Event Handlers
>    Private Sub btnLogin_Click(sender As Object, e As EventArgs) Handles btnLogin.Click
>
>        If Validated(txtLoginID.Text, txtPassword.Text) Then
>            'Redirect to admin.aspx page
>            Response.Redirect("admin.aspx")
>        Else
>            'unsuccessful login
>            pnlInvalidLogin.Visible = True
>            pnlLogin.Visible = False
>        End If
>
>    End Sub
>
>End Class
>
>
>
>Admin.aspx:
><%@ Page Language="VB" Inherits="Admin" src="Admin.vb" autoeventwireup="False" %>
><html>
>....
></html>
>
>Admin.vb:
>' Admin.vb
>'
>
>Imports Microsoft.VisualBasic
>Imports System
>Imports System.Web
>Imports System.Web.UI
>Imports System.Web.UI.WebControls
>Imports System.Web.UI.HtmlControls
>Imports System.Web.Security
>Imports System.Data
>Imports System.Data.OleDb
>Imports System.Data.SqlClient
>
>Public Class Admin
>    'For PostBack
>    Inherits Page
>
>    Private Sub Page_Load(sender As Object, e As EventArgs) Handles MyBase.Load
>
>        'Not sure what to put in here!
>
>    End Sub
>
>....
>
>End Class
>
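For the runtime error the original poster describes when the Web.Config lines are added, the placement of the sections is the thing to check: ASP.NET only accepts <authorization> and <authentication> as children of <system.web>, and configuration attribute names are case-sensitive (loginUrl, not loginURL). The corrected file below is an added example, not code from either post; it keeps the poster's values and assumes /admin is configured as its own IIS application (otherwise the <authentication> section must live in the application root's Web.config).

```xml
<!-- Web.Config for the /admin application: corrected nesting.
     Added example; values are the poster's, only the section
     placement and the loginUrl attribute casing are changed. -->
<configuration>
  <system.web>
    <customErrors mode="Off"/>

    <!-- authorization and authentication belong under system.web.
         Placed directly under configuration, ASP.NET rejects them
         as unrecognized sections and the application fails to start,
         which also means the deny rule below is never enforced. -->
    <authorization>
      <!-- "?" is the anonymous user: unauthenticated requests to this
           folder are redirected to the Forms login page. ASP.NET
           exempts the loginUrl page itself from this check, so
           default.aspx stays reachable. -->
      <deny users="?" />
    </authorization>

    <authentication mode="Forms">
      <!-- attribute names are case-sensitive: loginUrl, not loginURL -->
      <forms name="Admin"
             loginUrl="default.aspx"
             protection="All"
             timeout="20"
             path="/Admin" />
      <!-- caveat: browsers match cookie paths case-sensitively. A ticket
           scoped to /Admin is not sent with requests to /admin/ (the
           path users type above), which shows up as a login loop. Use
           the casing actually requested, or leave path at "/". -->
    </authentication>
  </system.web>
</configuration>
```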