Asp login authentication problems


Assimalyst

Hi,

I am creating a website where I want to allow some webforms to be
accessible to all users, and those in a subdirectory available only to
authenticated users.

I have created a script to authenticate users from a stored SQL
database from a login page, login.aspx.

private void Submit1_ServerClick(object sender, System.EventArgs e)
{
    if(Page.IsValid)
    {
        string redirect = "Forms//UserHome.aspx";

        if(ValidateUser(usernameTxtBx.Text.Trim(),
                        passwordTxtBx.Text.Trim()))
        {
            // Create Cookie
            HttpCookie YLCcookie = new HttpCookie("username");
            YLCcookie.Value = usernameTxtBx.Text + ", " + passwordTxtBx.Text;
            YLCcookie.Expires = DateTime.Now.AddDays(1);
            Response.Cookies.Add(YLCcookie);

            // Redirect the user to UserHome.aspx
            Response.Redirect(redirect);
        }
        else
        {
            messageLbl.Text = "Invalid Login, please try again.";
        }
    }
}

private bool ValidateUser(string txtUser, string txtPass)
{
    // Declare conn from Web.Config
    SqlConnection conn = new
        SqlConnection(ConfigurationSettings.AppSettings["strConn"]);
    // Access Stored Procedure
    SqlCommand cmd = new SqlCommand("proc_ValidateUser", conn);
    cmd.CommandType = CommandType.StoredProcedure;
    // Create Parameters
    SqlParameter objParam1;
    SqlParameter objParam2;
    SqlParameter returnParam;

    objParam1 = cmd.Parameters.Add("@usrName", SqlDbType.NVarChar);
    objParam2 = cmd.Parameters.Add("@usrPassword", SqlDbType.NVarChar);
    returnParam = cmd.Parameters.Add("@Num_of_User", SqlDbType.Int);

    // Set the direction of the parameters
    objParam1.Direction = ParameterDirection.Input;
    objParam2.Direction = ParameterDirection.Input;
    returnParam.Direction = ParameterDirection.ReturnValue;

    // Set the values of the parameters
    objParam1.Value = txtUser;
    objParam2.Value = txtPass;

    try
    {
        if(conn.State.Equals(ConnectionState.Closed))
        {
            conn.Open();
        }
        // Run the procedure; its return value lands in returnParam
        cmd.ExecuteNonQuery();
        if((int)returnParam.Value < 1)
        {
            messageLbl.Text = "Invalid Login.";
            return false;
        }
        else
        {
            return true;
        }
    }
    catch (Exception ex)
    {
        messageLbl.Text = ex + "Error connecting to database. Please try again later.";
        return false;
    }
    finally
    {
        // Ensures connection has closed
        conn.Close();
    }
}

This works ok.

If the user is not registered, there is a link on login.aspx to
AddUser.aspx, allowing for registration. Both these pages should be
accessible to all users.

However, I have a number of forms in a subdirectory, WebForms, that I
want to be accessible only if the user is logged in. The script above
does this and works with regard to navigation within the site. However,
if a person were to bookmark one of the secure forms, currently they are
able to navigate to it without logging in.

I have edited the Web.Config file as follows:

<authentication mode="Forms">
    <forms name="YLCcookie" loginUrl="login.aspx"
           protection="All" path="/" />
</authentication>

<authorization>
    <allow users="*" /> <!-- Allow all users -->
</authorization>

This allows all users access to login.aspx and AddUser.aspx; this works
fine.

I have then added a new section on the end of the Web.Config file as
follows:

<location path="WebForms">
    <system.web>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
</location>

This stops all unauthenticated users from accessing the forms in the
WebForms subdirectory, as I wanted. Currently, however, it also stops
authenticated users too.

Do I need to add <allow users= . . . > to this section, or should the
cookie in the submit script work in its place? If I do need to add an
<allow users= . . . > section, how can I securely do this from the user
login data stored in the SQL database?

Thanks for your time in reading this far, I know it's a lengthy one,
but thought I'd best give as much info as possible as I'm not wholly
sure where the problem lies.

Thanks again.
 

Brock Allen

Unrelated to your web.config question, why are you issuing the cookie manually?
This can be done for you by FormsAuthentication.SetAuthCookie or FormsAuthentication.RedirectFromLoginPage.
If Forms does it for you, then it will be encrypted and MAC protected. As
you've written it, the cookie is in plaintext and has the password in it
(the latter part seems unnecessary).


Assimalyst

The C# cookie code was something I added in later when it wasn't
working in an attempt to fix the problem. I'm relatively new to all
this and wasn't sure if it had been created automatically. If it is
unnecessary I will remove it.

Thanks.
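Putting Brock's suggestion together with the Web.config question above, the following is an added example (not code from the thread) of the login handler issuing the ticket through FormsAuthentication.RedirectFromLoginPage instead of a hand-made cookie. It assumes the control names, the strConn app setting and the proc_ValidateUser procedure from the original post, and a hypothetical Login page class.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;
using System.Web.UI;
// Hypothetical code-behind for login.aspx (added example, not the poster's code).
// Assumes the usernameTxtBx, passwordTxtBx and messageLbl controls, the strConn
// app setting and the proc_ValidateUser procedure from the thread.
public partial class Login : Page
{
    protected void Submit1_ServerClick(object sender, EventArgs e)
    {
        if (!Page.IsValid) return;
        string user = usernameTxtBx.Text.Trim();
        if (ValidateUser(user, passwordTxtBx.Text))
        {
            // Issues the forms-authentication ticket (encrypted and MAC-protected
            // under protection="All") in the cookie named by <forms name="...">,
            // then redirects to ReturnUrl or defaultUrl. Only the user name is in
            // the ticket. Requests carrying it count as authenticated, so
            // <deny users="?"/> in the WebForms <location> now admits logged-in
            // users; the hand-rolled "username" cookie was invisible to the
            // FormsAuthentication module, which is why it denied everyone.
            FormsAuthentication.RedirectFromLoginPage(user, false);
        }
        else
        {
            messageLbl.Text = "Invalid Login, please try again.";
        }
    }

    // Same stored-procedure check as the thread's, with the connection always disposed.
    private static bool ValidateUser(string user, string pass)
    {
        using (SqlConnection conn = new SqlConnection(
                   ConfigurationManager.AppSettings["strConn"]))
        using (SqlCommand cmd = new SqlCommand("proc_ValidateUser", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@usrName", SqlDbType.NVarChar, 256).Value = user;
            cmd.Parameters.Add("@usrPassword", SqlDbType.NVarChar, 256).Value = pass;
            SqlParameter ret = cmd.Parameters.Add("@Num_of_User", SqlDbType.Int);
            ret.Direction = ParameterDirection.ReturnValue;
            conn.Open();
            cmd.ExecuteNonQuery();
            return (int)ret.Value >= 1;
        }
    }
}
```

With the ticket issued this way, the <deny users="?"/> rule in the WebForms <location> applies to anonymous requests only, so a bookmarked secure page redirects to login.aspx with a ReturnUrl and RedirectFromLoginPage sends the user back there after a successful login. The <location> element in the question also needs its closing </location> tag.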