S
Sam
I have successfully created authentication via web.config; however, I
discovered some security issues, as follows:
1. ASPX Security
I have a web application in ASP.NET and it consists of the following sections:
i. Administration
ii. Attendance
iii. Reporting
Each section has its own authorised users and they should not cross over.
For example, User A can log in to Administration but cannot access Attendance and
Reporting. How do I control this? Please help.
2. Login Security
How long does web.config allow a user to access the web application? How does an aspx file
check whether the user can still access it or not?
Please find the web.config and login.aspx files below.
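<!-- Web.Config Configuration File -->
<configuration>
  <appSettings>
    <!-- The SQL login and password are stored in clear text in this file, so
         anyone who can read web.config (source control, backups, a copy on a
         developer machine) obtains a login to the Payroll database. Prefer a
         Windows/integrated login, or keep the secret out of the file (ASP.NET
         protected configuration can encrypt a configuration section). -->
    <add key="ConnectionString"
         value="server=KULSQL01;database=Payroll;uid=payroll;pwd=pay88;" />
  </appSettings>
  <system.web>
    <!-- debug="true" only belongs on a development machine: pages are compiled
         with debug information and error output is more verbose. Disabled here
         for the deployed site. -->
    <compilation debug="false" />
    <authentication mode="Forms">
      <!-- timeout is in minutes: the "Intranet" ticket stops being accepted
           20 minutes after it was issued or last renewed; the next request to
           a protected page is then sent back to loginUrl. Once the site is
           served over HTTPS, add requireSSL="true" so the ticket cookie is
           never sent in clear. -->
      <forms name="Intranet" loginUrl="authentication.aspx"
             protection="All" path="/" timeout="20"/>
    </authentication>
    <!-- users="?" denies only anonymous callers; every authenticated user can
         reach every page. Per-section access (Administration / Attendance /
         Reporting) is expressed with one <location> element per folder, e.g.
           <location path="Administration">
             <system.web><authorization>
               <allow roles="ROLE_PLACEHOLDER"/>
               <deny users="*"/>
             </authorization></system.web>
           </location>
         The role must be attached to the user on each request (for example a
         GenericPrincipal built in Application_AuthenticateRequest), otherwise
         the allow rule never matches and the deny rule applies. -->
    <authorization>
      <deny users="?"/>
    </authorization>
    <!-- mode="Off" sends the full ASP.NET error page, including stack traces and
         source snippets, to every client. RemoteOnly keeps that detail for
         requests made from the server itself. -->
    <customErrors mode="RemoteOnly" />
  </system.web>
</configuration>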
<!-- Login Authentication File -->
<%@ Page Language="VB" %>
<%@ import Namespace="System" %>
<%@ import Namespace="System.Configuration" %>
<%@ import Namespace="System.Data" %>
<%@ import Namespace="System.Data.OleDB" %>
<%@ import Namespace="System.Data.SqlClient" %>
<%@ import Namespace="System.Data.SqlTypes" %>
<%@ import Namespace="System.Web.Security" %>
<script runat="server">
Sub defaultpage(Sender as Object, e As EventArgs)
    ' Click handler: sends the browser to the application's default page.
    Dim target As String = "default.aspx"
    Call Response.Redirect(target)
End Sub
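Sub authenticate(Sender as Object, e As EventArgs)
    ' Checks the submitted username/password against the "authentication" table
    ' and, on success, issues the Forms Authentication ticket before sending the
    ' user to payroll.aspx; any other outcome goes to warning.aspx.
    '
    ' Changes relative to the original handler:
    '   * the username is bound as a SqlParameter instead of being concatenated
    '     into the SQL text (the original query was injectable via txtUsername);
    '   * the reader and connection are closed before any redirect is issued,
    '     since Response.Redirect ends the response and the original never
    '     reached rd.Close() on the redirecting paths;
    '   * the ticket is set with SetAuthCookie and the redirect to payroll.aspx is
    '     made explicit, instead of relying on a second Redirect overriding the
    '     one issued by RedirectFromLoginPage.
    ' Database errors are not caught here; they propagate to the page's error
    ' handling as before.
    Dim con As New SqlConnection(ConfigurationSettings.AppSettings("ConnectionString"))
    Dim cmd As New SqlCommand("SELECT password FROM authentication WHERE username = @username", con)
    cmd.Parameters.Add(New SqlParameter("@username", txtUsername.Text))

    Dim authenticated As Boolean = False
    Try
        con.Open()
        Dim rd As SqlDataReader = cmd.ExecuteReader()
        Try
            ' Only the first row for the username is consulted, as in the
            ' original loop, which redirected on the first row it saw.
            If rd.Read() Then
                ' NOTE(review): the stored value is compared directly with the
                ' submitted text, i.e. passwords are kept in clear text in the
                ' table. Store a salted hash and compare hashes here instead.
                authenticated = (String.CompareOrdinal(rd("password").ToString(), txtPassword.Text) = 0)
            End If
        Finally
            rd.Close()
        End Try
    Finally
        con.Close()
    End Try

    If authenticated Then
        ' Issues the "Intranet" ticket (name/timeout come from web.config) as a
        ' session cookie; the False argument means no persistent cookie.
        FormsAuthentication.SetAuthCookie(txtUsername.Text, False)
        Response.Redirect("payroll.aspx")
    Else
        Response.Redirect("warning.aspx")
    End If
End Sub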
</script>
discovered some security issues as follows:
1. ASPX Security
I have a web application in ASP.NET and it consists of the following sections:
i. Administration
ii. Attendance
iii. Reporting
Each section has its own authorised users and they should not cross over.
For example, User A can log in to Administration but cannot access Attendance and
Reporting. How do I control this? Please help.
2. Login Security
How long does web.config allow a user to access the web application? How does an aspx file
check whether the user can still access it or not?
Please find the web.config and login.aspx files below.
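<!-- Web.Config Configuration File -->
<configuration>
  <appSettings>
    <!-- The SQL login and password are stored in clear text in this file, so
         anyone who can read web.config (source control, backups, a copy on a
         developer machine) obtains a login to the Payroll database. Prefer a
         Windows/integrated login, or keep the secret out of the file (ASP.NET
         protected configuration can encrypt a configuration section). -->
    <add key="ConnectionString"
         value="server=KULSQL01;database=Payroll;uid=payroll;pwd=pay88;" />
  </appSettings>
  <system.web>
    <!-- debug="true" only belongs on a development machine: pages are compiled
         with debug information and error output is more verbose. Disabled here
         for the deployed site. -->
    <compilation debug="false" />
    <authentication mode="Forms">
      <!-- timeout is in minutes: the "Intranet" ticket stops being accepted
           20 minutes after it was issued or last renewed; the next request to
           a protected page is then sent back to loginUrl. Once the site is
           served over HTTPS, add requireSSL="true" so the ticket cookie is
           never sent in clear. -->
      <forms name="Intranet" loginUrl="authentication.aspx"
             protection="All" path="/" timeout="20"/>
    </authentication>
    <!-- users="?" denies only anonymous callers; every authenticated user can
         reach every page. Per-section access (Administration / Attendance /
         Reporting) is expressed with one <location> element per folder, e.g.
           <location path="Administration">
             <system.web><authorization>
               <allow roles="ROLE_PLACEHOLDER"/>
               <deny users="*"/>
             </authorization></system.web>
           </location>
         The role must be attached to the user on each request (for example a
         GenericPrincipal built in Application_AuthenticateRequest), otherwise
         the allow rule never matches and the deny rule applies. -->
    <authorization>
      <deny users="?"/>
    </authorization>
    <!-- mode="Off" sends the full ASP.NET error page, including stack traces and
         source snippets, to every client. RemoteOnly keeps that detail for
         requests made from the server itself. -->
    <customErrors mode="RemoteOnly" />
  </system.web>
</configuration>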
<!-- Login Authentication File -->
<%@ Page Language="VB" %>
<%@ import Namespace="System" %>
<%@ import Namespace="System.Configuration" %>
<%@ import Namespace="System.Data" %>
<%@ import Namespace="System.Data.OleDB" %>
<%@ import Namespace="System.Data.SqlClient" %>
<%@ import Namespace="System.Data.SqlTypes" %>
<%@ import Namespace="System.Web.Security" %>
<script runat="server">
Sub defaultpage(Sender as Object, e As EventArgs)
    ' Click handler: sends the browser to the application's default page.
    Dim target As String = "default.aspx"
    Call Response.Redirect(target)
End Sub
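Sub authenticate(Sender as Object, e As EventArgs)
    ' Checks the submitted username/password against the "authentication" table
    ' and, on success, issues the Forms Authentication ticket before sending the
    ' user to payroll.aspx; any other outcome goes to warning.aspx.
    '
    ' Changes relative to the original handler:
    '   * the username is bound as a SqlParameter instead of being concatenated
    '     into the SQL text (the original query was injectable via txtUsername);
    '   * the reader and connection are closed before any redirect is issued,
    '     since Response.Redirect ends the response and the original never
    '     reached rd.Close() on the redirecting paths;
    '   * the ticket is set with SetAuthCookie and the redirect to payroll.aspx is
    '     made explicit, instead of relying on a second Redirect overriding the
    '     one issued by RedirectFromLoginPage.
    ' Database errors are not caught here; they propagate to the page's error
    ' handling as before.
    Dim con As New SqlConnection(ConfigurationSettings.AppSettings("ConnectionString"))
    Dim cmd As New SqlCommand("SELECT password FROM authentication WHERE username = @username", con)
    cmd.Parameters.Add(New SqlParameter("@username", txtUsername.Text))

    Dim authenticated As Boolean = False
    Try
        con.Open()
        Dim rd As SqlDataReader = cmd.ExecuteReader()
        Try
            ' Only the first row for the username is consulted, as in the
            ' original loop, which redirected on the first row it saw.
            If rd.Read() Then
                ' NOTE(review): the stored value is compared directly with the
                ' submitted text, i.e. passwords are kept in clear text in the
                ' table. Store a salted hash and compare hashes here instead.
                authenticated = (String.CompareOrdinal(rd("password").ToString(), txtPassword.Text) = 0)
            End If
        Finally
            rd.Close()
        End Try
    Finally
        con.Close()
    End Try

    If authenticated Then
        ' Issues the "Intranet" ticket (name/timeout come from web.config) as a
        ' session cookie; the False argument means no persistent cookie.
        FormsAuthentication.SetAuthCookie(txtUsername.Text, False)
        Response.Redirect("payroll.aspx")
    Else
        Response.Redirect("warning.aspx")
    End If
End Sub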
</script>