M
mike parr
I am using Forms authentication for the first time, and I'm having
problems with it. I have 3 pages relating to the login, default.aspx,
default_new_user.aspx and default_user.aspx.
Default.aspx is for checking for a cookie so that I can authorise the
user and send them to default_user.aspx (which is for users who have
logged in/been authenticated successfully) :
private void Page_Load(object sender, System.EventArgs e)
{
if (!(Page.IsPostBack))
{
if (!(Session["LiveSession"] == "True"))
{
Session["LiveSession"] = "True";
}
}
if (Request.Cookies["CallUK"] != null)
{
Response.Redirect("default_user.aspx");
}
else
{
Response.Redirect("default_new_user.aspx");
}
}
Default_user.aspx is a default screen greeting the user and setting up
several session variables :
private void Page_Load(object sender, System.EventArgs e)
{
if (!(Session["LiveSession"] == "True"))
{
Response.Clear(); //clear buffer
Response.Redirect("expired.aspx");
Response.End();
}
//get session details
int intCookieValue =
Convert.ToInt32(Request.Cookies["CallUK"].Value);
string strGetUserDetails = "SELECT CUST_NAME, MAIN_CUST_ID FROM
CUSTOMERS WHERE CUG = " + intCookieValue;
SqlConnection objConnection = new
SqlConnection(ConfigurationSettings.AppSettings["strConnectTest"]);
SqlDataReader objDataReader = null;
SqlCommand objCommand = new SqlCommand(strGetUserDetails,
objConnection);
objConnection.Open();
objDataReader = objCommand.ExecuteReader();
if (objDataReader.Read() == true)
{
Session["UserName"] =
objDataReader.GetString(objDataReader.GetOrdinal("CUST_NAME"));
Session["CustomerID"] =
objDataReader.GetString(objDataReader.GetOrdinal("MAIN_CUST_ID"));
Session["CUG"] = intCookieValue;
}
}
Default_new_user.aspx is used to login users that don't have a cookie on
their machine :
protected void btnLogin_Click(object sender,
System.Web.UI.ImageClickEventArgs e)
{
if (Page.IsValid == true)
{
string strEMailAddress, strPassword;
if (txtEMailAddress.Text == "")
{
Response.Redirect("invalid_login.aspx");
}
if (txtPassword.Text == "")
{
Response.Redirect("invalid_login.aspx");
}
//sql injection
StringBuilder sbdEMailAddress = new
StringBuilder(txtEMailAddress.Text, 0, txtEMailAddress.Text.Length,
100);
strEMailAddress = Convert.ToString(sbdEMailAddress.Replace("'",
"''"));
StringBuilder sbdPassword = new StringBuilder(txtPassword.Text, 0,
txtPassword.Text.Length, 100);
strPassword = Convert.ToString(sbdPassword.Replace("'", "''"));
//database check
string strValidateLogin;
bool blnValidateLogin = false;
strValidateLogin = "SELECT A.CUST_NAME AS 'CUST_NAME',
A.MAIN_CUST_ID AS 'MAIN_CUST_ID', A.CUG AS 'CUG' ";
strValidateLogin += "FROM CUSTOMERS A INNER JOIN ";
strValidateLogin += "CONTACTS B ON A.CUG = B.CUG ";
strValidateLogin += "WHERE A.PASSWORD = '" + strPassword + "' AND
B.E_MAIL = '" + strEMailAddress + "'";
SqlConnection objConnection = new
SqlConnection(ConfigurationSettings.AppSettings["strConnectTest"]);
SqlDataReader objDataReader = null;
SqlCommand objCommand = new SqlCommand(strValidateLogin,
objConnection);
try
{
objConnection.Open();
objDataReader = objCommand.ExecuteReader();
if (objDataReader.Read() == true)
{
Session["UserName"] =
objDataReader.GetString(objDataReader.GetOrdinal("CUST_NAME"));
Session["CustomerID"] =
objDataReader.GetString(objDataReader.GetOrdinal("MAIN_CUST_ID"));
Session["CUG"] =
objDataReader.GetInt32(objDataReader.GetOrdinal("CUG"));
blnValidateLogin = true;
}
else
{
blnValidateLogin = false;
}
}
catch
{
blnValidateLogin = false;
}
if (blnValidateLogin == true)
{
//successful login
Response.Cookies["CallUK"].Value =
Convert.ToString(Session["CUG"]);
Response.Cookies["CallUK"].Expires = DateTime.MaxValue;
FormsAuthentication.RedirectFromLoginPage(Convert.ToString(Session[
"CUG"]), true);
}
else
{
Response.Redirect("invalid_login.aspx");
}
}
}
On this login page, btnLogin_Click (above) after being called by the
click event, continues to call itself over and over again. I get the
feeling I'm trying to do stuff with Forms Authentication either the
wrong way, or stuff that it isn't intended to be able to do.
Can somebody please help me out with this?
Cheers,
Mike
problems with it. I have 3 pages relating to the login, default.aspx,
default_new_user.aspx and default_user.aspx.
Default.aspx is for checking for a cookie so that I can authorise the
user and send them to default_user.aspx (which is for users who have
logged in/been authenticated successfully) :
private void Page_Load(object sender, System.EventArgs e)
{
if (!(Page.IsPostBack))
{
if (!(Session["LiveSession"] == "True"))
{
Session["LiveSession"] = "True";
}
}
if (Request.Cookies["CallUK"] != null)
{
Response.Redirect("default_user.aspx");
}
else
{
Response.Redirect("default_new_user.aspx");
}
}
Default_user.aspx is a default screen greeting the user and setting up
several session variables :
private void Page_Load(object sender, System.EventArgs e)
{
if (!(Session["LiveSession"] == "True"))
{
Response.Clear(); //clear buffer
Response.Redirect("expired.aspx");
Response.End();
}
//get session details
int intCookieValue =
Convert.ToInt32(Request.Cookies["CallUK"].Value);
string strGetUserDetails = "SELECT CUST_NAME, MAIN_CUST_ID FROM
CUSTOMERS WHERE CUG = " + intCookieValue;
SqlConnection objConnection = new
SqlConnection(ConfigurationSettings.AppSettings["strConnectTest"]);
SqlDataReader objDataReader = null;
SqlCommand objCommand = new SqlCommand(strGetUserDetails,
objConnection);
objConnection.Open();
objDataReader = objCommand.ExecuteReader();
if (objDataReader.Read() == true)
{
Session["UserName"] =
objDataReader.GetString(objDataReader.GetOrdinal("CUST_NAME"));
Session["CustomerID"] =
objDataReader.GetString(objDataReader.GetOrdinal("MAIN_CUST_ID"));
Session["CUG"] = intCookieValue;
}
}
Default_new_user.aspx is used to login users that don't have a cookie on
their machine :
protected void btnLogin_Click(object sender,
System.Web.UI.ImageClickEventArgs e)
{
if (Page.IsValid == true)
{
string strEMailAddress, strPassword;
if (txtEMailAddress.Text == "")
{
Response.Redirect("invalid_login.aspx");
}
if (txtPassword.Text == "")
{
Response.Redirect("invalid_login.aspx");
}
//sql injection
StringBuilder sbdEMailAddress = new
StringBuilder(txtEMailAddress.Text, 0, txtEMailAddress.Text.Length,
100);
strEMailAddress = Convert.ToString(sbdEMailAddress.Replace("'",
"''"));
StringBuilder sbdPassword = new StringBuilder(txtPassword.Text, 0,
txtPassword.Text.Length, 100);
strPassword = Convert.ToString(sbdPassword.Replace("'", "''"));
//database check
string strValidateLogin;
bool blnValidateLogin = false;
strValidateLogin = "SELECT A.CUST_NAME AS 'CUST_NAME',
A.MAIN_CUST_ID AS 'MAIN_CUST_ID', A.CUG AS 'CUG' ";
strValidateLogin += "FROM CUSTOMERS A INNER JOIN ";
strValidateLogin += "CONTACTS B ON A.CUG = B.CUG ";
strValidateLogin += "WHERE A.PASSWORD = '" + strPassword + "' AND
B.E_MAIL = '" + strEMailAddress + "'";
SqlConnection objConnection = new
SqlConnection(ConfigurationSettings.AppSettings["strConnectTest"]);
SqlDataReader objDataReader = null;
SqlCommand objCommand = new SqlCommand(strValidateLogin,
objConnection);
try
{
objConnection.Open();
objDataReader = objCommand.ExecuteReader();
if (objDataReader.Read() == true)
{
Session["UserName"] =
objDataReader.GetString(objDataReader.GetOrdinal("CUST_NAME"));
Session["CustomerID"] =
objDataReader.GetString(objDataReader.GetOrdinal("MAIN_CUST_ID"));
Session["CUG"] =
objDataReader.GetInt32(objDataReader.GetOrdinal("CUG"));
blnValidateLogin = true;
}
else
{
blnValidateLogin = false;
}
}
catch
{
blnValidateLogin = false;
}
if (blnValidateLogin == true)
{
//successful login
Response.Cookies["CallUK"].Value =
Convert.ToString(Session["CUG"]);
Response.Cookies["CallUK"].Expires = DateTime.MaxValue;
FormsAuthentication.RedirectFromLoginPage(Convert.ToString(Session[
"CUG"]), true);
}
else
{
Response.Redirect("invalid_login.aspx");
}
}
}
On this login page, btnLogin_Click (above) after being called by the
click event, continues to call itself over and over again. I get the
feeling I'm trying to do stuff with Forms Authentication either the
wrong way, or stuff that it isn't intended to be able to do.
Can somebody please help me out with this?
Cheers,
Mike