I'm new to ASPX and VB.NET and I'm trying to create two different sets of content for two kinds of users.
Actually all pages for a normal user are ready and now I'm trying to make the Admin part. I've created a folder Administrator in which there is an index.aspx that only users who are logged in and have the role "ADMIN" in the database should be able to access.
The login part is done as follows:
Protected Sub loginBtn_Click(sender As Object, e As EventArgs)
    If UserExists(username.Value, password.Value) Then
        FormsAuthentication.SetAuthCookie(username.Value, False)
        If username.Value = "gab" Then
            ' App-relative URL with forward slashes; backslashes are not valid in a redirect location
            Page.Response.Redirect("~/Administrator/Index.aspx", True)
        Else
            Page.Response.Redirect("~/Default.aspx", True)
        End If
    Else
        username.Value = ""
        ClientScript.RegisterStartupScript(Me.GetType(), "alert", "openModal();", True)
    End If
End Sub
For now I just check if the username is "gab", but later I'd use a function that SELECTs the role from the database.
The issue is that if a normal user logs in and just types \Administrator\index.aspx in the path, he can access that folder, and even if an administrator changes the path to "Default.aspx" he can access the content of a normal user.
I would like a normal user to be able to see only his aspx pages and the admin only the pages in the Administrator folder, but I need some suggestions on how to do it.
There are a number of ways you can do it, including many not listed here.
You may consider checking the permissions of each user on page load and redirecting them when necessary. This does mean that you are hitting the database again on each page load, so you'll need to take that into consideration.
You may also try using client side storage, like a cookie, and running the checks client side. You'll want to be careful with what you store on the client side as it may open up security vulnerabilities.
If I knew more about your project, I may be able to give you more specifics.
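One concrete way to do what the question asks in ASP.NET Forms Authentication, as an added example rather than code from the question or the answer above: carry the user's role inside the encrypted forms ticket (its UserData field), rebuild a principal from the ticket on every request in Global.asax, and then check the role on the admin pages and declaratively in web.config. `LookupRole` stands in for the database SELECT the poster plans to write; the 30-minute ticket lifetime, the "Forms" authentication type and the role name "ADMIN" are assumptions.

```vbnet
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

' Login page code-behind (added example). Replaces the 'If username.Value = "gab"' test
' with a role read from the database and stored in the encrypted ticket.
Partial Class Login
    Inherits System.Web.UI.Page

    Protected Sub loginBtn_Click(sender As Object, e As EventArgs)
        If Not UserExists(username.Value, password.Value) Then
            username.Value = ""
            ClientScript.RegisterStartupScript(Me.GetType(), "alert", "openModal();", True)
            Return
        End If

        ' Assumption: LookupRole runs the SELECT the poster describes and returns e.g. "ADMIN" or "USER".
        Dim role As String = LookupRole(username.Value)

        ' The role travels in UserData, which is encrypted and MAC'd with the machine key, so a user
        ' cannot edit their own role the way they could edit a plain cookie value.
        Dim ticket As New FormsAuthenticationTicket(
            version:=1,
            name:=username.Value,
            issueDate:=DateTime.Now,
            expiration:=DateTime.Now.AddMinutes(30),
            isPersistent:=False,
            userData:=role)

        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        cookie.HttpOnly = True
        cookie.Secure = FormsAuthentication.RequireSSL
        Response.Cookies.Add(cookie)

        ' The redirect is only a convenience; the server-side checks below are what stop a
        ' normal user who types /Administrator/Index.aspx into the address bar.
        If role = "ADMIN" Then
            Response.Redirect("~/Administrator/Index.aspx", True)
        Else
            Response.Redirect("~/Default.aspx", True)
        End If
    End Sub
End Class

' Global.asax.vb (added example): turn the ticket back into a principal that User.IsInRole understands.
Partial Class Global_asax
    Inherits HttpApplication

    Sub Application_AuthenticateRequest(sender As Object, e As EventArgs)
        Dim authCookie As HttpCookie = Request.Cookies(FormsAuthentication.FormsCookieName)
        If authCookie Is Nothing Then Return

        Dim ticket As FormsAuthenticationTicket = Nothing
        Try
            ticket = FormsAuthentication.Decrypt(authCookie.Value)
        Catch ex As Exception
            ' A tampered or foreign cookie fails decryption; treat the request as anonymous.
            Return
        End Try
        If ticket Is Nothing OrElse ticket.Expired Then Return

        Dim roles As String() = ticket.UserData.Split(","c)
        Context.User = New GenericPrincipal(New GenericIdentity(ticket.Name, "Forms"), roles)
    End Sub
End Class

' Administrator/Index.aspx code-behind (added example). The folder should additionally be protected
' in web.config with a <location path="Administrator"> element whose <authorization> section
' allows roles="ADMIN" and denies users="*", so a page that forgets this check is still refused.
Partial Class Administrator_Index
    Inherits System.Web.UI.Page

    Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
        If Not User.Identity.IsAuthenticated OrElse Not User.IsInRole("ADMIN") Then
            ' 403 rather than a silent redirect to the normal-user page, so the refusal is visible in logs.
            Response.StatusCode = 403
            Response.End()
        End If
    End Sub
End Class
```

Because the role is copied into the ticket at login, a change made in the database only takes effect the next time the user logs in; if roles must be revoked immediately, check the database (with a short cache) in Application_AuthenticateRequest instead of trusting UserData. Keeping the normal-user pages away from admins, which the question also asks for, is the mirror image: deny roles="ADMIN" in the `<authorization>` section for those pages.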
Related
Well, I have 2 ASP.NET WebForm websites running in production on the same Windows server machine; let's call them site A and site B. There are some pages in website A in which there is an iFrame pointing to website B. I want my users to be authenticated on site B when they browse site B through site A (through iFrames). In order to do that, the source of my iFrame on site A is like this:
B.com/index.aspx?guid={aGuid}&pageIWant={pageIWant}
So, I will not go into details there because it works and it is not the problem, but how it works basically is that in the Page_Load of index.aspx.vb of my site B, I get the guid in the query string representing a user, I get this user from the database, I log this user in using forms authentication and then I redirect the user to the "pageIWant", another query string parameter. So, here is what I do in the Page_Load, basically:
' Get the guid from the query string
Dim user = Nothing ' get user from guid (lookup not shown in the post)
' some checks
FormsAuthentication.SetAuthCookie(user.Login, True)
Select Case Request.QueryString("pageIWant")
    Case "1"
        Response.Redirect("documents.aspx")
    Case "2"
        ' etc.
End Select
The index.aspx page of site B does not require authentication, but the page "documents.aspx" does. Hopefully, I did authenticate my user in the Page_Load of index.aspx, so I go through Application_AuthenticateRequest in the Global.asax.vb and everything is fine; my user can access the page. Here is the code in my Application_AuthenticateRequest method:
Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
    If Request.IsAuthenticated Then
        If Request.Cookies("ESERVICES_LOGIN") IsNot Nothing Then
            ' Rebuild the principal from the forms ticket; roles are stored comma-separated in UserData
            Dim aTicket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(Request.Cookies("ESERVICES_LOGIN").Value)
            HttpContext.Current.User = New GenericPrincipal(New GenericIdentity(aTicket.Name), aTicket.UserData.Split(","c))
        Else
            ' Authenticated but no application cookie: drop the session back to anonymous
            FormsAuthentication.SignOut()
            HttpContext.Current.User = New GenericPrincipal(New GenericIdentity(String.Empty, String.Empty), New String() {})
            Response.Clear()
        End If
    End If
End Sub
In this case, when I redirect to the page "documents.aspx", the Request.IsAuthenticated is set to true because I previously called FormsAuthentication.SetAuthCookie(user.Login, True)
Here is the problem: since I installed the two following KBs on my Windows server machine (hosting the websites):
https://support.microsoft.com/en-us/help/4534978/kb4534978
https://support.microsoft.com/en-us/help/4535104/kb4535104
Request.IsAuthenticated is still false when I redirect to the "documents.aspx" page, despite the fact that I call FormsAuthentication.SetAuthCookie before... and no exception is thrown! My user is not logged in anymore.
I uninstalled the two KBs and the problem is not occurring anymore, so I am sure there is something with one of those two KBs that causes my problem.
Something really strange is that when I try to reproduce the problem on localhost, I do not face the problem at all -> the problem seems to happen only when website A and website B do not have the same domain name. I've made multiple tests of this hypothesis and it seems to be true.
So, there is something wrong with the framework (or how I use it), and because of that, FormsAuthentication does not work properly through iFrame, when the iFrame source does not have the same domain name as the iFrame container, and when those two KBs are installed on the windows server machine hosting the website. That is silly and I cannot find the problem when debugging.
Please note that in both cases, whether authentication works or not, my auth cookie is created successfully...
Would someone have any idea about what's happening there? Do not hesitate to ask any questions if my problem is not clear.
Regards
I found an explanation.
Since 2019, Microsoft has been releasing KBs that change the default value of the "SameSite" attribute for cookies. Before, when creating an auth cookie with FormsAuthentication.SetAuthCookie, the SameSite attribute was not specified, and in most browsers the default value for it was "none" and it worked just fine. (This is not the case with Chrome anymore since February 2020; the default value became "lax".)
Now, with the KBs I mentioned, the default value became "Strict", which is why my authentication doesn't work anymore in my case.
So, I'll have to specify the SameSite attribute of my auth cookie as "None" manually if possible, and think about the security issues I could have with that. As a last resort, I could also just use the same domain name for my two websites.
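Setting the attribute explicitly, as an added example (not code from the post). It assumes .NET Framework 4.7.2 or later with the November 2019 SameSite update applied, which is what gives `HttpCookie` its `SameSite` property and makes `SameSiteMode.None` actually emit `SameSite=None`; it also assumes site B is served over HTTPS, because Chrome discards a `SameSite=None` cookie that is not also `Secure`. The guid lookup is replaced by a constructed in-memory table, and the control names are made up. One caveat that the thread's design carries regardless of SameSite: a query-string value that logs a user in is a bearer credential, and it will end up in browser history, proxy and server logs and Referer headers, so it should be short-lived and single-use.

```vbnet
Imports System.Collections.Generic
Imports System.Web
Imports System.Web.Security

' Site B, index.aspx.vb (added example). Issues the forms-auth cookie with an explicit
' SameSite attribute instead of relying on the framework's post-KB default.
Partial Class Index
    Inherits System.Web.UI.Page

    ' Assumption: site A and site B live on different registrable domains, so the iframe is cross-site.
    Private Const IframedCrossSite As Boolean = True

    ' Constructed sample data standing in for the database lookup described in the post.
    Private Shared ReadOnly GuidToLogin As New Dictionary(Of Guid, String) From {
        {New Guid("6f1b7c2e-0000-4000-8000-000000000001"), "alice"}
    }

    Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
        Dim login As String = ResolveLoginFromGuid(Request.QueryString("guid"))
        If login Is Nothing Then
            Response.StatusCode = 403
            Response.End()
        End If

        ' GetAuthCookie encrypts a ticket for the user but does not add it to the response,
        ' so the cookie's attributes can be set before it is written. SetAuthCookie cannot do that.
        Dim cookie As HttpCookie = FormsAuthentication.GetAuthCookie(login, createPersistentCookie:=True)
        cookie.HttpOnly = True

        If IframedCrossSite Then
            ' A cross-site iframe only receives the cookie if it is SameSite=None, and browsers drop
            ' SameSite=None cookies that are not also Secure. This reopens cross-site request forgery
            ' for site B, so its state-changing pages need their own anti-forgery token.
            If Not Request.IsSecureConnection Then
                Throw New InvalidOperationException("SameSite=None cookies must be issued over HTTPS.")
            End If
            cookie.SameSite = SameSiteMode.None
            cookie.Secure = True
        Else
            ' Same-site use: Lax keeps the cookie out of cross-site POSTs, which is the CSRF
            ' protection the new browser defaults are meant to provide.
            cookie.SameSite = SameSiteMode.Lax
        End If

        Response.Cookies.Add(cookie)

        ' Map the parameter to a fixed set of local pages; redirecting to a free-form value
        ' would be an open redirect.
        Select Case Request.QueryString("pageIWant")
            Case "1"
                Response.Redirect("~/documents.aspx")
            Case Else
                Response.Redirect("~/default.aspx")
        End Select
    End Sub

    ' Returns the login for a known guid, or Nothing for a missing or malformed one.
    Private Function ResolveLoginFromGuid(raw As String) As String
        Dim parsed As Guid
        Dim login As String = Nothing
        If raw IsNot Nothing AndAlso Guid.TryParse(raw, parsed) AndAlso GuidToLogin.TryGetValue(parsed, login) Then
            Return login
        End If
        Return Nothing
    End Function
End Class
```

The same result can be reached declaratively on 4.7.2+ with `cookieSameSite="None"` and `requireSSL="true"` on the `<forms>` element in web.config, which then applies to `SetAuthCookie` as well; the code form above is useful when only the iframe entry point needs `None` and the rest of the site can keep `Lax`.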
Ok, so far I have working the ability to log in and access a certain web page ('bookrepair.aspx') through the use of roles and permissions. I used this to then deny any non-logged-on users, which works; however it throws up the "Server Error in '/' Application" error. I would like it to redirect the user to the home page ('home.aspx') and display a message to them saying "Only logged in users can access Book Repair".
So far I have this piece of code in my 'bookrepair.aspx' page:
Private Sub Pages_BookRepair_Load(sender As Object, e As EventArgs) Handles Me.Load
    If Not Me.Page.User.Identity.IsAuthenticated Then
        ' MsgBox is a desktop dialog and never reaches the browser, and with the default
        ' endResponse:=True the Redirect ends the request before the next line runs anyway.
        ' Hand the message to Home.aspx via the query string and let that page render it.
        Response.Redirect("~/Home.aspx?msg=login_required", False)
        Context.ApplicationInstance.CompleteRequest()
        Return
    End If
End Sub
However, I still get the "Server Error in '/' Application" error when trying to access it while not logged in.
Any ideas?
I don't use the User.Identity functionality just because of all the issues you have to address in order to authenticate users. I keep it simple and set a flag in either the Session or ViewState object which indicates whether or not the user is logged on. For example:
If Session("LoggedOn") = "NO" Then
    ' endResponse:=False avoids the ThreadAbortException; nothing after this should write to the response
    Response.Redirect("MainPage.aspx", False)
End If
It's what works best for me; I have total control over it and do not have to worry whether the browser supports it, because Session is maintained on the server. I've never had an issue with it.
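The redirect-with-message part of the question, done so that the home page never echoes free text from the URL, as an added example that is not code from the question or the answer. The message code is the only thing that travels in the query string; Home.aspx maps it back to a fixed string and still HTML-encodes it. A `Literal` control named `noticeLiteral` on Home.aspx is assumed.

```vbnet
Imports System.Collections.Generic
Imports System.Web
Imports System.Web.UI

' Shared helper (added example): "redirect and tell the user why" without reflecting user-controlled text.
Public Module AccessDenied
    ' Fixed set of messages keyed by a short code. Only the code appears in the URL.
    Private ReadOnly Messages As New Dictionary(Of String, String) From {
        {"login_required", "Only logged in users can access Book Repair."},
        {"not_allowed", "Your account does not have access to that page."}
    }

    Public Sub RedirectWithMessage(page As Page, code As String)
        If Not Messages.ContainsKey(code) Then Throw New ArgumentException("unknown message code")
        ' RawUrl is the path and query of the current request, so ReturnUrl is always a page on
        ' this site; a login page that honours it must still refuse absolute URLs.
        Dim returnUrl As String = HttpUtility.UrlEncode(page.Request.RawUrl)
        page.Response.Redirect("~/Home.aspx?msg=" & code & "&ReturnUrl=" & returnUrl, False)
        page.Context.ApplicationInstance.CompleteRequest()
    End Sub

    ' Text for a code, or Nothing for an unknown or missing code.
    Public Function MessageFor(code As String) As String
        Dim text As String = Nothing
        If code IsNot Nothing AndAlso Messages.TryGetValue(code, text) Then Return text
        Return Nothing
    End Function
End Module

' bookrepair.aspx code-behind (added example)
Partial Class Pages_BookRepair
    Inherits Page

    Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
        If Not User.Identity.IsAuthenticated Then
            AccessDenied.RedirectWithMessage(Me, "login_required")
        End If
    End Sub
End Class

' Home.aspx code-behind (added example)
Partial Class Home
    Inherits Page

    Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
        Dim text As String = AccessDenied.MessageFor(Request.QueryString("msg"))
        noticeLiteral.Visible = text IsNot Nothing
        ' Encode even though the text comes from our own table; it costs nothing and keeps the
        ' page safe if a message containing markup is added later.
        noticeLiteral.Text = HttpUtility.HtmlEncode(If(text, ""))
    End Sub
End Class
```

If the page is also protected with `<deny users="?"/>` in web.config, the framework will redirect unauthenticated users to the configured loginUrl before Page_Load ever runs; the Page_Load check above is then only a fallback, and the friendly message belongs on the login page instead.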
I have a website using ASP.NET. I use the ASP.NET Website Administration Tool, accessed from Visual Web Developer, to add/modify user access to the site. I've noticed that if the user has checked the "remember me" box to auto log in, then disabling or deleting the account has no effect until the cookie is removed. Why is this? Can there be some type of logic put in the code-behind that will deny access or redirect them to an error message for disabled or deleted accounts?
This is currently what I have in my code behind...
Protected Sub Page_Init(sender As Object, e As System.EventArgs) Handles Me.Init
    ' Already signed in (possibly via the persistent cookie): skip the login page
    If User.Identity.IsAuthenticated Then
        Response.Redirect("~/homepage")
    End If
End Sub
Also this is below the Page_Init section...
Protected Sub LoginUser_LoginError(sender As Object, e As System.EventArgs) Handles LoginUser.LoginError
    LoginUser.FailureText = "Invalid Username or Password - Please Try Again"
    Dim usrInfo As MembershipUser = Membership.GetUser(LoginUser.UserName)
    If usrInfo IsNot Nothing Then
        If usrInfo.IsLockedOut Then
            LoginUser.FailureText = "Your account has been locked - Contact the system administrator"
        ElseIf Not usrInfo.IsApproved Then
            LoginUser.FailureText = "Your account is disabled - Contact the system administrator"
        End If
    End If
End Sub
Thanks for the help!
As you've noticed, IsAuthenticated will return true for a user even after they've been removed. This is because the call only checks the contents of the authentication cookie, which still resides on their system.
One solution to this is to enable role-based security for the site. Using roles means that you can protect sections of your site from certain categories of users, e.g. making the administration pages visible only to a subset of accounts.
This role information is saved in the backing store, not the cookie, so it has to be properly checked every time. It's also deleted when the user is deleted, so your protected pages will be inaccessible to the user as soon as they're removed.
You should still be able to manage all this through the web-based tools, too.
More here:
http://msdn.microsoft.com/en-us/library/5k850zwb.aspx
The solution is simple: in global.asax.cs, implement session_start and sign out the user if it does not exist in the database:
protected void Session_Start()
{
    // Membership.GetUser(name, userIsOnline: false) reads the account from the backing store;
    // null means it no longer exists. (Assumes ASP.NET Membership, as used in the question.)
    if (User.Identity.IsAuthenticated
        && Membership.GetUser(User.Identity.Name, false) == null)
    {
        // Remove this forms-authentication cookie, and redirect to sign in without processing this request any further.
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }
}
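A variant that checks on every authenticated request rather than once per session, as an added example that is neither answer's code. Session_Start only fires when a new session begins, so a user who was already browsing when the administrator disabled the account keeps working until the session expires; a PostAuthenticateRequest handler closes that window. The 60-second positive cache is an assumption made to keep the Membership query off every single request, which is the cost the first answer on this page warns about.

```vbnet
Imports System.Web
Imports System.Web.Caching
Imports System.Web.Security

' Global.asax.vb (added example). Re-validates the account in the Membership store so a disabled
' or deleted account loses access within CacheSeconds, persistent "remember me" cookie or not.
Partial Class Global_asax
    Inherits HttpApplication

    ' Assumption: how long a positive "account is fine" answer may be reused.
    Private Const CacheSeconds As Integer = 60

    Sub Application_PostAuthenticateRequest(sender As Object, e As EventArgs)
        If Not Request.IsAuthenticated Then Return

        Dim name As String = Context.User.Identity.Name
        If AccountStillValid(name) Then Return

        ' The ticket is still cryptographically valid, so the cookie must be removed explicitly.
        FormsAuthentication.SignOut()
        Context.Cache.Remove(CacheKey(name))
        FormsAuthentication.RedirectToLoginPage()
    End Sub

    Private Function AccountStillValid(name As String) As Boolean
        Dim key As String = CacheKey(name)
        Dim cached As Object = Context.Cache(key)
        If cached IsNot Nothing Then Return CBool(cached)

        ' userIsOnline:=False so the check does not update LastActivityDate on every request.
        Dim user As MembershipUser = Membership.GetUser(name, userIsOnline:=False)
        Dim valid As Boolean = user IsNot Nothing AndAlso user.IsApproved AndAlso Not user.IsLockedOut

        ' Cache only the positive answer; a negative one must take effect immediately.
        If valid Then
            Context.Cache.Insert(key, True, Nothing, DateTime.UtcNow.AddSeconds(CacheSeconds), Cache.NoSlidingExpiration)
        End If
        Return valid
    End Function

    Private Shared Function CacheKey(name As String) As String
        Return "acct-valid:" & name.ToLowerInvariant()
    End Function
End Class
```

The cache means an administrative disable or delete takes up to CacheSeconds to bite; the admin page that performs it can call `HttpRuntime.Cache.Remove("acct-valid:" & name.ToLowerInvariant())` to make it immediate on that server.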
I have an internal asp.net app that uses the fileupload control to put data files in a "drop" folder. I would like to lock down this folder so only users that are part of a local group can actually authenticate and upload the file.
I have created a group on the server, added the domain users to the local group. I have then given that group write access to the "drop" directory.
When I try to upload a file to the directory I get the expected login screen, but my login doesn't work and after several tries the page errors out with "Access to path '\server\path\fubar\drop folder name\filename.txt' is denied".
How do I set it up so that each user has to login but the login actually works?
TIA
J
You are experiencing a permission issue.
1) You need to set up impersonation on the IIS web server (http://msdn.microsoft.com/en-us/library/134ec8tc.aspx). This will allow the network credentials to be passed through from any Internet Explorer browser to the web server.
2) You then need to right-click on the upload folder and then go to 'Properties' --> 'Security' --> 'Edit' --> 'Add' --> type in the name of the users/groups --> click OK --> select the correct privileges (Read and Modify).
NOTE: if you are operating an internal web application you don't need the user to log in. That's the whole point of impersonation. No point in making people log in if they have authenticated on the network already.
If you must make them log in over the top, then you need to validate them against your AD server and then change the user that the page is operating under programmatically, like this:
protected void Page_Load(object sender, EventArgs e)
{
    // IPrincipal.Identity is read-only and NetworkCredential is not an IIdentity, so the original assignment cannot compile; impersonate a Win32 logon token (from LogonUser, not shown here) instead.
    using (WindowsImpersonationContext ctx = new WindowsIdentity(logonToken).Impersonate())
    {
        // file access performed here runs as the impersonated user
    }
}
Here is our current setup. We have Active Directory configured (domain named mis1) that handles all of our authentication issues. We have our web applications set up for impersonation=true so that we can have our database queries called as the logged-in user. For this particular application, IIS is set to Anonymous access so we can have Forms Authentication.
For our database security, we have local groups setup on the database server and add users into these groups as needed per application. For instance, we would have a "FancyPantsManager" group and a "FancyPantsUser" group for the same FancyPants application. We then setup SQL Server 2005 logins to map to these local groups on the server.
What I want to do is to present a login page for the user that authenticates off of AD and then if successful, goes to the database server to get their roles (by calling xp_logininfo) to store in the user's session.
So far I have forms authentication successfully authenticating off of Active Directory by doing a P/Invoke on the LogonUser method from advapi32.dll. I then take the resulting token, generate a WindowsIdentity object and impersonate the user. The code looks like this:
Private Sub loginMain_Authenticate(ByVal sender As Object, _
        ByVal e As System.Web.UI.WebControls.AuthenticateEventArgs) _
        Handles loginMain2.Authenticate
    ' Assume variables properly declared
    IsAuthenticated = LogonUser(UserName, LOGON_DOMAIN, UserPass, _
                                LOGON_TYPE, LOGON_PROVIDER, ResultToken)
    If IsAuthenticated Then
        ' Setup impersonation for validated user.
        WindowsId = New WindowsIdentity(ResultToken)
        IdentContext = WindowsId.Impersonate()
        ' Call stored procedure to retrieve roles using validated user for login.
        GetUserRoles(UserName)
    End If
End Sub
When I step through the debugger and enter my proper ID and password, I am authenticated, and looking at the WindowsIdentity object that is generated, it states my ID is "mis1\c07884", which is precisely what is needed for impersonation to get to the SQL Server. However, when the GetRoles method is called, I get the following error message:
System.Data.SqlClient.SqlException: Could not obtain information
about Windows NT group/user 'c07884', error code 0xffff0002.
It seems to me that something is not occurring properly with the impersonation process. What am I missing?
Keeping an eye on this question might help?
Active Directory: Retrieving User Information
Edited to remove irrelevant content.
xp_logininfo. It looks like you invoke it passing in the account name as the user name without the domain, which actually explains why the error message says c07884 not found and not mis1\c07884 not found as it should. The error 0xffff0002 is probably error 2, ERROR_FILE_NOT_FOUND.
Right now the quickest fix is probably to pass the correct account name:
GetUserRoles(String.Format("{0}\{1}", LOGON_DOMAIN, UserName))
You should consider rewriting the procedure to retrieve the impersonated user info by calling xp_logininfo with no arguments to return the info of the current user. Better still, just SELECT * FROM sys.login_token.
If all you need in ASP is the group membership, you already have it in WindowsIdentity.Groups.
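An added example that serves two of the threads above and is not any poster's code: the drop-folder upload that must run as the Windows user who logged in, and the LogonUser/impersonation code in the Active Directory question. It supplies the P/Invoke declarations the question leaves out, releases the token and the impersonation context with Using blocks, builds the DOMAIN\user form that xp_logininfo expects, and reads group membership from WindowsIdentity.Groups as the last answer suggests. The control names, the drop-folder path and the logon type are assumptions; "mis1" is the domain named in the question.

```vbnet
Imports System.Collections.Generic
Imports System.ComponentModel
Imports System.IO
Imports System.Runtime.InteropServices
Imports System.Security.Principal

' Logon and impersonation helper (added example).
Public Module WindowsLogon
    ' NETWORK_CLEARTEXT keeps the credentials in the token so the impersonated thread can
    ' authenticate to a SQL Server on another machine; a plain NETWORK logon (3) cannot hop.
    Private Const LOGON32_LOGON_NETWORK_CLEARTEXT As Integer = 8
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0
    Private Const ERROR_LOGON_FAILURE As Integer = 1326

    ' advapi32 LogonUser validates the credentials against the domain and returns an access token.
    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)>
    Private Function LogonUser(lpszUsername As String, lpszDomain As String, lpszPassword As String,
                               dwLogonType As Integer, dwLogonProvider As Integer,
                               ByRef phToken As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)>
    Private Function CloseHandle(hObject As IntPtr) As Boolean
    End Function

    ' Runs action while impersonating the account. False means the credentials were rejected;
    ' any other Win32 failure is raised. Token and impersonation context are always released.
    Public Function RunAs(domain As String, userName As String, password As String,
                          action As Action(Of WindowsIdentity)) As Boolean
        Dim token As IntPtr = IntPtr.Zero
        If Not LogonUser(userName, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                         LOGON32_PROVIDER_DEFAULT, token) Then
            Dim err As Integer = Marshal.GetLastWin32Error()
            If err = ERROR_LOGON_FAILURE Then Return False
            Throw New Win32Exception(err)
        End If
        Try
            ' WindowsIdentity duplicates the token, so the original can be closed in Finally.
            Using identity As New WindowsIdentity(token)
                Using ctx As WindowsImpersonationContext = identity.Impersonate()
                    action(identity)
                End Using
            End Using
        Finally
            CloseHandle(token)
        End Try
        Return True
    End Function

    ' The form xp_logininfo expects: DOMAIN\user, never the bare user name.
    Public Function SqlLoginName(domain As String, userName As String) As String
        Return String.Format("{0}\{1}", domain, userName)
    End Function

    ' Group names for the impersonated user, resolved from the SIDs in WindowsIdentity.Groups.
    Public Function GroupNames(identity As WindowsIdentity) As List(Of String)
        Dim names As New List(Of String)
        For Each sid As IdentityReference In identity.Groups
            Try
                names.Add(sid.Translate(GetType(NTAccount)).Value)
            Catch ex As IdentityNotMappedException
                ' SID not resolvable on this machine, e.g. a group since deleted from the domain
            End Try
        Next
        Return names
    End Function
End Module

' Upload page (added example): SaveAs runs under impersonation, so the NTFS permissions on the
' drop folder are evaluated against the user, not the application pool identity.
Partial Class UploadPage
    Inherits System.Web.UI.Page

    Protected Sub uploadBtn_Click(sender As Object, e As EventArgs)
        ' Assumed: FileUpload control fileUpload, text boxes userBox/passBox, Label statusLabel.
        Const dropFolder As String = "D:\drop"
        Dim safeName As String = Path.GetFileName(fileUpload.FileName) ' discard any client-supplied directory
        If safeName.Length = 0 OrElse safeName.Trim("."c).Length = 0 Then
            statusLabel.Text = "Invalid file name."
            Return
        End If
        Dim target As String = Path.Combine(dropFolder, safeName)

        Dim ok As Boolean = WindowsLogon.RunAs("mis1", userBox.Text, passBox.Text,
            Sub(identity)
                fileUpload.SaveAs(target) ' "Access to path ... is denied" here is an NTFS right, not a logon failure
                Session("roles") = WindowsLogon.GroupNames(identity)
            End Sub)

        If Not ok Then statusLabel.Text = "Invalid user name or password."
    End Sub
End Class
```

Two things worth checking before relying on this in production: the application pool account needs the "Act as part of the operating system" right only for some logon types, not for NETWORK_CLEARTEXT, but it does need to be allowed to call LogonUser at all; and the password passes through the web server in clear, so the login form must be served over HTTPS.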