How to do the proper login in a website - asp.net

I am a newbie creating an ASP.NET web application for my application. I will have different users, and I didn't use any special forms or methods to do the login. I have an Access DB, and in it I have user role, company, username, and password.
In my login page, through text boxes, I get the company, username and password entered by the end user. Then I check for the company and username (which is the primary key in the table). If the password matches, I find the user role and redirect to the pages for each user.
That works fine now.
I have a log out button which is sitting in the site master page:

    <div id="logout" runat="server" visible="false" class="navbar-brand1">
        <a id="lo" runat="server" href="/Default">Log Out </a>
    </div>

Then in the pages where I want to show the log out I call the code

    Master.FindControl("logout").Visible = true;

It was working fine with respect to logging in and logging out, but in fact the log out button just redirects to the first page of the site, and if we use the back arrow in the browser I can go back to the previous page I was on. Is there any way I can do it neatly so that after log out, even if I go back in the browser, it will ask for login?
Any help will be really appreciated. I made a mistake and created the complete application; now I am worried about this feature, so technically I am not logging out :(

Whenever a user opens a page in the system, use the code below to check if the session is valid:

    if (!IsPostBack)
    {
        // An empty or missing UserName means there is no logged-in session
        if (Convert.ToString(Session["UserName"]).Length <= 0)
        {
            Response.Redirect("Login.aspx");
        }
    }

When the user clicks on the SignOut button, redirect to a SignOut.aspx page. Use the code below in the form load event of SignOut.aspx to clear the session.

    protected void Page_Load(object sender, EventArgs e)
    {
        Session.Abandon();
        Session.Contents.RemoveAll();
        System.Web.Security.FormsAuthentication.SignOut();
        Response.Redirect("Login.aspx");
    }

Well, your question is how to do the proper login.
The proper way is not to reinvent the wheel, but to use the framework that is built into ASP.NET:
https://msdn.microsoft.com/en-us/library/ms731049%28v=vs.110%29.aspx
It will give you a lot of extra features, like using OpenAuth etc.
Example:
https://msdn.microsoft.com/en-us/library/aa354509%28v=vs.110%29.aspx

As @Chathuranga Ranasinghe mentioned, I used a session variable to store the username details, and I check if the session variable is empty; if so, go to my default page, otherwise continue.

    // No identity stored in the session: send the user to the default page
    if (string.IsNullOrEmpty((string)Session["iden"]))
    {
        Response.Redirect("/Default.aspx");
    }

I used this on the pages that come after login and it works fine for me now.

Related

ASP.NET membership provider, custom login control

I'm using the ASP.NET membership provider on my website. It works fine while using the Login Control in Visual Studio. However, I feel the Login Control has its limitations and I'm having a hard time making it fit the design of my page. So instead of using that Login control, I'd like to be able to just create two TextBoxes and a Button myself and use those to log in instead. So my question is, can I create a custom login page by creating my own textboxes and buttons? The code behind Login.aspx that I use with the login control right now looks like this:

    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        if (Membership.ValidateUser(Login1.UserName, Login1.Password) == true)
        {
            Login1.Visible = true;
            Session["user"] = User.Identity.Name;
            FormsAuthentication.RedirectFromLoginPage(Login1.UserName, true);
        }
        else
        {
            Response.Write("Invalid Login");
        }
    }

I tried changing Login1.UserName to TextBox1.Text and so on, but that didn't work. Any help is appreciated, thanks!

You should be removing the Login1_Authenticate event and have a login button event to validate the credentials.
Or depending on how you submit back to the server, such as ajax calls etc.
You can also use Fiddler to see what's exactly being posted back to the server.
PS. Why not use ASP.NET MVC?

Add additional text on TextChange asp.net

The reason I'd like to add additional text is because, for whatever reason, when I try to log in it wants me to add "#domain.local".
Is it possible to add that automatically? I tried converting it to a template and used UserName_TextChanged but it didn't like what I was trying to do.
Any ideas?
Thanks.

Based on the information in the web.config you are using Forms Authentication with an LDAP provider. I am going to make the assumption that you are using the ASP.NET Login control on your page.
In order to handle the appending of #domain.local to a user name prior to login you should handle the LoggingIn event from the control with something similar to the following:

    void OnLoggingIn(object sender, System.Web.UI.WebControls.LoginCancelEventArgs e)
    {
        if (Login1.UserName.IndexOf("#domain.local", StringComparison.OrdinalIgnoreCase) == -1)
        {
            Login1.UserName += "#domain.local";
        }
    }

Of course you probably need a more precise process to determine the proper way to handle the user name.
You can find more information about the login control and its events here:
http://msdn.microsoft.com/en-us/library/system.web.ui.webcontrols.login.loggingin(v=vs.110).aspx

What's the concise way to disable the page in asp.net?

In an imaginary situation, a user that shouldn't have access to a web page navigates to that page.
This page is a child page. The user should not have ANY functionality in this page, or even be able to see anything, but he (or she) should be able to still use the master page controls. What do you do to disable the page?
I thought perhaps making a control element .visible=false, but is this secure? Is there some other way I should be disabling a page?

Provide a nopermission.aspx page that has the desired master page you wish, then in Page_Load redirect to that page:

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!HasPermission("User123")) // User does not have permission
            Response.Redirect("nopermission.aspx");
        // otherwise, the page continues as required
    }

You can put whatever friendly information you wish in the nopermission page.

Assuming I understood your question, and assuming you're referring to ASP.NET Web Forms, then look into <asp:LoginView /> controls.
It has an <AnonymousTemplate /> and a <LoggedInTemplate /> that represent the type of user respectively (anonymous or logged in, will be presented with the appropriate content).
It works with ASP.NET Forms Authentication.
For detail: MSDN - ASP.Net Login Controls
Hth....

Making a control visible = false if a user doesn't have access to it should be secure because nothing for this control is rendered by the server.
However, if a user tries to access a page they don't have access to, I usually log the activity and redirect them to a "sorry you don't have permissions to view this page" screen.

How to restrict the user that is already connected

I am working in ASP.NET and I want to restrict the user at login if the same user is already logged in or already connected. I am creating a table in SQL Server, USERS_CONNECTED, and placed a single field USER_ID in it. Whenever a user is logged in, its id is searched in the USERS_CONNECTED table. If the id is not found then the user is allowed to connect and the user id is added to the said table. But the problem is when the X button (present on the top right corner of the browser) is clicked to exit, then the user id should be deleted from the USERS_CONNECTED table. WHERE SHOULD I WRITE THIS CODE? I MEAN, ON WHAT EVENT?
Can anyone help...
Dev..

You can handle the end of a session. Add something like this to the global.asax.cs file:

    protected void Session_End(object sender, EventArgs e)
    {
        // Remove user from the USERS_CONNECTED table
    }

Just one thing to remember: it will not be fired immediately when the user closes his browser. This event will be fired when the session expires.

To me it sounds like you are trying to implement a form of authentication. What you can do is use Forms authentication that uses a cookie that will keep track of the user's activity. Have a look at this tutorial to see how it is implemented: Forms Auth Tutorial
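
An added example, not part of either answer above: one way to fill in the Session_End handler for the USERS_CONNECTED table from the question. The session key "UserId" and the connection string name "AppDb" are assumptions made for illustration.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;

// Code-behind for Global.asax.
public class Global : HttpApplication
{
    // Raised when a session times out or Session.Abandon() is called, and only
    // when sessionState mode is InProc. Closing the browser does not raise it;
    // the row stays until the session timeout elapses.
    protected void Session_End(object sender, EventArgs e)
    {
        // HttpContext.Current is null in this event, so read the ending session
        // through the application's Session property.
        // "UserId" is an assumed key that the login page stored in the session.
        object userId = Session["UserId"];
        if (userId == null)
        {
            return; // session ended before anyone logged in
        }

        // "AppDb" is an assumed connection string name from web.config.
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;

        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "DELETE FROM USERS_CONNECTED WHERE USER_ID = @id", conn))
        {
            // Parameterized so the stored id is never concatenated into the SQL text.
            cmd.Parameters.AddWithValue("@id", userId);
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

Because the row only disappears at session timeout, a user who closes the browser cannot log in again until that timeout has passed.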

Back button must not go to previous page after signing out

I am developing an ASP.NET web site and I am not using the inbuilt authentication controls of ASP.NET. I have manually created tables for the users of the site.
What I want is as follows:
After logging in, the user can access the pages (that is already done).
When the user presses sign out, the user goes to a specific page (example: default.aspx).
Now when the user presses the "back" button of the browser, it must not go to the previous page (that is done in Yahoo pages; I want to implement the same).

To prevent users from seeing the previous page when pressing the back button you need to instruct the browser not to cache this page:

    Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
    Response.Cache.SetValidUntilExpires(false);
    Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
    Response.Cache.SetCacheability(HttpCacheability.NoCache);
    Response.Cache.SetNoStore();

You could put this code in all authenticated pages, thus preventing them from being cached on client browsers.

For a page not to be cached the browser needs to respond appropriately to caching instructions, but there is no guarantee that this will work on every browser! (An appropriately evil person could write their own browser to ignore caching information, or write a proxy to strip it out...)
So you can't get this to work 100% of the time, but you're always going to face the problem that a user can easily take a screenshot, print out a page, save a copy on their disk, etc. once you've fed a page to them anyway...

The answer to your question is:
For "When the user presses sign out (user goes to a specific page, example: default.aspx)":
you can add a LinkButton as the sign-out link, and in the click event handler you can write

    Response.Redirect("Default.aspx");

For "Now when the user presses the "back" button of the browser it must not go to the previous page":

    // add the following code to the code-behind of the page
    protected override void OnPreRender(EventArgs e)
    {
        base.OnPreRender(e);
        string strDisAbleBackButton;
        // Inner quotes are escaped so the string literal compiles
        strDisAbleBackButton = "<script language=\"javascript\">\n";
        strDisAbleBackButton += "window.history.forward(1);\n";
        strDisAbleBackButton += "\n</script>";
        ClientScript.RegisterClientScriptBlock(this.Page.GetType(), "clientScript", strDisAbleBackButton);
    }

Refer to csharpdotnetfreak.blogspot.com
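
An added example, not taken from any answer on this page, combining the session check from the first thread with the no-cache headers from this one, so that Back after sign-out triggers a fresh request that the server then refuses. The class names AuthenticatedPage and SignOut and the ~/Login.aspx path are assumptions; Session["UserName"] is the key used in the first answer.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical base class: pages that require a login inherit from it instead of Page.
public class AuthenticatedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Ask the browser not to keep a copy, so Back has to re-request the page.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));

        // Runs on every request, postbacks included. The headers above are only
        // a hint to the client; this server-side check is what denies access.
        if (string.IsNullOrEmpty(Session["UserName"] as string))
        {
            Response.Redirect("~/Login.aspx"); // ends the response here
        }
    }
}

// Code-behind for a hypothetical SignOut.aspx that the log out link points to.
public class SignOut : Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        // Drop the server-side state first, then any forms-authentication ticket.
        Session.Clear();
        Session.Abandon();
        FormsAuthentication.SignOut();

        // Expire the session cookie so the old session id is not sent again.
        // "ASP.NET_SessionId" is the default name; web.config can rename it.
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        });
        Response.Redirect("~/Login.aspx");
    }
}
```

A log out link that only navigates to /Default, as in the first question, never reaches code like SignOut, which is why the earlier pages stayed reachable.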
