Using MasterPage disadvantages - asp.net

We can use MasterPage for integrating the layout of the header and footer for example.
But we can use it for server-side operations like checking Session for user login.
Is this method risky? What are the disadvantages if we are using this method?

There are no disadvantages in using the Session in master pages. Rather, it helps with checking session values, as there is no need to check the values on every page. They can be checked only in the master page and that will take effect on all the pages.

I don't think we should check session for user login manually in code. ASP.NET provides us with Forms Authentication which already does that for us. Authentication is another concern that should not be mixed with page logic (separation of concerns).

Master pages can be used to check whether a session exists for an authenticated user; if not, redirect the user to the login screen.
On the login screen, try using ASP.NET login controls.

Related

How to pass login userid to all pages when i redirect to any page by clicking menu

I am creating a customer module in an ASP.NET website project. I developed a login page, and from the login page I am entering the customer home page. Here I am giving menu items like:
1. customerprofile
2. customerpurchased items
3. customervieweditems
4. customerbillingpage
Here, for every page I need the user login ID, which should come directly in page load.
Please, can anyone help me with how to pass the login user ID to the above 4 pages?
You should look into authentication for this site. Search on FormsAuthentication using a FormsAuthenticationTicket, or use the newer Membership and Roles functionality. Do this properly and you really don't "pass" the login around; you read it from the HttpContext.Current.User.Identity container.
Why not use Session? Session is the best case for your scenario. Or, if you want to use an authentication mechanism, then go for Membership Provider or FormsAuthentication: How To Implement Simple Forms Authentication
```csharp
// Store the user ID in the session
Session["UserID"] = yourUserID;
// To retrieve it (Session["UserID"] is null once the session has expired)
var userID = Session["UserID"].ToString();
```

Forms Authentication issue with WebBrowser Class in asp.net

I am developing a site, and in this site I'm building functionality to capture a screenshot of a page. In my site I am using forms authentication.
So when a user logs in to the website he/she has to enter the credentials and then go to their profile page.
So now I am just creating a thumbnail of the user profile page using the WebBrowser control, but the problem is that I'm using forms authentication and it always captures the login form page because of forms authentication.
So please help me ASAP.
In that case you will need to perform login programmatically for forms authentication. Here is the piece of code which will be required.
FormsAuthentication.SetAuthCookie(UserName, false);
And here is more info
http://weblogs.asp.net/joseguay/archive/2009/03/23/the-asp-net-capsule-2-login-programmatically-with-forms-authentication.aspx.
However, be aware that the code you are using for creation of the screenshot might not go well with it. So take care of this. These posts might help you in that case: Send credentials to WebBrowser
You have to simulate forms authentication via the WebBrowser control - essentially, use the document object model (Document property) to locate the user name/password input boxes, set their values and trigger submit (either inject JavaScript to do the form submit OR use the DOM to simulate a login button click).
IMO, a better way would be to use WebRequest (HttpWebRequest) to simulate the POST to the login page to do authentication and then issue a request to the user profile page. Get the page HTML (from the response) and load it in the WebBrowser control using the DocumentText property.
In case you have control over the server site, you may modify the user profile page to allow un-authenticated access over certain requests (for example, from the local machine or a specified IP etc).

ASP.NET Login Control - Is it possible to extend it with custom data?

I'm currently developing an ASP.NET website, and I'm using ASP.NET's built-in Login control with client-side cookie generation for state management.
Unfortunately, as I didn't figure out how to append custom information (generated by other controls on my application) to the Login control self-generated cookie, my application generates an additional cookie to store that additional info. Basically, I have two cookies: one managed by the Login control and another managed by me, programmatically.
What I would like to know is if it's possible to merge my additional information into the infrastructure's Login control self-generated cookie. This would prevent some issues with the "sliding timeout" feature that could result in my "custom cookie" expiring with the user being logged in - I could solve this one with a custom HTTP Module to prevent it, but that seems to me an "inelegant" solution.
Any brilliant mind could help me out with this?
Thanks in advance for your attention and support.
Yes, you can store data in the UserData property of the authentication ticket. Please see the section "Storing the Username of the Admin User Who Logged On As Another User" at https://web.archive.org/web/20210304120451/https://www.4guysfromrolla.com/articles/102208-1.aspx
However, you might find the User Profile system to be more useful. https://web.archive.org/web/20211020111657/https://www.4guysfromrolla.com/articles/101106-1.aspx
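
As an added example (not code from the answer above or from the linked articles), this is one way to carry custom data in the `UserData` property of the Forms Authentication ticket, so it is encrypted with the ticket and expires with it instead of living in a second cookie. `AuthTicketHelper`, `SignIn` and `GetCustomData` are hypothetical names, and the code assumes .NET Framework 4 or later for `FormsAuthentication.Timeout`.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example; AuthTicketHelper and its method names are hypothetical.
public static class AuthTicketHelper
{
    // Call after the credentials have been validated, in place of
    // FormsAuthentication.SetAuthCookie, which cannot set UserData.
    public static void SignIn(HttpResponse response, string userName,
                              string customData, bool persistent)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,                                     // ticket version
            userName,
            now,                                   // issue date
            now.Add(FormsAuthentication.Timeout),  // <forms timeout="..."> from web.config
            persistent,
            customData ?? string.Empty,            // keep small: the whole ticket must fit in one cookie
            FormsAuthentication.FormsCookiePath);

        // Encrypt() protects the ticket with the machineKey settings
        // (encrypted and validated under the default protection="All").
        string encrypted = FormsAuthentication.Encrypt(ticket);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                          // not readable from client script
            Secure = FormsAuthentication.RequireSSL,  // follows <forms requireSSL="...">
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent)
            cookie.Expires = ticket.Expiration;       // otherwise a browser-session cookie
        response.Cookies.Add(cookie);
    }

    // Returns the custom data of the current request's ticket, or null when the
    // user was not authenticated through Forms Authentication.
    public static string GetCustomData(HttpContext context)
    {
        var identity = context.User == null
            ? null
            : context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return null;
        return identity.Ticket.UserData;
    }
}
```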

asp.net masterpage preinit function

I am writing a login page in ASP.NET C#, not using the login control.
I can create an account and log in without problems as a user.
The pages that require login have a separate master page,
and I want to check if the user is logged in in the master page's Page_PreInit function.
But the problem is that child page event functions are called before the master page's, so I could experience a problem like the session expiring in the child page before I get to check it in the master page. Is there any way around this?
OK, found the event I'm looking for. Second one on the list:
http://msdn.microsoft.com/en-us/library/dct97kc3.aspx
Are you using FormsAuthentication? You shouldn't need to worry about this. Authentication happens in the IIS pipeline before the Request is handed off to your Page object, and if the user's authentication fails, it will never get there, being redirected to the login page instead.
None of your PreInit code should be called by an unauthenticated user if the page is protected by FormsAuthentication.
This is one of many reasons why rolling-your-own authentication is a risky approach. There are lots of corner cases.
Since you're storing the user ID in the Session object, then once the session expires, you can't access it any more; it doesn't matter if it's from the child page or the Master page.
Instead of using Session, it would be better to use cookies. You could have a long life on the cookie itself, with the login expiration time encoded in the value of the cookie or kept in the database, keyed by the value of the cookie. That way, the session could expire, but you would still be able to refresh it or take some other action, rather than just reporting an error.

Partial site SSL using asp.net login control

I'm attempting to convert a home-grown login system to the standard asp.net login control included in .net. I want all communication on the website for a user not logged in to be in clear text, but lock everything in SSL once the user logs in - including the transmission of the username and password.
I had this working before by loading a second page - "loginaction.aspx" - with a https: prefix, then pulling out the username and password by looking for the proper textbox controls in Request.Form.Keys. Is there a way to do something similar using the .net login controls? I don't want to have a separate login page, but rather include this control (within a loginview) on every page on the site.
You're not going to be able to do what you're talking about simply, because the postback (which is what the login control uses) is going to be whatever the page's security is (SSL or non-SSL).
Your best bet in this scenario is to use an IFRAME which contains an HTTPS (SSL) page that just contains the login control. You might have to redirect to another page after login that lets you jump out of the IFRAME.
Plan B would be to have a separate form on the page (outside your main FORM) which has the ACTION property point to another page where you handle the login. You will have to roll your own login code to handle the forms authentication.
I was able to accomplish this by adding an OnClientClick event to the login button control and set it to the following javascript function.
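```javascript
// Runs from the login button's OnClientClick: if the form would post back
// over http:, rewrite its action to https: before it is submitted.
function forceSSLSubmit()
{
    var strAction = document.forms[0].action.toString();
    if (strAction.toLowerCase().indexOf("http:") == 0) {
        strAction = "https" + strAction.substring(4);
        document.forms[0].action = strAction;
    }
}
```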
You aren't going to be able to have your site as non-SSL, with a login box on every page, and then submit the username and password via SSL.
The only way to really accomplish this is to use frames of some sort. This way your entire page could be non-SSL, but the login frame would have to be SSL.
The usual ways of doing this are to either lock down the entire site with SSL, not worry about having the username and password SSL encrypted and go to SSL after they log in, or go the frame route I mentioned above.
