Session becoming Null after Response.redirect - asp.net

I set two sessions which I fill from a database:
Session("username") = reader.Item("user_name").ToString
Session("department") = reader.Item("user_department").ToString
to add restrictions depending on the department the user is signing in from (IT department, customer service, etc.).
The sessions are readable from the form LogIn.aspx to the form Default.aspx.
But in other pages:
If Session("Department") <> "IT" Then
    Response.Redirect("LogIn.aspx")
End If
This redirects to LogIn.aspx and Session("Department") equals Nothing.
Any idea why it is doing so? I tried searching for something missing in my code and I couldn't find anything.

The key is case sensitive, so change it to "department". Currently it's set to "Department".

Instead of this
If Session("Department") <> "IT" Then
use this
If Session("department") <> "IT" Then
Spelling mistake (keys are case sensitive).
And use the If condition with a safety check, like this:
If Session("department") IsNot Nothing AndAlso Not Session("department").ToString().Equals("IT") Then
    Response.Redirect("LogIn.aspx")
End If

Related

for cookie poisoning demo, write and read cookies in vb.net

I would like to test cookie poisoning, so I want to edit one of my projects. There, I would like to write cookies which will contain the subtotal of products, and the checkout page will use it again to show the subtotal. I am not sure whether my thinking is correct or not, and also my cookies are not working.
First, I put this code under the addcart button method:
Dim aCookie As New HttpCookie("SubTotal")
aCookie.Value = objShopCart.ComputeSubTotal().ToString()
aCookie.Expires = DateTime.Now.AddDays(1)
HttpContext.Current.Response.Cookies.Add(aCookie)
And in the checkout page:
If (Request.Cookies("aCookie") IsNot Nothing) Then
    Dim subTotal As String
    If (Request.Cookies("aCookie")("SubTotal") IsNot Nothing) Then
        subTotal = Request.Cookies("aCookie")("SubTotal")
        lblSubTotal.Text = subTotal
    End If
End If
According to the above code, I cannot read the cookies. Request.Cookies("aCookie") is always Nothing and I don't know why. And for the cookie poisoning demo, I intend to intercept the cookie when I put things into the shopcart and edit it, so that when I get to the checkout page it is shown with wrong info for the subtotal etc. I'd appreciate any help.
You need to retrieve the cookie value by the same name you saved it under. For example,
If (Request.Cookies("SubTotal") IsNot Nothing) Then
    Dim subTotal As String
    subTotal = Request.Cookies("SubTotal").Value
    lblSubTotal.Text = subTotal
End If
Just FYI, you do not want to save the subtotal in a cookie, because it can be manipulated easily on the client side. Save it in session state or recalculate it on the checkout page again.
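The attack the question wants to demonstrate, and the defences the answer recommends, as an added Python example (it is not the VB.NET code from the post; the price list, cart contents and SECRET_KEY are constructed for the demo). A naive checkout trusts the SubTotal cookie, so rewriting it in an intercepting proxy changes the total; a checkout that recomputes from the server-side cart ignores the cookie, which is the answer's advice; and, going one step beyond the answer for the case where a cookie has to carry state, an HMAC-signed cookie lets the server detect the edit and reject it.

```python
import hashlib
import hmac
from decimal import Decimal
from typing import Dict, Optional

# Hypothetical server-side secret for the signed-cookie variant. Constructed
# for the demo; a real deployment loads it from configuration, not source.
SECRET_KEY = b"demo-secret-rotate-me"

# Constructed server-side price list. Quantities come from the user; prices never do.
PRICE_LIST = {"widget": Decimal("19.99"), "gadget": Decimal("5.00")}


def compute_subtotal(cart: Dict[str, int]) -> Decimal:
    """Recompute the subtotal from server-held prices and the cart quantities."""
    return sum((PRICE_LIST[item] * qty for item, qty in cart.items()), Decimal("0"))


# -- vulnerable flow: the question's cookie, trusted as-is -------------------

def write_subtotal_cookie(cart: Dict[str, int]) -> Dict[str, str]:
    """Add-to-cart step: emit a plain SubTotal cookie, as the post does."""
    return {"SubTotal": str(compute_subtotal(cart))}


def checkout_naive(cookies: Dict[str, str]) -> Decimal:
    """Checkout that believes whatever the client sends back."""
    return Decimal(cookies["SubTotal"])


# -- defence 1 (the answer's advice): recalculate, ignore the cookie --------

def checkout_recalculated(cart: Dict[str, int], cookies: Dict[str, str]) -> Decimal:
    """Checkout that never reads the cookie; the cart lives in session state."""
    return compute_subtotal(cart)


# -- defence 2: HMAC-signed cookie, so tampering is detected -----------------

def sign_value(value: str) -> str:
    """Return 'value.hexmac'; the MAC covers the value under SECRET_KEY."""
    mac = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_value(signed: str) -> Optional[str]:
    """Return the value if its MAC verifies, otherwise None."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: do not leak where the first mismatching byte is.
    return value if hmac.compare_digest(mac, expected) else None


def write_signed_cookie(cart: Dict[str, int]) -> Dict[str, str]:
    """Add-to-cart step that signs the subtotal before sending it."""
    return {"SubTotal": sign_value(str(compute_subtotal(cart)))}


def checkout_signed(cookies: Dict[str, str]) -> Optional[Decimal]:
    """Checkout that accepts the cookie only when the MAC is valid."""
    value = verify_value(cookies.get("SubTotal", ""))
    return None if value is None else Decimal(value)


def run_demo() -> Dict[str, object]:
    """Replay the intercept-and-edit attack against all three checkouts."""
    cart = {"widget": 2, "gadget": 1}  # honest subtotal is 44.98

    # The attacker intercepts the plain cookie and rewrites the number.
    poisoned = write_subtotal_cookie(cart)
    poisoned["SubTotal"] = "0.01"

    # The same edit against the signed cookie keeps the old MAC, which
    # no longer matches the new value.
    signed = write_signed_cookie(cart)
    tampered = {"SubTotal": "0.01." + signed["SubTotal"].rpartition(".")[2]}

    return {
        "honest": compute_subtotal(cart),
        "naive_after_poison": checkout_naive(poisoned),
        "recalculated_after_poison": checkout_recalculated(cart, poisoned),
        "signed_untouched": checkout_signed(signed),
        "signed_after_poison": checkout_signed(tampered),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Recalculating on the server is the simpler and stronger option whenever the cart is already held server-side; the signed cookie only proves the value was issued by the server, it does not stop a user replaying an older, cheaper signed cookie, so a real implementation would also bind it to the session and an expiry.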

QueryString not accepting &amp; - Needs to

I need to be able to handle an HTML encoded ampersand in my .Net code.
So the URL is
http://myite.com/index.aspx?language=en&amp;Refresh=true
There is no way of changing this as it has been generated by something else, so this is out of my control.
How can I read the Refresh parameter?
I have tried
HttpUtility.UrlDecode(Request.QueryString("Refresh"))
but my Request.QueryString("Refresh") is actually empty, so this is pointless, as is Uri.EscapeDataString.
This can't be the first time this has happened, but I'm struggling to find a solution, as most people would say use URL encoding, but as I said, the URL is out of my control.
& in your query string should be %26.
Since you can't correct the URL, you can read the refresh value as:
Request.QueryString("amp;Refresh")
Note that the developer of the service you are using may correct this in future.
It would be good to be ready for that already:
Dim refresh = Request.QueryString("amp;Refresh")
If String.IsNullOrEmpty(refresh) Then
    refresh = Request.QueryString("Refresh")
End If
nunespascal's answer pretty much solves your problem. There are some alternative methods.
If it's guaranteed that your Refresh parameter is the second key in the QueryString collection, then you can use Request.QueryString(1).
Another method is to do a Contains on the keys of the QueryString collection.
If Request.QueryString IsNot Nothing AndAlso Request.QueryString.AllKeys.Count() > 0 Then
    ' A key can be Nothing for a bare "?foo" segment, so guard before calling Contains
    Dim refreshKey = Request.QueryString.AllKeys.FirstOrDefault(Function(nv) nv IsNot Nothing AndAlso nv.Contains("Refresh"))
    If refreshKey IsNot Nothing Then
        Dim refreshValue = Request.QueryString(refreshKey)
    End If
End If
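How the server sees the URL from the question, and a reader that tolerates the escaped separator, as an added Python example (not the page's VB.NET; the URLs are the question's, and the extra AutoRefresh key is constructed). The exact-key-then-repair order in read_param plays the same role as reading Request.QueryString("amp;Refresh") with a fallback to "Refresh", but also copes with a double-escaped "&amp;amp;"; keys_matching shows why the Contains("Refresh") fallback on AllKeys can pick the wrong key.

```python
from typing import Dict, List, Optional
from urllib.parse import unquote_plus, urlsplit


def parse_query(query: str) -> Dict[str, List[str]]:
    """Split a raw query string the way the server does: on '&' only, then URL-decode.

    A literal ampersand inside a value must arrive as %26. '&amp;' is not a
    separator here, so 'language=en&amp;Refresh=true' yields the key 'amp;Refresh'.
    """
    params: Dict[str, List[str]] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def read_param(url: str, name: str) -> Optional[str]:
    """Return the first value for `name`, tolerating HTML-escaped separators.

    The exact key is tried first, so the code keeps working once the upstream
    generator is fixed; only then are '&amp;' (and double-escaped '&amp;amp;')
    separators repaired and the query reparsed.
    """
    query = urlsplit(url).query
    params = parse_query(query)
    if name in params:
        return params[name][0]
    # Repair only the separators. html.unescape() is deliberately avoided:
    # under HTML5 rules it also decodes semicolon-less entities, so a key
    # named 'copy' in '&copy=2' would silently become the copyright sign.
    while "&amp;" in query:
        query = query.replace("&amp;", "&")
    fixed = parse_query(query)
    return fixed[name][0] if name in fixed else None


def keys_matching(url: str, fragment: str) -> List[str]:
    """Every key a FirstOrDefault(key.Contains(fragment)) lookup could pick."""
    return [k for k in parse_query(urlsplit(url).query) if fragment in k]


if __name__ == "__main__":
    broken = "http://myite.com/index.aspx?language=en&amp;Refresh=true"
    print(sorted(parse_query(urlsplit(broken).query)))  # ['amp;Refresh', 'language']
    print(read_param(broken, "Refresh"))                 # true
    ambiguous = "http://myite.com/index.aspx?AutoRefresh=1&amp;Refresh=true"
    print(keys_matching(ambiguous, "Refresh"))           # ['AutoRefresh', 'amp;Refresh']
```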

alternatives to User.Identity.Name

Afternoon all,
I am displaying the username on a web page to state who has locked the web page for editing. I am using the following code...
If String.IsNullOrEmpty(lock.LockedBy) Then
    lock.LockedBy = User.Identity.Name
    hdnIsLockedBy.Value = User.Identity.Name
    lock.AgendaID = Integer.Parse(lblAgendaNumber.Text)
End If
I understand that User.Identity.Name brings back Domain\Name. I was wondering if I can just pull back the name of the user only, as I can't see any suitable alternatives?
Regards
Betty
If you can assume that the domain name will be the same for all users, simply strip it from User.Identity.Name using String.Replace:
User.Identity.Name.Replace("MyDomainName\", "")
I'd just do something like this:
lock.LockedBy = User.Identity.Name.Contains("\\") ? User.Identity.Name.Substring(User.Identity.Name.IndexOf("\\") + 1) : User.Identity.Name;
If it's something you are doing often, move it to a function.

Forms Authentication Not Validating User properly

I have this code to sign in the user; the string sUserData is properly set.
Dim sUserData As String = HttpContext.Current.Request.Cookies("UserID").Value & "|" & HttpContext.Current.Request.Cookies("UserName").Value & "|" & HttpContext.Current.Request.Cookies("UserEmail").Value
Dim fat As FormsAuthenticationTicket = New FormsAuthenticationTicket(1, _
    HttpContext.Current.Session("UserID").ToString(), DateTime.Now, _
    DateTime.Now.AddDays(6), True, sUserData, _
    FormsAuthentication.FormsCookiePath)
HttpContext.Current.Response.Cookies.Add(New HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(fat)))
Then I have code where I check if the user is signed in, in a Shared (static) method in a Public Class, like this:
If HttpContext.Current.User.Identity.IsAuthenticated Then
End If
And that works just fine, but if I put the same line in Page_Load instead of a Shared method of a class, it will never go into this If statement:
If HttpContext.Current.User.Identity.IsAuthenticated Then
End If
Why is this happening, and is there some way to re-write this to work in the code-behind Page_Load instead of having to put it in a class? The class is used in a header to allow access to certain pages, so that works fine. But I need another way of authenticating the user on the Default page to change labels and buttons based on whether the user is logged in or not, and this cannot be done in a class.
Have you tried putting the page event overrides into an actual page event override (i.e. OnLoad) instead of the Page_Load event hook implementation? It is more performant (fewer layers of invoke), and the slight difference in life-cycle may suit your needs and may distill the cause of these symptoms.
There may be a sequencing issue / race condition between the context of the static method call and the Page_Load. I think Wiktor Zychla pointed you in the direction of Fiddler already.

ASP.NET / VB.NET Check If a (different) User IsInRole

I have an ASP.NET application on our company's intranet. And a funky security requirement.
I need to check to see if a given username is in a certain role. I cannot use
Page.User.IsInRole("MyDomain\MyGroup")
because
Page.User.Identity.Name
returns an empty string. Because of some lovely specifications for this program, I have to keep anonymous access enabled in IIS. That seems to rule out any Page.User.Identity stuff.
So I did find a way to (at least) get the current user (from System.Environment.UserName), but I need to bounce it against the domain group to see if they're in it. Or, better yet, get a list of users within a given domain so I can check myself. Something like...
Dim UserName As String
UserName = System.Environment.UserName
If User(UserName).IsInRole("MyDomain\MyGroup") Then
    MyFunction = "Success"
End If
-OR-
Dim GroupUsers As String()
GroupUsers = GetDomainUserNames("MyDomain\MyGroup")
Anybody have any ideas?
You can call IsUserInRole from the Roles static class. Here is a sample and some reference materials:
Roles.IsUserInRole(username, rolename)
link: http://msdn.microsoft.com/en-us/library/system.web.security.roleprovider.isuserinrole.aspx
