In an imaginary situation, a user that shouldn't have access to a web page navigates to that page.
This page is a child page. The user should not have ANY functionality in this page, or even be able to see anything, but he (or she) should be able to still use the master page controls. What do you do to disable the page?
I thought perhaps making a control element .visible=false, but is this secure? Is there some other way I should be disabling a page?
Provide a nopermission.aspx page that has the desired master page you wish, then in Page_Load redirect to that page:
protected void Page_Load(object sender, EventArgs e)
{
    if (!HasPermission("User123")) // User does not have permission
        Response.Redirect("nopermission.aspx");
    // Otherwise, the page continues as required
}
You can put whatever friendly information you wish in the nopermission page
Assuming I understood your question, and assuming you're referring to ASP.Net Web Forms, then look into <asp:LoginView /> controls.
It has an <AnonymousTemplate /> and a <LoggedInTemplate /> that represent the respective type of user (anonymous or logged in; each will be presented with the appropriate content).
It works with ASP.net Forms Authentication.
For detail: MSDN - ASP.Net Login Controls
Hth....
Making a control visible = false if a user doesn't have access to it should be secure because nothing for this control is rendered by the server.
However, if a user tries to access a page they don't have access to, I usually log the activity and redirect them to a "sorry you don't have permissions to view this page" screen.
Related
I am a newbie creating an ASP.NET web application for my application. I will have different users, and I didn't use any special forms or methods to do the login. I have an Access DB; in it I have user role, company, username, and password.
In my login page, through text boxes, I get the company, username and password entered by the end user. Then I check the company and username (which is the primary key in the table). If the password matches, I find the user role and redirect to the pages for each user.
That works fine now.
I have a log out button which sits in the site master page:
<div id="logout" runat="server" visible="false" class="navbar-brand1">
<a id="lo" runat="server" href="/Default">Log Out </a>
</div>
Then, in the pages where I want to show the log out button, I call this code:
Master.FindControl("logout").Visible = true;
It was working fine with respect to logging in and logging out. But in fact the log out button just redirects to the first page of the site, and if I use the back arrow in the browser I can go back to the previous page I was on. Is there any way I can do it neatly, so that after log out, even if I go back in the browser, it will ask for login?
Any help will be really appreciated. I made a mistake and created the complete application; now I am worried about this feature, so technically I am not logging out :(
Whenever a user opens a page in the system, use the code below to check if the session is valid:
if (!IsPostBack)
{
    if (Convert.ToString(Session["UserName"]).Length <= 0)
    {
        Response.Redirect("Login.aspx");
    }
}
When the user clicks on the SignOut button, redirect to a SignOut.aspx page. Use the code below in the form load event of SignOut.aspx to clear the session:
protected void Page_Load(object sender, EventArgs e)
{
    Session.Abandon();
    Session.Contents.RemoveAll();
    System.Web.Security.FormsAuthentication.SignOut();
    Response.Redirect("Login.aspx");
}
Well, your question is how to do the proper login.
The proper way is not to reinvent the wheel, but to use the framework that is built into ASP.NET:
https://msdn.microsoft.com/en-us/library/ms731049%28v=vs.110%29.aspx
It will give you a lot of extra features, like using OpenAuth etc.
Example:
https://msdn.microsoft.com/en-us/library/aa354509%28v=vs.110%29.aspx
As #Chathuranga Ranasinghe mentioned, I used a session variable to store the username details, and I check whether the session variable is empty; if so, I go to my default page, otherwise I continue.
// Redirect when the "iden" session variable is missing or empty
if (string.IsNullOrEmpty((string)Session["iden"]))
{
    Response.Redirect("/Default.aspx");
}
I used this on the pages that come after login, and it works fine for me now.
I have a hosting account with GoDaddy.com, IIS 7 server running .NET 4.0, and I am in the early stages of developing a web site for our church. The content is a free CSS based template I have moved into an ASP.NET Web App with Master pages. (If critique on content is necessary please keep in mind this is a very early stage of development...but I am open to any suggestions. :) )
For some reason, when I enter the full URL to the default page, the page renders properly. However, if I only enter the folder name without the page name, I only get the content from the page itself.
See for yourself:
http://www.websmithsllc.com/lpacftp/Home.aspx
http://www.websmithsllc.com/lpacftp
I don't think this is an issue with my wire-up between the content page and the masterpage as it will properly render when I use the full URL. Therefore, I assume the issue is in one of three areas:
1. How I am publishing: One Click to an FTP directory
2. The project settings: Currently Home.aspx is the start page
3. An issue with the settings on my host.
I really hope the issue isn't #3 because my experience so far has been that their tech support is severely lacking in the area of Visual Studio / IIS development and publishing.
Now, some additional clues. I KNOW that the Site.Master file is being rendered, at least to some extent. The menu that is being displayed is created in the Site.Master.Page_Load event handler:
protected void Page_Load(object sender, EventArgs e)
{
    // Load sidebar content
    Page p = HttpContext.Current.CurrentHandler as Page;
    menuContent.Text = Helpers.StaticHelperMethods.GenerateMenuContent(p.Title);
}
Static method:
public static string GenerateMenuContent(String pageTitle)
{
    StringBuilder menu = new StringBuilder();
    if (pageTitle == "Home")
    {
        menu.Append("Home\n");
    }
    else
    {
        menu.Append("Home\n");
    }
More similar code...
In this case, p.Title should == "Home", but the code is responding as though it does not, and I don't know how (if I can) to debug live to see what's going on. Finally, if you look closely at the second link, you'll notice some stock ASP.NET advertising text that appears to be coming from the stock "Default.aspx" file in the BodyContent asp:Content object. However, looking at the properties/Web tab I can see that the startup action is Specific Page : Home.aspx.
So- hopefully I haven't added a ton of unnecessary info here, but at least enough for someone with more experience to help me figure out what I'm doing wrong here.
Thanks in advance for whatever help you can offer me on this.
You need a default page. Create it and then in the code behind in Page_Load write:
Response.Redirect("Home.aspx");
Or change your default page in IIS. Or change your home page to Default.aspx (and rename the class and the page directive).
Of the three, creating a Default.aspx page that redirects to Home.aspx is likely the easiest.
Yes, MatthewMartin is correct. Your hosting service's IIS is not configured to pick up "Home.aspx" as a default page. You will need to either get them to add it to the IIS configuration, or rename your home page to Default.aspx, or create a "dummy" Default.aspx that redirects to your Home.aspx.
I have 2 master pages with the same (href) links at the top of the page. Now these links load on the same master page when clicked on (by requirement). The problem is that both these master pages have the same links, so basically the same page will be loaded in the master page.
Now what I need is this: when the person is on Master Page 1 and clicks on the link, it should load in the same page. Whereas if the user is on Master Page 2 and clicks on the same link, I should be able to change the master page from 1 to 2 and load that in Master Page 2. Something like DirectCast.
Any ideas?
You can switch the master page in the Page_PreInit event. For more of an explanation check out http://msdn.microsoft.com/en-us/library/ms178472.aspx
It would look like:
void _Default_PreInit(object sender, EventArgs e)
{
    this.MasterPageFile = "NewMasterPage.master";
}
I don't think I fully understand your use case, but here are some ideas:
You could track which MasterPage the user is on through Session state, and use that to remember which MasterPage to show in subsequent visits.
If you can alter the hrefs slightly, you could use a query string to indicate which MasterPage should be utilized.
Depending on your application, you could store which MasterPage should be used in your database, tied to each user.
I assume you're dynamically switching MasterPages based on some logic, so it just comes down to choosing a method to store which MasterPage should be used.
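One way to combine the query-string and Session ideas above without letting the request choose an arbitrary file, as an added example that is not part of the original answers. The page class name Report, the "layout" key and the two .master file names are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web.UI;

// Added example with hypothetical names; not code from the original answers.
public partial class Report : Page
{
    // Only these short keys are accepted. The request never supplies a
    // file path, so it cannot point MasterPageFile at an unexpected file.
    private static readonly Dictionary<string, string> MasterPages =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "one", "~/MasterPage1.master" },
            { "two", "~/MasterPage2.master" }
        };

    private const string DefaultKey = "one";

    // Returns the key itself when it is on the list, otherwise the default.
    internal static string NormalizeKey(string requestedKey)
    {
        return requestedKey != null && MasterPages.ContainsKey(requestedKey)
            ? requestedKey
            : DefaultKey;
    }

    // MasterPageFile can only be changed during PreInit or earlier.
    protected void Page_PreInit(object sender, EventArgs e)
    {
        // The query string wins; otherwise reuse the choice kept in Session.
        string requested = Request.QueryString["layout"]
                           ?? (Session["layout"] as string);

        string key = NormalizeKey(requested);
        Session["layout"] = key;          // store only the validated key
        MasterPageFile = MasterPages[key];
    }
}
```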
I am developing an ASP.NET web site and I am not using the built-in authentication controls of ASP.NET. I have manually created tables for the users of the site.
What I want is as follows:
After logging in, the user can access the pages (that is already done).
When the user presses sign out, the user goes to a specific page (for example, default.aspx).
Now when the user presses the "back" button of the browser, it must not go to the previous page (that is done in Yahoo pages; I want to implement the same).
To prevent users from seeing the previous page when pressing the back button you need to instruct the browser not to cache this page:
Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
Response.Cache.SetValidUntilExpires(false);
Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();
You could put this code in all authenticated pages, thus preventing them from being cached on client browsers.
For a page not to be cached the browser needs to respond appropriately to caching instructions, but there is no guarantee that this will work on every browser! (An appropriately evil person could write their own browser to ignore caching information, or write a proxy to strip it out...)
So you can't get this to work 100% of the time, but you're always going to face the problem that a user can easily take a screenshot, print out a page, save a copy on their disk, etc. once you've fed a page to them anyway...
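Combining the per-page session check and the no-cache headers from the answers above, as an added example that is not part of the original answers. The headers only keep a browser from showing a stored copy; the session check on every request is what refuses access after sign-out. The AuthenticatedPage class name is hypothetical, and the example assumes the login page stores the user name in Session["UserName"] and lives at ~/Login.aspx.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example, not code from the original answers. Pages that require a
// login inherit from this hypothetical base class instead of from Page.
public class AuthenticatedPage : Page
{
    // Assumptions: the login page sets Session["UserName"], and the login
    // page lives at ~/Login.aspx.
    private const string SessionKey = "UserName";
    private const string LoginUrl = "~/Login.aspx";

    // True only when the session holds a non-empty user name.
    internal static bool IsSignedIn(object sessionValue)
    {
        return !string.IsNullOrEmpty(sessionValue as string);
    }

    protected override void OnInit(EventArgs e)
    {
        // Ask the browser and any proxy not to keep a copy, so that Back
        // after sign-out causes a new request instead of showing a stored page.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));

        // Runs on every request, postbacks included, before Page_Load and
        // before any control event handler.
        if (!IsSignedIn(Session[SessionKey]))
        {
            // endResponse: true stops page execution here, so no handler
            // runs and nothing is rendered for a signed-out request.
            Response.Redirect(LoginUrl, true);
        }

        base.OnInit(e);
    }
}
```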
The answer to your question is:
For "When user press sign out (user goes to specific page - example - default.aspx)":
You can add a LinkButton as a Signout link, and in the click event handler you can write:
Response.Redirect("Default.aspx");
For "Now when user press "back" button of browser, it must not go to previous page":
// Add the following code to the code-behind of the page
protected override void OnPreRender(EventArgs e)
{
    base.OnPreRender(e);
    string strDisAbleBackButton;
    strDisAbleBackButton = "<script language=\"javascript\">\n";
    strDisAbleBackButton += "window.history.forward(1);\n";
    strDisAbleBackButton += "\n</script>";
    ClientScript.RegisterClientScriptBlock(this.Page.GetType(), "clientScript", strDisAbleBackButton);
}
Refer to csharpdotnetfreak.blogspot.com
When I have a child .ASCX control that needs to affect something in the parent page, I'm not completely sure how I am supposed to handle the event flow in the case where I need to update something in the parent page.
What I've always ended up doing is putting logic into the 'Pre_Render' event handler.
Since this is processed after any child .ascx controls are processed, I can be sure to render the ASPX page correctly before it displays. I just don't think this is a good design and I've always cringed when I've had to do it. But now there is stackoverflow so I can finally ask it!
For instance, let's say I have a 'login control' ascx control in a page. The containing page displays a text label in the header bar for 'current logged in user'.
Let's say I click the 'login' button, which will then trigger my authentication and log my user in. The problem is that the text label in the parent page has already been rendered as 'No user logged in'. That's no good!
By putting the logic into 'PreRender' it will be rendered after the user has logged in. I just don't like this because that's not what PreRender is for.
What is the intended best practice here that I'm missing? I know I could put an event handler on the user control, but that seems clumsy too because there'd be too much coupling.
PS. I'm just using this as an example. I've had this problem numerous other times, so please don't reply telling me how to implement login!
In your ascx.cs:
public delegate void NavigateEventHandler(int PID); // if you want a custom handler
public event NavigateEventHandler onNavigate;
In your page.aspx.cs:
protected void Page_Init(object sender, EventArgs e)
{
    eSelector1.onNavigate += new PostSelector.NavigateEventHandler(eSelector1_Navigate);
}
public void eSelector1_Navigate(int PID)
{
    eSelector1.PopulateComments(eSelector1.m_PID);
}