Help with Login Page in vb.net - asp.net

I'm new to .NET and have been searching on this issue but no luck. I have created a login page, with a user ID and password. In my web.config, I put the following code in to deny users who are not authenticated.
<authentication mode="Forms">
<forms loginUrl="Login.aspx" timeout="10" protection="All" />
</authentication>
<authorization>
<deny users="?"></deny>
</authorization>
What I'm trying to accomplish is that when a user enters the correct information, I would like to store a small amount of information about the user in a cookie, say for example if they're an admin, manager, user, etc. Here is the code that runs when the user clicks the submit button. The problem is that the page doesn't redirect to the page after the user enters correct information. Any help would be very much appreciated.
If txtPassword.Text.ToLower = "test" Then
'Create a cookie
Dim cookie As New HttpCookie("UserInfo")
'Cookie variables
cookie("User") = txtUser.Text
cookie("UserGroup") = "Admin"
'Add Cookies to current web responses
Response.Cookies.Add(cookie)
Response.Redirect("login_successful.aspx")
'FormsAuthentication.RedirectToLoginPage("login_successful.aspx")
Else
lblResult.Text = "Incorrect Password"
End If

I wouldn't recommend using cookies to store role information. Use one of the built in providers to accomplish this task. For example, try this.
Open Visual Studio or Visual Studio Express and create a new "ASP.NET Web Application." You will notice that it includes an "Account" directory with examples of how to use the built-in providers. You have to set up the database with the correct tables, roles, sprocs, etc. to use the built-in providers, but it's easy. If you have .NET 4.0 installed, the program that sets up the database to use the built-in providers is called aspnet_regsql.exe and it's typically located here:
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
Then to solve your login problem you can use the Login control and use the Login.DestinationPageUrl attribute to redirect the user to whichever page you desire after they log in.
Even if you don't use the built in providers this will give you a much better idea of how to go about implementing roles into your webpage.

I guess before redirecting you have to set the authentication cookie first by calling the FormsAuthentication.SetAuthCookie method.
And yes, do consider Joel Coehoorn's comment about saving information in cookies.

Rather than using a cookie to store that information (which can be hacked), you should store Roles in the ASPNetRoles table and associate roles to users when they are created. You can check a role with the following code:
If (Roles.IsUserInRole("rolename")) Then
'Do something useful
End If
As for the redirect, in what event handler is it included?
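
The approach suggested in the answers above, as an added example that is not part of the original posts: the login handler issues the forms-authentication ticket with FormsAuthentication.SetAuthCookie before redirecting, and the role is resolved server-side through the role provider instead of being read from a UserInfo cookie. It assumes the membership and role providers are configured (roleManager enabled in web.config); btnSubmit and pnlAdmin are hypothetical control names.

```vbnet
Imports System
Imports System.Web.Security

' Login.aspx.vb: txtUser, txtPassword and lblResult are the controls from the
' question; btnSubmit is an assumed name for its submit button.
Partial Public Class Login
    Inherits System.Web.UI.Page

    Protected Sub btnSubmit_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnSubmit.Click
        Dim userName As String = txtUser.Text.Trim()

        ' Check the password against the membership provider, not a hard-coded string.
        If Not Membership.ValidateUser(userName, txtPassword.Text) Then
            lblResult.Text = "Incorrect user name or password"
            Return
        End If

        ' Issue the forms-authentication ticket. With protection="All" the cookie is
        ' encrypted and validated, so the browser cannot edit it. Without this call,
        ' <deny users="?"> treats the redirected request as anonymous and sends it
        ' straight back to Login.aspx.
        FormsAuthentication.SetAuthCookie(userName, False)

        ' No role data is written to a cookie; the destination page asks the
        ' role provider instead.
        Response.Redirect("login_successful.aspx")
    End Sub
End Class

' login_successful.aspx.vb: pnlAdmin is a hypothetical Panel holding admin-only content.
Partial Public Class login_successful
    Inherits System.Web.UI.Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        ' The identity comes from the validated ticket and the role from the role
        ' provider's store, so a client that edits its own cookies gains nothing.
        pnlAdmin.Visible = Roles.IsUserInRole("Admin")
    End Sub
End Class
```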

Can you try these two?
1) The webconfig may need a reference to the cookie name
<forms name="UserInfo" ...
2) Webconfig could also require being told who to allow
<authorization>
<allow users="Admin" />
<deny...

Related

Getting the UserName in MVC3 "internet" application using User.Identity.Name

I've been getting an empty string whenever I try to retrieve the logged in username in my controller. When I first created the app, I selected 'Internet application' template. I also deleted the default account controller, account models and _logon views as I didn't need them. I'm using my own styling, so I removed site.css from the project as well.
After playing around with the web.config for a while, I figured out that "User.Identity.Name" actually works if I change the authentication mode in web.config to windows. If I leave it on 'forms' authentication mode, I only get an empty string whenever I try to get the username.
Recently, I changed the authentication mode to Windows and used User.Identity.Name in one of my controllers to get the user name, but whenever I run the app, I get an error in the browser, stating "localhost/Account/LogOn/..." is not found (not directing to my usual view). (I didn't make any changes in Global.asax either.)
If I change the authentication mode back to forms, my view works fine, but I don't get to see the user name (just an empty string). Is there any way I can find a way around this problem? Is there anything wrong with routing or something? I can't afford to start over again using the "intranet Application" template.
I'm a beginner in MVC, so any help would be greatly appreciated.
Thanks
If you are using asp.net mvc, try System.Environment.UserName
inside your web.config, use
<authentication mode="Windows" />
<identity impersonate="true" />
The error you are getting is because you removed a logon view; it must still be referred to somewhere within your application, so if you don't need the logon view, make sure you remove all references to it from your code.
Internet applications work by default with forms authentication. The purpose of Windows authentication is for intranets, where the web application runs under a Windows user. Then the authentication works "automatically".
If you want to have an internet application with registered users, you should put the following configuration in web.config:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
Then you need an AccountController (it was there in the default template and you have probably deleted it) and a Logon action within the controller. You also need all the views of the account controller (logon, register, change password etc.). The best would be to create a new internet application and check everything that's there. Just copy the stuff you need into your application.
You also need a user database. The default uses an express database with standard tables and stored procedures. If needed, you can use your own tables, then you have to rewrite the methods in the account controller or write your own membership provider.
The reason why you don't see a user name is because you have no login.
EDIT: If you want to display the Windows user name, you should set the authentication mode to windows (or just delete the authentication section, as it is the default). Then you can access the user name. But you will have to delete the tag.
<authentication mode="Windows" />
Sounds like you aren't even authenticating first, so there is no username:
@if (Request.IsAuthenticated) {
<span>@User.Identity.Name</span>
}
else {
<span>You aren't authenticated</span>
}

query with login name and login status control

I am using the LoginView control for displaying the logged-in user in ASP.NET; in this control I have used the LoginName and LoginStatus controls. The problem is that when I press F5 it directly displays the system logged-in username, i.e. my default system account username. I am getting confused about what to do! If anyone has a solution, please share.
I am not sure if I understand you correctly... you get "yourdomain/youraccount" displayed?
If so ... and you do not want to use windows authentication you should switch to forms authentication otherwise it uses the windows credentials...
one point to start looking is the webconfig...
<configuration>
<system.web>
<authentication mode="[Windows/Forms/Passport/None]">
</authentication>
</system.web>
</configuration>
EDIT:
LoginName Control to Display Full Name instead of username
http://weblogs.asp.net/gurusarkar/archive/2009/06/16/loginname-control-to-display-full-name-instead-of-username.aspx
You should also make sure that you hooked up the membership database...
HTH

ASP.NET 4.0 Single sign on between parent website and child web-application fails

I've got the following structure
www.website.com --> ASP.NET 4.0 Web-site
www.website.com/blog --> NET 4.0, Web-Application
Both do form-authentication against the same SQL database and use the framework ASP.NET memberships and roles. I can log into each portion just fine (same user/password) but the authentication doesn't carry over i.e. if I log into / and then click a link to /blog/, /blog/ thinks I'm Anonymous and prompts for login again. I've done the basics
i.e.
Identical <authentication mode="Forms"> in both the site as well as app web.configs
Identical <machineKey> section (yes, identical validationKey and decryptionKey)
So I then inspected the cookies generated and noticed that website and the web application seem to be working on different cookies.
Cookies created by website.com/blog
.ASPXFORMSAUTH-27604f05-86ad-47ef-9e05-950bb762570c
.ASPXROLES
Cookies created by website.com
.ASPXFORMSAUTH
I think this is the problem, although I see it despite having identical <authentication> sections which looks like
<authentication mode="Forms">
<forms timeout="30" slidingExpiration="true" name=".ASPXFORMSAUTH" enableCrossAppRedirects="true" protection="All" cookieless="UseCookies"/>
</authentication>
I did read several other posts like
Single Sign On with Forms Authentication
as well as
http://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx
There were also a few other posts I can't recall now. I've gone through them (all?) but am still stuck. I can gladly supply more debug data if needed.
Would really appreciate any tips someone might have! I think I'm hitting a wall on this one!
Ok, so I was able to answer my own question after beating around it for longer.
Basically, BlogEngine.NET 2.5 (my web-app) seems to be overriding the .NET 4.0 framework way of doing things. There are a couple of things you need to fix, all within BlogEngine.Core\Security\Security.cs (download the BlogEngine.NET source code)
Part 1: Fix cookie name
In there is a method FormsAuthCookieName which I changed as follows:
File: BlogEngine.Core\Security\Security.cs
Method: FormsAuthCookieName()
// return FormsAuthentication.FormsCookieName + "-" + Blog.CurrentInstance.Id.ToString();
return FormsAuthentication.FormsCookieName;
This ensures that the cookie names are the same. One hurdle down ...
Part 2: Avoid web-app/BlogEngine.NET's login page/controls/code
Instead of directing users to log into BlogEngine.NET's login.aspx (www.website.com\blog\account\login.aspx), I pointed all login links to my main website's login.aspx page (www.website.com\login.aspx). In case you're wondering how to implement your own site-wide authentication, this is a super-quick guide
msdn.microsoft.com/en-us/library/ff184050.aspx.
I also had to add something like this to both the website web.config as well as the web-app web.config, so anytime a protected resource is accessed (from website or web app) my own global /login.aspx is used.
<authentication mode="Forms">
<forms timeout="30" loginUrl="/login.aspx" blah blah />
</authentication>
Now, my own generic, site-wide user login controls will be creating the (.NET framework standard) authentication cookies and the (user) role cookies. By avoiding the BlogEngine.NET's login.aspx we're cleaner plus we avoid calling this code which is problematic.
File: BlogEngine.Core\Security\Security.cs
Method: AuthenticateUser(string username, string password, bool rememberMe)
Details: That code adds a "blog instance" into the cookie, so if you have multiple blogs on the same domain, this prevents user1 authenticated on blog instance 1 from NOT being automatically authenticated on blog instance 2. I'm guessing most will only have one blog per domain (www.domain.com\blog!), so this is unnecessary. More importantly, that check breaks our single sign-on.
Two hurdles down ...
Part 3: Fix Per-access authorization check
Now, our site-wide, standardized login.aspx doesn't add the specific BlogEngine.NET instance ID (see above). This would have been ok, except that there is still some BlogEngine.NET code that specifically looks for that. We don't need that check either, so let's remove that offending check...
File: BlogEngine.Core\Security\Security.cs
Method: void Init(HttpApplication context)
// Comment line below to revert to only-framework/default processing
//context.AuthenticateRequest += ContextAuthenticateRequest;
So at this point you should have
All logins handled by a single, site wide login.aspx
All authentication cookies and user role cookies created by the above site wide login.aspx
All such cookies encrypted and protected per both the website & web-app web.configs (which should match!)
Which in turn allows single sign on :) !! Hooray !
In addition: in both web.configs you must insert machinekey with the same validationKey and the same decryptionKey.

ASP.NET Membership user login error cookie problems

We recently updated a site from Classic ASP to ASP.Net 3.5.
The old site used a login system based on cookies.
It would remember the users login information if a checkbox was selected when they first logged in. This would of course be done in a cookie.
We then upgraded the site Using ASP.net.
We transferred the old users to the built in ASP.net Membership Authentication.
It works great except for a really strange occurrence.
When a user logs in to the site, but had the old cookie for the site which stored the login information, the ASP.net Authentication seems to crash.
There is no error message, no information of any kind.
The user tries to log in, gets no error message, just gets transferred back to the login page.
It seems to be looking at the old cookie and just doesn't know what to do.
The domain names of the old site and the new site are the same.
This does not occur for new users who have never been to the old site.
If an old site user clears out his cookies in his browser he can log in fine and the error never happens again.
But we have 5000 users, we can't tell all of them to clear out their cookies.
I tried changing the setting in the following line of code in my web.config.
<authentication mode="Forms">
<forms cookieless="UseCookies" loginUrl="~\User\Login.aspx" defaultUrl="~\Default.aspx" timeout="26280000" />
</authentication>
But I'm not sure if it helped or not.
Any assistance would be greatly appreciated.
Thanks
With forms authentication, your login is controlled by forms authentication cookie. So I don't understand how is your old cookie interfering with FAC?
In case you are storing some value in your custom cookie, one way would be change the name of the cookie in your new code. i.e. if the code is creating "CookieA", the same name as old application, change it to "CookieB" and same while reading.
Specify cookies token name:
<forms name=".ASPXFORMSAUTH" ... />

ASP.NET Forms Authentication via Querystring

I currently have an ASP.NET 3.5 SP1 running on IIS 7. I have enabled forms authentication using .NET Membership and setup some folders that are restricted according to roles I have created. For instance, if an anonymous visitor tries to access the file http://www.example.com/restricted/foo.txt, he/she will be redirected to a login page, as expected. So far so good.
What I would like to do is provide access to protected files by allowing visitors to specify their login credentials in a query string, something along the lines of:
http://www.example.com/foo.txt?user=username&pass=pwd
Is this possible at all?
You should be able to write an HTTP module that intercepts the request and authenticates the user based on the querystring. However, just for the sake of completeness, I'd like to question whether it's a good idea to provide users their username and (in particular) password in plaintext.
You could easily create a download page that would authenticate the user and then forward them to the requested file. Something like navigating to Download.aspx?user=username&pass=pwd&file=foo.txt.
This however is NOT recommended. You should never require users to pass login information via a URL.
A secondary answer based on comments you've made to other questions is that you could simply put your download page in a directory. The subfolder could have a web.config that allows unauthenticated users access to the contents within :-)
something like:
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
