ASP.net How to handle login/logout with role based access - asp.net

Scenario: I have the membership provider set up and it's currently pointing to a SQL database on my machine. The role based access works and I have a menu that is security trimmed. The user can only get to pages that they have access to.
Problem: When an anonymous user tries to get to a page that they don't have access to, it brings them to a login page so that they can log in. That is fine. But when a logged in user tries to get to a page they don't have access to (usually by typing in a URL), it brings them to the login page again asking them to log in (except they're already logged in). I'd like to either take them to a different page or somehow tell them they don't have access. Any ideas/suggestions?
Thanks in advance

This is what I use. They point out that using <customErrors> won't work because of the way the 401 status gets changed and provide a solution.
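An added example of the approach this answer points at, not code from the answer or its linked resource: because forms authentication turns the authorization module's 401 into a redirect to the login page, the login page itself can notice that the visitor is already authenticated and send them to an access-denied page. The page names `AccessDenied.aspx` and the `DeniedPathLabel` control are assumptions; `AccessDenied.aspx` must itself be reachable by authenticated users in web.config.

```csharp
// Login.aspx.cs: UrlAuthorizationModule answers an unauthorized request
// with 401, and FormsAuthenticationModule rewrites that into a 302 to
// loginUrl, so a signed-in user with the wrong role lands here too.
using System;
using System.Web;
using System.Web.UI;

public partial class Login : Page
{
    // Hypothetical page in this site, not part of the original question.
    private const string AccessDeniedPage = "~/AccessDenied.aspx";

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.Identity.IsAuthenticated)
            return; // anonymous visitor: show the login form as usual

        // Authenticated but sent back here: the user lacks the role for
        // the page in ReturnUrl. Show an access-denied page naming it.
        string denied = Request.QueryString["ReturnUrl"];
        string target = AccessDeniedPage;
        if (IsLocalPath(denied))
            target += "?page=" + HttpUtility.UrlEncode(denied);
        Response.Redirect(target, true);
    }

    // Pass along only app-local paths; an absolute or protocol-relative
    // URL in ReturnUrl must not be reflected into the denied page.
    internal static bool IsLocalPath(string url)
    {
        return !string.IsNullOrEmpty(url)
            && url.StartsWith("/", StringComparison.Ordinal)
            && !url.StartsWith("//", StringComparison.Ordinal)
            && !url.StartsWith("/\\", StringComparison.Ordinal);
    }
}

// AccessDenied.aspx.cs: answer 403 rather than 200 so logs and proxies
// record the refusal, and show the denied path as encoded text only.
public partial class AccessDenied : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Response.StatusCode = 403;
        Response.TrySkipIisCustomErrors = true; // keep our page on IIS 7+
        string page = Request.QueryString["page"];
        DeniedPathLabel.Text = Login.IsLocalPath(page)
            ? HttpUtility.HtmlEncode(page)
            : string.Empty;
    }
}
```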

Related

How to provide access to users who are not added in list/groups of authorized users in Sharepoint 2013?

I have a SharePoint Server 2013. And I have added site pages in that; now I want the home page (www.xyz.com) to be accessible to all users regardless of whether they have been added to the groups/authenticated users.
Except for the home page, only the registered users should have access to content/other pages. Otherwise SharePoint should give a message "you don't have access" or "this page hasn't been shared with you" when an unauthorized user tries to access the rest of the site pages.
I already tried the NTAuthority command to define the setting on the home page, but for that the user needs to have the exact path of the webpage (www.xyz.com/main.aspx); otherwise it's not working with just (www.xyz.com).
Either the user is getting all the access or none.
Kindly refer to this link for more info. It is somewhat similar to what I need.
Sharepoint-Add permission to all authenticated users

Get the initially requested route after being redirected to login page

In my app, when a user tries to access a route behind a firewall and gets redirected to login, they are given the opportunity to create an account. After creating the account and successfully logging in, I'd like to redirect them to the initially requested page.
However, I've not been able to work out how to get access to the route they initially requested before the security kicked in. Any help?
I'm not using FOSUserBundle, and I'd like to avoid it if possible, as I'm quite far into development.
By default the user is redirected to the requested page. This behavior is defined in DefaultAuthenticationSuccessHandler.

How to detect that the same user authenticated from different networks?

I am using ASP.NET forms authentication, is it possible to detect that two of the same login logged in?
I want this to prevent a situation where two users on the same account modify the same thing, so I want to notify the user that another user with the same login name is already inside the system.
I am also using MemberShip model of .net to authenticate if this helps.
Check out this resource. This approach uses the cache to see if the user has made a login request on another machine. I've seen the database used as well. The main goal is to check whether the user has already gone through the login process, and if they have, block the second attempt to log in.
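An added example of the cache-based check this answer describes, not code from the linked resource: the ASP.NET cache records which session currently owns each login name, so a second login with the same account is refused and the user can be told the account is already in use. The 30-minute idle limit, the class and the session key are assumptions; the cache is per server, so on a web farm the same table belongs in the database as the answer mentions.

```csharp
// Ownership of a login name is kept in HttpContext.Cache, keyed by the
// (case-folded) user name and holding a per-session token.
using System;
using System.Web;
using System.Web.Caching;
using System.Web.Security;
using System.Web.SessionState;

public static class SingleLoginGuard
{
    private static string Key(string user) { return "active-login:" + user.ToLowerInvariant(); }

    // Per-session token. Storing it in Session also pins the SessionID,
    // which ASP.NET regenerates while the session is still empty.
    private static string Token(HttpSessionState s)
    {
        string t = s["login-token"] as string;
        if (t == null) s["login-token"] = t = Guid.NewGuid().ToString("N");
        return t;
    }

    // Validates credentials via Membership, then claims the account.
    // False means a bad password OR the account is in use elsewhere.
    public static bool TryLogin(string user, string password, HttpContext ctx)
    {
        if (!Membership.ValidateUser(user, password)) return false;
        string token = Token(ctx.Session);
        string owner = ctx.Cache[Key(user)] as string;
        if (owner != null && owner != token) return false;
        // Sliding expiry (hypothetical 30 min; match your forms-auth
        // timeout): the claim lapses if nothing reads it for that long.
        ctx.Cache.Insert(Key(user), token, null, Cache.NoAbsoluteExpiration,
                         TimeSpan.FromMinutes(30));
        FormsAuthentication.SetAuthCookie(user, false);
        return true;
    }

    // Call on every authenticated request (e.g. from a base page): the read
    // renews the sliding expiry, and a mismatch means this session's claim
    // lapsed and someone else has since logged in, so sign this one out.
    public static bool StillOwner(string user, HttpContext ctx)
    {
        return (ctx.Cache[Key(user)] as string) == Token(ctx.Session);
    }

    // Explicit logout releases the account immediately.
    public static void Logout(string user, HttpContext ctx)
    {
        ctx.Cache.Remove(Key(user));
        FormsAuthentication.SignOut();
        ctx.Session.Abandon();
    }
}
```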

ASP secure user login with different access levels and restricted access pages

I'm building an ASP website with user login. Does anyone know what is the best and most secure way to make a login page and make pages restricted access? I know some ways and used them for some websites, but sometimes they were not that secure. There are a couple of access levels for this website: Admin, User, Sales Team, and a couple more. Thanks.
You can use session variables to store the user level and then in ASP code define what the user can or cannot see.
Or in the database, I assume, you have a field where the level of access is defined as well.
Basically make your security level part of the SQL query and show only data the user should be able to see.
Basically you should have the level of access in the database; the login page verifies credentials and then stores the user level in a session variable.
On any given page, while the header loads, ASP retrieves the session variable and compares it to the database.
If the user has clearance to see that data, he will; if not, display a message that he is not authorized or redirect somewhere else where he can be.
Add an include file at the top of your ASP pages which is executed before any of the page's code. This way you can write your security code once, and apply it to all of your pages.
Assuming you are using IIS as your web server, you can let it handle your website security by using the different available authentication methods.
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/9b619620-4f88-488b-8243-e6bc7caf61ad.mspx?mfr=true
http://www.authenticationtutorial.com/tutorial/
Perhaps the best authentication method for you would be Windows Integrated Authentication since it allows you to create groups (or maybe use the existing ones) to give access to certain directories or pages.

Prevent visitors from opening certain pages

I have an ASP.Net 2.0 website with SQL Server as the database and C# 2005 as the programming language. The website is almost complete and all the links are working fine. But I want to prevent normal users from opening a couple of pages. When any user clicks on those specific links, another page opens which contains an ASP Login control. The user has to supply a valid userid and password to display the links pointing to the restricted pages. But being a newbie, I don't know how to leverage the full power of the ASP Login control. Because, if a user gets to know the exact URL of the restricted pages, then he/she can bypass the Login control and directly access those pages by typing the URL into the address bar. I want to prevent this. If the user types the URL directly in the address bar, I want the page itself to check whether the user has been validated through the Login control and either display the page or point the user to the Login page.
How do I implement this feature?
Thank You.
Lalit Kumar Barik
You'll want to take a look at the location section of the web.config.
In that section, you can define down to the page level the access rights, so it wouldn't matter if the users knew the URL of the secured pages, ASP.NET wouldn't let them in.
So you would add something like:
<location path="SecuredPage.aspx">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
The deny users="?" bit says "Deny all anonymous users".
You can also set it up to only allow certain roles, if you are using those.
More information on the Authorization section can be found here:
authorization Element
This is food for the ASP.Net Membership services. Take a look at this article and also the great series over at 4GuysFromRolla.
Membership allows you to store user/password information which is used, among others, by the Login control. Coupled with the authorization configuration you will be able to directly narrow access to specific pages down to specific users or roles.
You will need a way to manage login sessions for each user. The following are some tutorials that could help you:
http://www.codeproject.com/KB/session/NoCookieSessionLogin.aspx
http://www.dotnetspider.com/resources/5597-Handling-Session-for-Login-Logout.aspx
You should verify the user's logged in state at every Page_Load() event on pages that must control permissions, or simply put the authentication code in a CS file that will be included in all other files.
Depending on the authentication architecture that you choose (simply use the session variable, or create a session id with cookies), you must adapt your code accordingly.
The simplest way would be to manage log-ins through the session object. When the user logs in properly with the right credentials, you can set Session["logged_in"] = true. And on every Page_Load() event of the pages you want to protect, you'd need to do the following check.
Add this code at the beginning of your Page_Load() function:
// Session["logged_in"] is set to true by the login page on success;
// a null entry means the user has never logged in during this session.
if (Session["logged_in"] != null && (bool)Session["logged_in"] == true) {
    Response.Write("I'm logged in!");
} else {
    Response.Write("I'm not logged in.");
}
Please keep in mind that this is okay for simple intranet applications, but if you want to get into more secure login architectures, read up more about the subject, as relying solely on session variables isn't safe because sessions can be hijacked.
I would make a role table for users. Everyone who logs in gets the 'normal' role. Special users whom you designate by their credentials get assigned roles to access a page or section of your website. Certain users (like yourself) would get an administrator role that automatically allows them access to everything.
Fire off a function called CheckIsInRoles('Admin', 'Normal', 'WhateverRoleYouChoose') which returns a boolean. If true, load the page; if not, don't.
Even better don't display a link if not in the correct role.
This has the added benefit of everyone logging on once and then accessing all the pages they need to without having to log on each time.
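An added example combining the last few answers (the shared check that runs before any page code, and a role check returning a boolean), not code from any of them: a base page class that every restricted page inherits, which checks the forms-authentication identity and roles in OnInit instead of a hand-rolled Session["logged_in"] flag. It assumes forms authentication with RoleManager enabled so that `User.IsInRole` works; the page `AccessDenied.aspx` and the role names `Admin` and `SalesTeam` are assumptions.

```csharp
// The check runs once, in OnInit, before Page_Load of the derived page.
// An unauthenticated user goes to the login page with a ReturnUrl; an
// authenticated user outside the allowed roles is told so rather than
// being sent to the login page again.
using System;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public abstract class SecurePage : Page
{
    // Hypothetical page name for the "not authorized" message.
    private const string AccessDeniedPage = "~/AccessDenied.aspx";

    // Roles that may view the page; an empty array means any
    // authenticated user. Derived pages override this.
    protected virtual string[] AllowedRoles { get { return new string[0]; } }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        if (!User.Identity.IsAuthenticated)
        {
            // Not signed in: log in, then come back to this page.
            string back = HttpUtility.UrlEncode(Request.RawUrl);
            Response.Redirect(FormsAuthentication.LoginUrl + "?ReturnUrl=" + back, true);
        }

        if (AllowedRoles.Length > 0 && !AllowedRoles.Any(r => User.IsInRole(r)))
        {
            // Signed in but in none of the allowed roles.
            Response.Redirect(AccessDeniedPage, true);
        }
        // Otherwise the request falls through to the page's own events.
    }
}

// A page only the Admin and SalesTeam roles may open (hypothetical
// roles); its markup needs nothing special.
public partial class SalesReport : SecurePage
{
    protected override string[] AllowedRoles
    {
        get { return new[] { "Admin", "SalesTeam" }; }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Reached only after SecurePage.OnInit let the request through.
    }
}
```

Because the check lives in OnInit, it also covers pages reached by typing the URL directly, which is the case the original question asks about.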
