FormsAuthentication Behaving odd - asp.net

Is this a security issue or by design?
string UID = "randomusername"; // does not exist in aspnet_Users table
FormsAuthentication.RedirectFromLoginPage(UID, false);
Authenticates users, redirects to login page.
Profile Page is set to check User.Identity.IsAuthenticated etc...
When they update the profile, it adds the user to the aspnet_users table automatically, which is not what I want.

FormsAuthentication.RedirectFromLoginPage doesn't perform any valid user check; it just redirects the user as if they are a valid user. It assumes that you have done the validation check first before you called this.
HTH.
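
An added example, not part of the original posts: a login handler that validates the credentials with the membership provider before calling RedirectFromLoginPage, plus a check on the profile page that the ticket's name exists in the membership store. The class names and the controls UserNameBox, PasswordBox and ErrorLabel are assumptions.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Code-behind for the login page. UserNameBox, PasswordBox and ErrorLabel are
// assumed controls declared in the .aspx markup.
public partial class LoginPage : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string userName = UserNameBox.Text.Trim();

        // RedirectFromLoginPage issues a ticket for whatever name it is given,
        // so the credential check has to happen first.
        if (!Membership.ValidateUser(userName, PasswordBox.Text))
        {
            ErrorLabel.Text = "Invalid user name or password.";
            return;
        }
        FormsAuthentication.RedirectFromLoginPage(userName, false);
    }
}

// Code-behind for the profile page: a second check, so a ticket naming an
// account that is missing from the membership store never reaches the save.
public partial class ProfilePage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        bool known = User.Identity.IsAuthenticated
                     && Membership.GetUser(User.Identity.Name) != null;
        if (!known)
        {
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
            // RedirectToLoginPage does not end the request; stop it here so
            // later postback handlers (e.g. a Save button) do not run.
            Response.End();
        }
    }
}
```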

Related

How Can I display username after login in Asp.net.Core Mvc

How can I display username after user login, I use temp date, but username did not show, this is my code.
If the login is successful, you can set a cookie (if not exists of course). Checkout here

Pass values from first page to third page in asp.net

I am making a project. In that project first page is Login page.
In Login page, user'll enter user Id and Password, if match, page will redirect to second page.
In second page there is a hyperlink to go to third page.
In third page I want to show user's all the details like- firstName, lastName, emailId, mobileNumber, password etc.
My doubt is how to carry userId and Password from first page to third Page.
Please Help me.
Thanks in advance.
Save the user name and ID, not the password; you don't need to save the password because it's not good for security.
Go through this, it'll help you.
http://msdn.microsoft.com/en-us/library/system.security.principal.windowsprincipal(v=vs.110).aspx
You can use the WindowsPrincipal class to save the user credential; it saves the user name and ID, not the password. You don't need to save the password because it's not good for security.
http://msdn.microsoft.com/en-us/library/system.security.principal.windowsprincipal(v=vs.110).aspx
Use cookies or session; they will help you both for authentication and for what you mentioned here.
http://www.w3schools.com/ASp/asp_cookies.asp
http://www.codeproject.com/Articles/32545/Exploring-Session-in-ASP-Net
You can store userId in Session or cookie on login success and get it on required page.
Do not store the password in session or a cookie, as it may be harmful from a security point of view.
I suggest you refer to ASP.NET state management.
http://www.codeproject.com/Articles/492397/State-Management-in-ASP-NET-Introduction
http://www.codeproject.com/Articles/331962/A-Beginner-s-Tutorial-on-ASP-NET-State-Management
The way you are redirecting to Second Page from Login Page, just redirect directly from Login to Third Page.
Also, while checking login details, if user is an authenticated one, keep User ID in Session, so that you can easily retrieve logged in user's all details using that User ID.
In your login page, check whether the username and password are valid.
If valid, then create a session entry for the userid, e.g. Session["userid"] = userid
Now in your third page you can get the user's firstname, lastname etc. from the userid.
E.g.:
int userid = Convert.ToInt32(Session["userid"]);
var userDetails = GetUserInfomationfromid(userid); // here you can get user information from userid
If you want to read more about state management in ASP.NET:
http://www.codeproject.com/Articles/492397/State-Management-in-ASP-NET-Introduction

Combine form based authentication in ASP.NET with direct authentication through URL GET parameters

I'm new in ASP.NET and already got a lot of answers here searching on google (THX!).
My task is now to build a website where authentication is required, so I chose form based authentication, which is working well.
I need to add functionality, when user can click on link and after redirecting to that website he will get automatically authorized based on GET parameters.
For example:
http://www.mysite.com/login.aspx?username=xxx&password=yyy
So after clicking on such link he will skip login page and continue to page behind.
Could you please help me with that question?
P.S. I'm aware, that it is not secure and username with password will be visible as clear text, but here we are talking about generated username and password which will be available just for one day and it is required to identify user to do one request.
You could do something like.
Make sure the username and password are in the querystring, and then assign them to a username and password variable.
c#
if (FormsAuthentication.Authenticate(username, password))
{
    FormsAuthentication.SetAuthCookie(username, true);
    FormsAuthentication.RedirectFromLoginPage(username, true);
}
else
{
    // not authenticated. do something
}
vb.net
If FormsAuthentication.Authenticate(username, password) Then
FormsAuthentication.SetAuthCookie(username, true)
FormsAuthentication.RedirectFromLoginPage(username, true)
Else
' not authenticated. do something.
End If
For this to work you will need to import/using System.Web.Security. The true value tells your authentication to set a persistent cookie value.
If you are using SQL Server as the database, the easiest way is to use the ASP.NET membership provider. By using that you will be able to authenticate the user in an effective way. Here you can use Aspnet_regsql.exe to create the required database tables. There is a good explanation about Creating a Web Site with Membership and User Login
Hope this will help

OnLoggedIn event on Login page ASP.NET

I want to redirect people according to their role in the asp.net membership provider. I have some code in the 'OnLoggedIn' event on the login page. Here is what I tried so far, and nothing works:
The code below returns false on the .IsAuthenticated step, it says the user is not authenticated. On which step at the login page the user is authenticated, I thought the 'OnLoggedIn' event is the right place to do this.
if (HttpContext.Current.User != null)
{
    if (HttpContext.Current.User.Identity.IsAuthenticated)
    {
        if (HttpContext.Current.User.Identity is FormsIdentity)
        {
        }
    }
}
2nd thing I tried was to get all the roles for the user, but it doesn't return anything, returns empty array of strings, and I checked the database that the role is assigned to that specific user. Here is how I am trying:
string[] userRole = Roles.GetRolesForUser(LoginUser.UserName);
So, my question is how I can get the role on the login page, do I need to check that in some other event or on some other way.
Thanks for your help in advance, Laziale
The first situation won't work because it returns the value of the Request as it came in. Logging in with FormsAuthentication basically just sets a cookie in the Response so that the next Request gets the right User.
The second situation should work though, assuming that LoginUser is the name of your login control.
If you have some predefined set of rules like (SuperAdmin, Admin, User, ...) then you can use a switch case and, according to the authentication level, you can classify/redirect the user accordingly with the respective URL.
Greg is totally correct. So the question is why the roles are not returned? There could be several reasons depending on how you created the roles on your rolesprovider settings in web.config.
So make sure your roles provider is pointing to the same database where you see the roles.
Also check that you are not using one role provider to create roles but accessing them via a different one. This can happen if you have more than one roles provider in web.config.
Also check if it isn't the applicationName issue.
If that doesn't help post your web.config roles setting as well as info on how you are creating roles.
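
An added example, not part of the original posts: a LoggedIn handler that looks the roles up by the name entered in the login control (the request's User is not set yet), records which provider and applicationName were queried when the result is empty, and redirects by role. The role names come from the answer above; the class name and target URLs are assumptions.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Code-behind for the login page; LoginUser is the asp:Login control from the
// question, wired with OnLoggedIn="LoginUser_LoggedIn".
public partial class LoginPage : Page
{
    protected void LoginUser_LoggedIn(object sender, EventArgs e)
    {
        // The auth cookie has only been added to the response at this point;
        // HttpContext.Current.User still describes the anonymous request.
        string userName = LoginUser.UserName;
        string[] roles = Roles.GetRolesForUser(userName);

        if (roles.Length == 0)
        {
            // Empty result: record which provider and applicationName were
            // queried, to compare against where the roles were created.
            System.Diagnostics.Trace.TraceWarning(
                "No roles for {0} (provider={1}, applicationName={2})",
                userName, Roles.Provider.Name, Roles.ApplicationName);
        }

        Response.Redirect(LandingPageFor(roles));
    }

    // Highest-privilege role wins; the URLs are placeholders.
    private static string LandingPageFor(string[] roles)
    {
        if (Has(roles, "SuperAdmin")) return "~/SuperAdmin/Default.aspx";
        if (Has(roles, "Admin")) return "~/Admin/Default.aspx";
        if (Has(roles, "User")) return "~/Members/Default.aspx";
        return "~/Default.aspx";
    }

    // Case-insensitive membership test on the returned role names.
    private static bool Has(string[] roles, string name)
    {
        return Array.Exists(roles,
            r => string.Equals(r, name, StringComparison.OrdinalIgnoreCase));
    }
}
```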

Forms Authentication - Storing and Retrieving User Names

Using Forms Authentication, I am storing a cookie for each user if they mark Remember Me during login, using the following piece of code in the Login1_LoggedIn event.
if (rememberMe.Checked) FormsAuthentication.SetAuthCookie(Login1.UserName, true);
When the user arrives on my page with a cookie, I need to get his/her user name so I can check their roles. Does the Forms Authentication cookie store this information, and how can I retrieve it?
The string you pass to SetAuthCookie (Login1.UserName in your case) will be stored in the IPrincipal when the user accesses a page. You can access it using:
Page.User.Identity.Name
Try
Page.User.Identity.Name
or
HttpContext.Current.User.Identity.Name
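
An added example, not part of the original posts: reading the user name directly from the forms-authentication cookie, which is where the string passed to SetAuthCookie is stored. On a normal request the FormsAuthenticationModule has already done this and exposes the result as Page.User.Identity.Name; the class and method names here are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class AuthCookieReader
{
    // Returns the name stored in the forms-authentication ticket, or null when
    // the cookie is missing, malformed or expired.
    public static string GetUserName(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt throws ArgumentException for a value that is not a valid ticket.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException)
        {
            return null;
        }

        if (ticket == null || ticket.Expired)
            return null;

        return ticket.Name; // the string that was passed to SetAuthCookie
    }

    // Roles are not read from the ticket; they are looked up by name from the
    // role provider.
    public static string[] GetRolesFromCookie(HttpRequest request)
    {
        string userName = GetUserName(request);
        return userName == null ? new string[0] : Roles.GetRolesForUser(userName);
    }
}
```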
