I have an ASP.NET page called admin.aspx that needs to be protected from direct access.
I want it to be accessed only when the user enter his name & password in another page called login.aspx.
I'm working in ASP.NET with Visual Basic .NET 2008, and I have no idea how to do it.
How can I do it?
The correct term for this behavior is Authorization
Some things I need to know beforehand:
Do you have your own Login / Logout Logic?
Are you using a custom User database / table?
If both of the above were answered with a yes: Have you read / heard something about Membership- and RoleProviders?
.NET has great built in mechanisms for solving this problem. It doesn't just offer great configuration possibilities, it is also very easy to implement!
Here is a very very detailed walk trough on the ASP.NET Membership Provider:
ASP.NET 2.0 Membership and Roles Tutorial Series
Even though it is using ASP.NET 2.0 and C#, it shouldn't really be that different on .NET3.5/4.0 and VB.NET
I found it :
In the login page ("login.aspx") do this :
Session("Name") = "Yes"
Response.Redirect("admin.aspx")
In the admin page ("admin.aspx") this :
If Session("Name") = "Yes" Then
'You can here display anything you want, or just leave it blank
Else
Response.Redirect("ErrorPage.aspx")
End If
You should check the user session first before loading your page:
protected void Page_Load(object sender, EventArgs e)
{
if (session == null)
{
// Just redirect to login page or no access page warning.**
}
if (!Page.IsPostBack)
{
//If your were logged in then you will access this page
}
}
You can handle it via Forms authentication. In your case you want to make sure that you restrict the access of admin.aspx so you can do so by giving that entry in web .config by specifying the location tag. Check out this site:
http://www.dnzone.com/go?60
HTH
Related
I created a new asp.net web application using the template that visual studio has. That type of project create a login out-of-the-box which I configured with the aspnet_regsql command to work with my database.
Now, when someone logs into the application, I need to know whether or not the login was sucessful, so I can save in Session[''] the user name among other things.
I was expecting to find a method that returns true or false but instead in the Login.aspx.cs is just the Page_Load method and I don't understand how it works.
I tried associated a onclick method that get the value of the UserName control, but obviously, that only works when the user log in for the first time, if the user check "Remember me next time" it won't work.
The AuthenticateRequest event is raised when the user has been authenticated, however in this event you do not have access to the SessionState yet. Therefore, to save the Session you should consider the PostAcquireRequestState application event.
ASP.NET Application Life Cycle Overview for IIS 7.0
ASP.NET Application Life Cycle Overview for IIS 5.0 and 6.0
For additional info:
AuthenticateRequest event
Example:
In global.asax
void Application_PostAcquireRequestState(object sender, EventArgs e)
{
if (Context.Session != null)
{
Application.Lock();
Session["user"] = User.Identity.Name;
Application.UnLock();
}
}
Additionally, if you are using the LoginControl, you can handle the LoggedIn event:
ASPX
<asp:Login runat="server" ID="login" DestinationPageUrl="~/Default.aspx"
FailureAction="RedirectToLoginPage"
onloggedin="login_LoggedIn" ...>
....
ASPX code behind
protected void login_LoggedIn(object sender, EventArgs e)
{
// set the Session here
}
The aspx web project template makes use of the asp:Login control, which does the authentication for you.
If you need to customize the login, you can roll your own username / password inputs, and then call the membership API directly, e.g.
if (Membership.ValidateUser(username, password))
{
FormsAuthentication.SetAuthCookie(username, rememberMe);
// Do your custom stuff here
...
You can also check to see whether the user is authenticated by using
UserPrincipal.Identity.IsAuthenticated
See MSDN for more details
I'm looking for a solution to this, but cannot find one on the web. I've done this before in other languages, but I'm not sure how to go about this in ASP.Net. I'm using Visual Studio 2010 Express.
I'm currently thinking that I should put the Whitelist commands in the CreatingUser event in the RegisterUser control. To this, I get the user's supplied e-mail address, check to make sure the domain is in a separate table of whitelisted e-mail addresses. Continue registering the user if it's in the whitelist, fail if not.
Basically, the user MUST belong to a whitelisted e-mail address to join the website.
Could anyone guide me on how to do this specifically with ASP.Net? I'm building off of the basic project template created from ASP.Net, so this is all stock Microsoft code I'm working with. Code is great, but I'd like to actually learn what I'm doing too!
EDIT:
I did create the following table in my ASPNETDB.mdf
whitelistTable:
whitelistID, bigint autoincrement
whitelistDomain, nvarchar(256)
If you are referring to the CreateUserWizard.CreatingUser event, the CreateUserWizard control supports the Email field and should automatically add it if you set it up that way in the membership provider. (Disclaimer: I haven't actually used this myself).
<asp:CreateUserWizard ID="RegisterUser" runat="server" OnCreatingUser="RegisterUser_CreatingUser" ... >
...
</asp:CreateUserWizard>
In the RegisterUser_CreatingUser handler:
protected void RegisterUser_CreatingUser(object sender, LoginCancelEventArgs e)
{
if (!EmailIsInWhiteList(RegisterUser.Email))
{
// Optional: display validation message.
e.Cancel = true;
return;
}
e.Cancel = false;
}
I am new to ASP.NET and web application developing. What I'm trying to implement is, I am storing a file on the web server and is supposed to give the link of the file to the user for them to download the file. The link and the "downloading" process is easy but I wanted to make it more secure like having the link go through the login page, then the user will enter his/her credentials, if success, then the file will be automatically downloaded.
Does anyone know how where should I start or what is the name of this kind of method/processing for me to be able to start my research.
Thanks.
In the download page's Page_Load method check Session["IsLoggedIn"] or Session["LoggedInUserId"] where these session variables is set at your login page's BttnLogin_Click method.
Login.aspx
<asp:TextBox ID="TxtBxUserName" runat="server"></asp:TextBox>
<asp:Button ID="BttnLogin" runat="server" Text="Login" OnClick="BttnLogin_Click"/>
Login.aspx.cs
protected void BttLogin_Click(object sender, EventArgs e)
{
// guarantee that a user with the given username(TxtBxUserName.Text) exist
// find the id of the user
Session["LoggedInUserId"] = userId;
//or just do
Session["IsLoggedIn"] = 1;// I use 0 and 1 for this kind of job
}
Don't forget you need to set 0 to Session["IsLoggedIn"] and set -1(for an invalid id) to Session["LoggedInUserId"].
Now when you download page loads, just check one of these session variables.If the login condition is met then let the user download that file if not redirect to login page like below;
if(Session["IsLoggedIn"].ToString() == "1")
{
// download
}
else
{
Response.Redirect("Login.aspx");
}
donot put the link to that file directly. call an asp page which will read and write the file contents
to it's output stream. All this is done on page_load (sender, event); but before reading or writing the file contents, just check if there is a username or password or user id or whatever in the session variables. if there is nothing such, redirect to login.aspx.
You can use ASP.NET forms authentication to authenticate the user and after authetication process you can redirect the user to the download page.
You can employ forms based authentication. This is the standard way of handling a user login in asp.net. There are some easy to follow tutorials on the official Asp.net website: http://www.asp.net/web-forms/tutorials/security
we are running into an issue with our ASP server.
If you try to access a password protected page it does a security check and redirects you if you are not logged in, retaining the URL (ie. Members/MemberLogin.aspx?doc=/PodCast/Default.aspx)
The vb script places the "/PodCast/Default.aspx" in a variable and holds it until the login process is complete.
Once the user types in their username and password it is suppose to do a Response.Redirect(strRedirectURL) and go to the "/PodCast/Default.aspx" but instead it goes to the default.aspx page for logging in successfully.
The kicker is, I know the code is 100% correct becuase it was working on our previous server, but when we pushed all the data onto this server, everything works BUT that piece.
Any suggestions, would be great!
Thanks everyone!
Do you use custom redirection code? The default querystring parameter ASP.NET uses for redirection after login is ReturnUrl.
You gave the example: Members/MemberLogin.aspx?doc=/PodCast/Default.aspx.
Based on this, I would assume once logged in, the .net framework checks the value of Request.QueryString["ReturnUrl"] and finding it empty, so the site redirects to the base url.
If for some reason you are constructing a non-standard url using doc as your querystring parameter, you could hook into your Login control's OnLogin event, such as:
markup:
<asp:Login id="Login1" runat="server" OnLoggedIn="Login1_LoggedIn" />
code:
protected void Login1_LoggedIn(object sender, EventArgs e)
{
string url = Request.QueryString["doc"];
if(!string.IsNullOrEmpty(url))
{
Response.Redirect(url);
}
}
If your postback mechanism (like a button) exists inside an updatepanel, you need to set the trigger
asp:PostBackTrigger ControlID="XXXX" /
We have an ASP.Net web application running on IIS6 that manages its own database of users.
The site itself just allows anonymous access and all authentication/security is managed using our application itself.
We have a page that contains an HTML table of data that we import into Excel and is then used for Reporting purposes. The page currently has no security implemented.
We need to add security to this page so that should these spreadsheets fall into the wrong hands then the data cannot be "Refreshed" without supplying a username / password.
If I set this page to not allow Anonymouse access then I can use Basic/Windows authentication with Windows Users in order to secure this page. Then when Excel refreshes the data the password dialog box pops up.
The problem is that I need to be able to secure this page based on the Users within our database and they will not be Windows users. I also need to do it in such a way that allows Excel to manage the authentication which excludes any Form based authentication.
Anyone got any ideas? Is it possible to get IIS to look elsewhere for it's Basic Authentication?
Ok, so I've found two solutions to this problem. One thanks to Zhaph - Ben Duguid's answer which is an HttpModule that allows ASP.Net to fully manage the authentication.
The second solution, and the one that I am going with, is thanks to this question/answer.
HTTP Authentication (Basic or Digest) in ASP Classic via IIS
I've stripped this down and have a simple test harness that seems to be working well. In this example, instead of a database call, it merely checks that the username and password match and considers that authenticated.
using System;
using System.Text;
namespace AuthenticationTests
{
public partial class _Default : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
string authorisationHeader = Request.ServerVariables["HTTP_AUTHORIZATION"];
if (authorisationHeader != null && authorisationHeader.StartsWith("Basic ", StringComparison.InvariantCultureIgnoreCase))
{
string authorizationParameters = Encoding.Default.GetString(Convert.FromBase64String(authorisationHeader.Substring("Basic ".Length)));
string userName = authorizationParameters.Split(':')[0];
string password = authorizationParameters.Split(':')[1];
if (userName == password) //Perform your actual "login" check here.
{
//Authorised!
//Page loads as normal.
}
else
{
Unauthorised();
}
}
else
{
Unauthorised();
}
}
private void Unauthorised()
{
Response.AddHeader("WWW-Authenticate", "Basic");
Response.Status = "401 Unauthorized";
Response.End();
}
}
}
As you've got a custom database of users, I'd recommend looking at building a quick membership provider that talks to your database schema.
MSDN has a good example on "How to: Sample Membership Provider".
You can then use the standard access control mechanisms of ASP.NET to lock down the page, require authentication, etc, along with controls like Login, LoginStatus and others to provide much of the UI you need.
Edit to add
A quick search found the following, which might help:
Web Service Security - Basic HTTP Authentication without Active Directory
Where Greg Reinacker presents "a fully working sample in 100% managed code demonstrating the use of HTTP Basic authentication, using a separate credential store (in this case, a XML file, although this would be easy to change to a database or LDAP store)."
I'm not an expert but I thought that the point of Basic was that it was Windows Authentication. Can you run a script to synchronise your DB users with your Active Directory?
If it's a corporate AD, you could consider having a second AD just for your app and synchronising users from both your corporate AD and your DB. If you don't need to synchronise passwords (e.g. build a pwd-mgmt page in your site) you could just use scripts or C# or something. If you want something more sophisticated with built-in password synchronisation, you could look at ILM 2007 (soon to be FIM 2010).
Is the page an .html file or an .aspx file?
If it's an .aspx, you should keep this page under anonymous access and check for authentication in the page logic itself
I've written a library named FSCAuth that may help with this. It trivially can be set up for just basic authentication without Active Directory. It will instead read your user data out of a database/file/wherever(there is even a memory-only UserStore)
It is BSD licensed at Binpress