I'm attempting to convert a home-grown login system to the standard asp.net login control included in .net. I want all communication on the website for a user not logged in to be in clear text, but lock everything in SSL once the user logs in - including the transmission of the username and password.
I had this working before by loading a second page - "loginaction.aspx" - with a https: prefix, then pulling out the username and password by looking for the proper textbox controls in Request.Form.Keys. Is there a way to do something similar using the .net login controls? I dont want to have a seperate login page, but rather include this control (within a loginview) on every page on the site.
You're not going to be able to do what you're talking about simply, because the postback (which is what the login control uses) is going to be whatever the page's security is (SSL or non-SSL).
Your best bet in this scenario is to use an IFRAME which contains an HTTPS (SSL) page that just contains thelogin control. You might have to redirect to another page after login that lets you jump out of the IFRAME.
Plan B would be to have a separate form on the page (outside your main FORM) which has the ACTION property point to another page where you handle the login. You will have to roll your your own login code to handle the forms authentication.
I was able to accomplish this by adding an OnClientClick event to the login button control and set it to the following javascript function.
`
function forceSSLSubmit()
{
var strAction = document.forms[0].action.toString();
if (strAction.toLowerCase().indexOf("http:") == 0) {
strAction = "https" + strAction.substring(4);
document.forms[0].action = strAction;
}
}
`
You aren't going to be able to have your site as non-SSL, with a login box on every page, and then submit the username and password via SSL.
The only way to really accomplish this is to use frames of some sort. This way your entire page could be non-SSL, but the login frame would have to be SSL.
The usual ways of doing this is to either lock down the entire site with SSL, don't worry about having the username and password SSL encrypted and go to SSL after they log in, or go the frame route I mentioned above.
Related
I am developing a site and in this site i m building a functionality to capture a screen shot of a page. In my site i am using forms authentication.now first of all.
So when user login to the website he/she has to enter the credentials and then go to their profile page.
So now i am just creating a thumbnail of the user profile page using WebBrowser Control but the problem is , i m using forms authentication and it's always capture the login forms page because of forms authentication.
So Please help me ASAP.
In that case you will need to perform login programtically for forms authentication. Here is the piece of code which will be required.
FormsAuthentication.SetAuthCookie(UserName, false);
And here is more info
http://weblogs.asp.net/joseguay/archive/2009/03/23/the-asp-net-capsule-2-login-programmatically-with-forms-authentication.aspx.
However, be aware that the code you are using for creation of screenshot might not go well with it. So take care of this. These posts might help you in that case Send credentials to WebBrowser
You have to simulate forms authentication via WebBrowser control - essentially, use document object model (Document property) to locate user name/password input boxes, set their values and trigger submit (either inject java-script to do form submit OR use DOM to simulate login button click).
IMO, better way would be to use WebRequest (HttpWebRequest) to simulate the POST to login page to do authentication and then issue request to user profile page. Get the page html(from response) and load it in Web Browser control using DocumentText property.
In case, you have control over the server site, you may modify user profile page to allow un-authenticated access over certain requests (for example, from local machine or specified IP etc).
Hi I am using IE7 and IE8 browser for running web appliction. I have login in the web application go on the next page. if have copy the url of the next page, and open new browser and paste url, then open directly next page. I mean my form authentication is not working. please help how to handle this issue.
I don't know enough about asp.net to give exact code, but your login page should create a new session if it isn't already created.
When the logic behind the authentication form verifies the username/password, it should set a session variable to mark the user as logged in.
Pages which require login should then check for that session variable, and redirect to the login page if not set.
Hope that helps!
My UI prototype requires me to show the sites login info all the time. Either I should show the usual username and password textbox or "you are logged in as". The last bit don't have to be secure, as it's only info to the user, nothing I will use server side. But the first part should send secure to the server.
It seems that I would have to use https for all pages on the site then. I would like to only use ssl for the things that are required to be secure.
One way is putting the login information into a https://../login.aspx and show it on my mainpage as an IFrame.
One disadvantage I can see is that the user won't know that https is being used, unless they read the IFrame src in the source code.
What do you think?
Are you using the built-in asp.net login controls or do you just use two textbox controls?
You could use your own form tag (not runat="server") with the action attribute set to "https://..." and just use two html input tags and a button to log on.
Again this wouldn't show the user that there credentials are secure when logging in.
Because of some recently discovered SSL attacks, it is always preferable to also put the logon form on a https:// page. Otherwise a hacked can intercept the http stream and change your form action from "https://..." to "http://..." and then sniff the credentials.
Another option would be to take advantage of the PostBackUrl property of the Button control.
You would need to create your own login LayoutTemplate to take advantage of this though. You would then be able to add the secure scheme to the current page URL, and set the PostBackUrl property of the submit button to that.
This would have a similar issues to your iFrame solution (the user wouldn't see the padlock symbols), however you would have the advantage that you wouldn't be using iFrames.
Another issue using an iFrame is the affects that they can have on the page:
They are a separate request, but can cause a block on the JavaScript PageLoad event firing.
The login form would only postback within the iFrame, so you'd need to refresh the parent page when the user is successfully logged in to remove it.
Additionally to that, errors would be returned in the iFrame, probably not leaving you much space for displaying the form as well, etc.
You've hit the major problems. You want the login, which needs to be on every page to use SSL, but you don't want the entire page to be SSL.
This is more of a business decision at this point than anything else. Would you rather your customers feel more secure about visiting your site, or do you want the login information present on every screen?
If you need to have both, you may need to also look at making your entire site SSL.
Currently building a site in ASP.NET MVC and have to integrate another site within it, in an IFrame. It is the wish of the client to have one login for both systems, so the user logs in in the parent site, and then are automatically authenticated on the IFramed site. Of course, if this were possible then it could be assumed that both sets of login credentials were the same. So, it there anyway this can be done easily?
Its worth noting that we don't have any real control over the IFramed site. Its basically a site that our client provide their customers for processing payments.
Thanks in advance!
(I suppose OpenID or WS*-Federation is out of the question?)
If the credentials are the same, couldn't you simply submit the credentials to the iframe before you submit your own login form?
Or if you want to check credentials first, then send them to your server, check return them back to the client as a javascript snippet that then does the iframe authentication. (But be aware you would be sending credentials back to the client as javascript.)
An example that might work for you:
Say your login Url is http://yourdomain/login and you also need to login to http://thirdparty/login
yourdomain/login wants two post variables "username" and "pwd" whereas thirdparty/login wants "uname" and "password".
Try to include jQuery in your project (there are ways to do it in javascript by itself, but you'll have to check what jQuery does in the background - but I strongly suggest not reinventing the wheel if you don't have to).
// this is the jQuery startup function, called once the page is loaded
$(function()
{
// register an event for the form submit
$("form[#action*='login']").submit(function(event){
// get username and pwd from the form
var _user = $("#username").val();
var _password = $("#pwd").val();
// and submit to the second login page
$.post("http://thirdparty/login", { user: _user, password: _password } );
// once the method returns and you don't do return false then the login form will be submitted as usual.
});
});
There may be one issue here that is that you are posting to a different url than the server that served the page. This may not be allowed, but you could bypass it by sending the post action of the original login page to the thirdparty page and login to your own system using the code above.
Reference:
JQuery Post: http://docs.jquery.com/Ajax/jQuery.post
JQuery Intercept Form Submit: http://blog.james-carr.org/2008/01/17/jquery-binding-submit-on-a-forms-action-attribute/
I am trying to manually implement a login system in ASP.NET 3.5. Basically, on load, I would like the site to check and see if user object is active, if not, than I want the login page to appear.
After user has logged in successfully, I would like the user to be able to access the same page he has requested originally.
for example:
user request to: MyPage.aspx - not logged in
login page appears instead of MyPage.aspx
user logs in successfully
MyPage.aspx appears instead of Default.aspx for example
Peering at the System.Net namespace, I see that there is an "HttpWebRequest Class" which has a "HttpWebRequest.AllowAutoRedirect Property" but am unsure how that would get me back from the login page.
NOTE: I know there are automatic authentication systems setup in ASP.NET, but I would like to have manual control over the database.
-- Tomek
What you could do, if you don't want to actually use the built in Forms Authentcation is:
Check if the user is authenticated on each page you want to hide from anonymous users. If they are not authenticated, redirect them to your login page with the URL in the query string.
if(!HttpContext.Current.User.Identity.IsAuthenticated) {
Response.Redirect(~/login.aspx?redirect=this_page.aspx");
}
Then on your login page, after a user logs in. Check the query string to see if there is a redirect parameter.
if(!String.IsNullorEmpty(Request.QueryString["redirect"]) {
string url = ResolveClientURL(redirect);
Response.Redirect(url);
}
Of course this is all built into .NET using Authentication, where you can deny anonymous access to certain directories, and when you do that, .NET will redirect to your login page (which is set in the web.config) and will include a "ReturnURL=blahblah" on your login page.
Just an FYI.
Just save the originally requested url in Session or a hidden field on the login page
After successful login, use Server.Transfer or Response.Redirect to jump to that page.
It looks like another method is described here. It seems that you can use the following object to return from the login page:
FormsAuthentication.RedirectFromLoginPage
Yet, according to the article, the better method is to use what JackM described, but with an overload:
Response.Redirect("~/default.aspx", false);
In doing so, you prevent the Session from ending when the page is redirected.