simflex
Can you please help modify this login?
Dec 21, 2012 04:20 PM
Greetings Experts,
I was looking for a very simple blog to integrate into our website.
I found it in this link: http://msdn.microsoft.com/en-us/magazine/cc164071.aspx
The issue that I have is how to replace the login feature with our own version of the login.
Here is their version of login:
'//Login.aspx.vb:
Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
    If Not Page.IsPostBack Then
        ' if the querystring contains a "Action=logout" param, logout and delete the cookie
        If Request.Params("Action") = "logout" Then
            FormsAuthentication.SignOut()
        End If
    End If
End Sub

Protected Sub LoginUser_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles LoginUser.Click
    ' check username and password
    If FormsAuthentication.Authenticate(UserName.Text, Password.Text) Then
        ' if ok, save the cookie
        FormsAuthentication.SetAuthCookie(UserName.Text, Persistent.Checked)
        ' redirect to Default.aspx
        Response.Redirect("Default.aspx", True)
    Else
        ' if wrong credentials, show the error message
        InvalidLogin.Visible = True
    End If
End Sub

The credentials are set in web.config file:
<authentication mode="Forms">
    <forms name="WebLogger" loginUrl="Login.aspx" protection="All" timeout="60">
        <credentials passwordFormat="Clear" >
            <user name="Admin" password="AdminOK"/>
        </credentials>
    </forms>
</authentication>

Finally, if user is authenticated successfully, s/he is redirected to default.aspx page.
Here is code snip for default.aspx:
<ItemTemplate>
    <p align="justify">
        <u>Posted by <a class="comment" href='<%# "mailto:" & Container.DataItem("Email") %>'><%# Container.DataItem("Author") %></a></b>
        @ <%# CType(Container.DataItem("AddedDate"), Date).ToString("hh:mm tt, MMMM dd") %> </u>
        <asp:LinkButton CausesValidation="False" runat="server" Text="Edit" CommandName="Edit"
            CommandArgument='<%# Container.DataItem("CommentID") %>'
            Visible='<%# User.Identity.IsAuthenticated %>'/>
        <asp:LinkButton CausesValidation="False" runat="server" CommandName="Delete"
            ID="DeleteComment" Text="Delete" CommandArgument='<%# Container.DataItem("CommentID") %>'
            Visible='<%# User.Identity.IsAuthenticated %>'/>
        <br>
        <%# Container.DataItem("Comment") %>
    </p>
</ItemTemplate>

We would love to integrate the default.aspx page with our own version of login.
With our version, we use session variable to redirect user to appropriate page:
StrSQL = "SELECT Access_Level, myEmail,UserPassword FROM tblUsers WHERE myEmail='" & StrUser & "' AND UserPassword = '" & StrPass & "'"
'Response.Write(StrSQL)
'Response.End()
Cmd = New OleDbCommand(StrSQL, Conn)
Conn.Open()
rs = Cmd.ExecuteReader()
' This acts like the (Not RecordSource.Eof) in ASP 3.0
While rs.Read()
    Dim Access_Level As Integer = CInt(rs("Access_Level"))
    Session.Item("Access_Level") = rs("Access_Level").ToString
    If rs("Access_Level") = "1" Or rs("Access_Level") = "2" Then
        'Session("Admin") = True
        Response.Redirect("admin.aspx")
        'Response.Write(StrPass)
        'Response.End()
        Dim redirectTo As String = Trim(Session("RedirectTo"))
        BValid = True
    Else
    End If
End While

Any ideas or suggestions would be greatly appreciated.
Please forgive me for too much code.
ketthos
Re: Can you please help modify this login?
Dec 21, 2012 04:47 PM
what do you mean by using your own version? you want to create a design? or create another login controller?
simflex
Re: Can you please help modify this login?
Dec 21, 2012 05:02 PM
First, Thanks for your response Ketthos.
The last code I posted is my version. As you can see once the user has been successfully authenticated, s/he is redirected to the admin.aspx page.
Then from there, I am able to allow the user to view any page s/he has access level to view.
Because of the way the blog is written, I can't use the same login to allow or restrict access to it.
So, I would like to either modify the default.aspx page that uses User.Identity.IsAuthenticated to determine who can post, edit or delete posts.
In other words, I would like to be able to extend our login to this default.aspx page using Session("Access_Level") instead of User.Identity.IsAuthenticated.
Hope this is clearer. Otherwise, please let me know so I can provide more info.
Thanks again for your help.
oned_gk
Re: Can you please help modify this login?
Dec 21, 2012 11:51 PM
To give access level you can use role
if (User.IsInRole("spesialuser")) { }
Suwandi - Non Graduate Programmer
simflex
Re: Can you please help modify this login?
Dec 22, 2012 02:58 AM
Thank you oned_gk but I don't think I am explaining this well at all.
Below is my login code:
StrSQL = "SELECT Access_Level, myEmail,UserPassword FROM tblUsers WHERE myEmail='" & StrUser & "' AND UserPassword = '" & StrPass & "'"
'Response.Write(StrSQL)
'Response.End()
Cmd = New OleDbCommand(StrSQL, Conn)
Conn.Open()
rs = Cmd.ExecuteReader()
' This acts like the (Not RecordSource.Eof) in ASP 3.0
While rs.Read()
    Dim Access_Level As Integer = CInt(rs("Access_Level"))
    Session.Item("Access_Level") = rs("Access_Level").ToString
    If rs("Access_Level") = "1" Or rs("Access_Level") = "2" Then
        'Session("Admin") = True
        Response.Redirect("admin.aspx")
        'Response.Write(StrPass)
        'Response.End()
        Dim redirectTo As String = Trim(Session("RedirectTo"))
        BValid = True
    Else
    End If
End While

As you can see, this code is grabbing username, password and access_level from tblUsers table on the database.
So, this line:
If rs("Access_Level") = "1" Or rs("Access_Level") = "2" Then
---
---
end if
works with all the pages on my website with the exception of the blog code I posted above.
I believe the reason it doesn't work for the blog code is because of this line
<asp:LinkButton CausesValidation="False" runat="server" CommandName="Delete"
ID="DeleteComment" Text="Delete" CommandArgument='<%# Container.DataItem("CommentID") %>'
Visible='<%# User.Identity.IsAuthenticated %>'/>
How do I fix this so I can use my login code to authenticate who can have access to it or not?
hans_v
Re: Can you please help modify this login?
Dec 23, 2012 11:08 AM
Your code is vulnerable to SQL injections:
http://www.mikesdotnetting.com/Article/26/Parameter-Queries-in-ASP.NET-with-MS-Access
A simple login system using Access can be found here:
http://www.mikesdotnetting.com/Article/75/Simple-Login-and-Redirect-for-ASP.NET-and-Access
Or you can use a membership provider:
http://imar.spaanjaars.com/404/using-the-microsoft-access-providers-to-replace-the-built-in-sql-server-providers
http://imar.spaanjaars.com/560/using-the-microsoft-access-providers-for-membership-roles-and-profile-under-aspnet-4
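An added example, not code from the thread or from the linked articles: the posted lookup against tblUsers written as a parameter query, so the e-mail and password travel as values and are never concatenated into the SQL text. The name LookupAccessLevel and the connection-string argument are assumptions; the table and column names are the ones in the post.

```vbnet
Imports System
Imports System.Data.OleDb

Public Module LoginData

    ' Hypothetical helper (not from the thread): returns the Access_Level of the
    ' matching user, or Nothing when no row matches the supplied credentials.
    Public Function LookupAccessLevel(ByVal connectionString As String,
                                      ByVal email As String,
                                      ByVal password As String) As Integer?
        ' OleDb parameters are positional: each ? is bound in the order the
        ' parameters are added, whatever names they are given.
        Const sql As String = "SELECT Access_Level FROM tblUsers WHERE myEmail = ? AND UserPassword = ?"

        Using conn As New OleDbConnection(connectionString)
            Using cmd As New OleDbCommand(sql, conn)
                ' Typed, length-bounded parameters: input such as ' OR '1'='1
                ' is compared as a literal string and cannot change the query.
                cmd.Parameters.Add("@email", OleDbType.VarWChar, 255).Value = email
                ' Compares the stored value directly, as the posted schema does.
                cmd.Parameters.Add("@password", OleDbType.VarWChar, 255).Value = password

                conn.Open()
                Dim result As Object = cmd.ExecuteScalar()
                If result Is Nothing OrElse result Is DBNull.Value Then
                    Return Nothing
                End If
                Return Convert.ToInt32(result)
            End Using
        End Using
    End Function

End Module
```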
simflex
Re: Can you please help modify this login?
Dec 23, 2012 05:52 PM
I truly believe that one of you experts will be able to help me with this issue once you understand my question.
Please take a look at this markup in ItemTemplate below:
<ItemTemplate>
    <asp:Literal Runat="server" ID="DayBox">
        </td></tr></table><div align="right"><a href="#TopPage">Top</a></div><br>
        <table width="100%" border="1" cellpadding="0" cellspacing="0"><tr><td>
    </asp:Literal>
    <asp:Panel Runat="server" ID="DayTitle">
        <h3><%# DataBinder.Eval(Container.DataItem, "AddedDate", "{0:dddd, MMMM dd}") %></h3>
    </asp:Panel>
    <p align="justify">
        <b><%# Container.DataItem("Title") %></b> @ <%# DataBinder.Eval(Container.DataItem, "AddedDate", "{0:hh:mm tt}") %>
        <asp:LinkButton CausesValidation="False" runat="server" Text="Edit" CommandName="Edit"
            CommandArgument='<%# Container.DataItem("MessageID") %>'
            Visible='<%# User.Identity.IsAuthenticated %>'/>
        <asp:LinkButton CausesValidation="False" runat="server" ID="DeleteMessage" Text="Delete" CommandName="Delete"
            CommandArgument='<%# Container.DataItem("MessageID") %>'
            Visible='<%# User.Identity.IsAuthenticated %>'/>
        <br>
        <%# Container.DataItem("Message") %>
        <br>
        -- <%# Container.DataItem("CommentsCount") %> comments:
        <asp:HyperLink Runat="server" Visible='<%# Container.DataItem("CommentsCount") > 0 %>'
            NavigateUrl='<%# "javascript:ToggleDivState(div" & Container.DataItem("MessageID") & ");" %>'>View</asp:HyperLink>
        - <a href='<%# "javascript:ShowCommentBox(" & Container.DataItem("MessageID") & ");" %>'> Post your own comment</a>
        <div style="display:'none'; margin-left:2.0em; margin-top:.8em; " ID='<%# "div" & Container.DataItem("MessageID") %>'>
            <asp:DataList Runat="server" Width="500px" ItemStyle-BackColor="whitesmoke"
                AlternatingItemStyle-BackColor="white"
                DataSource='<%# Container.DataItem.Row.GetChildRows("MsgComments") %>'
                OnDeleteCommand="Comments_DeleteCommand" OnItemCreated="Comments_ItemCreated"
                OnEditCommand="Comments_EditCommand">
                <ItemTemplate>
                    <p align="justify">
                        <u>Posted by <a class="comment" href='<%# "mailto:" & Container.DataItem("Email") %>'><%# Container.DataItem("Author") %></a></b>
                        @ <%# CType(Container.DataItem("AddedDate"), Date).ToString("hh:mm tt, MMMM dd") %> </u>
                        <asp:LinkButton CausesValidation="False" runat="server" Text="Edit" CommandName="Edit"
                            CommandArgument='<%# Container.DataItem("CommentID") %>'
                            Visible='<%# User.Identity.IsAuthenticated %>'/>
                        <asp:LinkButton CausesValidation="False" runat="server" CommandName="Delete"
                            ID="DeleteComment" Text="Delete" CommandArgument='<%# Container.DataItem("CommentID") %>'
                            Visible='<%# User.Identity.IsAuthenticated %>'/>
                        <br>
                        <%# Container.DataItem("Comment") %>
                    </p>
                </ItemTemplate>
                <SeparatorTemplate><br></SeparatorTemplate>
            </asp:DataList>
        </div>
    </p>
</ItemTemplate>

The code above uses Visible='<%# User.Identity.IsAuthenticated %>'/> to determine who can edit, delete, or create a blog.
I already have a login that works similar to the links you provided.
My question is how do I use my own login to replace Visible='<%# User.Identity.IsAuthenticated %>?????
I understand the need to avoid sql injection attack. However, my bigger issue is how to replace this --> Visible='<%# User.Identity.IsAuthenticated %> with something like session("Access_Level") that I am selecting from Access database?
hans_v
Re: Can you please help modify this login?
Dec 23, 2012 08:17 PM
I understand your questions, but now it's up to you to understand how forms authentication works....
I think your priorities are wrong! What could be more important than solving a security risk? With your code, anybody can enter valid credentials!
When using forms authentication, authorization is set by using web.config files
http://msdn.microsoft.com/en-us/library/wce3kxhd(v=vs.100).aspx
To hide/show controls depending on which user is visiting a page, you can use a LoginView Control
http://msdn.microsoft.com/en-us/library/cc295194.aspx
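One way to connect the two logins, as an added example that is not code from the thread or from the MSDN blog sample: once the custom database check succeeds, issue a forms-authentication ticket that carries Access_Level as a role, then rebuild the principal on each request so that User.Identity.IsAuthenticated and User.IsInRole work in default.aspx. The names SignInWithLevel and AttachRoles and the "Level" role prefix are assumptions; the 60-minute lifetime mirrors timeout="60" in the posted web.config.

```vbnet
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

Public Module AccessLevelAuth

    ' Hypothetical helper: call from the login page after the database lookup
    ' has returned a valid Access_Level for this user.
    Public Sub SignInWithLevel(ByVal response As HttpResponse,
                               ByVal email As String,
                               ByVal accessLevel As Integer,
                               ByVal persistent As Boolean)
        Dim role As String = "Level" & accessLevel.ToString()
        Dim ticket As New FormsAuthenticationTicket(
            1, email, DateTime.Now, DateTime.Now.AddMinutes(60), persistent, role)

        ' With protection="All" the ticket is encrypted and validated, so the
        ' role stored in UserData cannot be edited on the client.
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName,
                                     FormsAuthentication.Encrypt(ticket))
        cookie.HttpOnly = True
        cookie.Path = FormsAuthentication.FormsCookiePath
        If persistent Then cookie.Expires = ticket.Expiration
        response.Cookies.Add(cookie)
    End Sub

    ' Call from Application_AuthenticateRequest in Global.asax. The forms
    ' module has already validated the cookie; this attaches the stored role.
    Public Sub AttachRoles(ByVal context As HttpContext)
        Dim user As IPrincipal = context.User
        If user Is Nothing OrElse Not user.Identity.IsAuthenticated Then Return

        Dim identity As FormsIdentity = TryCast(user.Identity, FormsIdentity)
        If identity Is Nothing Then Return

        Dim roles() As String = identity.Ticket.UserData.Split(
            New Char() {","c}, StringSplitOptions.RemoveEmptyEntries)
        context.User = New GenericPrincipal(identity, roles)
    End Sub

End Module
```

With this in place the blog template can keep Visible='<%# User.Identity.IsAuthenticated %>' or narrow it to Visible='<%# User.IsInRole("Level1") OrElse User.IsInRole("Level2") %>' instead of reading Session("Access_Level").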
simflex
Re: Can you please help modify this login?
Dec 23, 2012 08:51 PM
Thank you very much for your response hans_v.
I do understand how forms work.
My issue is that I have 2 different logins.
I created the first login from database. We use a fieldname called Access_Level to send users to pages they are allowed to view/edit/delete.
This is the login we have been using for our site.
Recently, the management decided to add a blog to the site.
This blog comes with its own login. This one uses forms authentication.
We can either use the forms authentication for the blog as well as the site or we use my custom login.
That's where I am stuck.
You might be right that I don't quite understand how to use forms authentication to direct users to their own page.
When I attempted to use forms authentication, I got confused with roles using Access database.
For now, if possible, I will like to avoid it or even better, if there is a simpler approach, I would love to try it.
I will spend more time reading the links you posted and hope they make more sense to me.