Saesee
Member
33 Points
26 Posts
Protect Administration area without Helpers or cookies
Feb 21, 2012 12:11 PM|LINK
Hi,
I am looking to protect the Administration area of my website with a login/password.
- I can't use cookies (my boss says that sessions are more secure, but if cookies are needed or more protected, I'll use them)
- Can't use a database (only one login/password will be used, so we don't want to create a table to store only one entry)
- And can't use web helpers like WebSecurity or SimpleMembership (because we use MySQL and in a previous post, MS said that MySQL is not supported by the WebSecurity Helper)
I have read http://msdn.microsoft.com/en-us/library/ms178581.aspx but don't understand how it works. I have read http://forums.asp.net/t/1662631.aspx/1?Authentication+Problem but I don't understand how sessions work :(
My website has a directory named "Administration". In this directory I have an index page "AdmIndex.cshtml" and a lot of other pages to administer all sections of my website.
I want to protect the whole "Administration" directory with only one login/pass stored in _AppStart or elsewhere. When an administrator comes to the "Administration" folder, he needs to enter the login/pass in a form on the Default.cshtml page. That's OK, but how/where do I store/use the login/pass information and protect the pages in the directory? Where and how do I store the login/pass requirement?
Thanks for helping. I will try to learn the basics of sessions while waiting for your help.
bbcompent1
All-Star
33097 Points
8529 Posts
Moderator
Re: Protect Administration area without Helpers or cookies
Feb 21, 2012 05:13 PM|LINK
If you are hosting this in house, you could use Windows Authentication since I'm suspecting your administration area would be in a folder although NT permissions can apply to files. However, I would STRONGLY advise you to use SSL if you plan to push this into the internet. That would be the cleanest and easiest way to do it within your requirements without any fancy coding.
Saesee
Member
33 Points
26 Posts
Re: Protect Administration area without Helpers or cookies
Feb 22, 2012 08:52 AM|LINK
Thanks for the answer, but I don't know if we have SSL activated on our host.
OK, SSL is secure, but my problem is: how do I secure my Admin area?
I think just linking in https doesn't secure a website, right? So how do I secure my Admin area without WebHelpers?
I'll search for solutions in PHP to convert them to C# if I find one.
Thanks,
bbcompent1
All-Star
33097 Points
8529 Posts
Moderator
Re: Protect Administration area without Helpers or cookies
Feb 22, 2012 10:53 AM|LINK
To clarify, SSL keeps the connection from being compromised but it doesn't actually issue a username/password challenge.
Saesee
Member
33 Points
26 Posts
Re: Protect Administration area without Helpers or cookies
Feb 22, 2012 01:35 PM|LINK
Hum Ok, thanks. I'll continue to search how to protect my admin area.
bbcompent1
All-Star
33097 Points
8529 Posts
Moderator
Re: Protect Administration area without Helpers or cookies
Feb 22, 2012 02:39 PM|LINK
Saesee, I found an article that might help you do this by using a Users XML file that contains username/password that is deployable to any production site. Take a peek and let us know if you need help with it.
http://msdn.microsoft.com/en-us/library/1b1y85bh(v=vs.71).aspx
Saesee
Member
33 Points
26 Posts
Re: Protect Administration area without Helpers or cookies
Feb 22, 2012 03:47 PM|LINK
Thanks, I'll go and look at that.
I think my bad English did not allow everyone to understand me in my first post.
I need to protect my Admin area with sessions (it's the only method I have heard of, with cookies). I have a login name and a password, but we don't want to store them in a database because we have just one login/pass pair to use.
My real question is more "How do sessions work?" if you prefer. I don't understand the MSDN article, and on forums and blogs everyone talks about sessions as if they were so basic that explanations are useless... I don't have innate knowledge :)
hans_v
All-Star
35986 Points
6550 Posts
Re: Protect Administration area without Helpers or cookies
Feb 23, 2012 08:33 AM|LINK
The easiest way is to use FormsAuthentication.
First alter your web.config, to enable FormsAuthentication. In the System.Web section, add this:

    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" defaultUrl="~/Admin/Default.aspx" />
    </authentication>

Next, we put the Password in the AppSettings section:

    <appSettings>
      <add key="Password" value="admin" />
    </appSettings>

Of course, you can use any value you want. Next we create a Login page in the root of your website, called login.aspx. Drag a Textbox and button to the page, and change their names to PasswordTextBox and LoginButton. Then in your code behind enter:

    Protected Sub LoginButton_Click(sender As Object, e As System.EventArgs) Handles LoginButton.Click
        Login(PasswordTextBox.Text)
    End Sub

    Private Sub Login(ByVal Password As String)
        If Password = ConfigurationManager.AppSettings("Password") Then
            FormsAuthentication.RedirectFromLoginPage("Admin", False)
        End If
    End Sub

Then add a folder called Admin into the root of your website, and in this folder you add a new webpage called default.aspx. All other pages you want to be accessed only by the admin you also put into this folder. When you want a logout button on those pages, you simply add a LoginStatus control to that page. Also, in this same folder, add a web.config file with the following content:

    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <authorization>
          <allow users="Admin"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </configuration>

The result of all this would be that when someone is trying to enter a page in the Admin folder, they will be redirected to the login page, because in the web.config you deny access to anybody, except when you're logged in as the user Admin.
In the login pages, you need to enter the password, which is checked against the value in the web.config file. If they match, you're logged in as the user Admin, which will create an authentication cookie on the client which enables you to enter the pages in the Admin folder....
Saesee
Member
33 Points
26 Posts
Re: Protect Administration area without Helpers or cookies
Feb 23, 2012 10:17 AM|LINK
Thanks a lot hans_v,
I think this solution is good for me.
I'll go try it now (I just need to convert aspx to cshtml because I use WebMatrix in C#) and come back afterwards to say where I am.
EDIT :
I have tried and...
My "login" page in the root folder :

    @{
        Layout = "~/_SiteLayout.cshtml";
        Page.Title = "Connexion";

        if(IsPost){
            var lgn = Request["Login"];
            var pwd = Request["Password"];

            if(lgn == ConfigurationManager.AppSettings("Login") && pwd == ConfigurationManager.AppSettings("Password")){
                FormsAuthentication.RedirectFromLoginPage("Administration", False);
            }
        }
    }

    <div class="corps">
      <p>
        <br/>
        Pour continuer, merci de vous identifier.<br/>
      </p>
      <form action="@Href("~/Login")" method="post">
        <table class="loginTable" cellpadding="0" cellspacing="0" border="0">
          <tr height="26">
            <td style="text-align: right; padding-right: 4px"><label for="Login">Login</label></td>
            <td><input type="text" name="Login" id="Login" style="width: 250px;" value="" maxlength="50" autocomplete="off" /></td>
          </tr>
          <tr height="26">
            <td style="text-align: right; padding-right: 4px"><label for="Password">Password</label></td>
            <td><input type="password" name="Password" id="Password" style="width: 250px;" value="" autocomplete="off" /></td>
          </tr>
          <tr>
            <td></td>
            <td><span class="boutonPerso envoyer"><button type="submit"><img src="/Images/boutons/accept.png"/><span>Valider</span></button></span></td>
          </tr>
        </table>
      </form>
    </div>

My web.config in root folder :

    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="/Login" defaultUrl="~/Administration/AdmAccueil" />
      </authentication>
    </system.web>
    <appSettings>
      <add key="Login" value="AdminLoginOfWarrior" />
      <add key="Password" value="PassOfTheDeadDeath" />
    </appSettings>

My web.config in /Administration folder

    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <authorization>
          <allow users="Administration"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </configuration>

When I launch my "login" page, this error is shown :

    Erreur du serveur dans l'application '/'.
    Erreur de compilation
    Description : Une erreur s'est produite lors de la compilation d'une ressource requise pour répondre à cette demande. Veuillez consulter ci-dessous les détails relatifs à l'erreur en question, puis modifier votre code source de manière appropriée.
    Message d'erreur du compilateur: CS0103: Le nom 'ConfigurationManager' n'existe pas dans le contexte actuel
    Erreur source:
    Ligne 7 : var pwd = Request["Password"];
    Ligne 8 :
    Ligne 9 : if(lgn == ConfigurationManager.AppSettings("Login") && pwd == ConfigurationManager.AppSettings("Password")){
    Ligne 10 : FormsAuthentication.RedirectFromLoginPage("Administration", False);
    Ligne 11 : }

It says that "ConfigurationManager" doesn't exist, but when I look at MSDN, it exists. Maybe I don't call it correctly. http://msdn.microsoft.com/fr-fr/library/system.configuration.configurationmanager(v=vs.100).aspx
Any idea about my problem? Thanks in advance.
Edit 2 : I have seen this: http://msdn.microsoft.com/fr-fr/library/system.web.configuration.webconfigurationmanager.aspx Is it more what I need or not? And if yes, how do I use it?
hans_v
All-Star
35986 Points
6550 Posts
Re: Protect Administration area without Helpers or cookies
Feb 23, 2012 02:04 PM|LINK
I think you need to include the namespace:
System.Configuration.ConfigurationManager.AppSettings["Login"]
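
An added example, not code from any poster in this thread: the login check discussed above written as compiling C# for a Razor (WebMatrix) site, with a fixed-time comparison and a fail-closed path when the settings are missing. The class name AdminAuth, its method names and the App_Code location are assumptions; the appSettings keys and the "Administration" user name are the ones posted above.

```csharp
// Assumed location: App_Code/AdminAuth.cs (hypothetical helper, added example).
// In Login.cshtml the POST branch then becomes:
//   if (IsPost && !AdminAuth.TryLogin(Request["Login"], Request["Password"])) { /* show an error */ }
using System.Configuration;          // ConfigurationManager: the missing namespace behind CS0103
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;           // FormsAuthentication

public static class AdminAuth
{
    // Compares two strings without revealing, through timing, where they first differ.
    // Both sides are hashed first so the loop always runs over 32 bytes.
    private static bool FixedTimeEquals(string a, string b)
    {
        using (var sha = SHA256.Create())
        {
            byte[] x = sha.ComputeHash(Encoding.UTF8.GetBytes(a ?? ""));
            byte[] y = sha.ComputeHash(Encoding.UTF8.GetBytes(b ?? ""));
            int diff = 0;
            for (int i = 0; i < x.Length; i++) diff |= x[i] ^ y[i];
            return diff == 0;
        }
    }

    // Returns true and issues the Forms authentication cookie when both values match web.config.
    public static bool TryLogin(string login, string password)
    {
        // C# reads AppSettings through the indexer []; the VB form AppSettings("...") does not compile.
        string expectedLogin = ConfigurationManager.AppSettings["Login"];
        string expectedPassword = ConfigurationManager.AppSettings["Password"];
        if (expectedLogin == null || expectedPassword == null) return false; // keys missing: fail closed

        // Non-short-circuit & so both comparisons always execute.
        bool ok = FixedTimeEquals(login, expectedLogin)
                & FixedTimeEquals(password, expectedPassword);
        if (!ok) return false;

        // The name must match <allow users="Administration"/> in /Administration/web.config.
        // C# literal is lowercase false: the cookie is not persisted across browser sessions.
        FormsAuthentication.RedirectFromLoginPage("Administration", false);
        return true;
    }
}
```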