I am making a website tool isch with ASP.NET Framework, that lets a user/customer preview their website.
I have a simple database that gathers a SESSION["username"] and creates a with the source to the customer project file.
But if I have multiple users how am I supposed to prevent users from accessing each other's files using the URL? like if the directory for the customer projects is ? "~/Customer/SESSION["username"]/Default.aspx and user1 enters user2 in the directory instead. I will post some content of the page here to make it easier to understand.
Directory of my project
In the Default.aspx page I direct everyone that is not the user "admin". And inside the Default.aspx i have an IFrame that looks like this <iframe id="contentPanel1" runat="server" /> and it gets its src attribute from my Default.aspx.cs that looks like this:
using System;
using System.Web.UI;
namespace MyFeedbackWebsite
{
public partial class _Default : Page
{
protected void Page_Load(object sender, EventArgs e)
{
if (Session["username"] == null)
{
Response.Redirect("~/login");
}
if ((string)Session["username"] == "admin")
{
Response.Redirect("~/admin");
}
this.contentPanel1.Attributes["src"] = "https://localhost:44350/Customer/" + Session["username"].ToString();
}
}
}
In my Admin.aspx.cs I check if the username = admin and if the user is logged in:
using System;
namespace MyFeedbackWebsite
{
public partial class admin : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
if ((string)Session["username"] == null)
{
Response.Redirect("~/Login");
}
if ((string)Session["username"] != "admin")
{
Response.Redirect("~/Default");
}
}
}
}
And in the /Customer/ Directory I want the customers project to be located. But as I mentioned, if the directory is /Customer/user1/Default.aspxI want the user1 value to match the current session. Thanks beforehand!
Best regards Max
A few observations
Now, I don't know the background of this project you're working on, but it seems you are relatively new to some of the concepts, so I'll just list a few things for you to think about:
If this is a new project I would highly recommend you to stop and instead look at ASP.NET Core or similar. .NET Framework is slowly being replaced by .NET Core, so a new project based on .NET Framework (such as ASP.NET Web Forms) will quickly become outdated (if it isn't already from the start).
If this is just a spare time/personal little project, all good (except for above point) - playing around with it is a good way to learn. If it's a commercial or otherwise serious project, however, I would recommend you to read up on security best practices in web applications. Restricting access to a page using a construct like Session["username"] != "admin" is bad business and very error prone. Take a look here for an example of configuring which users or roles can access which pages.
The problem in question
It's still a little unclear to me what part of your code handles/is run when accessing /Customer/user1/Default.aspx. But I would recommend you, that instead of having the username be part of the URL, you are getting the username from the session in the backend instead, and then serving the proper page matching that username:
User accesses the URL /Customer/Default.aspx
Backend verifies that user is logged in. If not, user is redirected to login page
Backend gets the username from the session and returns the page <username>/Default.aspx (note: this is not a URL, but a file path or something similar that points to the page you are serving - the user never sees this)
Now, the user will not be able to see another user's page because /Customer/user1/Default.aspx is not a valid URL - /Customer/Default.aspx is.
Related
I am trying to move the content of a textbox on the from StudentRegistration to the form MyProfile by following a tutorial on YouTube. However when I try to reference the StudentRegitration Page in my code, I get the error that the type or namespace cannot be found.
In the tutorial I can see that in their code they have a namespace, however my website does not. Could anyone tell me what to do in order to be able to reference StudentRegistration without getting an error?
I should have stated that I have a website not a web app. I have found that websites do not have a default namespace. How would I go about accessing the StudentRegistration without referencing a namespace?
public partial class MyProfile : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
if (PreviousPage != null)
{
StudentRegistration LastPage = (StudentRegistration)Context.Handler;
lblEmail.Text = StudentRegistration.STextBoxEm;
}
}
}
Rather than answer your question directly, I'd like to point out another issue with your code that will probably prevent it from working. You should refer to the documentation on the PreviousPage property at: http://msdn.microsoft.com/en-us/library/system.web.ui.page.previouspage%28v=vs.110%29.aspx
It does NOT work like this:
user visits /StudentRegistration.aspx
user does stuff
user submits the form on /StudentRegistration.aspx
server redirects the user to /MyProfile.aspx
MyProfile class knows that PreviousPage = the class from /StudentRegistration.aspx
Instead, the description from the msdn reference page linked above stipulates that the PreviousPage property only works on this scenario:
user visits /StudentRegistration.aspx
user does some stuff
user submits form on /StudentRegistration.aspx
server transfers request to the MyProfile class
this does not mean that the url has changed to /MyProfile.aspx for the user, this means that the server is going to treat the current request to /StudentRegistration.aspx as if it were actually a request to /MyProfile.aspx
the user ends up seeing the result of what would normally be /MyProfile.aspx on /StudentRegistration.aspx
Now, your code may actually want that, but the fact that you have:
if (PreviousPage != null)
{
StudentRegistration LastPage = (StudentRegistration)Context.Handler;
// this should be
// StudentRegistration LastPage = (StudentRegistration)PreviousPage;
}
makes me think that you have misinterpreted the somewhat misleadingly named PreviousPage property. For a sample of how to persist state across multiple page loads in .NET, I would recommend reading up on SessionState. It has a somewhat complicated name, but does more of what you would want in this scenario:
http://msdn.microsoft.com/en-us/library/ms178581%28v=vs.100%29.aspx
An added bonus is that you do not need to reference one class from another, so you fix your current bug later on. Additionally, even if you did resolve your potential namespace error, the issue that I outlined earlier will cause the value of the text field to be blank if your code is working as I suspect.
You are sending data from a source to a target - e.g. StudentRegistration -> MyProfile
You have options because at the end of the day, it is HTTP. Aside from "persistence" (Session), and the tutorial you are following, a "simpler" way is to use ButtonPostBackUrl.
All it means is that you are POSTing data to the target page. The target page (MyProfile) will have to validate and parse the posted data (Request.Form). This way you don't have to manage things like Session state.
I have one url (/settings) that needs to point to two different pages depending on the users security on login. One page is the existing webforms page the other is a new MVC page. Is this even possible?
Additional Info:
When the user is on either page the url needs to say website.com/settings
Solution:
Convinced the PM to change the requirements.
The short answer, yes. You can do this several ways.
Javascript
Model View Controller (Controller)
ASP.NET Web-Forms (Method)
It is often poor practice to do such an event, as it can expose data. It is indeed possible:
Javascript:
$(document).ready(function () {
if($("#Account").val() != '') {
$(".Url").attr('href', 'http://www.google.com');
}
});
Pretend #Account is a hidden field that is populated from your database. If the field is not null then modify the .Url element to navigate to link. That approach for Web-Forms is the most simple.
Web-Forms:
protected void btnAccount_Click(object sender, EventArgs e)
{
if(User.IsInRole("Account"))
Response.Redirect("~/Admin.aspx");
else
Response.Redirect("~/User.aspx");
}
That would use the default Windows Authentication for the domain, you could bend and contort to use the database to pull data. An example, the Model View Controller would be similar as the Controller will simply handle that capability.
Hope this points in right direction.
This is a redirects based approach. Create a web page mapped to /settings, and have this code run on page load.
if(User.IsAdministrator()) //I take it you have some way of determining who is an Admin, so this is just example code
{
Response.Redirect("~/AdminSettings.aspx");
}
else
{
Response.Redirect("~/UserSettings.aspx");
}
Note that you'll need security on the Admin page to make sure a regular user can't just navigate directly there.
I'm trying to write a website which based on ASP.Net. When I made a login page with username and Password, and also connected to a SQL-server.
But when I type in the right username and password. It will need to click login twice to login. Once I login, when I go back to the login page. No matter what I'm trying to type in the username and password textbox. The system will always log me in. I heard that the session can help, but I don't have any idea how to use it.
Is there anyone could help me? Or show me some usable code samples please?
Thank you
Jimmy
I second #GojiraDeMonstah's suggestion and would also recommend that you try to use Microsoft's out of the box (OOTB) functionality for handling website security (i.e. authentication, authorization, user management, password reset etc.) as much as possible. There's no reason to go reinventing the wheel when it's all there for you. You can even extend the existing functionality to create your own custom authentication provider but you really want to avoid trying to write one from scratch especially if you're new to this stuff.
Microsoft provides an infinite number of tools and tutorials to allow you to setup all this stuff so easily. Don't try creating your own database unless you really, really have to. Just use the one they provide you and work from that as a starting point.
Here is another great resource that provides a more visual tutorial to show you how easy it is.
Good luck!
The process of supplying a username and password (credentials) and then using the supplied name & password to verify a user is called Authentication. If you google asp.net authentication you will get a zillion results. Here's a good start --> http://support.microsoft.com/kb/301240
Write code like this
FirstPage.aspx(On your first page Login button click)
protected void Login_Click(object sender, EventArgs e)
{
Session["UserName"] = txtUserName.Text;//Store username in session
}
SecondPage.aspx(after login on next page)
protected void Page_Load(object sender, EventArgs e)
{
LabelUserName.Text = Session["UserName"].ToString();//Show username on a label
}
Hope it helps ....
The easiest way I have found is to download the sample pages provided in this example here.
Use the Global.asac file so you don't have to add login code to each and every page in your application.
In the file "Global.asax", define your session in the function "Session_Start()"
protected void Session_Start(Object sender, EventArgs e)
{
//The first Session "Logged" which is an indicator to the
//status of the user
Session["Logged"]="No";
//The second Session "User" stores the name of the current user
Session["User"]="";
//The third Session "URL" stores the URL of the
//requested WebForm before Logging In
Session["URL"]="Default.aspx";
}
In each of the pages you want only authenticated access to check if the user is Logged or not like this:
private void Page_Load(object sender, System.EventArgs e)
{
if(Session["Logged"].Equals("No"))
{
....
}
else
{
....
}
}
In your Login.aspx page check the user name and password from your database with a function like:
if(CheckUser(UserNametxt.Text.Trim()) && CheckPassword(Passwordtxt.Text.Trim())
{
....
}
else
{
....
}
In your codebehind define the functions CheckUser() and CheckPassword() by connecting to your database and passing the variable from the login page.
Download sample files here.
I'm using Visual Studio 2010 ASP.NET with C# on the back framework 4
It comes with user register/login/logout mechanism.
on load of the default.aspx page I would like to redirect the users: user1 and user2 to default2.aspx and the rest of the users to default3.asp
I would not like to use cookies, but using a session is acceptable.
something like:
if (username == "user1" || username == "user2")
{
Response.Redirect("defualt2.aspx");
}
else
{
Response.Redirect("default3.aspx");
}
void Page_Load(object sender, EventArgs e)
{
switch (User.Identity.Name)
{
case "user2":
case "user1":
Response.Redirect("defualt2.aspx");
break;
default:
Response.Redirect("default3.aspx");
break;
}
}
However you might want to use Server.Transfer instead of Response.Redirect, if you don't want the address to change in the address bar.
User.Identity.Name from System.Web
if (Page.User.Identity.Name == "user1" || Page.User.Identity.Name == "user2")
{
Response.Redirect("defualt2.aspx");
}
else
{
Response.Redirect("default3.aspx");
}
That should do it as long as you're within an aspx code behind.
Wow! There are tons of ways to do this. When the user logs in you could set a session variable identifying the user and then use your code above but instead check for username == Session["user1"].ToString() but that code is not recommended because now you are locking yourself into hardcoding the username into the code. Next would be to put the username into the web.config so it could be changed easily but again, not acceptable.
It sounds like you are probably doing this for security reasons. If that is the case, you should look into the Role Provider that is already part of the Framework. This provides you with a mechanism to place users in specific roles and then based on that role allow or disallow users on certain pages based on a decorator above the class.
I would not use the code you have posted in any circumstance. It is not good practice to hard-code usernames into code.
I have a relatively simple ASP.Net application that I have built some simplistic security into. The user logs in with a username and password and I check it against the DB. If it is successful I store a User object for them on a session variable called "UserID" and redirect them to the same page, only this time they dont see the login panel. (Mmm could just hide it dynamically but I think that would cause a page reload anyway)
On my Default.aspx page I have the following code:
protected void Page_Load(object sender, EventArgs e)
{
if (Session["UserID"] == null)
{
LoginPanel.Visible = true;
}
}
protected void btnLogin_Click(object sender, EventArgs e)
{
Security security = new Security();
Session["UserID"] = security.LoginUser(txtUsername.Text, txt2Password.Value);
if (Session["UserID"] != null)
{
Response.Redirect("~/default.aspx");
}
}
Right, so far so good. Also worth mentioning at this point is the master page:
protected void Page_Load(object sender, EventArgs e)
{
if (Session["UserID"] == null)
{
//Check that we are not already on the default.aspx page.
//Don't want to cause infinite redirect here
if (!Request.Path.ToLower().Contains("default.aspx"))
{
Page.Response.Redirect("~/Default.aspx");
}
}
else
{
//Otherwise we get the UserObject from the session and display menu items //based on the role. Nothing fancy.
}
}
//Bad naming. This a logout link on the master...
protected void Unnamed1_Click(object sender, EventArgs e)
{
Session["UserID"] = null;
Page.Response.Redirect("~/Default.aspx");
}
Now all of this works perfectly on my local instance of IIS. As soon as I deploy this to our production server and I click on one of my menu items and navigate say to Search.aspx it chucks me back to my Default.aspx page with the LoginPanel visible??? Also that is in Firefox. With IE I can click on the Search.aspx menu link and it takes me to the page, but clicking on an edit link in my GridView also chucks me back to the Default.aspx page with the LoginPanel showing.
I'm no ASP.net expert at all and I'm at wits end. So please word Answers with as little as possible jargon and so forth and post links to msdn for docs and such so that I don't just resolve this, but actually understand why this has been giving me nightmares.
TIA
Don't store user identifiers or other sensitive information in the session, implement IIdentity and IPrincipal with Forms authentication instead (though this doesn't completely rule out information exposure altogether).
This enables easy access to certain elements in the nature of what you need:
//to sign-in:
FormsAuthentication.SignIn("username", createPersistentLogin);
//to sign-out:
FormsAuthentication.SignOut();
//user data access:
Page.User.IsInRole("requiredRole");
Page.User.Identity.IsAuthenticated;
Page.User.Name;
A couple of snippets from MSDN to explain the meaning of this:
The .NET Framework provides a
role-based security implementation in
the System.Security.Principal
namespace, which you can use for
authorizing and authenticating users
in your application.
An IIdentity encapsulates an
authenticated user. An IPrincipal is a
combination of the identity of the
user and any roles he or she has. You
can use the predefined identity and
principal classes in the
System.Security.Principal namespace or
you can add custom authentication by
creating classes that implement the
interfaces.
Care should be used when granting
permissions to work with IIdentity
objects, because these objects make
sensitive user-related information
available. You should protect the
application's current IPrincipal
object from changes because the
application's authorization capability
is based on its current principal.
You can get information on doing this from MSDN.
maybe a bit off topic but I would recommend to use built in login functionality, that means Login Controls, Membership and Authentication. Then you don't have to mess with Session
http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
then you can do Membership.GetUser().ProviderUserKey for example to get the key
Verify if in your production server the Web.Config file of your site contains this line, or something like this :
<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20" />
It must be inside element.
It is to verify wich sessionState are you using.
See the link :
Asp.NET Session State