I am making an asp.net web site in C# and I have a database in slq server with a table Users(id, username, password, isAdmin). The column isAdmin is int with default value 0, so if the user is admin, isAdmin = 1 else isAdmin = 0.
I have a login form in the website and when the user logs in, it creates a Session("admin") or Session("user"), depending on the isAdmin value.
So, how can I restrict access on Session("user") to admin.aspx page and to the upload folder on the site?
I don't want to add roles management in IIS, because the admin can make other users into admins (updating the isAdmin to 1)
Thanks.
Don't keep standard user & admin in separate session variables. Rather create a class that maps to your User table and store user info in it in generic way. One property of that class would be .isAdmin (integer or even boolean). Then you could simple check something like in "admin.aspx"
UserInfo objUserInfo = (UserInfo)Session("user");
if (objUserInfo.isAdmin == 0) {
Response.Redirect("User.aspx");
}
something in this logic:
after logging in, save user role in session var first.
and then in the page_load of the restricted page, check user's role and if he is not admin, redirect him to relogin with an admin account.
protected void Page_Load(object sender, EventArgs e)
{
if(session["role"].ToString().compareTo("admin")==0)
{
//load page stuff
}
else
{
Response.Redirect(your login page);
}
}
Turn off directory browsing in IIS. Add this in your web.config to prevent users from browsing folders. This is will work in IIS 7+
<configuration>
<location path="Secured">
<system.webServer>
<directoryBrowse enabled="false" />
</system.webServer>
</location>
</configuration>
Related
I'm creating a simple website for multiple users. Now i'm trying to make the profile of each one so when they login they can see their data. The problem is that once logged in with one user and i login with another one my session gets "overwritten" and the new user become the old one. So i think i'm messing up with the session part.
I'm telling you what i've done.
Inside the login controller i call a the Login function, passing username and password.
Then i validate the user credentials to the database and if the user has been authenticated i do:
new_session = new UserSession();
new_session.SessionSet(obj);
Inside the "SessionSet" i just initialize some variables i need:
this.id_account = obj.id_account;
this.id_user = obj.id_user;
this.username = obj.username;
At this point i return the new_session to the Controller and if it is not null i just add it to the session:
Session.Add("user", new_session);
The problem now is how can i get this specific object form : views, classes and controllers?
If i write in a view:
(((UserSession)Session["user"]).username)
I get only the "user" object so when 2 users log in at the same time, the session refer always to the "user" one.
I googled it but i can't find an answer that fits to my needs.
get database UserSession data
see user with this useID Is logged in
if user logged in {not allaw login} else {allow login}
or write data in session with timeout
if(Session["users"] != null)
{
List<UserSession> users = (List<UserSession>)Session["users"];
var finduser = users.Where(a=> a.id_user == newUser.id_user).FirstOrDefault();
if(findUser == null)
{
//add user into session
}
}
else
{
Session.Add("users",newUser);
}
and web.config file set timeout logout and session equal
<sessionState mode="InProc" timeout="20"></sessionState>
<authentication mode="Forms">
<forms loginUrl="/Pages/Default" timeout="20" slidingExpiration="true" />
</authentication>
This question already has an answer here:
Windows Authentication and add Authorization Roles through database - MVC asp.net
(1 answer)
Closed 5 years ago.
I am trying to add a configurable user permission module in my ASP.NET Webforms application (NOT Using MVC) which can be configured by an admin user. My user database schema looks something like below
I want admin users to create Roles (UserGroup), assign rights to a group and create users with group it belongs to. Up to this point is okay I can do it myself but my question is what is best approach to implement the permissions once users are created. To be more specific say I have menu on my master page which contains EntityName and it has View,Add,Edit,Delete sub menus. For example *Customer
View
Add
Edit
Delete
I want the menu/sub-menu to be enabled/disabled based on the permission of the user who is logged in. I also want it to be restricted for a user who attempts to navigate by directly typing in the url of a page on which he has no permission.
I would like to point that the users(admin) should be able to create a role so no hard-coded role name etc in the web config file.
Edit : - There is an existing question but this does not answer how to restrict an user trying to navigate to a page by typing url on which he has no access.
protected void Page_Load(object sender, EventArgs e)
{
// Perform The UI Logic
// Assuming That You Are Tracking The User For Each Reqeust In Session["UserID"]
ShowHideMenuOrSubMenu_Role_Your_RoleName(Session["UserID"].ToString());
}
public static void ShowHideMenuOrSubMenu_Role_Your_CRUD_RoleName(string UserID)
{
if (CheckUserRole("Your_CRUD_Role", UserID))
{
//1. Set Your Front End WebForm Control To Disable
//2. Set Your Front End WebForm Control CSS
// Whichever you prefer .
}
}
public static bool CheckUserRole(string Role_CRUD , string UserID)
{
// Go Into DB/Repository/EF Where Your Role/User Setting Is Set .
// Perform Checking
// Assuming The Result Is A Bool Checking Result That You Checked
return Result;
}
I am building an intranet site where users will be on the corporate domain and have different permission levels. I'm currently using <authentication mode="Windows"/> to control site access, but it seems like I should be using ASP.NET Identity.
For example, say my application is a dashboard for each department in the organization. I want to create a single AD group called DashboardUsers and put everyone that can touch the site in this group.
I also want to restrict the views in the dashboard. For example, I only want the IT group to see their view, and the Finance folks see theirs, etc.
Question -- should I be using Windows Authentication to control access to the site, and then use ASP.NET Identity for user level permissions?
I have done something similar to this using only WindowsAuthentication. You can tag your actions with the Authorize Attribute:
[Authorize(Roles = #"DashboardUsers")]
As long is this user is a member of the DashboardUsers AD group they will get access to this action. It seems like MVC magic, but it really is that simple.
Unfortunately this approach will not allow you to overload an action for different Roles as the Authorize Attribute is not part of the method's signature. In your views, you would have to show different anchor tags based on the current users role.
ie:
[Authorize(Roles = #"DashboardUsers\Manager")]
public ActionResult IndexManagers()
{
..
}
or
[Authorize(Roles = #"DashboardUsers\Finance")]
public ActionResult IndexFinance()
{
..
}
EDIT AFTER COMMENT:
Since your Identity is coming from AD, you could use logic in your controller like:
if(User.IsInRole("Finance"))
{
..
}
else if(User.IsInRole("IT"))
{
..
}
And this will check which AD Group they belong too. I know it's not very elegant, but I can't imagine mixing Windows Auth with a custom identity and managing permissions in your own db would be elegant either.
I have run into this dilemma before and wound up creating a custom role provider that i used in conjunction with windows authentication. I'm not sure you need the OWIN middleware when authenticating against AD.
public class MyAwesomeRoleProvider : RoleProvider
{
public override void AddUsersToRoles(string[] usernames, string[] roleNames)
{
// i talk to my database via entityframework in here to add a user to a role.
}
// override all the methods for your own role provider
}
config file
<system.web>
<authentication mode="Windows" />
<roleManager enabled="true" defaultProvider="MyAwesomeRoleManager">
<providers>
<clear />
<add name="MyAwesomeRoleManager" type="MyAwesomeNamespace.MyAwesomeRoleProvider" connectionStringName="MyAwesomeContext" applicationName="MyAwesomeApplication" />
</providers>
</roleManager>
</system.web>
I had define a username in and I added it to a role.
Now, I use this code to check if user valid:
if (Membership.ValidateUser(txtUsername.Text, txtPassword.Text)) {
FormsAuthentication.SetAuthCookie(txtUsername.Text, false);
if (Roles.GetRolesForUser(txtUsername.Text).Any(role => role == "Admin")) {
Page.Response.Redirect(ResolveUrl("~/Admin/Products.aspx"));
}
txtUsername.Text = "";
}
After that, I want to check in Products.aspx page if user is in a role or not. I wrote this code but it returns my local Windows username :
Context.User.Identity.Name
I thinks it should returns logged on user.
After that I will check with this code :
if (!Context.User.IsInRole("Admin"))
{
Response.Redirect(ResolveUrl("~/Default.aspx"));
}
What's wrong with my code? How can I check for that if logged on user is in specific role?
Do you set the authentication-mode to Forms?
Web.config:
<authentication mode="Forms">
</authentication>
Also you should use Page.User.Identity.Name instead of Context.User.Identity.Name.
I believe you just need to use Page.User.Identity.Name, instead of Context.
Let me know if that does it, I've made that mix-up before =)
I have a relatively simple ASP.Net application that I have built some simplistic security into. The user logs in with a username and password and I check it against the DB. If it is successful I store a User object for them on a session variable called "UserID" and redirect them to the same page, only this time they dont see the login panel. (Mmm could just hide it dynamically but I think that would cause a page reload anyway)
On my Default.aspx page I have the following code:
protected void Page_Load(object sender, EventArgs e)
{
if (Session["UserID"] == null)
{
LoginPanel.Visible = true;
}
}
protected void btnLogin_Click(object sender, EventArgs e)
{
Security security = new Security();
Session["UserID"] = security.LoginUser(txtUsername.Text, txt2Password.Value);
if (Session["UserID"] != null)
{
Response.Redirect("~/default.aspx");
}
}
Right, so far so good. Also worth mentioning at this point is the master page:
protected void Page_Load(object sender, EventArgs e)
{
if (Session["UserID"] == null)
{
//Check that we are not already on the default.aspx page.
//Don't want to cause infinite redirect here
if (!Request.Path.ToLower().Contains("default.aspx"))
{
Page.Response.Redirect("~/Default.aspx");
}
}
else
{
//Otherwise we get the UserObject from the session and display menu items //based on the role. Nothing fancy.
}
}
//Bad naming. This a logout link on the master...
protected void Unnamed1_Click(object sender, EventArgs e)
{
Session["UserID"] = null;
Page.Response.Redirect("~/Default.aspx");
}
Now all of this works perfectly on my local instance of IIS. As soon as I deploy this to our production server and I click on one of my menu items and navigate say to Search.aspx it chucks me back to my Default.aspx page with the LoginPanel visible??? Also that is in Firefox. With IE I can click on the Search.aspx menu link and it takes me to the page, but clicking on an edit link in my GridView also chucks me back to the Default.aspx page with the LoginPanel showing.
I'm no ASP.net expert at all and I'm at wits end. So please word Answers with as little as possible jargon and so forth and post links to msdn for docs and such so that I don't just resolve this, but actually understand why this has been giving me nightmares.
TIA
Don't store user identifiers or other sensitive information in the session, implement IIdentity and IPrincipal with Forms authentication instead (though this doesn't completely rule out information exposure altogether).
This enables easy access to certain elements in the nature of what you need:
//to sign-in:
FormsAuthentication.SignIn("username", createPersistentLogin);
//to sign-out:
FormsAuthentication.SignOut();
//user data access:
Page.User.IsInRole("requiredRole");
Page.User.Identity.IsAuthenticated;
Page.User.Name;
A couple of snippets from MSDN to explain the meaning of this:
The .NET Framework provides a
role-based security implementation in
the System.Security.Principal
namespace, which you can use for
authorizing and authenticating users
in your application.
An IIdentity encapsulates an
authenticated user. An IPrincipal is a
combination of the identity of the
user and any roles he or she has. You
can use the predefined identity and
principal classes in the
System.Security.Principal namespace or
you can add custom authentication by
creating classes that implement the
interfaces.
Care should be used when granting
permissions to work with IIdentity
objects, because these objects make
sensitive user-related information
available. You should protect the
application's current IPrincipal
object from changes because the
application's authorization capability
is based on its current principal.
You can get information on doing this from MSDN.
maybe a bit off topic but I would recommend to use built in login functionality, that means Login Controls, Membership and Authentication. Then you don't have to mess with Session
http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
then you can do Membership.GetUser().ProviderUserKey for example to get the key
Verify if in your production server the Web.Config file of your site contains this line, or something like this :
<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20" />
It must be inside element.
It is to verify wich sessionState are you using.
See the link :
Asp.NET Session State