Solved

Login / Logout - best practices, redirection and multiple forms submit.

Posted on 2006-11-01
11
445 Views
Last Modified: 2012-06-27
Hi there.

A simple scenario.
There is web user control on each page of my applicatin with two divs runat server: (1) first div with login info (username and password textboxes and submit buttonlink) and (2) second div with logout info (login name info and logout link). Based on the session("username") in webusercontrol_load one of those two divs is shown. So far OK. Or is this already a bad idea? I can not use the built in form authentication as it is used in this application already for administration interface.
So I have my own web user control querying a database and making the authentication for me (setting session("username").

Now I have two little problems:

1) Once a user clicks on the submit (providing username and password) and is successfully authenticated against the database, the session("username") is set and based on this session some other queries fetch data from different sources (for anonymous and registered users). The issue is that when the user views a page which has different content for registered and anonymous users, the databinding (=getting different data) happens BEFORE the web user control sets the session = too early. So in a real life, when I click on the submit button (login user), the page is reloaded, but still with old data (and vice versa during logout the first page refresh shows still the registered user data). I have to reload the page again to get the new data. This is because of the order of events, first the databinding of the SQLDataSet is done and then the Submit_OnClick  event is handled.

I assume there must be a way of doing this (except redirecting to some dummy login page and then redirecting back to the actual page). I was thinking about using sqldataset_01.databind() but I do not know how to accomplish this when I am working inside the web user control and this dataset is inside the page hosting the web user control. I can not access the hosting page controls and this would not be a good idea though as there are many different datasources on different pages. Right? Please advice your best practices.

2) The second issue I am facing now is also related to the login web user control. I have this web user control with username and password and submit buttonlink on a page together with another form - for example registration form, shoppingcart form etc. When I click on the registration form submit buttonlink the login web user control also attempts to submit and vice versa. Although I have set a different validationsets parameters for both submitbuttonlinks this mishmatch happens. How to avoid this?

Thanks for your advices, experts!
0
Comment
Question by:keson
  • 6
  • 5
11 Comments
 
LVL 96

Expert Comment

by:Bob Learned
ID: 17848933
Not quite sure what you mean.

Bob
0
 

Author Comment

by:keson
ID: 17851342
Well to be quick I mean this:

1) when a web user control doing authorization for me against a database authorizes a valid user and sets a proper session variable session("username") to something, the page which hosts this web user control needs to be refreshed again after the user clicks on "login" button as the button_onclick event is processed after the page proceeds databinding to some database which is based on user login.

Example:
Page shows data for anonymous user and my web user control with username, password and submit button. Now user inserts his login name and password and clicks submit. Now the login control shows you are loged in as xxxx, logout... but the page shows still data for anonymous user. But when you refresh the same page then the data shows are already for registered user. Because the order of events is:

blabla, gridview_load, blabla, submit_onclick, blabla...
But I can not access the gridview and nothing else from the web user control as it is independent on the page on which it is hosted.

How can I do login so that the login affects the page on which it happens?

2) the second thing is more or less comesric issue. When I have this web user control on a page together with another submit button, submiting either of them (login or for example add to shopping cart) will triger form submition of BOTH of them. I guess it is because there is ONE MAIN FORM on each asp.net page so all submit buttons believe that they belong to tis form, right?

I can not be more specific about my problem. Hope it is enough to give some advice.

Thanks
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 17851352
Are you logging in on one page, and transferring to another page?

Bob
0
 

Author Comment

by:keson
ID: 17852743
No. Th elogin field is on EVERY page and I am not transfering nywhere. It would be an easy job - to do the login logic somewhere and to transfer back to the originating page. I will do it this way in the meantime, but I am sure the even driven access must allow me to do better.
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 17854912
1) You have to login to every page that you access?

2) Or, are you just storing login information on each page?

3) What type of authentication are you using?  Windows, Forms, etc?

Bob
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 

Author Comment

by:keson
ID: 17855898
Hi Bob.

1) Nope, this is a GENERIC login for the whole user interface. The admin interface (which is not what I have problems with uses built in forms authentication).

2) Nope, I guess. I am not storing login information on every page, I am just showing the login web user control (the mini form) on EACH page.

3) for the user interface it is my own authentication (as the forms authentication was used for admin interface (ADMIN folder inside the root folder) and it is not possible to use twice forms authentication in one project - this is what I figured out here on experts -exchange.

Update.
I was dreaming about the whole issue tonight and figured out, that it would be probably good to create some LOGGEDIN event to my web user control which I would test on gridview_load and would do databind then... But it still does not solve the issue with ORDER in which the events are evaluated: 1) the whole page events, then the gridview databinding and then first the button click, which is too late and which is causing me the problem.

Howgh.
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 17857860
Usually what I find with logins, is to create a single login page, and when a user is authenticated transfer to another page where you can assume that the user is authenticated.  If they are not authenticated, they can't just navigate to the same URL for the start page.  You can accomplish this by storing a flag to indicate authentication, and check for each page.  If the user didn't go through the normal login process, then the flag would be set, and they wouldn't be allowed access to each of the pages for the web site.

Bob
0
 

Author Comment

by:keson
ID: 17858014
Hi Bob,
your suggested attitude is fine and OK for pages where you simply do not want anonymous users to see. But What I do is an e-shop so everyone (registered and anonymous users) can access all pages, the only difference is that registered users will see different prices in the price list. And once the user is viewing the price list and logs in through the mini-form on the side of the price list, he is taken back to the same page but prices (gridview) does not get refreshed with new prices as the event binding the gridview to the database is fired BEFORE the event OnCLick which fires the authentication.

So what I need to find out is how to change the order of the events or how accomplish above described scenario without redirecting to another page which redirects back to the pricelist (which is what I do now and it works fine, but I find it rather unprofessional in event driven language).

So.
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 17858403
I think that I understand what you are describing--the button click event happens after the Page.Load event.  In the Page.Load event you can determine if the button was clicked by examing the __EVENTTARGET from the Request.Form.

Bob
0
 

Author Comment

by:keson
ID: 17858618
Bob!
What a good news! This might be what I am looking for. Can you be more specific?
Does it actually help me to evaluate the user credentials against the database before the rest of the page will be rendered?

Bob, as I wrote, I managed my situation with the double redirect so if it is too exhausting tor you, just forget it. But if you can give me an easy example for the usage of EVENTTARGET thing I will be very happy!

Thanks.
0
 
LVL 96

Accepted Solution

by:
Bob Learned earned 100 total points
ID: 17859863
Here are some resources:

Default Button Submissions in ASP.NET Pages
http://west-wind.com/WebLog/posts/1225.aspx

  // *** Must handle case where user is 'auto-submitting'
  //     without clicking the button.

  if ( Request.Form["btnSubmit"] == null )
     this.btnSubmit_Click(this,EventArgs.Empty);

How to know which HTML-object was clicked
http://www.codeproject.com/useritems/htmlelementclick.asp

Protected Sub EnsurePostBack()
    Dim Frm As Control = Me.FindControl("Form1")
    Dim HPB As Boolean = HasPostBacks(Frm)
    If Not HPB Then
        Dim EventTarget As HtmlInputHidden = New HtmlInputHidden()
        Dim EventArguments As HtmlInputHidden = New HtmlInputHidden()
        EventTarget.ID = "__EVENTTARGET"
        EventTarget.Name = "__EVENTTARGET"
        EventArguments.ID = "__EVENTARGUMENT"
        EventArguments.Name = "__EVENTARGUMENT"
        Frm.Controls.Add(EventTarget)
        Frm.Controls.Add(EventArguments)
    End If
End Sub

Bob
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

AJAX ModalPopupExtender has a required property "TargetControlID" which may seem to be very confusing to new users. It means the server control that will be extended by the ModalPopup, for instance, if when you click a button, a ModalPopup displays,…
I have developed many web applications with asp & asp.net and to add and use a dropdownlist was always a very simple task, but with the new asp.net, setting the value is a bit tricky and its not similar to the old traditional method. So in this a…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now