• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 496
  • Last Modified:

Login / Logout - best practices, redirection and multiple forms submit.

Hi there.

A simple scenario.
There is web user control on each page of my applicatin with two divs runat server: (1) first div with login info (username and password textboxes and submit buttonlink) and (2) second div with logout info (login name info and logout link). Based on the session("username") in webusercontrol_load one of those two divs is shown. So far OK. Or is this already a bad idea? I can not use the built in form authentication as it is used in this application already for administration interface.
So I have my own web user control querying a database and making the authentication for me (setting session("username").

Now I have two little problems:

1) Once a user clicks on the submit (providing username and password) and is successfully authenticated against the database, the session("username") is set and based on this session some other queries fetch data from different sources (for anonymous and registered users). The issue is that when the user views a page which has different content for registered and anonymous users, the databinding (=getting different data) happens BEFORE the web user control sets the session = too early. So in a real life, when I click on the submit button (login user), the page is reloaded, but still with old data (and vice versa during logout the first page refresh shows still the registered user data). I have to reload the page again to get the new data. This is because of the order of events, first the databinding of the SQLDataSet is done and then the Submit_OnClick  event is handled.

I assume there must be a way of doing this (except redirecting to some dummy login page and then redirecting back to the actual page). I was thinking about using sqldataset_01.databind() but I do not know how to accomplish this when I am working inside the web user control and this dataset is inside the page hosting the web user control. I can not access the hosting page controls and this would not be a good idea though as there are many different datasources on different pages. Right? Please advice your best practices.

2) The second issue I am facing now is also related to the login web user control. I have this web user control with username and password and submit buttonlink on a page together with another form - for example registration form, shoppingcart form etc. When I click on the registration form submit buttonlink the login web user control also attempts to submit and vice versa. Although I have set a different validationsets parameters for both submitbuttonlinks this mishmatch happens. How to avoid this?

Thanks for your advices, experts!
Pedro Keson
Pedro Keson
  • 6
  • 5
1 Solution
Bob LearnedCommented:
Not quite sure what you mean.

Pedro KesonIT specialistAuthor Commented:
Well to be quick I mean this:

1) when a web user control doing authorization for me against a database authorizes a valid user and sets a proper session variable session("username") to something, the page which hosts this web user control needs to be refreshed again after the user clicks on "login" button as the button_onclick event is processed after the page proceeds databinding to some database which is based on user login.

Page shows data for anonymous user and my web user control with username, password and submit button. Now user inserts his login name and password and clicks submit. Now the login control shows you are loged in as xxxx, logout... but the page shows still data for anonymous user. But when you refresh the same page then the data shows are already for registered user. Because the order of events is:

blabla, gridview_load, blabla, submit_onclick, blabla...
But I can not access the gridview and nothing else from the web user control as it is independent on the page on which it is hosted.

How can I do login so that the login affects the page on which it happens?

2) the second thing is more or less comesric issue. When I have this web user control on a page together with another submit button, submiting either of them (login or for example add to shopping cart) will triger form submition of BOTH of them. I guess it is because there is ONE MAIN FORM on each asp.net page so all submit buttons believe that they belong to tis form, right?

I can not be more specific about my problem. Hope it is enough to give some advice.

Bob LearnedCommented:
Are you logging in on one page, and transferring to another page?

Introducing Cloud Class® training courses

Tech changes fast. You can learn faster. That’s why we’re bringing professional training courses to Experts Exchange. With a subscription, you can access all the Cloud Class® courses to expand your education, prep for certifications, and get top-notch instructions.

Pedro KesonIT specialistAuthor Commented:
No. Th elogin field is on EVERY page and I am not transfering nywhere. It would be an easy job - to do the login logic somewhere and to transfer back to the originating page. I will do it this way in the meantime, but I am sure the even driven access must allow me to do better.
Bob LearnedCommented:
1) You have to login to every page that you access?

2) Or, are you just storing login information on each page?

3) What type of authentication are you using?  Windows, Forms, etc?

Pedro KesonIT specialistAuthor Commented:
Hi Bob.

1) Nope, this is a GENERIC login for the whole user interface. The admin interface (which is not what I have problems with uses built in forms authentication).

2) Nope, I guess. I am not storing login information on every page, I am just showing the login web user control (the mini form) on EACH page.

3) for the user interface it is my own authentication (as the forms authentication was used for admin interface (ADMIN folder inside the root folder) and it is not possible to use twice forms authentication in one project - this is what I figured out here on experts -exchange.

I was dreaming about the whole issue tonight and figured out, that it would be probably good to create some LOGGEDIN event to my web user control which I would test on gridview_load and would do databind then... But it still does not solve the issue with ORDER in which the events are evaluated: 1) the whole page events, then the gridview databinding and then first the button click, which is too late and which is causing me the problem.

Bob LearnedCommented:
Usually what I find with logins, is to create a single login page, and when a user is authenticated transfer to another page where you can assume that the user is authenticated.  If they are not authenticated, they can't just navigate to the same URL for the start page.  You can accomplish this by storing a flag to indicate authentication, and check for each page.  If the user didn't go through the normal login process, then the flag would be set, and they wouldn't be allowed access to each of the pages for the web site.

Pedro KesonIT specialistAuthor Commented:
Hi Bob,
your suggested attitude is fine and OK for pages where you simply do not want anonymous users to see. But What I do is an e-shop so everyone (registered and anonymous users) can access all pages, the only difference is that registered users will see different prices in the price list. And once the user is viewing the price list and logs in through the mini-form on the side of the price list, he is taken back to the same page but prices (gridview) does not get refreshed with new prices as the event binding the gridview to the database is fired BEFORE the event OnCLick which fires the authentication.

So what I need to find out is how to change the order of the events or how accomplish above described scenario without redirecting to another page which redirects back to the pricelist (which is what I do now and it works fine, but I find it rather unprofessional in event driven language).

Bob LearnedCommented:
I think that I understand what you are describing--the button click event happens after the Page.Load event.  In the Page.Load event you can determine if the button was clicked by examing the __EVENTTARGET from the Request.Form.

Pedro KesonIT specialistAuthor Commented:
What a good news! This might be what I am looking for. Can you be more specific?
Does it actually help me to evaluate the user credentials against the database before the rest of the page will be rendered?

Bob, as I wrote, I managed my situation with the double redirect so if it is too exhausting tor you, just forget it. But if you can give me an easy example for the usage of EVENTTARGET thing I will be very happy!

Bob LearnedCommented:
Here are some resources:

Default Button Submissions in ASP.NET Pages

  // *** Must handle case where user is 'auto-submitting'
  //     without clicking the button.

  if ( Request.Form["btnSubmit"] == null )

How to know which HTML-object was clicked

Protected Sub EnsurePostBack()
    Dim Frm As Control = Me.FindControl("Form1")
    Dim HPB As Boolean = HasPostBacks(Frm)
    If Not HPB Then
        Dim EventTarget As HtmlInputHidden = New HtmlInputHidden()
        Dim EventArguments As HtmlInputHidden = New HtmlInputHidden()
        EventTarget.ID = "__EVENTTARGET"
        EventTarget.Name = "__EVENTTARGET"
        EventArguments.ID = "__EVENTARGUMENT"
        EventArguments.Name = "__EVENTARGUMENT"
    End If
End Sub

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Amazon Web Services - Basic

Are you thinking about creating an Amazon Web Services account for your business? Not sure where to start? In this course you’ll get an overview of the history of AWS and take a tour of their user interface.

  • 6
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now