Solved

Login / Logout - best practices, redirection and multiple forms submit.

Posted on 2006-11-01
11
454 Views
Last Modified: 2012-06-27
Hi there.

A simple scenario.
There is web user control on each page of my applicatin with two divs runat server: (1) first div with login info (username and password textboxes and submit buttonlink) and (2) second div with logout info (login name info and logout link). Based on the session("username") in webusercontrol_load one of those two divs is shown. So far OK. Or is this already a bad idea? I can not use the built in form authentication as it is used in this application already for administration interface.
So I have my own web user control querying a database and making the authentication for me (setting session("username").

Now I have two little problems:

1) Once a user clicks on the submit (providing username and password) and is successfully authenticated against the database, the session("username") is set and based on this session some other queries fetch data from different sources (for anonymous and registered users). The issue is that when the user views a page which has different content for registered and anonymous users, the databinding (=getting different data) happens BEFORE the web user control sets the session = too early. So in a real life, when I click on the submit button (login user), the page is reloaded, but still with old data (and vice versa during logout the first page refresh shows still the registered user data). I have to reload the page again to get the new data. This is because of the order of events, first the databinding of the SQLDataSet is done and then the Submit_OnClick  event is handled.

I assume there must be a way of doing this (except redirecting to some dummy login page and then redirecting back to the actual page). I was thinking about using sqldataset_01.databind() but I do not know how to accomplish this when I am working inside the web user control and this dataset is inside the page hosting the web user control. I can not access the hosting page controls and this would not be a good idea though as there are many different datasources on different pages. Right? Please advice your best practices.

2) The second issue I am facing now is also related to the login web user control. I have this web user control with username and password and submit buttonlink on a page together with another form - for example registration form, shoppingcart form etc. When I click on the registration form submit buttonlink the login web user control also attempts to submit and vice versa. Although I have set a different validationsets parameters for both submitbuttonlinks this mishmatch happens. How to avoid this?

Thanks for your advices, experts!
0
Comment
Question by:keson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
11 Comments
 
LVL 96

Expert Comment

by:Bob Learned
ID: 17848933
Not quite sure what you mean.

Bob
0
 

Author Comment

by:keson
ID: 17851342
Well to be quick I mean this:

1) when a web user control doing authorization for me against a database authorizes a valid user and sets a proper session variable session("username") to something, the page which hosts this web user control needs to be refreshed again after the user clicks on "login" button as the button_onclick event is processed after the page proceeds databinding to some database which is based on user login.

Example:
Page shows data for anonymous user and my web user control with username, password and submit button. Now user inserts his login name and password and clicks submit. Now the login control shows you are loged in as xxxx, logout... but the page shows still data for anonymous user. But when you refresh the same page then the data shows are already for registered user. Because the order of events is:

blabla, gridview_load, blabla, submit_onclick, blabla...
But I can not access the gridview and nothing else from the web user control as it is independent on the page on which it is hosted.

How can I do login so that the login affects the page on which it happens?

2) the second thing is more or less comesric issue. When I have this web user control on a page together with another submit button, submiting either of them (login or for example add to shopping cart) will triger form submition of BOTH of them. I guess it is because there is ONE MAIN FORM on each asp.net page so all submit buttons believe that they belong to tis form, right?

I can not be more specific about my problem. Hope it is enough to give some advice.

Thanks
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 17851352
Are you logging in on one page, and transferring to another page?

Bob
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:keson
ID: 17852743
No. Th elogin field is on EVERY page and I am not transfering nywhere. It would be an easy job - to do the login logic somewhere and to transfer back to the originating page. I will do it this way in the meantime, but I am sure the even driven access must allow me to do better.
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 17854912
1) You have to login to every page that you access?

2) Or, are you just storing login information on each page?

3) What type of authentication are you using?  Windows, Forms, etc?

Bob
0
 

Author Comment

by:keson
ID: 17855898
Hi Bob.

1) Nope, this is a GENERIC login for the whole user interface. The admin interface (which is not what I have problems with uses built in forms authentication).

2) Nope, I guess. I am not storing login information on every page, I am just showing the login web user control (the mini form) on EACH page.

3) for the user interface it is my own authentication (as the forms authentication was used for admin interface (ADMIN folder inside the root folder) and it is not possible to use twice forms authentication in one project - this is what I figured out here on experts -exchange.

Update.
I was dreaming about the whole issue tonight and figured out, that it would be probably good to create some LOGGEDIN event to my web user control which I would test on gridview_load and would do databind then... But it still does not solve the issue with ORDER in which the events are evaluated: 1) the whole page events, then the gridview databinding and then first the button click, which is too late and which is causing me the problem.

Howgh.
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 17857860
Usually what I find with logins, is to create a single login page, and when a user is authenticated transfer to another page where you can assume that the user is authenticated.  If they are not authenticated, they can't just navigate to the same URL for the start page.  You can accomplish this by storing a flag to indicate authentication, and check for each page.  If the user didn't go through the normal login process, then the flag would be set, and they wouldn't be allowed access to each of the pages for the web site.

Bob
0
 

Author Comment

by:keson
ID: 17858014
Hi Bob,
your suggested attitude is fine and OK for pages where you simply do not want anonymous users to see. But What I do is an e-shop so everyone (registered and anonymous users) can access all pages, the only difference is that registered users will see different prices in the price list. And once the user is viewing the price list and logs in through the mini-form on the side of the price list, he is taken back to the same page but prices (gridview) does not get refreshed with new prices as the event binding the gridview to the database is fired BEFORE the event OnCLick which fires the authentication.

So what I need to find out is how to change the order of the events or how accomplish above described scenario without redirecting to another page which redirects back to the pricelist (which is what I do now and it works fine, but I find it rather unprofessional in event driven language).

So.
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 17858403
I think that I understand what you are describing--the button click event happens after the Page.Load event.  In the Page.Load event you can determine if the button was clicked by examing the __EVENTTARGET from the Request.Form.

Bob
0
 

Author Comment

by:keson
ID: 17858618
Bob!
What a good news! This might be what I am looking for. Can you be more specific?
Does it actually help me to evaluate the user credentials against the database before the rest of the page will be rendered?

Bob, as I wrote, I managed my situation with the double redirect so if it is too exhausting tor you, just forget it. But if you can give me an easy example for the usage of EVENTTARGET thing I will be very happy!

Thanks.
0
 
LVL 96

Accepted Solution

by:
Bob Learned earned 100 total points
ID: 17859863
Here are some resources:

Default Button Submissions in ASP.NET Pages
http://west-wind.com/WebLog/posts/1225.aspx

  // *** Must handle case where user is 'auto-submitting'
  //     without clicking the button.

  if ( Request.Form["btnSubmit"] == null )
     this.btnSubmit_Click(this,EventArgs.Empty);

How to know which HTML-object was clicked
http://www.codeproject.com/useritems/htmlelementclick.asp

Protected Sub EnsurePostBack()
    Dim Frm As Control = Me.FindControl("Form1")
    Dim HPB As Boolean = HasPostBacks(Frm)
    If Not HPB Then
        Dim EventTarget As HtmlInputHidden = New HtmlInputHidden()
        Dim EventArguments As HtmlInputHidden = New HtmlInputHidden()
        EventTarget.ID = "__EVENTTARGET"
        EventTarget.Name = "__EVENTTARGET"
        EventArguments.ID = "__EVENTARGUMENT"
        EventArguments.Name = "__EVENTARGUMENT"
        Frm.Controls.Add(EventTarget)
        Frm.Controls.Add(EventArguments)
    End If
End Sub

Bob
0

Featured Post

Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Sometimes in DotNetNuke module development you want to swap controls within the same module definition.  In doing this DNN (somewhat annoyingly) swaps the Skin and Container definitions to the default admin selections.  To get around this you need t…
User art_snob (http://www.experts-exchange.com/M_6114203.html) encountered strange behavior of Android Web browser on his Mobile Web site. It took a while to find the true cause. It happens so, that the Android Web browser (at least up to OS ver. 2.…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question