Solved

SU login

Posted on 2008-10-20
7
340 Views
Last Modified: 2012-05-05
I have some webpages I only want certain users to view.
Currently when people login they get directed to webpages they can visit but I have persistent cookies set. So someone can can be still logged in and type the desired webapge on the address bar and bypass security so they can access restricted webpages.

this only checks if user has been logged in but not what user,
can i check Page.User.Identity.Name? but this means checking again the user against a database.
i log in using
   sqlStmt = "Select 1 from login where su=1 and login='" + txtLog.Text + "' and password='" + sHashedPassword + "'"

 If Not Request.IsAuthenticated Then
                Response.Redirect("login.aspx", True)
            End If


 
0
Comment
Question by:jagguy
  • 4
  • 3
7 Comments
 

Author Comment

by:jagguy
ID: 22756360
PS
and then on every webapge I write

If Not Request.IsAuthenticated Then
                Response.Redirect("login.aspx", True)
            End If
0
 

Author Comment

by:jagguy
ID: 22763767
anyone?
0
 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 22764856
Are you using 'Forms Authentication'?
0
Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 

Author Comment

by:jagguy
ID: 22765221
yes but did you read my post ?

from my post you can gather this information.

is there an easy way to determine who has logged in so not everyone can use restricted sites in conditions I have stated.
0
 
LVL 51

Accepted Solution

by:
Ted Bouskill earned 500 total points
ID: 22773575
I just wanted to be sure.  I've seen people use functionality for 'Forms Authentication' without actually setting it up correctly.

By the way, in your txtLog control have you protected yourself against the following:
a' OR 1 = 1; --

Do you see what that will do?

"Select 1 from login where su=1 and login='" + txtLog.Text + "' and password='" + sHashedPassword + "'"

will become

"Select 1 from login where su=1 and login='a' OR 1 = 1;--' and password='" + sHashedPassword + "'"

Which will resolve to true and bypass the password protection.

Back to the question.  The problem is that each page you need to add extra protection will need to use the Request.LoginUserIdentity to determine if they can see it.  Ultimately you either have to use values hard coded into the web.config to manage your roles or the SQL database.  There is no getting around it.
0
 

Author Comment

by:jagguy
ID: 22774464
q1)what does this do?
Request.LoginUserIdentity

q2)I actually quesrued the DB again with this which is long way to do things i think?
  sqlStmt = "Select 1 from login where  su=1 and login='" & Page.User.Identity.Name & "'"

            command = New SqlCommand(sqlStmt, Myconn)
            command.Connection.Open()

            RetValue = Convert.ToBoolean(command.ExecuteScalar())
            command.Connection.Close()
            If RetValue = False Then
                Response.Redirect("home.aspx", True)
            End If
q3)i didnt protect again 1=1 so do i just look for the string in the textbox and do i need to check for every passed parameter?
0
 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 22793545
Q1) The Request.LoginUserIdentity is the credentials of the user who has already logged in.  You can use it to compare who can see specific pages after they are signed in.  Another strategy you can consider is moving the pages with extra security into a subfolder with another web.config that only has a forms authentication section with a second authentication page to ensure only specific users can see them.

Q2 & Q3) What I was demonstrating is a common hacking technique called "SQL Injection" and based on your answer it seems your site could be hacked easily using that technique.

You should be using stored procedures and ASP.NET validation controls to protect your site.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this Article, I will provide a few tips in problem and solution manner. Opening an ASPX page in Visual studio 2003 is very slow. To make it fast, please do follow below steps:   Open the Solution/Project. Right click the ASPX file to b…
Problem Hi all,    While many today have fast Internet connection, there are many still who do not, or are connecting through devices with a slower connect, so light web pages and fast load times are still popular.    If your ASP.NET page …
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question