Solved

SU login

Posted on 2008-10-20
7
342 Views
Last Modified: 2012-05-05
I have some webpages I only want certain users to view.
Currently when people login they get directed to webpages they can visit but I have persistent cookies set. So someone can can be still logged in and type the desired webapge on the address bar and bypass security so they can access restricted webpages.

this only checks if user has been logged in but not what user,
can i check Page.User.Identity.Name? but this means checking again the user against a database.
i log in using
   sqlStmt = "Select 1 from login where su=1 and login='" + txtLog.Text + "' and password='" + sHashedPassword + "'"

 If Not Request.IsAuthenticated Then
                Response.Redirect("login.aspx", True)
            End If


 
0
Comment
Question by:jagguy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 

Author Comment

by:jagguy
ID: 22756360
PS
and then on every webapge I write

If Not Request.IsAuthenticated Then
                Response.Redirect("login.aspx", True)
            End If
0
 

Author Comment

by:jagguy
ID: 22763767
anyone?
0
 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 22764856
Are you using 'Forms Authentication'?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:jagguy
ID: 22765221
yes but did you read my post ?

from my post you can gather this information.

is there an easy way to determine who has logged in so not everyone can use restricted sites in conditions I have stated.
0
 
LVL 51

Accepted Solution

by:
Ted Bouskill earned 500 total points
ID: 22773575
I just wanted to be sure.  I've seen people use functionality for 'Forms Authentication' without actually setting it up correctly.

By the way, in your txtLog control have you protected yourself against the following:
a' OR 1 = 1; --

Do you see what that will do?

"Select 1 from login where su=1 and login='" + txtLog.Text + "' and password='" + sHashedPassword + "'"

will become

"Select 1 from login where su=1 and login='a' OR 1 = 1;--' and password='" + sHashedPassword + "'"

Which will resolve to true and bypass the password protection.

Back to the question.  The problem is that each page you need to add extra protection will need to use the Request.LoginUserIdentity to determine if they can see it.  Ultimately you either have to use values hard coded into the web.config to manage your roles or the SQL database.  There is no getting around it.
0
 

Author Comment

by:jagguy
ID: 22774464
q1)what does this do?
Request.LoginUserIdentity

q2)I actually quesrued the DB again with this which is long way to do things i think?
  sqlStmt = "Select 1 from login where  su=1 and login='" & Page.User.Identity.Name & "'"

            command = New SqlCommand(sqlStmt, Myconn)
            command.Connection.Open()

            RetValue = Convert.ToBoolean(command.ExecuteScalar())
            command.Connection.Close()
            If RetValue = False Then
                Response.Redirect("home.aspx", True)
            End If
q3)i didnt protect again 1=1 so do i just look for the string in the textbox and do i need to check for every passed parameter?
0
 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 22793545
Q1) The Request.LoginUserIdentity is the credentials of the user who has already logged in.  You can use it to compare who can see specific pages after they are signed in.  Another strategy you can consider is moving the pages with extra security into a subfolder with another web.config that only has a forms authentication section with a second authentication page to ensure only specific users can see them.

Q2 & Q3) What I was demonstrating is a common hacking technique called "SQL Injection" and based on your answer it seems your site could be hacked easily using that technique.

You should be using stored procedures and ASP.NET validation controls to protect your site.
0

Featured Post

Creating Instructional Tutorials  

For Any Use & On Any Platform

Contextual Guidance at the moment of need helps your employees/users adopt software o& achieve even the most complex tasks instantly. Boost knowledge retention, software adoption & employee engagement with easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Code works but breaks when I add one section 4 35
Aspx calendar pop up control 3 35
ASP.net Moving Visual Studio 2015 project to 2017 2 59
CSS for Popup in ASP.NET 4 39
In an ASP.NET application, I faced some technical problems. In this article, I list them out and show the solutions that I found.  I hope it will be useful. Problem: After closing a pop-up window, the parent page should be refreshed automaticall‚Ķ
IntroductionWhile developing web applications, a single page might contain many regions and each region might contain many number of controls with the capability to perform  postback. Many times you might need to perform some action on an ASP.NET po‚Ķ
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

731 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question