SU login

Posted on 2008-10-20
Last Modified: 2012-05-05
I have some webpages I only want certain users to view.
Currently, when people log in they get directed to webpages they can visit, but I have persistent cookies set. So someone can still be logged in and type the desired webpage into the address bar and bypass security so they can access restricted webpages.

This only checks if a user has been logged in, but not which user.
Can I check Page.User.Identity.Name? But this means checking the user against the database again.
I log in using

   sqlStmt = "Select 1 from login where su=1 and login='" + txtLog.Text + "' and password='" + sHashedPassword + "'"

   If Not Request.IsAuthenticated Then
       Response.Redirect("login.aspx", True)
   End If

Question by:jagguy

Author Comment

ID: 22756360
And then on every webpage I write

   If Not Request.IsAuthenticated Then
       Response.Redirect("login.aspx", True)
   End If

Author Comment

ID: 22763767

Expert Comment

by:Ted Bouskill
ID: 22764856
Are you using 'Forms Authentication'?

Author Comment

ID: 22765221
Yes, but did you read my post?

From my post you can gather this information.

Is there an easy way to determine who has logged in, so that not everyone can use restricted sites under the conditions I have stated?

Accepted Solution

Ted Bouskill earned 500 total points
ID: 22773575
I just wanted to be sure.  I've seen people use functionality for 'Forms Authentication' without actually setting it up correctly.

By the way, in your txtLog control have you protected yourself against the following:
a' OR 1 = 1; --

Do you see what that will do?

"Select 1 from login where su=1 and login='" + txtLog.Text + "' and password='" + sHashedPassword + "'"

will become

"Select 1 from login where su=1 and login='a' OR 1 = 1;--' and password='" + sHashedPassword + "'"

Which will resolve to true and bypass the password protection.

Back to the question.  The problem is that each page you need to add extra protection will need to use the Request.LoginUserIdentity to determine if they can see it.  Ultimately you either have to use values hard coded into the web.config to manage your roles or the SQL database.  There is no getting around it.

Author Comment

ID: 22774464
q1) What does this do?

q2) I actually queried the DB again with this, which is a long way to do things, I think?

   sqlStmt = "Select 1 from login where su=1 and login='" & Page.User.Identity.Name & "'"

   command = New SqlCommand(sqlStmt, Myconn)

   RetValue = Convert.ToBoolean(command.ExecuteScalar())
   If RetValue = False Then
       Response.Redirect("home.aspx", True)
   End If

q3) I didn't protect against 1=1, so do I just look for the string in the textbox, and do I need to check for every passed parameter?

Expert Comment

by:Ted Bouskill
ID: 22793545
Q1) The Request.LoginUserIdentity is the credentials of the user who has already logged in.  You can use it to compare who can see specific pages after they are signed in.  Another strategy you can consider is moving the pages with extra security into a subfolder with another web.config that only has a forms authentication section with a second authentication page to ensure only specific users can see them.

Q2 & Q3) What I was demonstrating is a common hacking technique called "SQL Injection" and based on your answer it seems your site could be hacked easily using that technique.

You should be using stored procedures and ASP.NET validation controls to protect your site.
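The following is an added, runnable illustration (not code from the thread or from either poster) of the two points made above: the login query built by string concatenation, as in the question's sqlStmt, returns a row for the input Ted Bouskill shows, while the same query with bound parameters does not; it also includes the per-page superuser check from Q2 written with a parameter instead of concatenating Page.User.Identity.Name. It uses an in-memory SQLite table constructed here to stand in for the 'login' table, and an unsalted SHA-1 as a placeholder for sHashedPassword (an assumption; the thread does not say how passwords are hashed).

```python
import hashlib
import sqlite3

# The input from the accepted answer, verbatim.
PAYLOAD = "a' OR 1 = 1; --"


def hash_password(pw: str) -> str:
    # Placeholder for the question's sHashedPassword (assumed unsalted SHA-1).
    return hashlib.sha1(pw.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample 'login' table with the columns the question uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (login TEXT, password TEXT, su INTEGER)")
    conn.executemany("INSERT INTO login VALUES (?, ?, ?)", [
        ("admin", hash_password("correct horse"), 1),   # su=1: may see SU pages
        ("bob", hash_password("hunter2"), 0),           # ordinary user
    ])
    return conn


def vulnerable_su_login(conn, user: str, hashed: str) -> bool:
    # Same concatenation as the question's sqlStmt. With PAYLOAD as `user`
    # the text becomes ... login='a' OR 1 = 1; --' and password='...'
    # and the OR 1 = 1 makes the WHERE clause true for every row.
    sql = ("Select 1 from login where su=1 and login='" + user +
           "' and password='" + hashed + "'")
    return conn.execute(sql).fetchone() is not None


def safe_su_login(conn, user: str, hashed: str) -> bool:
    # Bound parameters: the database treats `user` as data, never as SQL.
    sql = "SELECT 1 FROM login WHERE su=1 AND login=? AND password=?"
    return conn.execute(sql, (user, hashed)).fetchone() is not None


def is_superuser(conn, identity_name: str) -> bool:
    # The Q2 per-page check (su=1 for the signed-in name), parameterised.
    sql = "SELECT 1 FROM login WHERE su=1 AND login=?"
    return conn.execute(sql, (identity_name,)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", vulnerable_su_login(db, PAYLOAD, hash_password("x")))
    print("parameterised:", safe_su_login(db, PAYLOAD, hash_password("x")))
    print("admin su?", is_superuser(db, "admin"), "bob su?", is_superuser(db, "bob"))
```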
