• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 346
  • Last Modified:

SU login

I have some webpages I only want certain users to view.
Currently when people login they get directed to webpages they can visit but I have persistent cookies set. So someone can can be still logged in and type the desired webapge on the address bar and bypass security so they can access restricted webpages.

this only checks if user has been logged in but not what user,
can i check Page.User.Identity.Name? but this means checking again the user against a database.
i log in using
   sqlStmt = "Select 1 from login where su=1 and login='" + txtLog.Text + "' and password='" + sHashedPassword + "'"

 If Not Request.IsAuthenticated Then
                Response.Redirect("login.aspx", True)
            End If


 
0
jagguy
Asked:
jagguy
  • 4
  • 3
1 Solution
 
jagguyAuthor Commented:
PS
and then on every webapge I write

If Not Request.IsAuthenticated Then
                Response.Redirect("login.aspx", True)
            End If
0
 
jagguyAuthor Commented:
anyone?
0
 
Ted BouskillSenior Software DeveloperCommented:
Are you using 'Forms Authentication'?
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
jagguyAuthor Commented:
yes but did you read my post ?

from my post you can gather this information.

is there an easy way to determine who has logged in so not everyone can use restricted sites in conditions I have stated.
0
 
Ted BouskillSenior Software DeveloperCommented:
I just wanted to be sure.  I've seen people use functionality for 'Forms Authentication' without actually setting it up correctly.

By the way, in your txtLog control have you protected yourself against the following:
a' OR 1 = 1; --

Do you see what that will do?

"Select 1 from login where su=1 and login='" + txtLog.Text + "' and password='" + sHashedPassword + "'"

will become

"Select 1 from login where su=1 and login='a' OR 1 = 1;--' and password='" + sHashedPassword + "'"

Which will resolve to true and bypass the password protection.

Back to the question.  The problem is that each page you need to add extra protection will need to use the Request.LoginUserIdentity to determine if they can see it.  Ultimately you either have to use values hard coded into the web.config to manage your roles or the SQL database.  There is no getting around it.
0
 
jagguyAuthor Commented:
q1)what does this do?
Request.LoginUserIdentity

q2)I actually quesrued the DB again with this which is long way to do things i think?
  sqlStmt = "Select 1 from login where  su=1 and login='" & Page.User.Identity.Name & "'"

            command = New SqlCommand(sqlStmt, Myconn)
            command.Connection.Open()

            RetValue = Convert.ToBoolean(command.ExecuteScalar())
            command.Connection.Close()
            If RetValue = False Then
                Response.Redirect("home.aspx", True)
            End If
q3)i didnt protect again 1=1 so do i just look for the string in the textbox and do i need to check for every passed parameter?
0
 
Ted BouskillSenior Software DeveloperCommented:
Q1) The Request.LoginUserIdentity is the credentials of the user who has already logged in.  You can use it to compare who can see specific pages after they are signed in.  Another strategy you can consider is moving the pages with extra security into a subfolder with another web.config that only has a forms authentication section with a second authentication page to ensure only specific users can see them.

Q2 & Q3) What I was demonstrating is a common hacking technique called "SQL Injection" and based on your answer it seems your site could be hacked easily using that technique.

You should be using stored procedures and ASP.NET validation controls to protect your site.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now