Solved

SU login

Posted on 2008-10-20
7
338 Views
Last Modified: 2012-05-05
I have some webpages I only want certain users to view.
Currently when people login they get directed to webpages they can visit but I have persistent cookies set. So someone can can be still logged in and type the desired webapge on the address bar and bypass security so they can access restricted webpages.

this only checks if user has been logged in but not what user,
can i check Page.User.Identity.Name? but this means checking again the user against a database.
i log in using
   sqlStmt = "Select 1 from login where su=1 and login='" + txtLog.Text + "' and password='" + sHashedPassword + "'"

 If Not Request.IsAuthenticated Then
                Response.Redirect("login.aspx", True)
            End If


 
0
Comment
Question by:jagguy
  • 4
  • 3
7 Comments
 

Author Comment

by:jagguy
Comment Utility
PS
and then on every webapge I write

If Not Request.IsAuthenticated Then
                Response.Redirect("login.aspx", True)
            End If
0
 

Author Comment

by:jagguy
Comment Utility
anyone?
0
 
LVL 51

Expert Comment

by:tedbilly
Comment Utility
Are you using 'Forms Authentication'?
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:jagguy
Comment Utility
yes but did you read my post ?

from my post you can gather this information.

is there an easy way to determine who has logged in so not everyone can use restricted sites in conditions I have stated.
0
 
LVL 51

Accepted Solution

by:
tedbilly earned 500 total points
Comment Utility
I just wanted to be sure.  I've seen people use functionality for 'Forms Authentication' without actually setting it up correctly.

By the way, in your txtLog control have you protected yourself against the following:
a' OR 1 = 1; --

Do you see what that will do?

"Select 1 from login where su=1 and login='" + txtLog.Text + "' and password='" + sHashedPassword + "'"

will become

"Select 1 from login where su=1 and login='a' OR 1 = 1;--' and password='" + sHashedPassword + "'"

Which will resolve to true and bypass the password protection.

Back to the question.  The problem is that each page you need to add extra protection will need to use the Request.LoginUserIdentity to determine if they can see it.  Ultimately you either have to use values hard coded into the web.config to manage your roles or the SQL database.  There is no getting around it.
0
 

Author Comment

by:jagguy
Comment Utility
q1)what does this do?
Request.LoginUserIdentity

q2)I actually quesrued the DB again with this which is long way to do things i think?
  sqlStmt = "Select 1 from login where  su=1 and login='" & Page.User.Identity.Name & "'"

            command = New SqlCommand(sqlStmt, Myconn)
            command.Connection.Open()

            RetValue = Convert.ToBoolean(command.ExecuteScalar())
            command.Connection.Close()
            If RetValue = False Then
                Response.Redirect("home.aspx", True)
            End If
q3)i didnt protect again 1=1 so do i just look for the string in the textbox and do i need to check for every passed parameter?
0
 
LVL 51

Expert Comment

by:tedbilly
Comment Utility
Q1) The Request.LoginUserIdentity is the credentials of the user who has already logged in.  You can use it to compare who can see specific pages after they are signed in.  Another strategy you can consider is moving the pages with extra security into a subfolder with another web.config that only has a forms authentication section with a second authentication page to ensure only specific users can see them.

Q2 & Q3) What I was demonstrating is a common hacking technique called "SQL Injection" and based on your answer it seems your site could be hacked easily using that technique.

You should be using stored procedures and ASP.NET validation controls to protect your site.
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

A quick way to get a menu to work on our website, is using the Menu control and assign it to a web.sitemap using SiteMapDataSource. Example of web.sitemap file: (CODE) Sample code to add to the page menu: (CODE) Running the application, we wi…
IntroductionWhile developing web applications, a single page might contain many regions and each region might contain many number of controls with the capability to perform  postback. Many times you might need to perform some action on an ASP.NET po…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now