Link to home
Create AccountLog in
Avatar of iNetBlazer
iNetBlazerFlag for United States of America

asked on

Form Authentication and Session Problem

Hello Experts,

I have a form login with password change I've been working on for days and I can't get it right.  My job is on the line for this solution.  Here the problem:

First time users are to login and be forced to change their password.  The user is then taken to a confirmation page.  On the confirmation page is a button that will take them to their profile page where they are to update their profile.

My problem appears to be the form is not authenticating the user, the sessions are not passing, and once they click button on the confirmation page the app take the user back to the login vs going to the profile page.  Below are my codes.  Your help is greatly appreciated.  Thank you.


LOGIN ASPX.CS PAGE

protected void LoginOnAuthenticate(object sender, AuthenticateEventArgs e)
        {
            TextBox userName = (TextBox)LoginUser.FindControl("UserName");
            TextBox userPassword = (TextBox)LoginUser.FindControl("Password");

           
            string username = userName.Text;
            string password = FormsAuthentication.HashPasswordForStoringInConfigFile(userPassword.Text, "SHA1");            

            if (Membership.ValidateUser(username, password))
            {
               
                Session["UserName"] = username;
               
                FirstTimeLoginChecker userInfo = new FirstTimeLoginChecker(username);
                int userId = userInfo.UserId;
                int daysSincePwdChange = Convert.ToInt32(DateTime.Now.Subtract(userInfo.LastPasswordChangedDate).TotalDays);
                if (daysSincePwdChange > SecurityUtility.DefaultPasswordExpiryInDays || userInfo.CreationDate == userInfo.LastPasswordChangedDate || userInfo.CreationDate == DateTime.Now)                
                {
                   
                    FormsAuthentication.RedirectFromLoginPage(username, false);
                    Response.Redirect("~/Account/ChangePassword.aspx");
                                       
                }

                else
                {                  
                    e.Authenticated = true;                    

                }




CHANGE PASSWORD ASPX.CS PAGE

 protected void SubmitButton_Click(object sender, ImageClickEventArgs e)
    {

        if (Request.QueryString["uid"] == null || Session["UserName"] != null && Session["UserId"] != null)
        {


            string userName = Session["UserName"].ToString();
            UserPasswordChanger userPswrdChanger = new UserPasswordChanger();            
            userPswrdChanger.CurrentPassword = FormsAuthentication.HashPasswordForStoringInConfigFile(CurrentPasswordTextBox.Text, "SHA1");
            userPswrdChanger.UserName = userName;
            //userPswrdChanger.NewPassword = NewPasswordTextBox.Text;
            userPswrdChanger.NewPassword = FormsAuthentication.HashPasswordForStoringInConfigFile(NewPasswordTextBox.Text, "SHA1");

            userPswrdChanger.UserChangePassword();

            string username = userName;

            FirstTimeLoginChecker userInfo = new FirstTimeLoginChecker(username);
            int userId = userInfo.UserId;

            if (userPswrdChanger.ErrorMessage == "")
            {

                UserRoleRetreiver userRole = new UserRoleRetreiver();
                userRole.UserName = userName;
                userRole.Administrator = false;

                userRole.GetUserRole();

                Session["UserId"] = userRole.UserId;

                if (userRole.Administrator == false)
                {
                    string whdUser = "WhdUser";
                    Session["WhdUser"] = whdUser;
                }

                else
                {
                    string admin = "Admin";
                    Session["Admin"] = admin;
                }

                FormsAuthentication.RedirectFromLoginPage(userName, false);
                Response.Redirect("ChangePasswordConfirmation.aspx");
               
            }
}
       
       
    }



CONFIRMATION ASPX.CS PAGE

 protected void Page_Load(object sender, EventArgs e)
    {

        if (Session["WhdUser"] != null && Session["UserId"] != null || Session["Admin"] != null && Session["UserId"] != null)
        {
            string username = Session["UserName"].ToString();
            FirstTimeLoginChecker userInfo = new FirstTimeLoginChecker(username);
            int userId = userInfo.UserId;
            ProfileUpdateChecker checkUserLoginProfile = new ProfileUpdateChecker(userId, username);
            if (checkUserLoginProfile.UpdateProfile == true)
            {                
               
                ProfileMsgLabel.Visible = true;
                GoToProfileButton.Visible = true;
               

                UserRoleRetreiver userRole = new UserRoleRetreiver();
                userRole.UserName = username;
                userRole.Administrator = false;

                userRole.GetUserRole();

                Session["UserId"] = userRole.UserId;

                if (userRole.Administrator == false)
                {
                    string whdUser = "WhdUser";
                    Session["WhdUser"] = whdUser;
                }

                else
                {
                    string admin = "Admin";
                    Session["Admin"] = admin;
                }

                FormsAuthentication.RedirectFromLoginPage(username, false);
               
            }

            else
            {
                ////Session.Abandon();
                string redirectToLogin = "Login.aspx";
                //redirectToLogin = "../Presentation/AdminDefault.aspx";
                Response.AppendHeader("REFRESH", "5; URL=" + redirectToLogin);
            }
       
        }

       
       
    }
       
    protected void GoToProfileButton_Click(object sender, EventArgs e)
    {

        Response.Redirect("~/Presentation/ModifyUser.aspx");
    }
Avatar of iNetBlazer
iNetBlazer
Flag of United States of America image

ASKER

Experts,

In regards to my earlier post I also tried the below and the page continue to send back to the login page.  see below.

protected void GoToProfileButton_Click(object sender, EventArgs e)
    {
        string username = Session["UserName"].ToString();
        string whdUser = "WhdUser";
        Session["WhdUser"] = whdUser;
        string admin = "Admin";
        Session["Admin"] = admin;
        FirstTimeLoginChecker userInfo = new FirstTimeLoginChecker(username);
        int userId = userInfo.UserId;
        Session["UserId"] = userId;  
     
        FormsAuthentication.RedirectFromLoginPage(username, false);
        Response.Redirect("~/Presentation/ModifyUser.aspx");
    }

I also set the web config to below;

 <location path="Presentation/ModifyUser.aspx">
    <system.web>
      <authorization>
        <allow users ="*" />
      </authorization>
    </system.web>
  </location>

Need help, please.
ASKER CERTIFIED SOLUTION
Avatar of guru_sami
guru_sami
Flag of United States of America image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
My web config is set as follows;


 <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" timeout ="15" defaultUrl="~/Presentation/AdminDefault.aspx"  slidingExpiration="true" path="/"/>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
You will have to make changes as suggested in #2 of my last comment.
ok, I'll make the change and test.  Give me a little time to get back to you because the PM put me on another part of the project for a quick fix.
guru_sami,

I apologize for the delay in getting back to you.  The project is in testing and my PM pulled me away to correct testing errors.  All is well.  Now back to this problem.  Your solution works.  I appreciate your help.  Again, sorry about the delayed response.
Thank You.