Yet Another Security/Validation Question...

rhnewfie

Programmer
Jun 14, 2001
267
CA
As I have posted previously, when a user logs into the site I do the following:

Code:
    protected void submit_Click(object sender, EventArgs e)
    {
        s_Username = this.username.Text.Trim();
        s_Password = this.password.Text.Trim();
        this.lblMessage.Text = "";

        try
        {
            i_UserID = m_DAL.ValidateLogin(s_Username, s_Password);
            if (i_UserID != -1)
            {
                m_User = new User(i_UserID);
                m_Pub.Usr = m_User;
                if (m_User.UserID != 0)
                {
                    //all is well
                    FormsAuthentication.SetAuthCookie(m_User.UserID.ToString(), true);
                }
                else
                {
                    //there was a problem getting the user
                    this.lblMessage.Text = "Your Login Attempt Was Unsuccessful";
                    FormsAuthentication.SignOut();
                }
            }
            else
            {
                //something wrong
                this.lblMessage.Text = "Your Login Attempt Was Unsuccessful";
                FormsAuthentication.SignOut();
            }
        }
        catch
        {
            FormsAuthentication.SignOut();
        }

    }

At this point a link to the admin page is shown.

When the user clicks the link, I do the following in the page load:

Code:
        m_Pub = new Pub();
        m_User = m_Pub.Usr;
        if (m_User != null)
        {
            //Process page
        }
        else
        {
            FormsAuthentication.SignOut();
            Response.Redirect("default.aspx");
        }

This works fine if the user clicks the link but if they type the direct address into their browser it does not.

Is there another event that fires when the address is typed in directly? Any other ways to handle this?

Oh, I also found that when I used the HttpContext.Current.User.Identity.IsAuthenticated on the admin page it always evaluates to true no matter what.
 
1. Check your web.config; it should have something like this:
Code:
<authentication mode="Forms">
    <forms name="appNameAuth" path="/" loginUrl="login.aspx" protection="All" timeout="30">
    </forms>
</authentication>
<authorization>
    <deny users="?" />
</authorization>

2. Not 100% certain, but you are setting the auth cookie, but what about the redirect?

FormsAuthentication.RedirectFromLoginPage(userName, true);

Or are you keeping them on the same page? Not a pro at forms auth, so just a couple snips from my experience.
 
I am keeping them on the same page.

I don't have the authorization code that you describe (I used to) but I found that I had to have users log in before they could navigate the site. There is only one URL that is protected and gets exposed when a privileged user logs in. Otherwise I want the general public to be able to surf the site without having to log in.

Thanks for the input though!
 
Are you into 2.0 yet? Have you tried the new login control?

Without the web.config protecting upstream documents, users will be able to type in the URL directly. IME

I will be heading where you are heading soon, having one page, just show/hide more depending if logged in. Sorry I couldn't help more.
 
Yes, I am doing this in 2.0 now. I started using the login control but didn't like it. Thought it was a bit restricting but given my newness to 2.0 and ASP.NET in general I probably just need more time with it.

I really like to have a lot of control over my data and user authentication. Hence I like to code a lot of it myself.

Anyone have any ideas about what methods run when a page loads when the URL is typed directly into the browser address bar?
 
The Page_Load event will always fire no matter how the page is accessed.
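
The thread's two constraints (a public site, one protected admin URL) can both be met in web.config with a per-page `<location>` override. This is an added example, not code from any poster; the file names `admin.aspx` and `default.aspx` and the use of `default.aspx` as the login page are assumptions.

```xml
<!-- Added example. admin.aspx, default.aspx and appNameAuth are assumed names. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Anonymous requests for a protected page are redirected to loginUrl
           with a ReturnUrl query string. -->
      <forms name="appNameAuth" path="/" loginUrl="default.aspx"
             protection="All" timeout="30" />
    </authentication>

    <!-- Site-wide rule: everyone, including anonymous visitors, may browse.
         Putting <deny users="?" /> here instead forces a login for every page. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Override for the single protected page. URL authorization runs before
       the page handler, so it applies however the URL was reached
       (link click or typed address). -->
  <location path="admin.aspx">
    <system.web>
      <authorization>
        <!-- "?" means anonymous users: no valid forms-auth ticket, no access. -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

`<deny users="?" />` only excludes anonymous visitors, so any account holding a valid ticket reaches `admin.aspx`; the check that the signed-in user is actually privileged still belongs in the page or in an additional `<allow>`/`<deny>` rule.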
 