Invalid login. asp.net

I have a default page that has an input control; this page is in the main directory. Then I have a bunch of pages that I only need for people who are in the MemberPages directory. My problem is that when I click the login button on the default page using a username and password that is not in the database, it still transfers me to all my member pages.

I went through the ASP.NET configuration and set the "MemberPages" directory to refuse all non-authors. But it still has a faded one, which is inherited from the main one, which resolves everything and cannot be changed (maybe this is a problem, but I can't delete it). What else? Thanks.

Here is my web.config from MemberPages directory.

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.web>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </configuration>

Here is my main web.config.

    <configuration>
      <connectionStrings>
        <add name="LoginSQL" providerName="System.Data.SqlClient"
             connectionString="Data Source=xx.xx.xx.xx;Initial Catalog=xxxx;UID=xxxxxxx ;pwd=xxxxx;"/>
      </connectionStrings>
      <system.web>
        <compilation debug="true" targetFramework="4.0"/>
        <authentication mode="Forms">
          <forms name="Login" loginUrl="Default.aspx" timeout="20" />
        </authentication>
        <membership>
          <providers>
            <add connectionStringName="LoginSQL"
                 applicationName="Login"
                 enablePasswordRetrieval="false"
                 enablePasswordReset="true"
                 requiresQuestionAndAnswer="true"
                 requiresUniqueEmail="true"
                 passwordFormat="Hashed"
                 maxInvalidPasswordAttempts="3"
                 passwordAttemptWindow="30"
                 minRequiredPasswordLength="6"
                 minRequiredNonalphanumericCharacters="0"
                 name="MySqlLoginProvider"
                 type="System.Web.Security.SqlMembershipProvider" />
          </providers>
        </membership>
        <profile>
          <providers>
            <clear/>
            <add name="AspNetSqlProfileProvider"
                 type="System.Web.Profile.SqlProfileProvider"
                 connectionStringName="ApplicationServices"
                 applicationName="/"/>
          </providers>
        </profile>
        <roleManager cacheRolesInCookie="true" cookieName=".ASPRoles" cookieTimeout="60">
          <providers>
            <add connectionStringName="LoginSQL"
                 applicationName="Login"
                 name="MyRoleProvider"
                 type="System.Web.Security.SqlRoleProvider" />
          </providers>
        </roleManager>
      </system.web>
      <system.webServer>
        <modules runAllManagedModulesForAllRequests="true"/>
      </system.webServer>
    </configuration>
+4
2 answers

"My problem is that when I click on the login button on the default page using a username and password that is not in the database, it still transfers me to all my member pages."

From your statement above it is clear that you are not validating user logins. If the user/password does not exist, your code should not redirect the user away from the login page.

Check your code around the login event handler. You should have something like this:

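    // Requires: using System.Web.Security;
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Issue the forms-authentication ticket only when the membership
        // provider confirms the user name and password.
        if (Membership.ValidateUser(txtUserName.Text, txtPassword.Text))
        {
            // Second argument true = create a persistent cookie.
            FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, true);
        }
        else
        {
            // Stay on the login page and show a generic failure message.
            txtLoginFailedMsg.Text = "Login failed. Please check your user name and password and try again.";
        }
    }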
+1

I'm not sure if this works, but the way I have in my code is as follows:

    <location path="~path\LoginPage">
      <system.web>
        <authorization>
          <allow roles="*"/>
        </authorization>
      </system.web>
    </location>
    <location path="~\path\MemberPages">
      <system.web>
        <authorization>
          <allow roles="auth user"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </location>

Thus, it allows any user to access loginPage, but only users with the roles "auth users" can access pages in MemberPages.
I installed user roles in the Roles.vb file in the App_code folder.

Hope this helps.

0
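A way to check what the folder's authorization rules decide for each kind of visitor, independently of the login handler. This is an added example, not code from the thread: the page path `~/MemberPages/Default.aspx` and the name `probe-user` are assumptions, and the class must be called from inside the running ASP.NET application (for example from a temporary page).

```csharp
using System.Security.Principal;
using System.Web.Security;

public static class MemberPagesAccessCheck
{
    // Assumed path: point this at a real page under the protected folder.
    private const string ProtectedPage = "~/MemberPages/Default.aspx";

    // An identity with an empty name reports IsAuthenticated == false,
    // which is what the "?" wildcard in <deny users="?"/> matches.
    private static IPrincipal Anonymous()
    {
        return new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    }

    // Constructed test principal; "probe-user" is not a real account.
    private static IPrincipal Authenticated(params string[] roles)
    {
        return new GenericPrincipal(new GenericIdentity("probe-user", "Forms"), roles);
    }

    private static bool CanGet(IPrincipal user)
    {
        // Evaluates the merged <authorization> rules for the path. Rules from
        // the nearest web.config are checked first and the first match wins,
        // so the inherited allow-all is reached only when no local rule matches.
        return UrlAuthorizationModule.CheckUrlAccessForPrincipal(ProtectedPage, user, "GET");
    }

    public static string Report()
    {
        return string.Format(
            "anonymous={0}; authenticated, no role={1}; authenticated, role 'auth user'={2}",
            CanGet(Anonymous()),
            CanGet(Authenticated()),
            CanGet(Authenticated("auth user")));
    }
}
```

With only `<deny users="?" />` in the folder, anonymous access should be refused and both authenticated cases allowed; with an allow-role rule followed by `<deny users="*"/>`, as in the second answer, only the principal holding the role should be allowed. If anonymous access is already refused, the folder rules are working and the login handler is what hands out the ticket.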

Source: https://habr.com/ru/post/1340066/

