aspx_beginners thread: aspx forms authentication
Message #1 by "Tim Farrell" <timothy.farrell@c...> on Wed, 22 May 2002 18:29:02
I find it odd that I do not see many posts concerning forms
authentication. I am new to aspx (.net) and am currently involved in
developing a script for site authentication. I am working with the forms
authentication script provided in the QuickStart tutorial in VS.net.
My problem with the example (as with many M.S. examples) is that it does
not reflect real world incorporation. As you will see the script bases its
authentication on credentials contained within the login page. Please see
below:
<script language="VB" runat="server">
Sub Login_Click(Src As Object, E As EventArgs)
    ' The QuickStart sample checks the submitted values against credentials
    ' hard-coded in the page itself
    If UserEmail.Value = "jdoe@s..." And UserPass.Value = "password" Then
        FormsAuthentication.RedirectFromLoginPage(UserEmail.Value, PersistCookie.Checked)
    Else
        Msg.Text = "Invalid Credentials: Please try again"
    End If
End Sub
</script>
What I want to do is have the info. submitted in the login form to be
compared to existing records contained in a user db. In addition I want
to incorporate a third field (security_level) that will determine what
menus they will see or information they will have access to.
Can anyone help me with doing this. I am also assuming that I will need
some form of If/Else statement to handle the redirect.
Thanks a lot!
Sincerely,
Tim
Message #2 by "Curtner, Lynn" <lynn.curtner@p...> on Wed, 22 May 2002 12:26:19 -0500
substitute any test you want in place of the conditional:
If UserEmail.Value = "jdoe@s..." And UserPass.Value = "password"
for example (pseudocode):
if (user exists in database and has authorization for this task)...
the example is just to simplify the demonstration of the use of the RedirectFromLoginPage() call...
HTH,
Lynn Curtner
Message #3 by "John Tyson" <jtyson@t...> on Wed, 22 May 2002 10:27:03 -0700
Hi Tim,
What I do is store user information in a table in SQL Server. On my
login page I send the user's login ID and password to a stored procedure
that compares against the user table. I return an output parameter of
the count of users with that combination of login/password. If it finds
one unique match, I use forms authentication to create a cookie and
redirect the authenticated user to a menu. In my web.config I restrict
all anonymous users.
I intend to use this structure to build an enterprise application with
different levels of security based on department rights stored in my SQL
Server database.
Hope that gives you some ideas.
John
Message #4 by Imar Spaanjaars <Imar@S...> on Wed, 22 May 2002 19:38:19 +0200
Hi Tim,
IMO, the MS example can quite easily be modified to suit your needs. All
the presented code does is redirect if you allow it (that is, if the
e-mail address and password match). It's easy to change this and use a
database.
You can code any custom solution, and then redirect if the user has been
validated.
So, I think you could do something like this:
Sub Login_Click(Src As Object, E As EventArgs)
    ' Create an ADO.NET connection, command etc. Use a sproc if you have
    ' access to SQL Server.
    ' Execute the sproc and have it return either true, false, 1, -1 or
    ' some custom outcome, and keep that outcome in a Boolean.
    Dim WeHappy As Boolean = False   ' set to True once the user is validated
    ' Then, if you are happy with the results (user is validated)
    If WeHappy Then
        ' Set a cookie, session variable or whatever other way you need to
        ' define the level of access and then redirect
        FormsAuthentication.RedirectFromLoginPage(UserEmail.Value, PersistCookie.Checked)
    Else
        Msg.Text = "Invalid Credentials: Please try again"
    End If
End Sub
Not sure if this is what you wanted. Let me know if you need some more
concrete examples.
Imar
Message #5 by "Tim Farrell" <timothy.farrell@c...> on Wed, 22 May 2002 19:57:49
Imar,
I appreciate your thoughts and time. I am new to this; however, I am eager
to learn if you'll give me just a few more posts. I have added your
thoughts to my script (I think...) and have posted it below.
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<script language="VB" runat="server">
Sub Login_Click(Src As Object, E As EventArgs)
    Dim sqlConn As New SqlConnection
    Dim sqlCmd As New SqlCommand
    Dim sdrData As SqlDataReader
    Dim FUsername As String = UserEmail.Value   ' values typed into the login form
    Dim FPassword As String = UserPass.Value

    ' Connection string as posted; a login with fewer rights than sa belongs here
    sqlConn.ConnectionString = _
        "server=SQLServer;database=plan;uid=sa;pwd=;"

    ' Fetch the stored password for this user name. The name is passed as a
    ' parameter instead of being concatenated into the SQL text.
    sqlCmd.CommandText = "SELECT Username, Password FROM Employee WHERE Username = @Username"
    sqlCmd.CommandType = CommandType.Text
    sqlCmd.Connection = sqlConn
    sqlCmd.Parameters.Add("@Username", SqlDbType.VarChar).Value = FUsername

    sqlConn.Open()
    sdrData = sqlCmd.ExecuteReader()

    ' Login_Click only fires on a postback, so no IsPostBack test is needed here.
    ' A row exists for the name and its stored password equals the submitted one.
    If sdrData.Read() AndAlso sdrData("Password").ToString() = FPassword Then
        sdrData.Close()
        sqlConn.Close()
        ' Set a cookie, session variable or whatever other way you need to
        ' define the level of access and then redirect
        FormsAuthentication.RedirectFromLoginPage(UserEmail.Value, PersistCookie.Checked)
    Else
        sdrData.Close()
        sqlConn.Close()
        Msg.Text = "Invalid Credentials: Please try again"
    End If
End Sub
</script>
One (if not many) of the things I know I left out was the ability to
filter menus and content based on a security int contained in the db for
each user.
Can you let me know your thoughts when you get a moment?
Thank you so much!
Sincerely,
Tim
Message #6 by Imar Spaanjaars <Imar@S...> on Wed, 22 May 2002 21:24:33 +0200
Hi Tim,
Here is in short what I would do:
Create a sproc called sprocLogin in SQL Server:
CREATE PROCEDURE sprocLogin
@sUserName varchar(20),
@sUserPassword varchar(20)
AS
SELECT SecurityID FROM Users WHERE UserName = @sUserName and
UserPassword = @sUserPassword
Now, use this sproc to retrieve the SecurityID (or whatever you called it).
I am returning a result set, which isn't the most efficient way to do
things, but it shows you how to go about this.
Another option is to let SQL return the SecurityID through the Return
statement, or an OUTPUT param.
Depending on the methods you choose, you'll have different VB.NET code.
I'll show you a way that uses a DataReader. Again, not as efficient as
other methods like ExecuteScalar, but I guess right now performance isn't
your biggest issue ;-)
Then, use Pat's handy Code builder for sprocs which you can find at:
http://p2p.wrox.com/view.asp?list=aspx_professional&id=176998
This roughly generates the following code. I changed some stuff as his code
uses ExecuteNonQuery(), but other than that, it's more or less the same.
(Thanks, Pat ;-))
Dim sUserName As String = "UserName"
Dim sUserPassword As String = "UserPassword"
Dim conn As New System.Data.SqlClient.SqlConnection(sYourConnectionStringHere)
Dim cmd As New SqlCommand("sprocLogin", conn)
Dim dr As SqlDataReader
Dim iSecurityID As Integer

cmd.CommandType = CommandType.StoredProcedure

Dim param As System.Data.SqlClient.SqlParameter
param = cmd.Parameters.Add("@sUserName", SqlDbType.VarChar, 20)
param.Direction = ParameterDirection.Input
param.Value = sUserName

param = cmd.Parameters.Add("@sUserPassword", SqlDbType.VarChar, 20)
param.Direction = ParameterDirection.Input
param.Value = sUserPassword

Try
    'open the connection and execute the command
    conn.Open()
    dr = cmd.ExecuteReader()
    If dr.Read() Then
        'first column of the result set is the SecurityID
        iSecurityID = CInt(dr(0))
        Label1.Text = "SecurityID: " & iSecurityID
    Else
        Label1.Text = "Sorry, can't find you"
    End If
    dr.Close()
    conn.Close()
    param = Nothing
    cmd = Nothing
    conn = Nothing
Catch objError As Exception
    'Do some error trapping; make sure the connection is released
    If conn.State = ConnectionState.Open Then conn.Close()
    param = Nothing
    cmd = Nothing
    conn = Nothing
End Try
Voila, custom validation. Right now, the line with dr.Read() is where it
all happens. If the DataReader can read, it means there is a record. Right
now, I just print out the SecurityID to a label, but you could of course do
that what you want. You could set the SecurityID as an (encrypted) cookie,
and then use the RedirectFromLoginPage method to redirect.
I also hard coded the UserName and UserPassword, but you should of course
retrieve these from the form the user submitted.
Don't forget to import System.Data.SqlClient in your code behind or ASPX page.
HtH
Imar
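Pulling Imar's outline together with Tim's security_level requirement, as an added example that is not from the thread: the SecurityID returned by sprocLogin is carried in the encrypted forms ticket's UserData and read back on protected pages to decide which menus to show. It assumes the UserEmail, UserPass, PersistCookie and Msg controls from the thread's login form, sprocLogin as defined above, and sYourConnectionStringHere as a placeholder for the real connection string.

```vb
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web
Imports System.Web.Security

' Returns the SecurityID for a matching user name/password, or -1 if no row matched.
Function LookupSecurityID(ByVal userName As String, ByVal password As String) As Integer
    ' sYourConnectionStringHere is a placeholder, as in Imar's post
    Dim conn As New SqlConnection(sYourConnectionStringHere)
    Dim cmd As New SqlCommand("sprocLogin", conn)
    cmd.CommandType = CommandType.StoredProcedure
    cmd.Parameters.Add("@sUserName", SqlDbType.VarChar, 20).Value = userName
    cmd.Parameters.Add("@sUserPassword", SqlDbType.VarChar, 20).Value = password
    Try
        conn.Open()
        Dim result As Object = cmd.ExecuteScalar()   ' first column of first row, or Nothing
        If result Is Nothing Then Return -1
        Return CInt(result)
    Finally
        conn.Close()   ' runs whether the query succeeded or threw
    End Try
End Function

Sub Login_Click(ByVal Src As Object, ByVal E As EventArgs)
    Dim securityID As Integer = LookupSecurityID(UserEmail.Value, UserPass.Value)
    If securityID < 0 Then
        Msg.Text = "Invalid Credentials: Please try again"
        Return
    End If
    ' RedirectFromLoginPage cannot carry extra data, so build the ticket by hand and
    ' put the SecurityID in UserData. With protection="All" in web.config the cookie
    ' is encrypted and signed, so the browser cannot read or change the level.
    Dim ticket As New FormsAuthenticationTicket(1, UserEmail.Value, DateTime.Now, _
        DateTime.Now.AddMinutes(30), PersistCookie.Checked, securityID.ToString())
    Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
        FormsAuthentication.Encrypt(ticket))
    If PersistCookie.Checked Then cookie.Expires = ticket.Expiration
    Response.Cookies.Add(cookie)
    Response.Redirect(FormsAuthentication.GetRedirectUrl(UserEmail.Value, PersistCookie.Checked))
End Sub

' On a protected page: read the level back out of the ticket to decide which menus or
' content to show. Returns 0 for a request that is not forms-authenticated.
Function CurrentSecurityLevel() As Integer
    If Not TypeOf Context.User.Identity Is FormsIdentity Then Return 0
    Dim id As FormsIdentity = CType(Context.User.Identity, FormsIdentity)
    Return CInt(id.Ticket.UserData)
End Function
```

Because the level is read from the server-validated ticket rather than from a separate plain cookie, a user cannot raise their own level by editing what the browser sends.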
Message #7 by "Tim Farrell" <timothy.farrell@c...> on Wed, 22 May 2002 20:44:03
John,
You are doing exactly what I want to do but have yet to figure out the
scripts. The only real difference between our visions is that my security
is based on an integer field stored in the security column of the table. Each
user has an assigned security integer in their record. In this way I can
filter menus and content for all pages down to the user level.
If you would like to share any of your scripts I would be grateful. I am
new to this but I am finding that I learn much faster with a point of
reference in front of me. However, I will respect your privacy if you do
not wish to share the scripts. You did do a lot of work to produce them,
I'm sure.
Kind Regards,
Tim
Message #8 by "Tim Farrell" <timothy.farrell@c...> on Wed, 22 May 2002 20:51:04
Imar,
WOW!!!!!!!!!!
I can't tell you how appreciative I am. You have certainly given me a lot
to digest here, so in an effort not to overwhelm you with questions I
could most likely answer with some thought, I will work on this for
today. I will follow up with you tomorrow on this if that's ok.
Thanks again Imar!
Regards,
Tim
Message #9 by Imar Spaanjaars <Imar@S...> on Wed, 22 May 2002 21:55:42 +0200
Yeah, sure. No problem. Please do so through this list, so other people are
able to respond to your questions as well.
Imar
Message #10 by "Sri Vidya" <svsvidya@i...> on Thu, 23 May 2002 09:34:15 +0530
Hi Imar,
That is definitely very thoughtful of you. I have learnt a lot from
these Forms Authentication sessions you have been posting. Thanks a
ton.
Cheers,
Vidiya.