ASP.NET 1.1: As of 10/6/2005, this forum is locked as part of the reorganization described here: http://p2p.wrox.com/topic.asp?TOPIC_ID=35394. No posts have been deleted. Open ongoing discussions from the last week have been moved to either ASP.NET 1.0 and 1.1 Beginners (http://p2p.wrox.com/asp-net-1-0-1-1-basics-60/) or ASP.NET 1.0 and 1.1 Professional (http://p2p.wrox.com/forum.asp?FORUM_ID=50). See my sticky post inside for more.
Welcome to the p2p.wrox.com Forums.
You are currently viewing the ASP.NET 1.1 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
January 21st, 2004, 05:34 PM
|
|
Friend of Wrox
|
|
Join Date: Jun 2003
Posts: 1,110
Thanks: 0
Thanked 3 Times in 3 Posts
|
|
That worked! Thanks for your help Peter.
|
|

January 21st, 2004, 05:39 PM
|
|
Friend of Wrox
|
|
Join Date: Jun 2003
Posts: 1,110
Thanks: 0
Thanked 3 Times in 3 Posts
|
|
Quote:
Originally posted by planoie
<sidenote>
Many people recommend not telling the user that the password is bad (explicitly or implicitly telling them that the username is good). This encourages attempts to guess the password for known good users. Usually you'd display an error like "No valid login for the username and password combination you entered could not be found." This provides useful but not disclosing feedback.
</sidenote>
Peter
------------------------------------------------------
Work smarter, not harder.
|
Even with "invalid username OR password", does that make it obvious, or would "invalid credentials" be better?
|
|

January 21st, 2004, 05:43 PM
|
 |
Friend of Wrox
|
|
Join Date: Aug 2003
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts
|
|
Any user would see that username and password are required for login, so telling them that both are incorrect wouldn't reveal any more than they know already. You're just telling them that they are both wrong. That way they don't know which is wrong, thereby eliminating the obvious-ness of "invalid password" (and implied "username ok").
|
|

January 21st, 2004, 05:52 PM
|
|
Friend of Wrox
|
|
Join Date: Jun 2003
Posts: 1,110
Thanks: 0
Thanked 3 Times in 3 Posts
|
|
I had to modify it because a hacker could eventually put 2 + 2 together and see that when a valid username was entered but wrong password it displayed Invalid Username and Password. When an invalid username was entered it redirected to the register.
So, I changed both to display "invalid username and password".
|
|

January 22nd, 2004, 10:16 AM
|
|
Friend of Wrox
|
|
Join Date: Jun 2003
Posts: 996
Thanks: 2
Thanked 11 Times in 11 Posts
|
|
I don't know if it'll help you or not, but this is the code that I use to check my users' login using an SP in SQL Server 2000.
Code:
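private void Buttonlogin_Click(object sender, System.EventArgs e)
{
    // Run the login stored procedure. Parameter 0 receives its result code;
    // the values are read after the connection (and its reader) is closed.
    NewBazConn.Open();
    CommLogin.Parameters[1].Value = TextBoxUserName.Text;
    CommLogin.Parameters[2].Value = TextBoxUserPass.Text;
    CommLogin.ExecuteReader();
    NewBazConn.Close();

    switch( (int)CommLogin.Parameters[0].Value )
    {
        case 1 :
            LabelError.Text = "login failed!";
            break;
            // NOTE: the case label for this branch is missing from the post as
            // published, so the next two lines are unreachable as written.
            LabelError.Text = "User is disable!";
            break;
        case 7 :
            // Successful login: issue the forms-authentication cookie.
            FormsAuthentication.SetAuthCookie(CommLogin.Parameters["@UserID"].Value.ToString(), false);

            // Load the user's access list and keep it in the session.
            NewBazConn.Open();
            CommAccList.Parameters["@User"].Value = CommLogin.Parameters["@UserID"].Value;
            CommAccList.ExecuteReader();
            NewBazConn.Close();
            Session.Add("UserAcc", CommAccList.Parameters["@Access"].Value.ToString() );
            Session.Timeout = 30;

            // ReturnUrl is read from the query string unvalidated; it is null when
            // the page is opened directly and should be limited to site-relative paths.
            Response.Redirect(Request.QueryString.Get("ReturnUrl"));
            break;
    }//switch
}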
Always:),
Hovik Melkomian.
|
|
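The uniform failure message discussed earlier in this thread, as an added example that is not part of any post: unknown username, wrong password and disabled account all return the same text and do the same password-hashing work, which goes one step beyond the thread by also evening out response time. `LoginService`, `UserRecord` and the sample accounts are constructed for illustration, and the code assumes .NET 6 or later rather than ASP.NET 1.1.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example; LoginService, UserRecord and the sample accounts are constructed.
public sealed class UserRecord
{
    public byte[] Salt = new byte[0];
    public byte[] Hash = new byte[0];
    public bool Disabled;
}

public static class LoginService
{
    public const string GenericFailure = "Invalid username and password.";
    static readonly Dictionary<string, UserRecord> Users =
        new Dictionary<string, UserRecord>(StringComparer.OrdinalIgnoreCase);
    // Decoy record so an unknown username costs the same hash computation.
    static readonly UserRecord Decoy = MakeRecord("constructed-decoy", false);

    static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, 100000, HashAlgorithmName.SHA256, 32);

    static UserRecord MakeRecord(string password, bool disabled)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        return new UserRecord { Salt = salt, Hash = Derive(password, salt), Disabled = disabled };
    }

    public static void AddUser(string name, string password, bool disabled) =>
        Users[name] = MakeRecord(password, disabled);

    // Returns null on success; every failure path returns the same message.
    public static string TryLogin(string name, string password)
    {
        UserRecord found;
        bool known = Users.TryGetValue(name ?? "", out found);
        UserRecord r = known ? found : Decoy;
        bool match = CryptographicOperations.FixedTimeEquals(Derive(password ?? "", r.Salt), r.Hash);
        return (known && match && !r.Disabled) ? null : GenericFailure;
    }

    public static void Main()
    {
        AddUser("alice", "correct horse", false);
        AddUser("bob", "hunter2!", true);
        Console.WriteLine(TryLogin("alice", "wrong") == TryLogin("nobody", "wrong")); // unknown vs bad password
        Console.WriteLine(TryLogin("bob", "hunter2!") == GenericFailure);             // disabled account
        Console.WriteLine(TryLogin("alice", "correct horse") == null);                // success
    }
}
```

The same rule applies to everything else the login page does on failure: a redirect to a registration page for unknown usernames, as described earlier in the thread, distinguishes the two cases just as clearly as a different message.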

April 8th, 2004, 11:31 AM
|
|
Authorized User
|
|
Join Date: Jan 2004
Posts: 66
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
Hi folks,
I was wondering if this code could be edited to create user groups such as admin etc when the user is logging in?
Do I need to create a list of groups and users elsewhere and reference them - how would I do this? Or, if the info is held in a database, do I access this and put the user into a role when they log in? How would I do this?
As I know very little about user groups etc (or anything else for that matter!) all help is greatly received.
Thanks,
Morris
|
|

April 8th, 2004, 11:58 AM
|
|
Friend of Wrox
|
|
Join Date: Jun 2003
Posts: 1,110
Thanks: 0
Thanked 3 Times in 3 Posts
|
|
Are you using an Intranet app or Internet? Intranet gives you the ability to use Windows Authentication and you can check for their role against the server. With Internet, you could establish a role in a DB like you said and verify from the DB.
|
|

April 8th, 2004, 01:20 PM
|
|
Authorized User
|
|
Join Date: Jan 2004
Posts: 66
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
Hi,
It's an internet app.
Morris
|
|

April 9th, 2004, 07:10 AM
|
|
Friend of Wrox
|
|
Join Date: Jun 2003
Posts: 1,110
Thanks: 0
Thanked 3 Times in 3 Posts
|
|
You will have to use Forms Authentication and create your own roles.
|
|

April 10th, 2004, 12:03 AM
|
|
Friend of Wrox
|
|
Join Date: Jun 2003
Posts: 996
Thanks: 2
Thanked 11 Times in 11 Posts
|
|