Forms Authentication / problem..

Status
Not open for further replies.

talon121

IS-IT--Management
Jan 23, 2003
22
US
I'm authenticating using an SQL DB,
and using forms authentication, trying to secure
another dir, i.e. /secured

The login.aspx is located in the root of the web, rather than the secured dir.

I get the login.aspx (I created) and when I submit, it doesn't 'authenticate'. Yet, the credentials are correct. Anyone know how I can fix this? Or what I might wanna try?

Anyone know how to 'force' authentication via the FormsAuthentication.RedirectFromLoginPage ...?

It just keeps bringing me back to the login.aspx.
PLEASE HELP!
 
What is the logic in the "Submit" button click event?
 
Sub LoginBtn_Click (sender as Object, e as EventArgs)

    If Page.IsValid Then
        If DBAuthenticate(uemailaddress.text, upassword.Text ) > 0 Then
            FormsAuthentication.RedirectFromLoginPage( uemailaddress.text, False)
        End If
        'response.redirect(Request.Params("ReturnURL"))
    End If

End Sub


The DBAuthenticate function is just a stored procedure that checks user/pw and returns the ID if valid. (i.e. Return intResult)

Appreciate the help ;-)

 
Okay, had to remember my previous username on Tek-Tips. You can reply to this one (or the other, both will work).

Thnx
 
OK, I see what the problem is. If the user tries to access a page directly, without being authenticated first, he'll be redirected to the Login page - notice the ReturnUrl parameter in the query string. Then after successful authentication, the user will be redirected to the previously requested page - its URL stored in the ReturnUrl - by using the RedirectFromLoginPage method. But if you come directly to the login page, then there is nothing to redirect to after successful authentication, and the page will continue displaying itself, until you add logic in your code to check for the ReturnUrl parameter: if it doesn't exist, then you need to use the SetAuthCookie method and just redirect the user to a default page in your application.
Code:
private void btnSubmit_Click(object sender, System.EventArgs e)
{
  // DBAuthenticate returns the user's ID (> 0) when the credentials are valid
  if (DBAuthenticate(uemailaddress.Text, upassword.Text) > 0)
  {
    if (Request.QueryString.Get("ReturnUrl") != null)
    {
      if (Request.QueryString.Get("ReturnUrl").Trim() != "")
      {
        // user was redirected to the Login page:
        // issue the auth cookie and go back to the requested page
        FormsAuthentication.RedirectFromLoginPage(uemailaddress.Text.Trim(), false);
      }
      else
      {
        // user was redirected to the Login page, but page url is empty for some reason:
        // issue the auth cookie, then redirect to default page
        FormsAuthentication.SetAuthCookie(uemailaddress.Text.Trim(), false);
        Response.Redirect("/default.aspx");
      }
    }
    else
    {
      // user came to the Login page directly
      FormsAuthentication.SetAuthCookie(uemailaddress.Text.Trim(), false);
      Response.Redirect("/default.aspx");
    }
  }
}
 
Am I correct that the FormsAuthentication.RedirectFromLoginPage function automatically redirects if the user is 'authenticated'?

I commented out that Response.Redirect I had in the previous code because it wasn't even working if I placed that in. My problem seems to be it keeps bringing the user back to the login page, and doesn't actually 'authenticate'. I've done some trace.warn's to see where it may be failing and apparently it seems to always center on the authentication process. Any other ideas?
 
Here's all the script.. I left out the HTML part.. But here's the code from presentation.
<%@ Page Language="VB" Trace="False" EnableViewStateMac="True" EnableViewState="True" Debug="True" %>

<%@ import Namespace="System.Data" %>
<%@ import Namespace="System.Data.SqlClient" %>
<%@ import Namespace="System.Web.Security" %>

<script runat="server">

Sub Page_Load(Sender as Object, E As EventArgs)

    'verify authentication
    If User.Identity.IsAuthenticated Then
        'display Credential information
        displayCredentials.InnerHtml = "Current User : <b>" & User.Identity.Name & "</b>" & _
            "<br><br>Authentication Used : <b>" & User.Identity.AuthenticationType & "</b>"
    Else
        'Display Error Message
        displayCredentials.InnerHtml = "Sorry, you have not been authenticated."
    End If

End Sub


Sub LoginBtn_Click (sender as Object, e as EventArgs)

    If Page.IsValid Then
        If DBAuthenticate(uemailaddress.text, upassword.Text ) > 0 Then
            FormsAuthentication.RedirectFromLoginPage( uemailaddress.text, False)
        End If
    End If

End Sub


Function DBAuthenticate( strUsername As String, strPassword As String ) As Integer

    'Of course dim all variables...
    Dim conMydata As SqlConnection
    Dim cmdSelect As SqlCommand
    Dim parmReturnValue As SqlParameter
    Dim intResult As Integer

    'Set SQL connection string here.
    conMydata = new SqlConnection( ConfigurationSettings.AppSettings("conString") )

    'Set the cmd to execute the stored procedure called 'DBAuthenticate'
    cmdSelect = New SqlCommand("DBAuthenticate", conMydata)
    cmdSelect.CommandType = CommandType.StoredProcedure

    'get return value from SP
    parmReturnValue = cmdSelect.Parameters.Add( "RETURN_VALUE", SqlDbType.Int)
    parmReturnValue.Direction = ParameterDirection.ReturnValue

    cmdSelect.Parameters.Add("@username", strUsername)
    cmdSelect.Parameters.Add("@password", strPassword)

    conMydata.Open()
    cmdSelect.ExecuteNonQuery()
    intResult = cmdSelect.Parameters("RETURN_VALUE").Value
    conMydata.Close()

    If intResult < 0 Then
        If intResult = -1 Then
            lblMsg.Text = "Not Registered!"
        Else
            lblMsg.Text = "Invalid Password!"
        End If
    End If

    Return intResult

End Function

</script>

I'm trying to protect a dir, i.e. /secure

The login.aspx is in the root dir,
and the web.config is as follows:

<?xml version="1.0" encoding="UTF-8" ?>

<configuration>

  <appSettings>
    <!-- CONNECTION STRING HERE : CALL USING Configuration.AppSettings("conString") -->
    <!-- LEFT OUT OF TEK-TIPS CODE FOR SECURITY -->
  </appSettings>

  <system.web>

    <!-- <sessionState mode="Off" /> -->

    <authorization>
      <deny users="*" />
    </authorization>

    <authentication mode="Forms">
      <forms name=".SITE_AUTH"
             loginUrl="../login.aspx"
             protection="Encryption"
             timeout="50" />
    </authentication>

    <customErrors mode="Off"/>

  </system.web>

</configuration>
 
The FormsAuthentication.RedirectFromLoginPage function authenticates the user and redirects to the page which the user tried to access without being authenticated, probably by typing the page's URL directly into the browser's address window. The FormsAuthentication.SetAuthCookie authenticates the user as well, but needs to be followed by a Response.Redirect - this is useful when the user came to the login page directly.
 
Hmm, my FormsAuthentication.RedirectFromLoginPage seems not to redirect internally if that's the case. Does it sound like I'll have to do a SetAuthCookie?

And, does it rely on the aspnet_client folder in the root of the web? (It wasn't there originally. I had to copy it from another ASP.net site on my server <win2k3:IIS6>.)

 
In Web.config:
Code:
<system.web>
  <authentication mode="Forms">
    <forms name=".ASPXAUTH" loginUrl="/LoginPage.aspx" protection="All" timeout="60" />
  </authentication>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
loginUrl in the <forms> tag will make it work with FormsAuthentication.RedirectFromLoginPage and <deny users="?" /> will deny all anonymous users. As for the aspnet_client directory, the user will gain access to it once authenticated, so you should be OK here.
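
Added example, not part of any post in this thread: a root web.config for the layout described in the question (login.aspx in the web root, only one folder protected). In URL authorization `*` matches every user, including one who has just logged in, so the `<deny users="*" />` rule in the posted config sends an authenticated user straight back to the login page, while `?` matches anonymous users only. The folder name `secured` comes from the question, and the example assumes the application sits at the site root.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Root web.config (added example; assumes the application is at the site root) -->
<configuration>
  <system.web>
    <!-- <authentication> is only valid at the application root,
         not in the web.config of an ordinary subfolder -->
    <authentication mode="Forms">
      <!-- protection="All" both encrypts and validates the ticket;
           "Encryption" alone leaves the cookie without validation -->
      <forms name=".SITE_AUTH" loginUrl="/login.aspx" protection="All" timeout="50" />
    </authentication>

    <!-- The root stays open so login.aspx and public pages are reachable anonymously -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Authorization rules that apply to /secured only -->
  <location path="secured">
    <system.web>
      <authorization>
        <!-- "?" = anonymous users only; authenticated users pass through -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this layout a request for a page under /secured by an anonymous user is redirected to /login.aspx with a ReturnUrl parameter, and the same request succeeds once the forms cookie has been issued.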
 