Forms Authentication

Status
Not open for further replies.

primagic

IS-IT--Management
Jul 24, 2008
476
GB
I have the following stored procedure to authenticate users on my website:

Code:
USE [keystrategy]
GO
/****** Object:  StoredProcedure [dbo].[DBAuthenticate]    Script Date: 03/01/2012 11:46:49 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
-- Returns the user's id (> 0) on success, -1 if the e-mail address is not
-- found, and -2 if it is found but the password does not match.
CREATE PROCEDURE [dbo].[DBAuthenticate]
(
    @Username nvarchar(50),
    @Password nvarchar(10)
)
AS
BEGIN
    SET NOCOUNT ON

    DECLARE @ID INT
    DECLARE @ActualPassword nvarchar(10)

    -- @ID stays NULL when no row matches the e-mail address.
    SELECT
        @ID = IDENTITYCOL,
        @ActualPassword = Password
    FROM dbo.Babysitters
    WHERE EmailAddress = @Username

    IF @ID IS NULL
        RETURN -1

    -- Note: under a case-insensitive database collation this comparison is
    -- case-insensitive too, and T-SQL ignores trailing spaces in = comparisons.
    IF @Password = @ActualPassword
        RETURN @ID

    RETURN -2
END
GO

This authenticates against the Babysitters table. However, I have parents who can log in as well, and their details are stored in a different table. Can I authenticate against two tables, so it checks the first table, then the second?

This is my code for the login button:

Code:
Protected Sub btnLogin_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnLogin.Click
    If IsValid Then
        If DBAuthenticate(txtUsername.Text, txtPassword.Text) > 0 Then
            Session("User") = txtUsername.Text
            ' RedirectFromLoginPage issues the forms cookie and ends the response,
            ' so nothing placed after it runs; it sends the user to ReturnUrl
            ' if present, otherwise to the defaultUrl from web.config.
            FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, False)
        End If
    End If
End Sub

Function DBAuthenticate(ByVal strUsername As String, ByVal strPassword As String) As Integer
    Dim strConnection As String = ConfigurationManager.ConnectionStrings("KeyStrategyConnectionString").ConnectionString
    Dim intResult As Integer

    ' Using blocks dispose the connection even if ExecuteNonQuery throws.
    Using conUsers As New SqlConnection(strConnection)
        Using cmdSelect As New SqlCommand("DBAuthenticate", conUsers)
            cmdSelect.CommandType = CommandType.StoredProcedure
            Dim parmReturnValue As SqlParameter = cmdSelect.Parameters.Add("RETURN_VALUE", SqlDbType.Int)
            parmReturnValue.Direction = ParameterDirection.ReturnValue
            cmdSelect.Parameters.AddWithValue("@username", strUsername)
            cmdSelect.Parameters.AddWithValue("@password", strPassword)
            conUsers.Open()
            cmdSelect.ExecuteNonQuery()
            intResult = CInt(parmReturnValue.Value)
        End Using
    End Using

    If intResult < 0 Then
        If intResult = -1 Then
            lblMessage.Text = "Username not found!"
        Else
            lblMessage.Text = "Invalid Password!"
        End If
    End If
    Return intResult
End Function
 


I'd advise using two separate steps to authenticate the user and then determine the user's privileges. The user authentication process should validate the user's right to use the site, and subsequently the derived user's Id should be used to determine what privileges that user has within the context of the site.

If that is not possible, you should use an OUTPUT parameter in your stored procedure to return to the calling function the user's role in the application.




Mark

"You guys pair up in groups of three, then line up in a circle."
- Bill Peterson, a Florida State football coach
 
Another point. Don't let the user know if the Username or Password is wrong. Just have a generic message like "Login failed: The username or password entered is incorrect."
Otherwise, the user will know they have a correct username or password and can hack your system.
 
OK, thanks for your comments. Both taken.

I have decided I will get the users into one table and authenticate.

My other question: is there a way then to redirect them to a different defaultUrl depending on whether they are a babysitter or a parent?


In my web.config file I have

Code:
<authentication mode="Forms">
    <forms name=".Login" loginUrl="parents/login.aspx" defaultUrl="secure/home.aspx" protection="All" timeout="30" slidingExpiration="true"></forms>
</authentication>

and I know I can't have two different defaultUrls?
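Putting the two suggestions above together (Mark's OUTPUT parameter carrying the user's role, and the generic failure message) also answers the defaultUrl question: `<forms>` allows a single defaultUrl, but the login page does not have to use it. If the code calls `FormsAuthentication.SetAuthCookie` instead of `RedirectFromLoginPage`, it still issues the forms ticket but leaves the redirect target to the application, which can then pick a page per role. The following is an added example, not code from the original thread. It assumes a hypothetical stored procedure `DBAuthenticateWithRole` (same return-value convention as the thread's `DBAuthenticate`, plus an `@Role` OUTPUT parameter of `'Babysitter'` or `'Parent'`), and the two role-specific landing pages are made-up paths; only `secure/home.aspx` and the connection string name come from the thread.

```vbnet
' Added example (not from the original thread): one merged users table, a stored
' procedure that reports the role via an OUTPUT parameter, a generic failure
' message, and a role-based redirect after the forms ticket is issued.
'
' Assumed (hypothetical) stored-procedure contract:
'   CREATE PROCEDURE dbo.DBAuthenticateWithRole
'       @Username nvarchar(256), @Password nvarchar(128), @Role nvarchar(20) OUTPUT
'   Return value: user id (> 0) on success, -1 unknown user, -2 wrong password.
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web.Security

Partial Class Login
    Inherits System.Web.UI.Page

    ' Outcome of one authentication attempt.
    Private Class AuthResult
        Public UserId As Integer
        Public Role As String
        Public ReadOnly Property Succeeded As Boolean
            Get
                Return UserId > 0
            End Get
        End Property
    End Class

    Protected Sub btnLogin_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnLogin.Click
        If Not IsValid Then Return

        Dim result As AuthResult = DBAuthenticate(txtUsername.Text, txtPassword.Text)
        If Not result.Succeeded Then
            ' One message for both -1 and -2: do not tell the caller which half was wrong.
            lblMessage.Text = "Login failed: The username or password entered is incorrect."
            Return
        End If

        ' Issue the forms cookie without redirecting, so we choose the landing page.
        FormsAuthentication.SetAuthCookie(txtUsername.Text, False)
        Session("User") = txtUsername.Text
        Session("Role") = result.Role

        ' endResponse:=False plus CompleteRequest avoids the ThreadAbortException
        ' that Response.Redirect(url) would otherwise raise.
        Response.Redirect(LandingPageFor(result.Role), False)
        Context.ApplicationInstance.CompleteRequest()
    End Sub

    ' Maps the role returned by the database to that role's start page.
    ' The two role-specific paths are hypothetical; unknown roles fall back to
    ' the single defaultUrl configured in web.config (secure/home.aspx here).
    Public Shared Function LandingPageFor(ByVal role As String) As String
        Select Case role
            Case "Babysitter" : Return "~/secure/babysitters/home.aspx"
            Case "Parent" : Return "~/secure/parents/home.aspx"
            Case Else : Return FormsAuthentication.DefaultUrl
        End Select
    End Function

    Private Function DBAuthenticate(ByVal username As String, ByVal password As String) As AuthResult
        Dim cs As String = ConfigurationManager.ConnectionStrings("KeyStrategyConnectionString").ConnectionString
        Dim result As New AuthResult()

        Using conn As New SqlConnection(cs)
            Using cmd As New SqlCommand("DBAuthenticateWithRole", conn)
                cmd.CommandType = CommandType.StoredProcedure
                ' Explicit types and sizes avoid AddWithValue guessing a varchar of the input's length.
                cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 256).Value = username
                cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 128).Value = password
                Dim roleParam As SqlParameter = cmd.Parameters.Add("@Role", SqlDbType.NVarChar, 20)
                roleParam.Direction = ParameterDirection.Output
                Dim rv As SqlParameter = cmd.Parameters.Add("RETURN_VALUE", SqlDbType.Int)
                rv.Direction = ParameterDirection.ReturnValue

                conn.Open()
                cmd.ExecuteNonQuery()
                result.UserId = CInt(rv.Value)
                ' Only trust the role when authentication actually succeeded.
                result.Role = If(result.Succeeded AndAlso roleParam.Value IsNot DBNull.Value, CStr(roleParam.Value), Nothing)
            End Using
        End Using

        Return result
    End Function
End Class
```

Two caveats. First, `RedirectFromLoginPage` honoured the `ReturnUrl` query string; with `SetAuthCookie` you decide whether to honour it, and if you do, take it from `FormsAuthentication.GetRedirectUrl` and leave `enableCrossAppRedirects` at its default of `false` so an attacker-supplied `ReturnUrl` cannot send the user off-site. Second, this example still passes the password to the database the way the thread's procedure does; the procedure should compare a salted hash stored in the table rather than the plaintext password column shown above.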
 