login with forms authentication 1

[bclt]

Hi,

there is a site for example that has 2 pages .aspx. The login and the default. When i "authenticate" the user that logins (e.g. if txtpass="123" and txtname="nick") i'll redirect him to the default page.

How can i prevent anyone from writing in the address bar "

http://www.MySite.com/default.aspx"

?


Tnx

 

[angst11]

Is your web.config file setup correctly?

 

[dace]

If you properly set up forms authentication they will be automatically redirected to the LoginUrl specified in web.config:

 <authentication mode="Forms">
  <forms name="MyAuth" 
       loginUrl="Login.aspx" 
       protection="Encryption"
       timeout="20" 
       path="/" >
  </forms>

If they type in the path to default.aspx, it should redirect them to Login.aspx. Once they authenticate on the login page, it will redirect them automatically to their originally-requested page (in this case default.aspx).

 

[bclt]

Thanks for your posts.By reading these i have 2 more questions.
1. Where did u fing the "MyAuth" name? I mean why didn;t you write name="Hi" ?

2. Is there any way to check if "Nick" has loged in? I mean if 2 persons share the password and the username, and one has loged, the second one shouldn't be able to login.

Thanks

 

[dace]

1) I don't think the name matters, you can write anything.

2) You'd have to implement custom security tracking - so you would have to store for instance a list of users logged in in the Application cache, a database, etc. and update it when someone signs in and when sessions time out.
But, this isn't a good thing to have to do in a web application - why would you have different people logging in with the same account?

 

[bclt]

The people who login pay a fee about 100$/month to use the "things" offered in the site. With a pair of Name and Pass 5 people may login together from different pcs and use the page. Of course i don't have any kind of this page and of course no fee exists...just making thoughts and dreams.

 

[dace]

There's no efficient way to prevent this for a web application.
An alternate solution might be to log IP addresses for each login, and run occasional checks to see if there's concurrent access from different IP addresses, in which case you could disable that login until they explain why. That ensures it's in their best interest not to share a login.

 

[bclt]

Dace you are God. That's the best (disable the login) but I am not able to develop this with IPs checks.
for me. I have no idea how to do something like that

 

[dace]

It's pretty easy
One way to get the user IP (there's other solutions as well):

-In the page_load sub of your protected page, check
Request.UserHostAddress to get the IP of the client browser.
-You could then write this, along with a timestamp of the current time and the current user, to a database, save it to a textfile log, keep it in the Application cache object, etc. (you can get the username that they logged in with using User.Identity.Name)
-Every week, run a script that analyzes the log and look for multiple IPs at the same time for the same account name.

 

[bclt]

I want to open a file to add in it,suppose i use "append"?
There is no permittion to create the file (txt file to store {name, time and IP}) in e.g "/files". How can i handle this?

Thanks

 

[bclt]

There is a problem:

this is the code

imports system.web.security
FormsAuthentication.RedirectFromLoginPage(txtName.Text, True)

I have as startup page the login.aspx. This will redirect me to /default.aspx
If i type in the addressbar

http://localhost/webapp/default.aspx

even without having entered name and pass in loagin.aspx; the default will appear !

Any ideas?

 

[ca8msm]

If i type in the addressbar

http://localhost/webapp/default.aspx

even without having entered name and pass in loagin.aspx; the default will appear !

In that case you haven't set up the forms authentication correctly. Check out the first post made by dace or read the following URL for more information:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp

----------------------------------------------------------------------

Need help finding an answer?

Try the search facilty (

http://www.tek-tips.com/search.cfm)

or read FAQ222-2244 on how to get better results.

 

[bclt]

this doesn't work....


<authentication mode="Forms">
<forms name="MyAuth"
loginUrl="Login.aspx"
protection="Encryption"
timeout="20"
path="/" >
</forms>


Error message : Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: Unrecognized configuration section Forms.

 

[ca8msm]

It should do (see URL below) - do you have the section in the correct place in the web.config file?

http://msdn.microsoft.com/library/d.../cpgenref/html/gngrfauthenticationsection.asp

----------------------------------------------------------------------

Need help finding an answer?

Try the search facilty (

http://www.tek-tips.com/search.cfm)

or read FAQ222-2244 on how to get better results.

 

[bclt]

Still,,, have a look in it

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    
  <system.web>

<compilation defaultLanguage="vb" debug="true" />

<customErrors mode="Off" />

      <authentication mode="Forms">
         <forms name="401kApp" loginUrl="/login.aspx"/>
      </authentication>

   <authorization>
        <allow users="*" />
</authorization>

<trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" />

    <sessionState 
            mode="InProc"
            stateConnectionString="tcpip=127.0.0.1:42424"
            sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
            cookieless="false" 
            timeout="20" 
    />

    <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
   
  </system.web>

</configuration>




Where is the error?