  1. #1
    Join Date
    Dec 2007
    Location
    South Africa
    Posts
    263

    Users Bypass the Login Screen

    Good Afternoon Guys

    I have a Web Application that has a login screen. I tried to make sure that a user does not bypass the login screen; on the Page load event I used the following line of code

    Code:
            if (Session.IsNewSession)
            {
                Response.Redirect("login.aspx");
            }
    to prevent the user from going straight to other pages. I have successfully used this code

    Code:
    Response.Write("<script> window.history.forward(1);</script>;");
    to make sure that they don't use Back to bypass the pages. Now if a user can log in and copy the URL to the exact page they want, it goes there directly.

    How can I prevent this?

    Thank you

  2. #2
    Join Date
    Nov 2007
    Location
    .NET 3.5 / VS2008 Developer
    Posts
    624

    Re: Users Bypass the Login Screen

    I made a post about Windows and forms-based authentication with ASP.NET.

    http://www.codeguru.com/forum/showthread.php?t=462169

    You will want to note the web.config entries.

    Code:
    <system.web>
          <authentication mode="Forms">
                 <forms name=".LOGINAUTH" loginUrl="Login.aspx"/>
          </authentication>
    
          <authorization>
                 <deny users="?"/>
          </authorization>
    </system.web>
    This will basically redirect all non-authenticated users to the login page. Of course, you will need to put the name of your login page.

    Then, after you have authenticated the user, you will want to use this code.

    Code:
    FormsAuthentication.SetAuthCookie([userIdentification], false);
    FormsAuthentication.RedirectFromLoginPage([userIdentification], false);  // This will redirect the visitor to the page they were trying to get to.
    This code will handle those times when the user tries to go directly to a page. They will be redirected to the login page, and after a successful login, they will be redirected to the page they were trying to go to.
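
The forms-authentication flow from the reply above, written out as code-behind. This is an added example, not code from the thread: the page classes, control names (txtUser, txtPassword, lblError, lblWelcome) and handlers are hypothetical, and it assumes the web.config entries shown above plus a configured membership provider.

```csharp
// Added example. Login.aspx.cs and Members.aspx.cs are shown together;
// in a project each class lives in its own file. The controls are assumed
// to be declared in the matching .aspx markup.
using System;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string user = txtUser.Text.Trim();

        // Assumption: a membership provider is configured. Any replacement
        // credential check must also run here, on the server.
        if (!Membership.ValidateUser(user, txtPassword.Text))
        {
            // One message for both unknown user and wrong password.
            lblError.Text = "Invalid user name or password.";
            return;
        }

        // Issues the authentication cookie, then redirects to the page the
        // visitor originally requested (ReturnUrl) or to the default URL.
        FormsAuthentication.RedirectFromLoginPage(user, false);
    }
}

// Hypothetical protected page. It needs no Session.IsNewSession test:
// <deny users="?"/> makes ASP.NET reject anonymous requests, including a
// pasted URL, before Page_Load runs.
public partial class Members : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        lblWelcome.Text = Server.HtmlEncode(User.Identity.Name);
    }

    protected void btnLogout_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();   // remove the authentication cookie
        Session.Abandon();               // discard server-side session state
        FormsAuthentication.RedirectToLoginPage();
    }
}
```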

  3. #3
    PeejAvery (Super Moderator)
    Join Date
    May 2002
    Posts
    10,943

    Re: Users Bypass the Login Screen

    Quote Originally Posted by vuyiswam
    to prevent the user from going straight to other pages. I have successfully used this code

    Code:
    Response.Write("<script> window.history.forward(1);</script>;");
    Rule #1 of security on the internet...Never, never, never rely on JavaScript since it is easily disabled! All security, authentication, and validation must come from the server-side.

  4. #4
    Join Date
    Mar 2002
    Location
    St. Petersburg, Florida, USA
    Posts
    12,117

    Re: Users Bypass the Login Screen

    Quote Originally Posted by PeejAvery
    Rule #1 of security on the internet...Never, never, never rely on JavaScript since it is easily disabled! All security, authentication, and validation must come from the server-side.
    For SECURITY, this is true. But not just because it can be disabled...it can also be modified.

    On the other hand, most modern sites require JavaScript to be enabled. Consider that without it, all AJAX and Silverlight websites will drop dead instantly.

    Of course, it is a good idea to CHECK if JavaScript is enabled on your ENTRY page, so that the user gets a nice clean message rather than just poor behaviour.

    There are also times where a "script free" site IS required, but these are becoming rarer and rarer (remember when CSS was first introduced and many sites avoided it because of compatibility issues??) and are most often (again in MY experience) as "fall-back" sites with limited capabilities.
    TheCPUWizard is a registered trademark, all rights reserved. (If this post was helpful, please RATE it!)
