How to i protect my admin page?

Question

adam1991 0 Newbie Poster

15 Years Ago

Ive just created a login system using a tutorial, but it doesnt say how to protect the admin page, just logs you in..

Here first is my HTML, Login form

<%@ Page Language="VB" AutoEventWireup="false" CodeFile="login.aspx.vb" Inherits="login" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
<form runat="server">
   <div>
<h1>Log In</h1>

Username:<br />
<asp:TextBox ID="UserName" Runat="server" /><br />
Password:<br />
<asp:TextBox ID="Password" TextMode="password" Runat="server" /><br />
<asp:Button ID="LoginButton" Text="Log In" OnClick="LogIn" Runat="server" /><br />

<asp:Literal ID="LtlLogin" Runat="server" />

</div>
</form>


</body>
</html>

Here is my code behind the login in button..

Function DBAuthenticate(ByVal strUsername As String, ByVal strPassword As String) As Boolean
        Dim Connection As OleDbConnection
        Connection = New OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;data source=" & Server.MapPath("database\UsersPasswords.mdb"))
        Connection.Open()
        Dim Command As OleDbCommand
        Dim UserExists As Boolean
        Command = New OleDbCommand("SELECT * FROM UsersPasswords WHERE [Username]='" & strUsername & "' AND [Password]='" & strPassword & "'", Connection)
        Dim DataReader As OleDbDataReader
        DataReader = Command.ExecuteReader()

        If DataReader.Read() Then
            UserExists = True
        Else
            UserExists = False
        End If
        Connection.Close()

        Return UserExists
    End Function

    Public Sub LogIn(ByVal sender As Object, ByVal e As System.EventArgs) Handles LoginButton.Click
        If FormsAuthentication.Authenticate(UserName.Text, Password.Text) = True Then
            FormsAuthentication.SetAuthCookie(UserName.Text, True)
            Response.Redirect("admin/default.aspx")
        Else
            If DBAuthenticate(UserName.Text, Password.Text) Then
                FormsAuthentication.SetAuthCookie(UserName.Text, True)
                Response.Redirect("members/default.aspx")
            Else
                LtlLogin.Text = "<p>sorry wrong login details</p>"
            End If
        End If
    End Sub

Here is my web.config file code..

<?xml version="1.0"?>
<!-- 
    Note: As an alternative to hand editing this file you can use the 
    web admin tool to configure settings for your application. Use
    the Website->Asp.Net Configuration option in Visual Studio.
    A full list of settings and comments can be found in 
    machine.config.comments usually located in 
    \Windows\Microsoft.Net\Framework\v2.x\Config 
-->
<configuration>
    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="Login.aspx">
          <credentials passwordFormat="Clear">
            <user name="admin" password="password"/>
          </credentials>
        </forms>
      </authentication>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>

    <location path="admin">
      <system.web>
        <authorization>
          <allow users="admin"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </location>

    <location path="members">
      <system.web>
        <authorization>
          <deny users="?"/>
        </authorization>
      </system.web>
    </location>
</configuration>

The problem is anyone can just type /admin/default.aspx and get onto the admin page, i want to them to be redirected to the login page till they use the correct password.

Im guessing its code Behind the admin page, but im not sure what it is.

Hope you can help, Thanks

asp.net

2 Contributors
1 Reply
111 Views
3 Days Discussion Span
Latest Post 15 Years Ago Latest Post by guru_sarkar

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

guru_sarkar 0 Junior Poster in Training · Answer 1 · 2009-10-12T22:03:36+00:00

----> "The problem is anyone can just type /admin/default.aspx and get onto the admin page, i want to them to be redirected to the login page till they use the correct password."

Looking at your web.config it should take care of this and nobody except user with username "admin" can access the page. Now why is it not behaving properly...not sure but try any of these and see if it works:
1: in admin page_load check the user like below:
If HttpContext.Current.User.Identity.Name IsNot "admin" Then
FormsAuthentication.SignOut()
FormsAuthentication.RedirectToLoginPage()
End If

2: add a web.config to your adminFolder with following settings:

<system.web>        <authorization>          <allow users="admin"/>          <deny users="*"/>        </authorization>      </system.web>

This is just same what your location pat="admin" does but to make sure it is not that one ...remove it after you add web.config with above settings.

3: Or Could be admin cookie is persisted before