Login validation and redirection

Eager_Beever

Newcomer
Joined
Jan 30, 2009
I am trying to implement login validation using C# 2005 in an ASP.NET 2.0 web application. The SQL Server database contains a table named "UserList" with columns LoginId, Password and Role. The Login webform should authenticate the LoginId and password and, depending on the Role assigned to that user/visitor, redirect to a specific webform with pre-defined menu options. The role might be Admin, DEO, Accounts or Member. How should I implement it? I have tried the following:

Code:
// namespaces the code-behind needs for these two methods
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI.WebControls;

protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
{
    try
    {
        string uname = Login1.UserName.Trim();
        string password = Login1.Password.Trim();

        // 0 = login failed, 1..4 = role code assigned by AuthenticateUser
        int flag = AuthenticateUser(uname, password);

        if (flag == 1)
        {
            e.Authenticated = true;
            Login1.DestinationPageUrl = "~/MenuAdmin.aspx";
        }
        else if (flag == 2)
        {
            e.Authenticated = true;
            Login1.DestinationPageUrl = "~/MenuDEO.aspx";
        }
        else if (flag == 3)
        {
            e.Authenticated = true;
            Login1.DestinationPageUrl = "~/MenuAccts.aspx";
        }
        else if (flag == 4)
        {
            e.Authenticated = true;
            Login1.DestinationPageUrl = "~/MenuMember.aspx";
        }
        else
        {
            e.Authenticated = false;
        }
    }
    catch (Exception)
    {
        e.Authenticated = false;
    }
}

private int AuthenticateUser(string uname, string password)
{
    int bflag = 0;
    string connString = ConfigurationManager.ConnectionStrings["LoginDemoConnString"].ConnectionString;
    string strSQL = "Select * FROM UserList where ULoginId ='" + uname + "' AND UPassword ='" + password + "'";

    DataTable dt = new DataTable();
    SqlConnection m_conn = null;
    SqlDataAdapter m_dataAdapter;

    try
    {
        m_conn = new SqlConnection(connString);
        m_conn.Open();
        m_dataAdapter = new SqlDataAdapter(strSQL, m_conn);
        m_dataAdapter.Fill(dt);
    }
    catch (Exception)
    {
        // a database error is treated as a failed login
        dt = null;
    }
    finally
    {
        // always release the connection, even when Open() or Fill() threw
        if (m_conn != null)
            m_conn.Close();
    }

    if (dt != null && dt.Rows.Count > 0)
    {
        // column index 3 is taken to be the role column; with SELECT * this
        // depends on the table's column order
        string role = dt.Rows[0][3].ToString();
        if (role == "Administrator")
            bflag = 1;
        else if (role == "DEO")
            bflag = 2;
        else if (role == "Accts")
            bflag = 3;
        else
            bflag = 4;
    }
    return bflag;
}
 

PlausiblyDamp

Administrator
Joined
Sep 4, 2002
Location
Lancashire, UK
If you are using ASP.NET 2.0 then it already has built-in providers for managing users and roles; unless you have an overriding reason to do all the work yourself, using the built-in support will be far easier.

If you are going to do this yourself then you have some issues you need to address:

Firstly the line of code
Code:
 string strSQL = "Select * FROM UserList where ULoginId ='" + uname + "' AND UPassword ='" + password + "'";
leaves you wide open to SQL injection attacks, which in this situation can leave your entire security system worthless. http://www.xtremedotnettalk.com/showthread.php?p=463520#post463520 gives more details on what this means. As a quick check, though, run your application and enter any username and any password at all; however, make sure the password field has
Code:
' OR 1 = 1 --
at the end and notice the login is being bypassed.

Secondly, storing the password in plain text is a big security risk: anyone who can get access to the database (in fact, the first point above means just about anyone can do this) could get a list of usernames and passwords, making the entire system a risk. This could be worse, as often people will use the same password for multiple systems and all of them are now compromised - you really should be storing a hash of the password, not the password itself.
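As an added example (not code from either post), here is a .NET 2.0 C# version of the poster's AuthenticateUser that fixes both points: the login id is sent as a SqlParameter rather than concatenated into the SQL, and the table holds a salted PBKDF2 hash (Rfc2898DeriveBytes, my choice of hash) instead of the password. The column names PwdSalt, PwdHash and URole, the NewSalt helper and the SafeLogin class name are assumptions, not part of the original schema.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
// Hardened login helper (added example, not the thread's code). Assumed schema:
// UserList has ULoginId, PwdSalt (varbinary), PwdHash (varbinary) and URole.
public static class SafeLogin
{
    const int Iterations = 10000;  // PBKDF2 work factor; raise as hardware allows
    const int HashBytes = 32;
    // Random per-user salt, created with the account and whenever the password changes.
    public static byte[] NewSalt()
    {
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);
        return salt;
    }
    // PBKDF2 (Rfc2898DeriveBytes ships with .NET 2.0); only this, never the password, is stored.
    public static byte[] HashPassword(string password, byte[] salt)
    {
        return new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(HashBytes);
    }
    // Compare every byte so timing does not reveal how long the matching prefix was.
    static bool SlowEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    // Returns the user's role, or null when the login fails. The login id travels as a
    // parameter, so input such as ' OR 1 = 1 -- is matched literally, never run as SQL.
    public static string AuthenticateUser(string connString, string uname, string password)
    {
        using (SqlConnection conn = new SqlConnection(connString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT PwdSalt, PwdHash, URole FROM UserList WHERE ULoginId = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.NVarChar, 50).Value = uname;
            conn.Open();
            using (SqlDataReader rdr = cmd.ExecuteReader())
            {
                if (!rdr.Read()) return null;  // unknown user: same answer as a wrong password
                bool ok = SlowEquals((byte[])rdr["PwdHash"],
                                     HashPassword(password, (byte[])rdr["PwdSalt"]));
                return ok ? rdr["URole"].ToString() : null;
            }
        }
    }
}
```

The returned role string ("Administrator", "DEO", "Accts" or anything else) plugs straight into the page-selection branches of the poster's Login1_Authenticate, with null meaning e.Authenticated = false.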
 