Having some trouble with my ASP.net website;
when i goto my website i can log in, fine. However when i goto the first address of a page i can bypass my login.
www.123.com <-- login fine directs me to --> www.123.com/Memebers/members.aspx but if i go straight to www.123.com/Memebers/members.aspx i can bypass the login altogether.
What i want it to do is redirect to the login page if someone tries to go to a direct link missing out the login altogether, i can see this being very insecure
Here is my LoginPage code;
<asp:Login ID="LoginControl" runat="server"
OnAuthenticate="LoginControl_Authenticate">
<asp:TextBox Placeholder="UserName" ID="UserName" runat="server" OnTextChanged="UserName_TextChanged" CssClass="input">
</asp:TextBox>
<asp:RequiredFieldValidator ID="UserNameRequired" runat="server" ControlToValidate="UserName" ErrorMessage="User Name is required." ToolTip="User Name is required." ValidationGroup="LoginControl">
</asp:RequiredFieldValidator>
<asp:TextBox Placeholder="Password" ID="Password" runat="server" TextMode="Password" CssClass="input">
</asp:TextBox>
<asp:RequiredFieldValidator ID="PasswordRequired" runat="server" ControlToValidate="Password" ErrorMessage="Password is required." ToolTip="Password is required." ValidationGroup="LoginControl">
</asp:RequiredFieldValidator>
<asp:Literal ID="FailureText" runat="server" EnableViewState="False">
</asp:Literal>
<asp:Button ID="LoginButton" runat="server" CommandName="Login" Text="Log In" ValidationGroup="LoginControl" CssClass="Lbutton" />
</asp:Login>
BackEnd to LoginPage:
protected void Page_Load(object sender, EventArgs e)
{
}
protected void LoginControl_Authenticate(object sender, AuthenticateEventArgs e)
{
bool authenticated = this.ValidateCredentials(LoginControl.UserName, LoginControl.Password);
if (authenticated)
{
FormsAuthentication.RedirectFromLoginPage(LoginControl.UserName, LoginControl.RememberMeSet);
}
}
public bool IsAlphaNumeric(string text)
{
return Regex.IsMatch(text, "^[a-zA-Z0-9]+$");
}
private bool ValidateCredentials(string userName, string password)
{
bool returnValue = false;
if (this.IsAlphaNumeric(userName) && userName.Length <= 50 && password.Length <= 50)
{
SqlConnection conn = null;
try
{
string sql = "select count(*) from dbo.Users where UserName = @username and password = @password";
conn = new SqlConnection(ConfigurationManager.ConnectionStrings["MembershipSiteConStr"].ConnectionString);
SqlCommand cmd = new SqlCommand(sql, conn);
SqlParameter user = new SqlParameter();
user.ParameterName = "@username";
user.Value = userName.Trim();
cmd.Parameters.Add(user);
SqlParameter pass = new SqlParameter();
pass.ParameterName = "@password";
//pass.Value = Hasher.HashString(password.Trim());
pass.Value = password.Trim();
cmd.Parameters.Add(pass);
conn.Open();
int count = (int)cmd.ExecuteScalar();
if (count > 0) returnValue = true;
}
Here is some of my Web.config located in root dir;
<connectionStrings>
<add name="MembershipSiteConStr" connectionString="Data Source=MYIPADDRESS;Initial Catalog=MembershipSite;User ID=123;Password=123" providerName="System.Data.SqlClient" />
<authentication mode="Forms">
<forms defaultUrl="~/members/member.aspx" loginUrl="~/login.aspx" slidingExpiration="true" timeout="20"></forms>
</authentication>
This web.config is located in my ~Members/ Folder;
<authorization>
<deny users="?"/>
</authorization>
this is the backend to my Memebers.aspx
Just some button clicks nothing else.
