Best practice for login screen using database

Discussion in 'ASP .Net Security' started by Carlos, Feb 18, 2005.

  1. Carlos

    Carlos Guest

    I have a C# ASP.NET app that checks if the user exists in a USERS table. That
    part is OK, but now I need to pass the user ID to the next page because I
    need to do some database queries with that user ID. I'm passing the values
    as:
    Context.Items.Add("UserID",TempUserID);
    Context.Items.Add("VerifyString","OkPEV");
    Server.Transfer("timesheet.aspx", true);

    Now my problem is that in the timesheet.aspx page the UserID comes through
    fine the first time, but if I refresh or add a record to my timesheet
    database I lose the UserID.

    So is there any way to keep that variable in memory while the session is
    open?

    Thanks
     
    Carlos, Feb 18, 2005
    #1

  2. Hi
    I see there is some problem with the logic you have chosen to adopt. If you
    pass the user ID through context variables, there is every possibility that
    a potential hacker could do the same; he just needs to know the context keys
    you have chosen to use.

    Instead, I would suggest you use a different approach, where every page that
    needs the user to be signed in should look to a common function, which will
    return the user ID. For this to happen, you can design all your code-behind
    classes to inherit from a single base class, extending System.Web.UI.Page.
    And in the Page_Load events of all the pages, call the base class method, say
    base.CheckIfUserIsSignedIn();

    And in this base class method, write code in such a way that it will check if
    the user is signed in, based on some cookie value (I guess cookies are
    allowed), or you can use session variables. The first time, when the user is
    shown a log-in form, s/he will be prompted to enter the credentials. Once
    validated, you can store the user-id token in a cookie or have it in session.
    The same can be used wherever required. Checking for signed in on each page
    is to ensure no one can bypass the sign-in form and directly land on some
    transaction form.

    The CheckIfUserIsSignedIn() method should redirect the user to a sign-in form
    or access-denied form if it finds out that the user is not signed in.

    Hope this solves your problem too.
    Let me know if this has helped you in any way.
    Ramjee
     
    Ramjee Tanguturi, Feb 18, 2005
    #2
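The base-class approach described in the reply above, as an added example that is not part of the original thread. It assumes ASP.NET Web Forms with session state enabled and an integer user ID; `AuthenticatedPage`, `SignIn`, `CurrentUserId` and `Login.aspx` are hypothetical names, and the check runs from `OnLoad` rather than from each page's `Page_Load` so a page cannot forget to call it.

```csharp
// Added example (not from the thread). Assumes ASP.NET Web Forms with
// session state enabled; Login.aspx and the "UserID" key are hypothetical.
using System;
using System.Web.UI;

// Every page that requires a signed-in user inherits from this class.
public class AuthenticatedPage : Page
{
    private const string UserIdKey = "UserID";

    // The user ID recorded at sign-in; read it only after the check has passed.
    protected int CurrentUserId
    {
        get { return (int)Session[UserIdKey]; }
    }

    // Control.OnLoad raises the Load event, so this check runs before the
    // derived page's Page_Load handler.
    protected override void OnLoad(EventArgs e)
    {
        CheckIfUserIsSignedIn();
        base.OnLoad(e);
    }

    protected void CheckIfUserIsSignedIn()
    {
        if (!(Session[UserIdKey] is int))
        {
            // endResponse: true ends the request so no protected content renders.
            Response.Redirect("Login.aspx", true);
        }
    }

    // Called by the login page only after the credentials have been validated.
    public static void SignIn(Page page, int userId)
    {
        page.Session[UserIdKey] = userId;
    }
}

// timesheet.aspx code-behind: the ID is read from server-side session state on
// every request, so it survives refreshes and postbacks.
public partial class Timesheet : AuthenticatedPage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        int userId = CurrentUserId;  // pass as a parameter to timesheet queries
    }
}
```

With session state, the browser holds only the session cookie; the user ID itself stays on the server and is never read from request input.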

  3. Carlos

    Garry Guest

    I am using a VB.NET app which uses the login component. I want to check the
    user ID & password entered against a user table in my SQL Server database. I
    do not know how to do this. Can you help me, or show me a code example?

    thanks

    garry
     
    Garry, Mar 28, 2006
    #3
