Putting a hole into forms authentication?

[harrismax]

My application uses forms authentication. On the sign-in page is a form (with takes a username, a password, and has a button [SignUp]) that allows for the creation of new user accounts

I'm trying to get it so that when the SignUp (not SignIn) button is clicked, a user account is created in the database, and the forms authentication stuff is taken care of, so that I can redirect a user to another page (CustomerInfo.aspx) so they can continue filling out their account information

The problem is that I can't figure out how to get past the forms authentication mechanism so that new users get to the the other page (CustomerInfo.aspx)

private void SignUpButton_Click(object sender, System.EventArgs e
{
string SqlStatement = "INSERT INTO Customers (UserName, Password) VALUES ('" + SignUpUserName.Text.Trim() + "', '" + SignUpPassword.Text.Trim()+ "')"

SqlConnection Connection = new SqlConnection("server=*********; database=********; Trusted_Connection=SSPI")
SqlCommand Command = new SqlCommand(SqlStatement, Connection)
SqlDataReader Reader = null

Connection.Open()
Reader = Command.ExecuteReader()
while(Reader.Read()

if (Int32.Parse(Reader[0].ToString()) >= 1

SignUpError.Text = "<p><b>Signup successful.</b></p>"

SetCookie(SignUpUserName.Text.Trim(), SignUpPassword.Text.Trim(), "NEWUSR")
// can't authenticate here - I have tried several methods
Server.Transfer("CustomerInfo.aspx")

els

SignUpError.Text = "<p><b>Signup failed.</b></p>"
return


Connection.Close();

 

[Mary Chipman]

You probably don't want to use that technique even if you could get it
to work, since it would leave you vulnerable to SQL injection attacks.
Here are some good resources that will help you set up forms
authentication safely:
http://www.microsoft.com/downloads/release.asp?ReleaseID=44047
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/openhack.asp

-- Mary
MCW Technologies
http://www.mcwtech.com