asp.net problem

M

MS News Public

Hi

I have an asp.net 2.0 project and am experiencing a problem.

In the project, I am trying to make use of Membership.

I have one Role, called "Basic User" and two users - "admin" and "test".

"admin" is a member of the Role but "test" is not.

I have only a few pages in the project at the moment: -

.. SecurePage.aspx - The page I want only authenticated users that are
members of the Role to use.

.. Login.aspx - Login page

.. Unauthorized.aspx - Informs user that they cannot view the secure page
because of a lack of permissions

SecurePage.aspx just contains a ChangePassword control.

Unauthorized.aspx has some text and a LoginStatus control.

So in the SecurePage.aspx, I have this code to handle this: -

Protected Sub form1_Load(ByVal sender As Object, ByVal e As
System.EventArgs)

If User.Identity.IsAuthenticated = False Then
Server.Transfer("login.aspx")
End If

If Roles.IsUserInRole("Basic User") = False Then
Server.Transfer("unauthorized.aspx")
End If

End Sub

If I go to the SecurePage and am not authenticated, it transfers me to
login.aspx.

If I then login with the user "admin", which is in the Role "Basic User", it
works ok.

If I first login with "test", which is NOT in the Role, then I am transfered
to the "unauthorized.aspx" page.

Upto this point, this is fine.

However, if I click "Logout" on the LoginStatus control on the
"unauthorized" page it refreshes and changes to display "Login".

So, if I then click "Login", I am taken back to the login page. The URL in
the address bar at this point is: -

http://localhost:1489/Lesson09/login.aspx?ReturnUrl=/unauthorized.aspx

If I then login with using "admin" - which is a member of the Role - this is
where I get a problem.

Instead of being taken to the SecurePage.aspx as expected, I get taken back
to the "unauthorized.aspx" page.

This is obviously wrong.

Now, I know that this should work but does anybody know why it is not
working?

Is there some settings or something I need to change on my PC? Am I missing
a step or not doing something?

I've checked the obvious things - like that the user was actually in the
Role etc.

However, I just cannot get this to work.

I am new to ASP.Net and so I don't really know where to start to look for
what the problem is?

I have gone through re-doing the project twice now and I still get the same
problem.

For info, I am using: -

- Visual Studio .Net 2005 (Professional) (up to date)
- Latest .Net installed
- Windows XP Pro
- Internet Explorer 6 (version 6.0.2900.2180.xpsp_sp2_gdr.050301-1519) SP2

This project is actually from a training video from learnvisualstudio.net
(available also via www.asp.net). It is Lesson 09 on ASP basics. On the
video, this project works fine, but it does not on my PC.

I would very much appreciate any help or advice on this problem.

Thanks in advance.

Kind regards
Darren Brook
email: (e-mail address removed)
 
M

Mark Fitzpatrick

You'll have to do a bit of testing then to determine if the ReturnUrl
parameter is to a spot you want. In the login code, usually what I do is
check to ensure that 1) there is a returnUrl parameter so if not I can
redirect them to a better default spot. 2) if it does exist it doesn't
equal a page that is innappropriate for them to be redirected to (which is
your case). It sounds as if the Logout page is being protected by the login
system. This probably isn't the best way to do it since it causes exactly
this sort of problem. If you have only particular directories secured by
authentication, that can make it a lot easier to show files such as the
logout.aspx without having this login problem (and lets you show the message
that they have successfully logged out). You actually shouldn't have to
bother with any code in the securepage.aspx identifying whether the user is
logged in or not. Create a directory to place your secure pages. Then,
create a web.config for that directory and put the following:

<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</configuration>

This will tell the application that only authenticated users are allowed in
this directory. The deny ? users means anonymous and the allow * users means
authenticated. You could also deny/allow certain roles as well here.
 
D

Darren Brook

Thanks for the reply.

Do you know why the project (which you can download from www.asp.net) works
okay in the training video but not on my PC?

I am totally new to asp.net -> the "ReturnUrl" in the address bar appears
after I click the LoginStatus control on the unauthorized page, when
LoginStatus displays "Login". When I click on it, it takes me back to the
login page and that's when the "ReturnUrl" appears in the address bar. I've
not set it in any properties or coded it etc.

But the "DestinationUrl" for a successful login on the actual login control
is set to the secure page. I do not understand what is happening, why the
project works in the video but not on my PC, nor how it is "supposed" to
work (which is why I am trying to go through these videos!). It is very
frustrating!

Thanks
Darren
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,484
Members
44,903
Latest member
orderPeak8CBDGummies

Latest Threads

Top