I am creating a CMS and have a section where the user can create, edit, and delete users. The information is generated from the database, where I have made a table with user_id, user_name, and user_password. This means I do not want to use the automatically generated database tables that VS gives you for log ins.
With this I am trying to develop a basic log in, but I am having trouble understanding the process.
This is my web.config for the whole application:

    <?xml version="1.0"?>
    <configuration>
      <connectionStrings>
        <add name="websitecontent" connectionString="uid=aaa;pwd=aaa;initial catalog=aaa;data source=.\sqlexpress"/>
      </connectionStrings>
      <system.web>
        <compilation debug="true" targetFramework="4.0"/>
        <authentication mode="Forms">
          <forms loginUrl="~/tools/default.aspx" timeout="2880"/>
        </authentication>
      </system.web>
    </configuration>

The web.config for the login:

    <?xml version="1.0"?>
    <configuration>
      <location path="default.aspx">
        <system.web>
          <authorization>
            <allow users="*"/>
          </authorization>
        </system.web>
      </location>
      <system.web>
        <authorization>
          <deny users="?"/>
        </authorization>
      </system.web>
    </configuration>

This is my log in on the front end:

    <asp:Login ID="Login1" runat="server" CssClass="loginsec" TextLayout="TextOnTop" TitleText="" OnAuthenticate="Login1_Authenticate">
      <LabelStyle CssClass="lbllogin" />
      <TextBoxStyle CssClass="txtlogin" />
    </asp:Login>

The log in on the back end:

    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        string username = Login1.UserName;
        string password = Login1.Password;
        bool rememberUserName = Login1.RememberMeSet;

        using (SqlConnection sqlCon = new SqlConnection(ConfigurationManager.ConnectionStrings["websitecontent"].ConnectionString))
        {
            sqlCon.Open();
            string sql = "select cms_username, cms_password from cms_users where cms_username ='" + username + "' and cms_password ='" + password + "'";
            using (SqlCommand sqlComm = new SqlCommand(sql, sqlCon))
            {
                sqlComm.ExecuteScalar();
                if (sqlComm.ExecuteScalar() != null)
                {
                    Response.Redirect("cms.aspx");
                }
                else
                {
                    Session["userauthentication"] = "";
                }
            }
            sqlCon.Close();
        }
    }

What I have done so far has prevented access to the page cms.aspx, but the log in never redirects to the page.
Any insight would be appreciated!!
I have added the setting of Authenticated, as required by the docs:

    Custom authentication schemes should set the Authenticated property to true to indicate that a user has been authenticated.

More research has led me to the necessity to add this line in your code:

    FormsAuthentication.SetAuthCookie(Login1.UserName, true);

Also, I would try to change the code in such a way that ExecuteScalar returns the count of users with that username and password. In this way ExecuteScalar will never return null, but a value that is 0 if no user exists or 1 if the user exists (I suppose you don't have 2 records with the same user and password).

    using (SqlConnection sqlCon = new SqlConnection(ConfigurationManager.ConnectionStrings["websitecontent"].ConnectionString))
    {
        sqlCon.Open();
        string sql = "select count(*) as loginfound from cms_users " +
                     "where cms_username = @usr and cms_password = @pwd";
        using (SqlCommand sqlComm = new SqlCommand(sql, sqlCon))
        {
            sqlComm.Parameters.AddWithValue("@usr", username);
            sqlComm.Parameters.AddWithValue("@pwd", password);
            int result = (int)sqlComm.ExecuteScalar();
            if (result > 0)
            {
                // In case of success you need to communicate it
                e.Authenticated = true;
                FormsAuthentication.SetAuthCookie(Login1.UserName, true);
                Response.Redirect("~/tools/cms.aspx");
            }
            else
            {
                Session["userauthentication"] = "";
            }
        }
    }

Also, I have removed the string concatenation from your SQL command. This is the right way to pass a string text to the database, particularly if the values come from user input.

EDIT: Of course the cms.aspx page should check if the user has been authenticated, because otherwise one could type the URL of the cms.aspx page directly, bypassing the login control.

So in the Page_Load event of cms.aspx add this code:

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated)
        {
            Response.Redirect("~/tools/default.aspx");
        }
    }
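
An added example, not part of the original question or answer: the queries above compare the submitted password with the cms_password column directly, which only works if passwords are stored as entered. The handler below keeps the parameterized lookup but verifies a salted PBKDF2 hash instead. The columns cms_password_salt and cms_password_hash, the class name ToolsLogin, the iteration count and the parameter size are assumptions, not taken from the page.

```csharp
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.UI.WebControls;

public partial class ToolsLogin : System.Web.UI.Page // hypothetical code-behind class name
{
    private const int Iterations = 100000; // assumed; must equal the value used when the hash was stored

    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        e.Authenticated = false; // fail closed; on true the Login control issues the forms cookie and redirects
        byte[] salt = null, stored = null;
        // Assumed NOT NULL columns: cms_password_salt (16 bytes), cms_password_hash (32 bytes).
        const string sql = "select cms_password_salt, cms_password_hash " +
                           "from cms_users where cms_username = @usr";
        using (SqlConnection con = new SqlConnection(
            ConfigurationManager.ConnectionStrings["websitecontent"].ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.Add("@usr", SqlDbType.NVarChar, 100).Value = Login1.UserName; // size assumed
            con.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
                if (r.Read())
                {
                    salt = (byte[])r["cms_password_salt"];
                    stored = (byte[])r["cms_password_hash"];
                }
        }
        // Unknown user: derive against dummy values so both paths do the same work.
        bool found = salt != null;
        if (!found) { salt = new byte[16]; stored = new byte[32]; }
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(Login1.Password, salt, Iterations))
        {
            // The derivation runs before 'found' is tested, so it is never skipped.
            e.Authenticated = FixedTimeEquals(kdf.GetBytes(stored.Length), stored) && found;
        }
    }

    // Compares every byte so the timing does not depend on where the arrays differ.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The page that creates or edits users has to write the same two columns, using a random 16-byte salt from RNGCryptoServiceProvider and the same iteration count.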