locked
Modify session variable based on type of user that has connected RRS feed

  • Question

  • User301392333 posted

    Hello!

    I have two tables Owners and Users. There can be two type of users for my website: owner or simple user, but the owner is still a user. Therefore, I have the UserID primary key from the "Users" table as a foreign key in the "Owners" table. When I connect to the website, I want certain pages to appear for a simple user, and other to appear for the owner. I am trying to do this by setting a Session variable "role" to "user" or "owner", but it doesn't work. How can I set the "role" to "owner" by checking if the user that has logged in can be found in the "owners" table?

    My code is:

    protected void Button1_Click(object sender, EventArgs e)
            {
                try
                {
                    SqlConnection con = new SqlConnection(strcon);
                    if (con.State == ConnectionState.Closed)
                    {
                        con.Open();
                    }
    
                    SqlCommand cmd = new SqlCommand("SELECT * FROM Users WHERE Username = '" + TextBox1.Text.Trim() + "' " +
                        "AND Password = '"+ TextBox2.Text.Trim() +"'", con);
    
                    SqlDataReader dr = cmd.ExecuteReader();
    
                    if (dr.HasRows)
                    {
                        while(dr.Read())
                        {
                            SqlCommand cmd1 = new SqlCommand("SELECT * FROM Owners WHERE (UserID='" + dr.GetValue(0) + "')");
                            SqlDataReader propr = cmd1.ExecuteReader();
                            Response.Write("<script>alert('Connected!');</script>");
    Session["username"] = dr.GetValue(2).ToString(); if(propr.HasRows) { Session["role"] = "owner"; } else { Session["role"] = "user"; } } Response.Redirect("homepage.aspx"); } else { Response.Write("<script>alert('Invalid user!');</script>"); } } catch(Exception ex) { Response.Write("<script>alert('" + ex.Message + "'); </script>"); } }

    Monday, November 23, 2020 3:15 PM

Answers

  • User-939850651 posted

    Hi ioanas14,

    SqlCommand cmd1 = new SqlCommand("SELECT * FROM Owners WHERE (UserID='" + dr.GetValue(0) + "')");
    SqlDataReader propr = cmd1.ExecuteReader();
    Response.Write("<script>alert('Connected!');</script>");
    
    Session["username"] = dr.GetValue(2).ToString();
    if(propr.HasRows)
    {
     Session["role"] = "owner";
    }
    else
    {
     Session["role"] = "user";
    }

    Based on the code you currently provide and the previous thread, you seem to save all users to the Owner table. So how do you judge whether a logged-in user is a normal user or an owner? In the current situation, if the login is successful, then the role must be the owner. Therefore, I am confused about your purpose.

    In addition, what is the problem with your current code execution, could you provide more details?

    Best regards,

    Xudong Peng

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, November 24, 2020 2:25 AM
  • User-821857111 posted

    SqlCommand cmd = new SqlCommand("SELECT * FROM Users WHERE Username = '" + TextBox1.Text.Trim() + "' " +
                        "AND Password = '"+ TextBox2.Text.Trim() +"'", con);

    This is very dangerous. Anyone can log into your application by entering ' or ''=' into both textboxes. It's called SQL Injection: https://www.mikesdotnetting.com/article/113/preventing-sql-injection-in-asp-net

    Also, using Session to store authentication state is poor practice. You should use FormsAuthentication cookies and profiles.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, November 24, 2020 8:22 AM

All replies

  • User-1716253493 posted

    Try this

    SELECT USERID, USERNAME FROM USERS instead of SELECT * FROM USERS

    Monday, November 23, 2020 4:19 PM
  • User-939850651 posted

    Hi ioanas14,

    SqlCommand cmd1 = new SqlCommand("SELECT * FROM Owners WHERE (UserID='" + dr.GetValue(0) + "')");
    SqlDataReader propr = cmd1.ExecuteReader();
    Response.Write("<script>alert('Connected!');</script>");
    
    Session["username"] = dr.GetValue(2).ToString();
    if(propr.HasRows)
    {
     Session["role"] = "owner";
    }
    else
    {
     Session["role"] = "user";
    }

    Based on the code you currently provide and the previous thread, you seem to save all users to the Owner table. So how do you judge whether a logged-in user is a normal user or an owner? In the current situation, if the login is successful, then the role must be the owner. Therefore, I am confused about your purpose.

    In addition, what is the problem with your current code execution, could you provide more details?

    Best regards,

    Xudong Peng

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, November 24, 2020 2:25 AM
  • User-821857111 posted

    SqlCommand cmd = new SqlCommand("SELECT * FROM Users WHERE Username = '" + TextBox1.Text.Trim() + "' " +
                        "AND Password = '"+ TextBox2.Text.Trim() +"'", con);

    This is very dangerous. Anyone can log into your application by entering ' or ''=' into both textboxes. It's called SQL Injection: https://www.mikesdotnetting.com/article/113/preventing-sql-injection-in-asp-net

    Also, using Session to store authentication state is poor practice. You should use FormsAuthentication cookies and profiles.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, November 24, 2020 8:22 AM