Login via roles

Question
User-1767698477 posted
I have spent hours reading articles on this. Scott Mitchell explains membership with his Security Tutorials article. I did all this and I'm trying to get his code to redirect based on the ROLE of the user. I'm able to get the redirection, with the following:
    Partial Class Login
        Inherits System.Web.UI.Page

        Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
            If Not Page.IsPostBack Then
                If Request.IsAuthenticated AndAlso Not String.IsNullOrEmpty(Request.QueryString("ReturnUrl")) Then
                    ' This is an unauthorized, authenticated request...
                    Response.Redirect("~/UnauthorizedAccess.aspx")
                    If Request.IsAuthenticated AndAlso Roles.IsUserInRole("Originator") = True Then
                        Dim originator As Boolean = Roles.IsUserInRole("Originator")
                        Response.Redirect("~/users/Default.aspx")
                        Dim processor As Boolean = Roles.IsUserInRole("Processor") = True
                    ElseIf Request.IsAuthenticated AndAlso Roles.IsUserInRole("Processor") = True Then
                        Response.Redirect("~/users2/default.aspx")
                    End If
                End If
            End If
        End Sub

        'Protected Sub LoginButton_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles LoginButton.Click
        '    ' Validate the user against the Membership framework user store
        '    If Membership.ValidateUser(UserName.Text, Password.Text) Then
        '        ' Log the user into the site
        '        FormsAuthentication.RedirectFromLoginPage(UserName.Text, RememberMe.Checked)
        '    End If
        '
        '    ' If we reach here, the user's credentials were invalid
        '    InvalidCredentialsMessage.Visible = True
        'End Sub

        Protected Sub myLogin_Authenticate(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.AuthenticateEventArgs) Handles myLogin.Authenticate
            ' Get the email address entered
            Dim EmailTextBox As TextBox = CType(myLogin.FindControl("Email"), TextBox)
            Dim email As String = EmailTextBox.Text.Trim()

            ' Verify that the username/password pair is valid
            If Membership.ValidateUser(myLogin.UserName, myLogin.Password) Then
                If Roles.IsUserInRole(myLogin.UserName, "Originator") Then
                    Response.Redirect("~/users/default.aspx")
                ElseIf Roles.IsUserInRole(myLogin.UserName, "Processor") Then
                    Response.Redirect("~/users2/default.aspx")
                    ' Username/password are valid, check email
                    ' Dim usrInfo As MembershipUser = Membership.GetUser(myLogin.UserName)
                    'If usrInfo IsNot Nothing AndAlso String.Compare(usrInfo.Email, email, True) = 0 Then
                    ' Email matches, the credentials are valid
                    e.Authenticated = True
                Else
                    ' Email address is invalid...
                    e.Authenticated = False
                End If
                ' Else
                ' Username/password are not valid...
                e.Authenticated = False
            End If
        End Sub

        Protected Sub myLogin_LoginError(ByVal sender As Object, ByVal e As System.EventArgs) Handles myLogin.LoginError
            ' Determine why the user could not login...
            myLogin.FailureText = "Your login attempt was not successful. Please try again."

            ' Does there exist a User account for this user?
            Dim usrInfo As MembershipUser = Membership.GetUser(myLogin.UserName)
            If usrInfo IsNot Nothing Then
                ' Is this user locked out?
                If usrInfo.IsLockedOut Then
                    myLogin.FailureText = "Your account has been locked out because of too many invalid login attempts. Please contact the administrator to have your account unlocked."
                ElseIf Not usrInfo.IsApproved Then
                    myLogin.FailureText = "Your account has not yet been approved. You cannot login until an administrator has approved your account."
                End If
            End If
        End Sub
    End Class

And I have the following in the /users folder and /users2 folder.
    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
        <system.web>
            <authorization>
                <allow roles="Originator" />
            </authorization>
        </system.web>
    </configuration>

Users2 folder
    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
        <system.web>
            <authorization>
                <allow roles="Processor" />
            </authorization>
        </system.web>
    </configuration>

I tried adding <deny users="*" /> right below the allow roles="Processor" and I would NOT get directed into the folder.
So leaving things as they are without the <deny users="*" /> I can get into the folder and the system seems to recognize the user has the role, but if I go into my browser url window and remove the 2 from users2 and try to go into just /users, it lets me in!!! It's not supposed to do that....
So why is this happening?
Besides this issue, I have a separate Siteuser table in which I store the user name password and about 20 other fields including the active boolean field. This user doesn't get activated until the user clicks a link in the activation email that he receives. How should I integrate my existing Siteuser table with these membership and roles tables? I have spent lots of time coding my site. I really don't want to say that my table is "obsolete" because I'm using this sqlmembership thing. It should be able to work alongside my existing db.
Also, Scott Mitchell in his tutorial checks the email address. Why does he do this? In about 99 out of 100 websites which require authentication, it's just a username and password to login. I understand that it is added security but actually I think that might frustrate people to have to enter 3 pieces of information to login. Does anyone agree with me?
Monday, May 4, 2020 1:27 AM
Answers
User-943250815 posted
In Page_Load try this way
    If Not Page.IsPostBack Then
        If Request.IsAuthenticated AndAlso Not String.IsNullOrEmpty(Request.QueryString("ReturnUrl")) Then
            If Request.IsAuthenticated AndAlso Roles.IsUserInRole("Originator") = True Then
                Dim originator As Boolean = Roles.IsUserInRole("Originator")
                Response.Redirect("~/users/Default.aspx")
                Dim processor As Boolean = Roles.IsUserInRole("Processor") = True
            ElseIf Request.IsAuthenticated AndAlso Roles.IsUserInRole("Processor") = True Then
                Response.Redirect("~/users2/default.aspx")
            End If
        Else
            ' This is an unauthorized, authenticated request...
            Response.Redirect("~/UnauthorizedAccess.aspx")
        End If
    End If
In web.config, place back <deny users="*" />
As the 3rd note in https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/roles/role-based-authorization-cs says:
"If your URL authorization rules do not include a <deny> element, all users will be granted access."
Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Monday, May 4, 2020 3:39 PM
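To see why the Processor user gets into /users, here is an added Python model (not code from the question, the answer, or ASP.NET itself) of how the UrlAuthorizationModule walks the <authorization> rules: the first matching rule wins, and a request that matches nothing falls through to the machine-level allow for everyone. The web.config strings are constructed from the question's fragments, the user names are made up, and the third config shows the same two rules in the wrong order.

```python
import xml.etree.ElementTree as ET

# web.config fragments constructed from the question: the questioner's /users
# rules (allow only), the corrected form the answer recommends, and the same
# two rules in the wrong order.
WEAK = ('<configuration><system.web><authorization>'
        '<allow roles="Originator" /></authorization></system.web></configuration>')
FIXED = ('<configuration><system.web><authorization><allow roles="Originator" />'
         '<deny users="*" /></authorization></system.web></configuration>')
MISORDERED = ('<configuration><system.web><authorization><deny users="*" />'
              '<allow roles="Originator" /></authorization></system.web></configuration>')

def parse_rules(config_xml):
    """Return every <allow>/<deny> rule in document order as (verb, kind, values)."""
    rules = []
    for elem in ET.fromstring(config_xml).iter():
        if elem.tag in ("allow", "deny"):
            for kind in ("users", "roles"):
                if kind in elem.attrib:
                    values = [v.strip() for v in elem.attrib[kind].split(",")]
                    rules.append((elem.tag, kind, values))
    return rules

def rule_matches(rule, user, roles):
    """user is None for an anonymous request; '*' is everyone, '?' is anonymous."""
    _, kind, values = rule
    authenticated = user is not None
    if kind == "roles":
        held = {r.lower() for r in roles} if authenticated else set()
        return any(v.lower() in held for v in values)
    return any(v == "*" or (v == "?" and not authenticated)
               or (authenticated and v.lower() == user.lower()) for v in values)

def is_authorized(config_xml, user, roles=()):
    """Model of UrlAuthorizationModule: rules are walked top to bottom and the
    first match decides. With no match, the machine-level config's trailing
    <allow users="*" /> applies, so the request is allowed."""
    for rule in parse_rules(config_xml):
        if rule_matches(rule, user, roles):
            return rule[0] == "allow"
    return True

if __name__ == "__main__":
    # A Processor who edits the URL from /users2 to /users, as in the question.
    print(is_authorized(WEAK, "proc1", ["Processor"]))   # True: let in
    print(is_authorized(FIXED, "proc1", ["Processor"]))  # False: denied
```

The same first-match rule is why the deny must sit below the allow: with MISORDERED even an Originator is turned away.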