
ASP.Net Login Authentication

Having some trouble with my ASP.net website.

When I go to my website I can log in fine. However, when I go to the first address of a page I can bypass my login.

www.123.com <-- login fine, directs me to --> www.123.com/Memebers/members.aspx, but if I go straight to www.123.com/Memebers/members.aspx I can bypass the login altogether.

What I want it to do is redirect to the login page if someone tries to go to a direct link, missing out the login altogether; I can see this being very insecure.

Here is my LoginPage code:

<asp:Login ID="LoginControl" runat="server"
        OnAuthenticate="LoginControl_Authenticate">
                <asp:TextBox Placeholder="UserName" ID="UserName" runat="server" OnTextChanged="UserName_TextChanged" CssClass="input">
                </asp:TextBox>
                <asp:RequiredFieldValidator ID="UserNameRequired" runat="server" ControlToValidate="UserName" ErrorMessage="User Name is required." ToolTip="User Name is required." ValidationGroup="LoginControl">

                </asp:RequiredFieldValidator>
                <asp:TextBox Placeholder="Password" ID="Password" runat="server" TextMode="Password" CssClass="input">
                </asp:TextBox>
                <asp:RequiredFieldValidator ID="PasswordRequired" runat="server" ControlToValidate="Password" ErrorMessage="Password is required." ToolTip="Password is required." ValidationGroup="LoginControl">

                </asp:RequiredFieldValidator>

                <asp:Literal ID="FailureText" runat="server" EnableViewState="False">
                </asp:Literal>
                <asp:Button ID="LoginButton" runat="server" CommandName="Login" Text="Log In" ValidationGroup="LoginControl" CssClass="Lbutton" />
    </asp:Login>

Back end to LoginPage:

    using System;
    using System.Configuration;
    using System.Data.SqlClient;
    using System.Text.RegularExpressions;
    using System.Web.Security;

    protected void Page_Load(object sender, EventArgs e)
    {
    }

    protected void LoginControl_Authenticate(object sender, AuthenticateEventArgs e)
    {
        bool authenticated = this.ValidateCredentials(LoginControl.UserName, LoginControl.Password);

        if (authenticated)
        {
            // Issues the forms-auth ticket cookie and redirects to ReturnUrl (or defaultUrl).
            FormsAuthentication.RedirectFromLoginPage(LoginControl.UserName, LoginControl.RememberMeSet);
        }
    }

    public bool IsAlphaNumeric(string text)
    {
        return Regex.IsMatch(text, "^[a-zA-Z0-9]+$");
    }

    private bool ValidateCredentials(string userName, string password)
    {
        bool returnValue = false;

        if (this.IsAlphaNumeric(userName) && userName.Length <= 50 && password.Length <= 50)
        {
            SqlConnection conn = null;

            try
            {
                string sql = "select count(*) from dbo.Users where UserName = @username and password = @password";

                conn = new SqlConnection(ConfigurationManager.ConnectionStrings["MembershipSiteConStr"].ConnectionString);
                SqlCommand cmd = new SqlCommand(sql, conn);

                SqlParameter user = new SqlParameter();
                user.ParameterName = "@username";
                user.Value = userName.Trim();
                cmd.Parameters.Add(user);

                SqlParameter pass = new SqlParameter();
                pass.ParameterName = "@password";
                // The hashing line is commented out in the posted code, so the password
                // is compared against the stored value in plaintext.
                //pass.Value = Hasher.HashString(password.Trim());
                pass.Value = password.Trim();
                cmd.Parameters.Add(pass);

                conn.Open();

                int count = (int)cmd.ExecuteScalar();

                if (count > 0) returnValue = true;
            }
            finally
            {
                // The posted snippet was cut off here; release the connection on every path.
                if (conn != null) conn.Close();
            }
        }

        return returnValue;
    }

Here is some of my Web.config, located in the root dir:

  <connectionStrings>
    <add name="MembershipSiteConStr" connectionString="Data Source=MYIPADDRESS;Initial Catalog=MembershipSite;User ID=123;Password=123" providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <authentication mode="Forms">
      <forms defaultUrl="~/members/member.aspx" loginUrl="~/login.aspx" slidingExpiration="true" timeout="20"></forms>
    </authentication>
  </system.web>

This web.config is located in my ~/Members/ folder:

  <?xml version="1.0"?>
  <configuration>
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </configuration>

This is the back end to my Memebers.aspx:

Just some button clicks, nothing else.

If the user is already authenticated (the request has the valid auth cookie) then he can open any page that allows authenticated users, and this is what I think you did.

Try to add a logout button on your member page, log out, and test it again (to remove the auth cookie).

You could also use another browser or remove the cookies from the browser and try to access the member page again without going to the login page, and you will see the redirection is working fine.
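A quick way to confirm what the answer above describes (that the redirect only appears when the request carries no auth cookie) is to request the member page from a client that holds no cookies and inspect the raw response instead of following the redirect. The script below is an added example, not code from the question, the answer or ASP.NET itself; it assumes the member page URL from the question (www.123.com/Memebers/members.aspx) and the loginUrl from the posted root web.config (~/login.aspx), both of which should be replaced with your own. Point it at the exact path the site serves: a web.config inside a folder only governs that folder, and the question spells the folder both "Memebers" (in the URLs) and "Members" (where the authorization web.config lives). A page gated by forms authentication answers an anonymous request with a 302 to loginUrl carrying ReturnUrl=<requested page>; a 200 means the page was served without any login.

```python
"""Added example (not code from the question or answer): probe a page that
should be gated by ASP.NET Forms Authentication with a cookie-less request.

Assumptions: the member page and login URL are the ones from the question
(www.123.com/Memebers/members.aspx, ~/login.aspx); replace them with yours.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlparse


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx responses so the Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers, login_path="/login.aspx"):
    """Interpret one response to an anonymous request for a protected page.

    Forms authentication answers a denied anonymous request with a 302 to
    loginUrl carrying ReturnUrl=<requested page>. Returns:
      'protected' : redirected to the login page with a ReturnUrl
      'exposed'   : 200, the page was served without authentication
      'other'     : anything else (404, redirect elsewhere, server error)
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        return "exposed"
    if status in (301, 302, 303, 307, 308):
        target = urlparse(hdrs.get("location", ""))
        query_keys = {k.lower() for k in parse_qs(target.query)}
        if target.path.lower().endswith(login_path.lower()) and "returnurl" in query_keys:
            return "protected"
    return "other"


def fetch_anonymous(url, timeout=10):
    """GET url with no cookies; return (status, headers) without following redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "forms-auth-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        # urllib surfaces the unfollowed 302 (and any 4xx/5xx) as HTTPError.
        return err.code, dict(err.headers)


def check_page(url, login_path="/login.aspx"):
    """Fetch url anonymously and classify the result."""
    status, headers = fetch_anonymous(url)
    return classify(status, headers, login_path)


if __name__ == "__main__":
    # Default target is the (assumed) URL from the question; pass your own as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "http://www.123.com/Memebers/members.aspx"
    print(target, "->", check_page(target))
```

Run it once from a shell that has never logged in (no cookie jar is used, so a prior browser session cannot leak in). "protected" reproduces the redirect the answer says you will see after clearing cookies; "exposed" means the folder-level `<deny users="?"/>` is not being applied to the path you requested.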
