[英]How do I prevent a web form from being accessed by manually typing the aspx file name into the browser?
I have created a Login page that is only for admins (so there is no need to check if the user is admin or not). 我创建了一个仅适用于管理员的登录页面(因此,无需检查用户是否为管理员)。 The page does the check against a database where the username and password is stored.
该页面将对存储用户名和密码的数据库进行检查。 I am able to successfully check the name/password against the database and then transfer the user to the admin page, however, I noticed that I can still type http://localhost:xxxxx/AdminPage and it will take me there.
我能够针对数据库成功检查名称/密码,然后将用户转移到管理页面,但是,我注意到我仍然可以键入http:// localhost:xxxxx / AdminPage ,它将带我到那里。 How do I stop people from doing this?
如何阻止人们这样做? I have tried adding
我尝试添加
<authorization><deny users="?"/></authorization>
to the web.config file, which stops all anonymous users from entering, but now I need to know how to allow users from the database to be given permission. 到web.config文件,该文件阻止所有匿名用户进入,但是现在我需要知道如何允许数据库中的用户获得权限。 (NOTE: this is not a normal Login to Default setup. This is directing to a page other than Default)
(注意:这不是正常的“默认登录”设置。这将指向“默认”以外的页面)
You can user role based authorization described here . 您可以在此处描述基于用户角色的授权。 If you use default ASP role system, you need to add some code to web.config:
如果使用默认的ASP角色系统,则需要向web.config中添加一些代码:
<location path="your_page" >
<system.web>
<authorization>
<deny users="?"/>
<allow roles="Admin"/>
</authorization>
</system.web>
</location>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.