Invalid users logging in. Memership services. asp.net

Question

I have a default page which has the login control, this page is in the main directory. Then I have a bunch of pages that I only want viewable to people that have logged in a "MemberPages" directory. My problem is when I click on login button on the default page, using a username and pass that is not in the DB, it still takes me to all my member pages

I went through the asp.net config and set the "MemberPages directory to deny all not auth users. But it still has the faded one that is inherited from the main that allows all and cant be changed (maybe that is the problem? But I can't delete it) What else? Thanks

Here is my web.config from the MemberPages directory.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.web>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
</configuration>

Here is my main web.config.

<configuration>

  <connectionStrings>
    <add name="LoginSQL" providerName="System.Data.SqlClient"
         connectionString="Data Source=xx.xx.xx.xx;Initial Catalog=xxxx;UID=xxxxxxx ;pwd=xxxxx;"/>
  </connectionStrings>

  <system.web>
    <compilation debug="true" targetFramework="4.0"/>

    <authentication mode="Forms">
      <forms name="Login" loginUrl="Default.aspx" timeout="20" />
    </authentication>


    <membership>
      <providers>
        <add connectionStringName="LoginSQL" applicationName="Login"
          enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true"
          requiresUniqueEmail="true" passwordFormat="Hashed" maxInvalidPasswordAttempts="3"
          passwordAttemptWindow="30" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0"
          name="MySqlLoginProvider" type="System.Web.Security.SqlMembershipProvider" />
      </providers>
    </membership>


    <profile>
      <providers>
        <clear/>
        <add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/"/>
      </providers>
    </profile>

    <roleManager cacheRolesInCookie="true" cookieName=".ASPRoles"
      cookieTimeout="60">
      <providers>
        <add connectionStringName="LoginSQL" applicationName="Login"
          name="MyRoleProvider" type="System.Web.Security.SqlRoleProvider" />
      </providers>
    </roleManager>

  </system.web>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>
</configuration>

Answer 1

"My problem is when I click on login button on the default page, using a username and pass that is not in the DB, it still takes me to all my member pages."

From your statement above, it is clear that you are not validating user logins correctly . If the user/password does not exist, your code should not redirect the user away from the login page at all.

Check your code around the login click event handler. You should have something like this:

protected void btnLogin_Click(object sender, EventArgs e)
{
    if (Membership.ValidateUser(txtUserName.Text, txtPassword.Text))
    {
        FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, true);
    }
    else
    {
        txtLoginFailedMsg.Text = "Login failed. Please check your user name and password and try again.";
    }
}

Answer 2

I am not sure if this works, but the way I have it in my code is as follows:

<location path="~path\LoginPage">  
 <system.web>
  <authorization>
   <allow roles="*"/>  
  </authorization>  
 </system.web>    
</location>  
<location path="~\path\MemberPages">  
 <system.web>
  <authorization>  
   <allow roles="auth user"/>  
   <deny users="*"/>  
  </authorization>  
 </system.web>    
</location>  

This way it allows anyone to access loginPage but only the users with roles "auth users" to access the pages in MemberPages
I set the user roles in Roles.vb file in App_code folder.

Hope this helps.