
ASP.Net Login Authentication


Having some trouble with my ASP.net website;

When I go to my website I can log in fine. However, when I go directly to the address of a page, I can bypass my login.


www.123.com <-- logging in works and redirects me to --> www.123.com/Memebers/members.aspx, but if I go straight to www.123.com/Memebers/members.aspx I can bypass the login altogether.

What I want it to do is redirect to the login page if someone tries to go to a direct link, skipping the login altogether; I can see this being very insecure.

Here is my LoginPage code:

<asp:Login ID="LoginControl" runat="server"
        OnAuthenticate="LoginControl_Authenticate">
                <asp:TextBox Placeholder="UserName" ID="UserName" runat="server" OnTextChanged="UserName_TextChanged" CssClass="input">
                </asp:TextBox>
                <asp:RequiredFieldValidator ID="UserNameRequired" runat="server" ControlToValidate="UserName" ErrorMessage="User Name is required." ToolTip="User Name is required." ValidationGroup="LoginControl">

                </asp:RequiredFieldValidator>
                <asp:TextBox Placeholder="Password" ID="Password" runat="server" TextMode="Password" CssClass="input">
                </asp:TextBox>
                <asp:RequiredFieldValidator ID="PasswordRequired" runat="server" ControlToValidate="Password" ErrorMessage="Password is required." ToolTip="Password is required." ValidationGroup="LoginControl">

                </asp:RequiredFieldValidator>

                <asp:Literal ID="FailureText" runat="server" EnableViewState="False">
                </asp:Literal>
                <asp:Button ID="LoginButton" runat="server" CommandName="Login" Text="Log In" ValidationGroup="LoginControl" CssClass="Lbutton" />
    </asp:Login>

BackEnd to LoginPage:

    /// <summary>
    /// Page load handler. Intentionally empty: no per-request setup is done for the login page.
    /// </summary>
    /// <param name="sender">The page raising the event.</param>
    /// <param name="e">Event data (unused).</param>
    protected void Page_Load(object sender, EventArgs e) { }

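    /// <summary>
    /// Handles the <see cref="Login.Authenticate"/> event: checks the submitted user name and
    /// password against the database and, on success, issues the forms-authentication ticket.
    /// </summary>
    /// <param name="sender">The <see cref="Login"/> control raising the event.</param>
    /// <param name="e">Carries the <see cref="AuthenticateEventArgs.Authenticated"/> flag that the control reads after this handler returns.</param>
    protected void LoginControl_Authenticate(object sender, AuthenticateEventArgs e)
    {
        bool authenticated = this.ValidateCredentials(LoginControl.UserName, LoginControl.Password);

        // The Authenticate event contract is to report the outcome through e.Authenticated;
        // the Login control then shows FailureText when it is false, instead of the handler
        // relying solely on the redirect below to end the request.
        e.Authenticated = authenticated;

        if (authenticated)
        {
            // Issues the auth cookie (persistent when "remember me" is checked) and redirects
            // to ReturnUrl or the forms defaultUrl; this call ends the response.
            FormsAuthentication.RedirectFromLoginPage(LoginControl.UserName, LoginControl.RememberMeSet);
        }
    }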

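    /// <summary>
    /// Returns true when <paramref name="text"/> is non-empty and consists solely of ASCII
    /// letters and digits.
    /// </summary>
    /// <param name="text">Value to check; null or empty yields false instead of throwing.</param>
    /// <returns>True if every character is in [a-zA-Z0-9] and there is at least one character.</returns>
    public bool IsAlphaNumeric(string text)
    {
        if (string.IsNullOrEmpty(text))
        {
            return false;
        }

        // \A and \z anchor to the absolute start and end of the input. The original "$"
        // also matches just before a trailing "\n", so "abc\n" would have been accepted.
        return Regex.IsMatch(text, @"\A[a-zA-Z0-9]+\z");
    }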

    private bool ValidateCredentials(string userName, string password)
    {
        bool returnValue = false;

        if (this.IsAlphaNumeric(userName) && userName.Length <= 50 && password.Length <= 50)
        {
            SqlConnection conn = null;

            try
            {
                string sql = "select count(*) from dbo.Users where UserName = @username and password = @password";

                conn = new SqlConnection(ConfigurationManager.ConnectionStrings["MembershipSiteConStr"].ConnectionString);
                SqlCommand cmd = new SqlCommand(sql, conn);

                SqlParameter user = new SqlParameter();
                user.ParameterName = "@username";
                user.Value = userName.Trim();
                cmd.Parameters.Add(user);

                SqlParameter pass = new SqlParameter();
                pass.ParameterName = "@password";
                //pass.Value = Hasher.HashString(password.Trim());
                pass.Value = password.Trim();
                cmd.Parameters.Add(pass);

                conn.Open();

                int count = (int)cmd.ExecuteScalar();

                if (count > 0) returnValue = true;
            }

Here is part of my Web.config, located in the root directory:

  <connectionStrings>
<add name="MembershipSiteConStr" connectionString="Data Source=MYIPADDRESS;Initial Catalog=MembershipSite;User ID=123;Password=123" providerName="System.Data.SqlClient" />

    <authentication mode="Forms">
  <forms defaultUrl="~/members/member.aspx" loginUrl="~/login.aspx" slidingExpiration="true" timeout="20"></forms>
</authentication>

This web.config is located in my ~Members/ folder:

<authorization>
  <deny users="?"/>
</authorization>

This is the backend to my Memebers.aspx:

Just some button click handlers, nothing else.

Solution

  • If the user is already authenticated (the request carries a valid authentication cookie), then they can open any page that allows authenticated users, and I think this is what happened in your case.

    Try adding a logout button to your member page, log out, and test again (this removes the auth cookie).

    You could also use another browser, or remove the cookies from your browser, and try to access the member page again without going to the login page; you will see that the redirection is working fine.