|
Best practice for login screen using database
I have an c# as.net app that check if the user exist in a USERS table, that
part is ok but now I need to pass the user ID no the next page beacuse I need to do some databse queries with that user ID, I'm passing the values as : Context.Items.Add("UserID",TempUserID); Context.Items.Add("VerifyString","OkPEV"); Server.Transfer("timesheet.aspx", true); Now my problem is that in the timesheet.aspx page ths UserID come fine the first time, but if I do refeesh or add a record to my timesheet databse I loose the UseID. So is it any way to keep that variable on memmory while the session is open ? Thanks |
Best practice for login screen using database
Hi
I see there is some problem with the logic you have chosen to adopt. If you pass the user ID through context variables, there is every possibility that a potential hacker could, do the same, just that he needs to know the context keys you have chosen to use. Instead, i would suggest you to use a different approach, where every page that needs the user to be signed-in should look up at a common function, which will return the user ID. For this to happen, you can design all your code-behind classes to inherit from a single base class, extending System.Web.UI.Page. And in the page_load events of all the pages, call the base class method, say base.CheckIfUserIsSignedIn(); And in this base class method, write code in such a way that it will check if the user us signed in, based on some cookie value(i guess cookies are allowed) or you can use session variables. For the first time, when the user is shown a log-in form, s/he will be prompted to enter the credentials. Once validated, you can store the user- id token to a cookie or have it in session. The same can be used wherever required. Checking for signed in, in each page is to ensure, no one can by-pass the signed in form and directly land to some transaction form. The CheckIfUserSignedIn() method, should redirect the user to a sign-in form or access denied form, if it finds out that the user is not signed in. Hope this solves your problem too Let me know, if this has helped you in anyway. Ramjee >-----Original Message----- >I have an c# as.net app that check if the user exist in a USERS table, that >part is ok but now I need to pass the user ID no the next page beacuse I >need to do some databse queries with that user ID, I'm passing the values as >: >Context.Items.Add("UserID",TempUserID); >Context.Items.Add("VerifyString","OkPEV"); >Server.Transfer("timesheet.aspx", true); > >Now my problem is that in the timesheet.aspx page ths UserID come fine the >first time, but if I do refeesh or add a record to my timesheet databse I >loose the UseID. > >So is it any way to keep that variable on memmory while the session is open >? > >Thanks > > > > > > > > > >. > |
Re: Best practice for login screen using database
I am using VB net app which uses the login component. I want to check the
user ID & password entered against a user table in my sql server database. I do not know how to do this. Can you help me, or show me a code example. thanks garry "Carlos" <cp@swa.com> wrote in message news:OfJtePdFFHA.3908@TK2MSFTNGP12.phx.gbl... >I have an c# as.net app that check if the user exist in a USERS table, >that > part is ok but now I need to pass the user ID no the next page beacuse I > need to do some databse queries with that user ID, I'm passing the values > as > : > Context.Items.Add("UserID",TempUserID); > Context.Items.Add("VerifyString","OkPEV"); > Server.Transfer("timesheet.aspx", true); > > Now my problem is that in the timesheet.aspx page ths UserID come fine the > first time, but if I do refeesh or add a record to my timesheet databse I > loose the UseID. > > So is it any way to keep that variable on memmory while the session is > open > ? > > Thanks > > > > > > > > > |
| All times are GMT. The time now is 07:05 AM. |
Powered by vBulletin®. Copyright ©2000 - 2013, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.