Thursday, March 22, 2012

Login Page - User Authentication

I am making my first ASP.Net page and I can nicely connect to the database and stuff now.
Now I need my login page to authenticate the user based on a "User" table in the database. What is the best way to do this?
The idea I had is to create a Select statement, specifying "Select * From User where username = entered username and password = entered password"
Fill it into a dataset. If the dataset row count is equal to one, then authenticate the user and take him to the main menu.
Is this the best way to do this?
Also, how do I redirect the user to the main menu if the authentication is successful?

You are definitely on the right path, but I would suggest doing a Google search on "Forms Authentication in ASP.net" and you will find a bunch of articles that will help you make it better and more secure.
smtraber
Hi,
Definitely it is not the best way to do it (select query within your code). If you are developing this application for a client, then you need to change certain things.
First of all, decide the authentication mechanism you want to use. From your post I am able to make out that you want people to log in by providing a user name and password in a login page. So you can use Forms Authentication.
In the Web.Config specify the authentication mode as Forms and specify the URL for the login page. Then, in your authorization settings just below the authentication setting in the web.config, specify deny users="?" (default will be allow users="*"). This will take care of things like making users log in before accessing your pages. You don't have to check in each and every page whether the user is logged in.
Create a stored procedure that would receive username and password as parameters and do a comparison in the database and return 0 or 1 based on whether the credentials were true or false. Based on the return value, you can verify whether the credentials supplied by your user were correct.
In your login.aspx page, execute that stored procedure by passing the UserName and Password TextBox values and capture the return value in an integer value.
Now, when implementing Forms Authentication, it would by default look if there is any ReturnUrl parameter to which it has to take the user once he successfully logs in. If it doesn't find any ReturnUrl, it would try to take it to default.aspx (even if you don't have a default.aspx).
There, you need to change your code as follows:-
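    // Runs only after the credential check has succeeded.
    if (Request.QueryString["ReturnURL"] != null)
    {
        // Sets the authentication cookie and returns the user to the page originally requested.
        FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);
    }
    else
    {
        // No return URL: set the cookie and go to the main page explicitly.
        FormsAuthentication.SetAuthCookie(txtUserName.Text, false);
        Response.Redirect("MainPage.aspx");
    }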

In the above, txtUserName is the ID of the TextBox where users enter user name. The false attribute specifies whether you want to set a persistent cookie (which would allow the user to automatically log in next time to your application unless they explicitly log out - remember me thing). Setting it to true would actually implement the same.
The above code you need to place once you get a return value of 1 from the stored procedure which indicates the credentials were right.
Write back if this doesn't help.
Thanks.

This is my case right now, I have an account on Brinkster.com where my SQL Server resides. I am recreating from scratch a web based system that I developed in ASP 3.1 in order to learn .Net.
I am now going to look into how to execute stored procedures, and whether it's even possible with my Brinkster.com account.
Thanks for the help.

I usually do select userID from users where username = @username and password = @password. userID is an integer (usually primary key) so then I check for a value greater than 0 to authenticate them. I would also use a scalar command to do this - a dataset is way too much overhead.

Ok, thanks.
Now to look into how to use scalar commands :p
I think I am going to stay away from Stored Procedures for the time being, since I have no clue where to really "store" them as the SQL Server is an online server not under my control.
With the check that I am using, how do I redirect them to a different page if login is successful? I know in ASP, it was a simple Response.redirect, what's the way to accomplish it in ASP.Net?
Thanks

I agree that a dataset is too much overhead, but a datareader is a good way to go if you want to retrieve any information about the user from your table, other than just the userID.
smtraber

In ASP.NET also, it's the same Response.Redirect.
Thanks.

If you use forms authentication, which will automatically send them to your login page if they try to navigate to a page that requires them to be logged in, you can use redirectFromLogin which will send them back to the page they were originally trying to get to once they have been authenticated.
smtraber

Dear Kumarshah,
Please read my first reply to this post.
I have clearly specified how to redirect user upon successful authentication.
Thanks.
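
The login flow the thread converges on, as an added C# example that is not part of any post: a parameterized query followed by the Forms Authentication redirect from the reply above. It goes beyond the thread by assuming the users table stores a salted PBKDF2 hash instead of the password itself; the connection string name AppDb, the PasswordHash and PasswordSalt columns, the class name, and the control IDs other than txtUserName are assumptions.

```csharp
// Added example (not from the thread). Assumed names: connection string "AppDb",
// varbinary columns PasswordHash / PasswordSalt on users, controls txtPassword, lblError.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Security;

public partial class LoginPage : System.Web.UI.Page
{
    private const int Iterations = 100000; // assumed PBKDF2 work factor
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        if (!IsValidUser(txtUserName.Text, txtPassword.Text))
        {
            lblError.Text = "Invalid user name or password."; // same text for both failures
            return;
        }
        if (Request.QueryString["ReturnUrl"] != null)
            FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);
        else
        {
            FormsAuthentication.SetAuthCookie(txtUserName.Text, false);
            Response.Redirect("MainPage.aspx");
        }
    }

    private static bool IsValidUser(string userName, string password)
    {
        byte[] hash = null, salt = null;
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT PasswordHash, PasswordSalt FROM users WHERE username = @username", conn))
        {
            // The value is sent as a typed parameter, never concatenated into the SQL text.
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = userName;
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader(CommandBehavior.SingleRow))
                if (r.Read()) { hash = (byte[])r["PasswordHash"]; salt = (byte[])r["PasswordSalt"]; }
        }
        if (hash == null) return false; // no such user
        // PBKDF2 over the entered password with the stored salt (salt must be at least 8 bytes).
        byte[] candidate = new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(hash.Length);
        int diff = 0; // compare every byte so timing does not reveal where a mismatch occurs
        for (int i = 0; i < hash.Length; i++) diff |= hash[i] ^ candidate[i];
        return diff == 0;
    }
}
```

The same salt, iteration count and hash length must be used when the account's hash is first written, otherwise no login will ever match.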
