This is a decent article over Authentication types in ASP.NET, but to say the article covers "Securing" applications isn't true.
Your code below demonstrates how you are using Forms Authentication in the "Real World".
Code:
namespace Auth
{
using System;
using System.Collections;
using System.ComponentModel;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;
public class CodeBehind : System.Web.UI.Page
{
public System.Web.UI.WebControls.Label Message;
public System.Web.UI.HtmlControls.HtmlTable tblSignIn;
public System.Web.UI.WebControls.TextBox txtLogin;
public System.Web.UI.WebControls.TextBox txtPassword;
public System.Web.UI.WebControls.Button btnSignIn;//the web //controls
protected void btnSignIn_Click(Object obj, EventArgs e)
{
if(Page.IsValid)
{
// check username/password against a database table
SQLConnection conn = new
SQLConnection("server=localhost;uid=sa;pwd=;database=CodeBehind");
// get row back based on username/password
string strSQL = "Select * From Users Where UserId='" +
txtUser.Text + "' And Password = '" +
txtPassword.Text + "'";
SQLDataSetCommand dsc = new SQLDataSetCommand(strSQL, conn);
// populate a dataset with the SQL results
DataSet ds = new DataSet();
dsc.FillDataSet(ds, "Users" );
// check to see if the dataset contains no rows (if it is EOF (i.e.
// contains no rows), then the user is invalid)
if( ds.Tables["Users"].Rows.Count == 0 )
{
Message.Text = "Invalid User Name and Password. Try Again.";
} else {
FormsAuthentication.RedirectFromLoginPage(txtUser. Text,
false);
}
}
}
}
}
but any programmer with a hint of understand how to secure web based applications can easily spot the flaw in this code.
Code:
string strSQL = "Select * From Users Where UserId='" +
txtUser.Text + "' And Password = '" +
txtPassword.Text + "'";
You wrote an article on "Securing ASP.NET Applications", but the code you provided as a sample on how to do it, leaves the application wide open for SQL Injection attacks.
1) You're connecting to a SQL Database, then you use inline SQL, instead of handling the process with a stored procedure.
2) There isn't any type of input validation being done to ensure the input from the client is actually "clean" valid data and not malicious input.
The name of the article would be better titled "ASP.NET Authentication Types", since your articles example code leaves the application vulnerable to the most well known of all web attacks and doesn't secure the application in anyway.
ASP Free Forums Sponsor:
December 14th, 2005, 08:00 AM
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Simpy
Y! MyWeb
Linear Mode
