Putting a hole into forms authentication?


  1. #1

    Putting a hole into forms authentication?

    My application uses forms authentication. On the sign-in page is a form (which takes a username, a password, and has a button [SignUp]) that allows for the creation of new user accounts.

    I'm trying to get it so that when the SignUp (not SignIn) button is clicked, a user account is created in the database, and the forms authentication stuff is taken care of, so that I can redirect a user to another page (CustomerInfo.aspx) so they can continue filling out their account information.

    The problem is that I can't figure out how to get past the forms authentication mechanism so that new users get to the other page (CustomerInfo.aspx).

    private void SignUpButton_Click(object sender, System.EventArgs e)
    {
        string SqlStatement = "INSERT INTO Customers (UserName, Password) VALUES ('" + SignUpUserName.Text.Trim() + "', '" + SignUpPassword.Text.Trim() + "')";

        SqlConnection Connection = new SqlConnection("server=*********; database=********; Trusted_Connection=SSPI");
        SqlCommand Command = new SqlCommand(SqlStatement, Connection);
        SqlDataReader Reader = null;

        Connection.Open();
        Reader = Command.ExecuteReader();
        while (Reader.Read())
        {
            if (Int32.Parse(Reader[0].ToString()) >= 1)
            {
                SignUpError.Text = "<p><b>Signup successful.</b></p>";

                SetCookie(SignUpUserName.Text.Trim(), SignUpPassword.Text.Trim(), "NEWUSR");
                // can't authenticate here - I have tried several methods!
                Server.Transfer("CustomerInfo.aspx");
            }
            else
            {
                SignUpError.Text = "<p><b>Signup failed.</b></p>";
                return;
            }
        }
        Connection.Close();
    }



    harrismax@nospam.com Guest

  3. #2

    Re: Putting a hole into forms authentication?

    You probably don't want to use that technique even if you could get it
    to work, since it would leave you vulnerable to SQL injection attacks.
    Here are some good resources that will help you set up forms
    authentication safely:
    http://www.microsoft.com/downloads/release.asp?ReleaseID=44047
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/openhack.asp

    -- Mary
    MCW Technologies
    http://www.mcwtech.com

    On Mon, 16 Feb 2004 15:01:08 -0800, "harrismax@nospam.com"
    <anonymous@discussions.microsoft.com> wrote:
    >My application uses forms authentication. On the sign-in page is a form (which takes a username, a password, and has a button [SignUp]) that allows for the creation of new user accounts.
    >
    >I'm trying to get it so that when the SignUp (not SignIn) button is clicked, a user account is created in the database, and the forms authentication stuff is taken care of, so that I can redirect a user to another page (CustomerInfo.aspx) so they can continue filling out their account information.
    >
    >The problem is that I can't figure out how to get past the forms authentication mechanism so that new users get to the other page (CustomerInfo.aspx).
    >
    >private void SignUpButton_Click(object sender, System.EventArgs e)
    >{
    > string SqlStatement = "INSERT INTO Customers (UserName, Password) VALUES ('" + SignUpUserName.Text.Trim() + "', '" + SignUpPassword.Text.Trim()+ "')";
    >
    > SqlConnection Connection = new SqlConnection("server=*********; database=********; Trusted_Connection=SSPI");
    > SqlCommand Command = new SqlCommand(SqlStatement, Connection);
    > SqlDataReader Reader = null;
    >
    > Connection.Open();
    > Reader = Command.ExecuteReader();
    > while(Reader.Read())
    > {
    > if (Int32.Parse(Reader[0].ToString()) >= 1)
    > {
    > SignUpError.Text = "<p><b>Signup successful.</b></p>";
    >
    > SetCookie(SignUpUserName.Text.Trim(), SignUpPassword.Text.Trim(), "NEWUSR");
    > // can't authenticate here - I have tried several methods!
    > Server.Transfer("CustomerInfo.aspx");
    > }
    > else
    > {
    > SignUpError.Text = "<p><b>Signup failed.</b></p>";
    > return;
    > }
    > }
    > Connection.Close();
    >}
    >
    Mary Chipman Guest
