Security :: Membership And Folder Security?
Jul 22, 2010
I created a solution and used membership for login and I have the site working fine; you can log in and out and I can see that my roles are working. I created a folder called Admin and I created a webpage in there where I can edit my data table, which I wanted to be able to edit when I am logged in as a user with the Admin role. That's working... well, it works...
Anyone can get to this webpage and edit my data. I have it set in the membership using the role management to deny users * and allow users with the Admin role; however, I can open up a new browser without logging into my site and type in the web information and it pops right up, says Welcome:Guest [LOGIN], there's my data and I can edit it, see it, do whatever, and this page shouldn't be able to be seen.
What did I do wrong?
example www.domainname.com/admin/editmydata.aspx
View 3 Replies
Similar Messages:
Jun 23, 2010
I have a business site that I want to use to show clients their projects I am working on. I don't want these projects to be visible to anyone but the clients, so I give them a user ID and password. I want to use asp.net membership to manage the login IDs and passwords, but I want to use jquery to submit the login form (it's lighter and leaner than the login control). Here is what I have:
- Page with an html form for login
- .js file with the jquery calls & code in it
- httpHandler to process the information from the form
I have the user entering their ID and password, and I am using jquery.forms.js to process the form, which calls the httpHandler and passes the form values to the handler. I have the handler check to see if the user ID and password are correct; if not, it passes back a message to be displayed to the user. If the user is valid, then I have it passing back the role of the user, which also happens to be the name of the folder the client needs to view. I have the page redirecting via javascript to the client's folder once they are authenticated. I have the location of the client folder set up in my web.config.
The problem I'm having is the page just redirects back to the login page, with the return url included (?ReturnUrl=%2fCTS%2f2010+Design%2fLasmer%2findex.aspx). I want it to go to the client folder (Lasmer in this case) once the user has been authenticated. Shouldn't it send me to the folder's default page once it knows the user is authenticated? Do I have a problem in the way my web.config is wired up, and do I need anything in the client folder's web.config? Here is the code for the web.config:
[Code]....
Here is the code for the handler:
[Code]....
Here is the code for the .js file:
[Code]....
Here is the code for the page:
[Code]....
View 8 Replies
Oct 30, 2010
The following code is used to add the asp membership tables to an already existing database instead of creating a separate database for membership and having two databases in the application.
aspnet_regsql.exe -S .\SQLEXPRESS -U username -P password -d databasename -A all
It works fine by adding the membership tables to the existing database that is located in the c drive, program files sqlserver folder.
But my database however is not in the c drive but located in my asp website app_data folder, so the above code does not give any error and the tables are not added after I run it. How can I now add the membership tables using the above code when my database is located in the website app_data folder?
View 1 Replies
Sep 9, 2010
I'm working on a website where it should be possible for registered users to upload word documents. The administration of users is done through Membership and Profiles. When the documents have been uploaded, the following needs to be achieved:
- Non-registered users should not be allowed to download documents
- I should be able to control which users have access to which documents
- I should be able to register which user downloads which documents
- I should be able to track how many times a document has been downloaded
Can this be achieved by using Membership and Profiles?
View 1 Replies
Feb 28, 2011
I'm trying to use the Membership.CreateUser method without passing a security question and answer. I set them to string.empty, but no go. I have my provider set to not require a question in my web.config. What am I doing wrong?
[Code]....
View 2 Replies
Jan 12, 2010
I have a web page where I am denying anonymous users from accessing. In the web site I have a folder called FileManager. In the web app the users have the ability to upload files, and when they do a folder gets created under the FileManager and the files are saved. I have created a web.config in this folder that denies anonymous users. The problem is if the user knows the directory structure they can type in the url of the site and add /FileManager/x/x/NameOfFile, where x are the sub directories. If the file is an image it shows the image in IE; if it is a .xls or .doc or whatever they get the prompt to either download or save the file. What am I doing wrong? Will the web.config file not stop an anonymous user from accessing files? I put a webpage in the folder and it is blocked and the user gets sent to the login screen, but files seem to be unsecured.
How do I block anonymous users from being able to access the files in this folder?
View 4 Replies
Mar 11, 2011
I am creating an application hosted on GoDaddy.com. The base files are kept in a folder called /sky while the Admin files and User files are kept in /sky/Admin and /sky/User respectively. I'm having difficulty configuring the security so that when a user tries to access Admin or User files they should be redirected to the login.aspx file in the /sky folder. I keep getting an error that it's trying to access sky/sky/login.aspx instead of just sky/login.aspx.
Here are the relevant sections of my web.config file.
<?xml version="1.0"?>
<configuration>
  ...
  <location path="sky/admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="user">
    <system.web>
      <authorization>
        <allow roles="Admin,User" />
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <system.web>
    <customErrors mode="Off" />
    <authentication mode="Forms">
      <forms name="login" loginUrl="login.aspx" />
    </authentication>
    ...
  </system.web>
  ...
</configuration>
Can someone point me to articles or provide assistance with the proper configuration?
View 3 Replies
Feb 9, 2010
I have started to implement asp membership. I go to the administration page and click provider. I have a database on a server on the local network that I want to install my members tables in. When I run the aspnet_regsql.exe it doesn't ask me what SQL database I want to use and seems to default to my local SQL Server 2005 installation. How do I change this to use my SQL Express database on a local server?
View 6 Replies
Aug 10, 2010
I have to implement a small webshop. Basically it's just a website with a huge backend ERP System and with the possibility to sell one (yap, really only one!) product on the website. The only requirement is a MySQL Server. The backend is almost finished (about 95%) and is secured with the .net MemberShip Provider for MySQL (the one in MySql.Web from the MySql Connector .NET).
Now to my question: I can set up the membership system easily but I do not need such things like username or password-question, but I would need a reference to an address table to store the user's home address. So, is it possible to change or customize the membership system to use e.g. a unique customer id instead of the username column and set this in codebehind when the user is creating a new account? And is it possible to insert new users/customers from codebehind in an easy way? (I mean without checking each foreign key and inserting the customer reference to the userinrole table and so on...)
View 10 Replies
Apr 14, 2010
I am building a site and I want to use the default membership controls provided with asp.net like Login View Control etc. I don't want to use the ASP.Net Membership DB as I want to use my own Security structure and I don't want to inherit the ASP.Net membership class either. In my case how can I use these controls to aid me like how will a login view control detect if someone is authenticated or not.
View 7 Replies
Jan 21, 2010
I've set up a system with forms based authentication and using the asp:Login control. When I put in an invalid password I get the appropriate invalid password message. However when I put in a valid password, it does nothing...just returns to the login page again. I've triple checked the login info. There is no error message, and the invalid attempts counter doesn't increment. When I put a break point in the Login_LoggedIn event of the Login form, it hits it, but User.Identity.IsAuthenticated is false. I'm not 100% sure it should be true at this point, as I'm pretty new to .NET but it seems kind of odd.
My user database is stored in a sqlserver 2005 db that already existed. I've added a new connection for it. In the authorization I have
<authorization><deny users="?"/></authorization>
View 2 Replies
Oct 1, 2010
I am working on an asp.net application with membership controls and the SQL Server database. I have this put together, however it appears that adjustments need to be made to enhance security. Many websites have membership features, so I was wondering if there are some blog posts that describe the steps that need to be made to enhance security.
View 3 Replies
Mar 18, 2011
Is it possible to add some security rules for files inside a folder with session value, as with impersonate settings in a config.web file? Right now I restrict my pages with session values, but obviously can't do it for downloaded files like .zip, .doc, .ppx etc.
View 9 Replies
Aug 16, 2010
I'm designing a site where registered users can upload their own images that should be displayed to any visitor. However the images have to be approved by an admin. So when the images are approved they will show in an image gallery.
My problem is how to protect the images from browsing. I don't want anyone to be able to just write in the folder url and browse through all the images.
My questions:
1. If I store the images in the app_data folder they will be protected from browsing directly. But they can't be used in a webpage that is public either, correct?
2. If I store them in a public folder the images can be used to display on a public page, but even the images that are not approved will be accessible if one knows the url to the folder or the image itself, correct?
3. It won't help if I secure the image folder with roles, because then the images will only be accessible by the user that is logged in and is in the proper role.
View 1 Replies
Jun 16, 2010
I have a folder with png images that are not shared or public (the folder is outside my application folder). Now I want my users to be able to view those images only if they are logged in (different users, different images). All images have a name that corresponds to the user's id. My idea is to stream those images into the asp:Image control, is that possible? How do I do that? Other (better) solutions?
View 6 Replies
Feb 8, 2010
Why can't I type the following code in the masterpage's vb code behind? I am able to do it in a normal aspx's code behind, why not in the masterpage's? I am trying to use the following code in the page_load event
[Code]....
View 3 Replies
Oct 21, 2010
I use membership provider in my website.
I use membership methods like getUser() and so on.
I need to add some other methods like getAllApprovedUsers().
Where and how can I add this method to membership? But I want to use standard membership methods.
View 5 Replies
Dec 13, 2010
I am using SQL Membership Provider to create user accounts for my web site and for some reason, the CreateDate and LastLoginDate fields are NOT saving the current time of my machine when I add a new user to the website. It is showing the previous day's date and the time is displayed as PM when it's AM and vice versa in the CreateDate and LastLoginDate fields in the aspnet_Membership table. I am developing and running the website via localhost on my laptop using IIS 7 (Windows 7). Does this have anything to do with my laptop's clock settings or is there something I need to configure in the web.config file or in IIS?
View 4 Replies
Jul 25, 2010
I could really use some help here. I would like to implement a simple CAPTCHA mechanism with the membership system. Can someone please help me out? I have found MSCAPTCHA, but it doesn't seem to work in the .NET 3.5 world. I have been pulling my hair out for a couple of days now.
View 6 Replies
May 14, 2010
In what way, if any, can/does the 'membership db' play friendly with another SQL db.. or can I wire up the 'login control' to use a SQL DB to validate/get perm info?...
I believe the aspnetdb inside the actual site in app_code or somewhere is the 'membership db', correct?
Whereas I wish to use all info pertaining to logins/perms from fields in an actual SQL DB since my web app is using a huge DB for a factory floor's production management.
How do I authenticate this way? Also, I would like it to be in a master page, and upon login, redirect to another directory say, '/Members' which is locked out from anonymous browsing.
I previously had the following code:
web.config :
[Code]....
Default.aspx :
[Code]....
View 7 Replies
May 5, 2010
I have a test site that is using the sqlprovidermembership. It is now working as expected. One of our clients has a site that was written in PHP. They created a link to our test site and when you click on one of their menu items it places the login page in a frame on their site, for instance (http://www.client.com/staff.php). Now when the user enters their username and password the validation does not work. It simply continues to bring up the login page. It does not even say that the login was unsuccessful.
View 1 Replies
Mar 1, 2010
Pls explain the Membership Roles in MVC ASP.NET 3.5
View 1 Replies
Feb 8, 2011
I have a website with users that registered through membership. I want to build another site (different url, different issue) but I want my users to use the same details (username, password, email etc.) they are using on the first site. Is it possible to use the same aspnet_ tables in a different website?
View 3 Replies
Oct 11, 2010
I am working on a new application that will feed off my application's DB that was written with .net 3.5 (really 2.0, since that's where the aspnet_regsql.exe lives)... I open up the application settings page on my old VS2008 application, and see all my 4000+ users, but if I link the membership to that database in VS2010 with asp .net 4.0, it shows 0. I have verified the connections, and I also noticed there is a new aspnet_regsql.exe in the 4.0 framework folder.
Is there any way to make the old membership work, or a way to migrate my users? If not, I would think this would cause a LOT of issues with many .net applications with many forms based users.
View 3 Replies
Jan 5, 2011
This is my first membership provider; I converted the sample provider [URL] to SQL. I created a vb class provider and put it into the App_Code folder. After it was created I tried to modify my webconfig but the error pops up. I don't know what else to try, I don't know if I have missed something.
webconfig:
[code]....
View 1 Replies