When I logged into the web app and clicked on Login, it navigated to the login page but added 'ReturnUrl=%2f' to the URL. For example: authentication.aspx?ReturnUrl=%2fAXERP-UAT%2fsubsystem%2fmain_menu.aspx. After login, it should point to this page: subsystem/main_menu.aspx. Can anyone help me? Thanks a lot.


What I have tried:

web.config:

<appSettings>
  <add key="ConnectionString" value="AX-UAT;Integrated Security=false;Initial Catalog=SBG_AX_2020;User ID=sbax;Password=sbax;Connection TimeOut=99999" />
</appSettings>

<authentication mode="Forms">
  <forms name="AXERP-UAT" loginUrl="authentication.aspx" protection="All" path="/" timeout="1500" />
</authentication>
<authorization>
  <deny users="*" />
</authorization>


C# code (authentication.aspx.cs):

using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;

protected void authenticate(object sender, EventArgs e)
{
    // Short-circuit || rather than the bitwise | used originally.
    if (txtUsername.Text == null || txtUsername.Text == string.Empty)
    {
        ClientScript.RegisterStartupScript(this.GetType(), "alert", "alert('Error? Please enter email address');", true);
        return;
    }

    if (txtPassword.Text == null || txtPassword.Text == string.Empty)
    {
        ClientScript.RegisterStartupScript(this.GetType(), "alert", "alert('Error? Please enter password');", true);
        return;
    }

    // ConfigurationSettings.AppSettings is obsolete; ConfigurationManager (System.Configuration) replaces it.
    SqlConnection con_Check_UserData = new SqlConnection(ConfigurationManager.AppSettings["ConnectionString"]);
    SqlCommand cmd_Check_UserData = new SqlCommand();
    try
    {
        // Left exactly as posted: this is the string-concatenated query the solutions below discuss.
        cmd_Check_UserData.CommandText = "select * from VIEW_LOGIN where username = '" + txtUsername.Text + "' and password = '" + txtPassword.Text + "'";
        cmd_Check_UserData.Connection = con_Check_UserData;
        con_Check_UserData.Open();
        SqlDataReader rd_Check_UserData = cmd_Check_UserData.ExecuteReader(CommandBehavior.CloseConnection);

        // One matching row is enough. The original while (Read()) { Read(); ... } consumed two rows per iteration.
        if (rd_Check_UserData.Read())
        {
            // Response.Redirect(url) ends the response, so the original code never reached
            // RedirectFromLoginPage and no forms-authentication cookie was issued; the next request
            // was therefore denied and bounced back to the login page with ReturnUrl set.
            // RedirectFromLoginPage issues the cookie and then redirects to the ReturnUrl
            // (here subsystem/main_menu.aspx), so no separate Response.Redirect is needed.
            // A startup-script alert registered before a redirect is never shown, so it is dropped.
            FormsAuthentication.RedirectFromLoginPage(txtUsername.Text.ToLower(), false);
        }
        else
        {
            ClientScript.RegisterStartupScript(this.GetType(), "alert", "alert('Invalid Username/ Password');", true);
        }
    }
    catch (Exception ex)
    {
        Lbl_Message.Text = ex.Message;
    }
    finally
    {
        // Close and release in one place (Close is safe to call on an already-closed connection).
        con_Check_UserData.Close();
        con_Check_UserData.Dispose();
        cmd_Check_UserData.Dispose();
    }
}
Posted 16-Mar-18 7:52am
Updated 6-Dec-18 10:47am
Solution 1

That's exactly what the ReturnUrl is pointing to. It just has to be encoded to be used in a querystring parameter.

But you have more serious issues to deal with:

Your code is vulnerable to SQL Injection[^]. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

NEVER store passwords in plain text:
Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^]

And why are you re-inventing the wheel? ASP.NET has several perfectly good authentication systems built-in - for example, ASP.NET Identity[^]


Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]
Comments
Member 13318869 19-Mar-18 4:44am
"That's exactly what the ReturnUrl is pointing to. It just has to be encoded to be used in a querystring parameter."
What do you mean by this? I don't understand. Sorry...

Richard Deeming 19-Mar-18 7:35am
HTML URL Encoding Reference[^]

Decoded, your return URL is:
/AXERP-UAT/subsystem/main_menu.aspx

Member 13318869 19-Mar-18 21:48pm
Done, but it is still not working for me.

Richard Deeming 20-Mar-18 8:00am
What do you mean by "not working"? The return URL you've shown is exactly what you said you want it to be. What's the problem?
Solution 2

cmd_Check_UserData.CommandText = "select * from VIEW_LOGIN where username = '" + txtUsername.Text + "' and password = '" + txtPassword.Text + "'";

Not a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens the door to a vulnerability named "SQL injection"; it is dangerous for your database and error prone.
A single quote in a name and your program crashes. If a user entering a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems: malicious user input gets promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]
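Both solutions make the same two points about the posted handler: the query must be parameterized, and passwords must be stored as salted hashes rather than compared in plain text. The following is an added example of the login handler rewritten that way; it is not code from the question or from either answer. It assumes a hypothetical table USERS_AUTH with columns username, pwd_hash and pwd_salt (byte arrays), that stored hashes were produced with the same PBKDF2 parameters as the constants below, and the same ConnectionString, txtUsername, txtPassword and Lbl_Message names as the question.

```csharp
// Added example: hardened login handler. Assumes a hypothetical USERS_AUTH table
// (username NVARCHAR, pwd_hash VARBINARY, pwd_salt VARBINARY) and the page controls
// named in the question. Not the original poster's or CodeProject's code.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Security;

public partial class Authentication : System.Web.UI.Page
{
    // Assumption: these must match the values used when the stored hashes were created.
    private const int Pbkdf2Iterations = 100000;
    private const int HashBytes = 32;
    private const int SaltBytes = 16;

    protected void authenticate(object sender, EventArgs e)
    {
        string username = txtUsername.Text.Trim();
        string password = txtPassword.Text;

        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
        {
            Lbl_Message.Text = "Please enter both username and password.";
            return;
        }

        if (VerifyCredentials(username, password))
        {
            // Issues the forms-authentication cookie, then redirects to the ReturnUrl
            // query-string value (or the configured defaultUrl). No Response.Redirect needed.
            FormsAuthentication.RedirectFromLoginPage(username.ToLowerInvariant(), false);
        }
        else
        {
            // Same message for unknown user and wrong password, so usernames cannot be enumerated.
            Lbl_Message.Text = "Invalid username or password.";
        }
    }

    private static bool VerifyCredentials(string username, string password)
    {
        byte[] storedHash;
        byte[] storedSalt;

        string connStr = ConfigurationManager.AppSettings["ConnectionString"];
        using (var con = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(
            "SELECT pwd_hash, pwd_salt FROM USERS_AUTH WHERE username = @username", con))
        {
            // The user's input travels as a typed parameter value, never as part of the SQL text,
            // so a quote in the name (Brian O'Conner) is just data.
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 100).Value = username;
            con.Open();
            using (SqlDataReader rd = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!rd.Read())
                {
                    return false; // unknown user
                }
                storedHash = (byte[])rd["pwd_hash"];
                storedSalt = (byte[])rd["pwd_salt"];
            }
        }

        // Recompute PBKDF2 over the submitted password with the stored salt; the plain-text
        // password never reaches the database and is never compared by SQL.
        byte[] computed;
        using (var kdf = new Rfc2898DeriveBytes(password, storedSalt, Pbkdf2Iterations))
        {
            computed = kdf.GetBytes(HashBytes);
        }
        return FixedTimeEquals(computed, storedHash);
    }

    // Compare every byte regardless of where the first mismatch is, so response time
    // does not reveal how much of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Used when creating or resetting an account: fresh random salt, PBKDF2 hash to store.
    public static void CreatePasswordRecord(string password, out byte[] salt, out byte[] hash)
    {
        salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Pbkdf2Iterations))
            hash = kdf.GetBytes(HashBytes);
    }
}
```

This also answers the original ReturnUrl question: RedirectFromLoginPage reads the ReturnUrl parameter (decoded, /AXERP-UAT/subsystem/main_menu.aspx) and sends the browser there after setting the cookie, which the posted code never did because Response.Redirect ended the response first. With enableCrossAppRedirects left at its default of false, a ReturnUrl pointing outside the application is ignored in favour of defaultUrl, which keeps the parameter from being used as an open redirect.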
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
