Thread: [02/03] Creating a ASP.NET application, login function.

To start off, i ran searches for "login" on multiple forums, including the code sample forums, but could not seem to find any relevant threads. I am not sure if this is the correct forum to post this. I am using Visual stuido .net 2003, and am creating a ASP.NET application. I am trying to make a login function for a web site. It will access the SQL database to check whether the entered userID and password matches, and if it does it will authenticate the user.

My stored procedure in SQL :

Code:

ALTER  proc spSupplierLogin(@UserID varchar(30), @Password varchar(15))

as

if not exists (select * from supplier where UserId = @UserId)
     return -101 //Checks whether the userid exists, if not returns -101

if not exists (select * from supplier where UserId = @UserId and Password = @Password)
return - 102 //Checks whether the user ID and password matches the ones entered in the database, if not, return -102. I am not sure if this is correct.

if @@ERROR <> 0
return - 103 //If unexpected error, return -103

return

The problem is simple.....i do not know how to write the code for authenticating a user, and then determining which user is the one logged in and trying to access restricted data.

For example, i want user A to be able to login and modify his user account details, but only his user account's details. How would i go around writing the code to check that the account details he is modifying are his own, and not someone else's?

Secondly i want user A to be able to login and modify certain product information in a catalog, but only the ones he is authorised for. How do i write code so that it checks that user A is authorised to modify details for a certain product? Are there any special SQL tables i need?

My VB code for the login page :

VB Code:

Dim connection As New SqlConnection _
        (ConfigurationSettings.AppSettings("ConnectionString"))
        Dim command As New SqlCommand _
        ("spSupplierLogin", connection)
 
        command.CommandType = CommandType.StoredProcedure
        command.Parameters.Add("@UserID", txtLoginID.Text) //User ID entered
        command.Parameters.Add("@Password", txtLoginPass.Text) //Password entered
 
        command.Parameters.Add("@Status", SqlDbType.Int)
        command.Parameters("@Status").Direction = ParameterDirection.ReturnValue
 
        Try
            connection.Open()
            command.ExecuteNonQuery()
 
            Dim status As Integer
            status = command.Parameters("@Status").Value
 
            If status = -101 Then
                lblLoginMessage.Visible = True
                lblLoginMessage.Text = "User ID does not exist in the database."
            ElseIf status = -102 Then
                lblLoginMessage.Visible = True
                lblLoginMessage.Text = "The entered user ID and password do not match."
            ElseIf status = -103 Then
                lblLoginMessage.Visible = True
                lblLoginMessage.Text = "An unexpected error occured during the login process. Please try again or contact support."
              Else
                Response.Redirect("home.aspx") //If successful will re-direct to the home page
            End If
        Catch ex As Exception
            lblLoginMessage.Visible = True
            lblLoginMessage.Text = ex.Message
        Finally
            connection.Close()
        End Try