Basically I mean would the code be opening vulnerabilities being on the web for hackers being able to sniff out the username/password?
I do like the option of changing login validation methods ;) :thumb:
Errr... nope. They could theoretically brute force it... but you can do that with any type of user authentication... DB, hard coded, etc.
My code above is ONLY validating that a username exists with that password. That's all it's doing.
Woka
Only for demo purposes... :D
Quote: Originally Posted by RobDog888
Woka
You mean the AD code? The original thread code was authenticating the actual windows authentication though,
or is it simulating the same?
The original code was impersonating a windows user.
When you log into your web site IIS gives the active directory a windows username to use... in my case it's IUSR_BENDER for some reason, normally it's ASPUSR_COMPUTERNAME... this account gets installed and set up when you install IIS.
So, say IUSR_BENDER does not have permissions to access C:\Woof, any call to this dir in my code would result in a permissions error.
However, the user Admin DOES have access to this. The original code you posted impersonates this user, which allows you to access C:\Woof. Make sense?
In the latest example I posted with code that validates against the Active Directory, function name ValidateActiveDirectoryLogin, this does not impersonate any user, so the user IUSR_BENDER will be the windows account used when accessing resources on the server PC. The code I last posted ONLY validates if the domain, username and password exist.
To see what user the virtual directory is using... open up IIS... go to a VD properties.
Click on Directory Security tab...then click edit.
Personally I haven't come across a situation where I would want to impersonate a user.
Make sense?
Woka
Starting to. The IUSR_BENDER username comes from your machine name, I believe, so your system is named BENDER ?
Yup...all my PCs on my Domain are named after characters from Futurama :D
Woka
Our network admin has a thing for the new movie Dukes of Hazzard. :)
We have been upgrading and optimizing our network and
servers so they all are getting renamed. :lol:
OK. This one works.
This now encrypts the username into the cookie for a little extra protection.
I'm working on creating a security cookie class to make all that a little easier.
Woka
Thanks BadgerBoy. :thumb:
I'll check it out tonight when I get home. Getting ready to leave soon. ;)
Quick question BadgerBoy:
Instead of the username what if it encrypted some kind of serial number key that is generated upon the successful login? Each time you
log in it generates a different #. This way it's more secure and they wouldn't be able to get the username since it's not being stored?
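The per-login key idea from the post above, as an added example that is not code from the thread: the cookie carries only a random token, and the username stays in a server-side table keyed by that token. SessionStore, IssueToken, ResolveUser and Revoke are hypothetical names, and the in-memory Dictionary is an assumption standing in for a real store.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography
' Added example, not from the thread. All names are hypothetical; the Dictionary
' stands in for the site's server-side store (database table or cache).
Public Module SessionStore
    Private Class Entry
        Public UserName As String
        Public ExpiresUtc As DateTime
    End Class
    Private ReadOnly Sessions As New Dictionary(Of String, Entry)
    Private ReadOnly Gate As New Object()
    ' After a successful password check: returns the cookie value (32 random bytes, hex).
    Public Function IssueToken(userName As String, lifetime As TimeSpan) As String
        Dim raw(31) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(raw)
        End Using
        Dim token As String = BitConverter.ToString(raw).Replace("-", "")
        SyncLock Gate
            Sessions(token) = New Entry With {.UserName = userName, .ExpiresUtc = DateTime.UtcNow.Add(lifetime)}
        End SyncLock
        Return token
    End Function
    ' On every request: the username, or Nothing if the token is unknown or expired.
    Public Function ResolveUser(token As String) As String
        If String.IsNullOrEmpty(token) Then Return Nothing
        SyncLock Gate
            Dim found As Entry = Nothing
            If Not Sessions.TryGetValue(token, found) OrElse found.ExpiresUtc <= DateTime.UtcNow Then
                Sessions.Remove(token) ' no-op for unknown tokens, drops expired ones
                Return Nothing
            End If
            Return found.UserName
        End SyncLock
    End Function
    ' On logout: a copied cookie stops working immediately.
    Public Sub Revoke(token As String)
        If token Is Nothing Then Return
        SyncLock Gate
            Sessions.Remove(token)
        End SyncLock
    End Sub
    Sub Main() ' constructed demo values
        Dim t As String = IssueToken("demo-user", TimeSpan.FromMinutes(20))
        Console.WriteLine(ResolveUser(t))
        Revoke(t)
        Console.WriteLine(ResolveUser(t) Is Nothing)
    End Sub
End Module
```

Set the cookie that carries the token with HttpOnly and Secure, and call IssueToken again on each login so every session gets a fresh value.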
Ok, then.
Since the Users page inherits from the MyBasePage does that mean that all pages that inherit it will carry over the authentication or
security? So if I had other pages that I didn't need to be secure then they wouldn't inherit the MyBasePage and the ones that I
need secure would?
BadgerBoy Jr. in training. ;)
Yup. Spot on... or you can inherit it as it may use the query string function, but just don't call ValidateLogin in page load.
Darn, just when I started to get it you throw that at me. Why not in page_load? Don't you want to validate upon page load?
Quote: Originally Posted by BadgerBoy Sr.
Edit: Nevermind, I just realized it's from the button click. Doh! Too many posts today. :(
eh? Validate Login should not be from the button click.
If you want a page to be ONLY viewed by logged in users then call MyBase.ValidateLogin(True) in Page_Load.
If you want to show different things on the page, but still show it to not logged in users, then call the following in Page_Load:
VB Code:
If MyBase.ValidateLogin(False) Then
    'Show controls for logged in users
Else
    'Show controls for not logged in users
End If
If you don't call this function in Page_Load then the page will load normally for logged in and not logged in users.
Woof
Ok, will do. I have to do a lot of work today, at home, but hopefully I will have some time to finish at least a few pages.
Functionality speaking anyways. Graphically is another story :(
Just adding a good link from MS in case anyone wants more or other info. ;)
http://support.microsoft.com/default...b;en-us;315736