I'm working through an example that shows how to develop secure applications with sign-in forms. I've created a simple page that a user first sees that has a Download file link, a log in link, and a log out link.
The first time a user clicks on the download file link, the user is redirected to the login page, which looks like this:
Code:
<%@ Page Language="vb" AutoEventWireup="false" Codebehind="default.aspx.vb" Inherits="LogIn9_1._default"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>default</title>
<meta name="GENERATOR" content="Microsoft Visual Studio.NET 7.0">
<meta name="CODE_LANGUAGE" content="Visual Basic 7.0">
<meta name="vs_defaultClientScript" content="JavaScript">
<meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
</head>
<body MS_POSITIONING="GridLayout">
<form id="Form1" method="post" runat="server">
<a href="./files/ProtectMe.txt">Download file</a>
<br/>
<br/>
<a href="login.aspx">Log in</a>
<br/>
<br/>
<a href="logout.aspx">Log out</a>
</form>
</body>
</html>
Then, once the user logs in, they are able to view the text file. But if they go back to the default page and log out, and then click on the download link again, they can still see the file.
Code:
<%@ Page Language="VB" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Web.Security" %>
<html>
<head>
<title>Login Page</title>
<script runat="server">
Sub Login_Click(Sender As Object, e As EventArgs)
    Dim LoginDS As DataSet
    ' Cache the user list; the CacheDependency evicts it when Users.xml changes
    If Cache("LoginDS") Is Nothing Then
        LoginDS = New DataSet()
        LoginDS.ReadXml(Server.MapPath("Users.xml"))
        Cache.Insert("LoginDS", LoginDS, New CacheDependency(Server.MapPath("Users.xml")))
    Else
        LoginDS = CType(Cache("LoginDS"), DataSet)
    End If
    ' Escape single quotes so the typed e-mail cannot alter the filter expression
    Dim Filter As String = "Email='" & Email.Text.Replace("'", "''") & "'"
    Dim LoginRow() As DataRow = LoginDS.Tables(0).Select(Filter)
    If LoginRow.Length > 0 Then
        ' Users.xml stores the SHA1 hex digest of the password, so hash the input the same way
        If LoginRow(0).Item("Password").ToString = _
           FormsAuthentication.HashPasswordForStoringInConfigFile(Password.Text, "SHA1") Then
            ' Issues the forms authentication ticket cookie and sends the user back to ReturnUrl
            FormsAuthentication.RedirectFromLoginPage(Email.Text, Persist.Checked)
        Else
            Message.Text = "Incorrect Password!"
        End If
    Else
        Message.Text = "Email not found. Have you <a href='register.aspx?page=" _
            & Server.UrlEncode(Request.RawUrl) & "'>registered</a>?"
    End If
End Sub
</script>
</head>
<body>
<form runat="server">
<table border="0">
<tr>
<td>Email: </td>
<td><asp:textbox id="Email" runat="server"/></td>
</tr>
<tr>
<td>Password: </td>
<td><asp:textbox id="Password" textmode="Password" runat="server"/></td>
</tr>
<tr>
<td>Persist Authentication Cookie?</td>
<td><asp:checkbox id="Persist" checked="False" runat="server"/></td>
</tr>
<tr>
<td><asp:button text="Submit" onclick="Login_Click" runat="server"/></td>
<td><input type="reset" value="Cancel" runat="server"/></td>
</tr>
</table>
<asp:label id="Message" forecolor="Red" runat="server"/>
</form>
</body>
</html>
Here's the logout page:
Code:
<%@ Page Language="VB" %>
<%@ Import Namespace="System.Web.Security" %>
<html>
<head>
<title>Logout Page</title>
<script runat="server">
Sub Page_Load(Sender As Object, e As EventArgs)
    ' Removes the forms authentication cookie from the browser
    FormsAuthentication.SignOut()
    Message.Text = "You have been logged out."
End Sub
</script>
</head>
<body>
<asp:label id="Message" runat="server"/>
</body>
</html>
I know my flow of execution is screwy--this is just an example, but could that be part of the problem? The problem seems to be my misunderstanding about what FormsAuthentication.RedirectFromLoginPage(Email.Text, Persist.Checked) and FormsAuthentication.SignOut() do. In my config file, I have set the timeout property to 5 min. in the form element, but the login seems to remain in effect for longer than 5 minutes. Can someone explain what's going on to me?


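Two facts about forms authentication explain most of what the post describes, and the added page below (an editorial example, not the poster's code) works around both. First, the forms authentication ticket is self-contained: RedirectFromLoginPage writes it into a cookie, and SignOut only tells the browser to drop that cookie; nothing is invalidated on the server, and in ASP.NET 1.x a persistent cookie (Persist.Checked = True) is written with a long expiry that the timeout attribute does not apply to. Second, in the IIS/ASP.NET 1.x setup implied by the VS.NET 7.0 markup, a static .txt file is served by IIS directly unless the extension is mapped to aspnet_isapi.dll, so the FormsAuthenticationModule never sees the request, and a copy that the browser already cached is returned even after logout. The example serves the file through an .aspx page instead, checks the authenticated principal itself, restricts the file name to an allow-list and sends no-cache headers. The names download.aspx, the files/ subdirectory, the query-string parameter name and the allow-list contents are assumptions for this example.

```vb
<%@ Page Language="VB" %>
<%@ Import Namespace="System.Web.Security" %>
<script runat="server">
    ' Added example (not from the original post): download.aspx serves a
    ' protected file through ASP.NET so that forms authentication is enforced.
    ' Assumes the file lives under ./files/ and that web.config denies
    ' anonymous users ("?") access to this page.
    Sub Page_Load(Sender As Object, e As EventArgs)
        ' Re-check the principal even though web.config should already have
        ' redirected anonymous users; a missing or expired ticket leaves
        ' User.Identity.IsAuthenticated = False.
        If Not User.Identity.IsAuthenticated Then
            Response.Redirect("login.aspx?ReturnUrl=" & Server.UrlEncode(Request.RawUrl))
            Return
        End If

        ' Serve only a fixed allow-list of names; never build the path from
        ' raw user input (blocks ..\web.config and similar traversal).
        Dim allowed As String() = {"ProtectMe.txt"}
        Dim name As String = Request.QueryString("name")
        If name Is Nothing OrElse Array.IndexOf(allowed, name) < 0 Then
            Response.StatusCode = 404
            Response.End()
        End If

        Dim path As String = Server.MapPath("files/" & name)

        ' Forbid browser and proxy caching; otherwise the file is still
        ' readable straight from cache after SignOut.
        Response.Cache.SetCacheability(HttpCacheability.NoCache)
        Response.Cache.SetNoStore()
        Response.AppendHeader("Pragma", "no-cache")

        Response.ContentType = "text/plain"
        Response.AppendHeader("Content-Disposition", "attachment; filename=" & name)
        Response.WriteFile(path)
        Response.End()
    End Sub
</script>
```

Point the Download link at download.aspx?name=ProtectMe.txt and deny anonymous users for that page in web.config (a `<location path="download.aspx">` with `<authorization><deny users="?"/></authorization>`). On the logout page, follow SignOut() with the same no-cache headers so the logout response and the page that links to the file are not served from cache either. If a five-minute limit has to hold even for "remembered" users under 1.x, do not issue a persistent cookie; the timeout value is a sliding window that is renewed while the user keeps making requests, so it only measures idle time, and a ticket that was copied out of the cookie stays valid until its own expiry regardless of SignOut.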