Login using roles in ASP.NET


Problem description


Hey guys, I have developed a website.
I have two users (Admin and users); I also have two database tables, namely (tableUsers, tableAdmins), so what I want is to check whether the currently logged-in user is admin or student and redirect to their own corresponding pages, like (for admin admin/admin.aspx,
for user home.aspx).
Thank you.

What I have tried:

I just tried to log in, but only users can log in.

string s = ConfigurationManager.ConnectionStrings["RegistrationConnectionString2"].ConnectionString;

protected void LoginButton_Click1(object sender, EventArgs e) {

    if (Page.IsValid) {

        using (SqlConnection con = new SqlConnection(s)) {
            SqlCommand cmd = new SqlCommand("spUserlogin", con);
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.AddWithValue("@username", TextBoxUsername.Text);
            cmd.Parameters.AddWithValue("@password", TextBoxPassword.Text);

            SqlCommand cmd1 = new SqlCommand("spAdminlogin");
            cmd1.CommandType = CommandType.StoredProcedure;

            try {
                con.Open();
                int value = (int)cmd.ExecuteScalar();
                if (value == 1) {

                    if (CheckBox1.Checked) {
                        HttpCookie user = new HttpCookie("user_cookies");       //creating cookie object where user_cookies is cookie name
                        user["New"] = TextBoxUsername.Text;             //cookie content
                        user.Expires = DateTime.Now.AddYears(3);            // give the time/duration of cookie
                        Response.Cookies.Add(user);                     // it gives the response in browser
                    }
                    else {
                        Session["New"] = TextBoxUsername.Text;
                    }
                    Response.Redirect("home.aspx");
                }
                else {
                    Label_Login.Visible = true;
                    Label_Login.Text = "Use Correct username and password";

                }

            }

            catch (Exception ex) {
                labelError.Visible = true;
                labelError.Text = "Something went wrong! Contact your devloper " + ex.Message;
            }
        }
    }

}

Solution

The quick and ugly thing to do would be to alter the Stored Procedure you are calling and have it reference the second table, and return something useful to differentiate if they were found in the User or Admin table.

I neither recommend nor condone this though, and I have a slew of recommendations and/or concerns.

You should have one table for all users to log in against. That table should either have a column to specify a user type (e.g. Role, IsAdmin) or be referenced by another table(s) for roles/permissions.

You are passing the password into your stored procedure in plain text. Is the password in the table plain text as well? Is the connection to the DB server encrypted?
If any of these are true, I would recommend bumping up the security... There are plenty of examples for routines such as BCrypt.

Right now it looks like your Stored Procedure is only returning an integer value of 1, which looks like it means they are allowed in. You could alter the procedure to signify not only if they passed authentication, but what their role is. If they are in what is now the user table, keep returning 1 and follow the current path. But if they were in what is now the Admin table, return a 2 and make a new path for creating their cookie and send them to the Admin.aspx page.

I will give you kudos as well: on authentication failure it does not specify if the username or password was wrong, just that they weren't right.
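
The single-table approach recommended above, as an added example that is not part of the original answer or the poster's code. It assumes one table `tableUsers(Username, PasswordHash, Role)` holding bcrypt hashes, the BCrypt.Net-Next NuGet package, Forms Authentication enabled over HTTPS, and a code-behind class named `Login`; the column names, class name and cookie lifetimes are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.Security;

public partial class Login : System.Web.UI.Page   // class name is an assumption
{
    // Compared against when the username is unknown, so both failure paths cost one bcrypt check.
    static readonly string DummyHash = BCrypt.Net.BCrypt.HashPassword("constructed-placeholder");

    protected void LoginButton_Click1(object sender, EventArgs e)
    {
        if (!Page.IsValid) return;
        string cs = ConfigurationManager.ConnectionStrings["RegistrationConnectionString2"].ConnectionString;
        string hash = null, role = null;

        // Assumed schema: a single table, tableUsers(Username, PasswordHash, Role).
        using (var con = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT PasswordHash, Role FROM tableUsers WHERE Username = @username", con))
        {
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 256).Value = TextBoxUsername.Text;
            con.Open();
            using (var reader = cmd.ExecuteReader())
                if (reader.Read()) { hash = reader.GetString(0); role = reader.GetString(1); }
        }

        // The password is never sent to the database; only the stored hash is read back.
        bool ok = BCrypt.Net.BCrypt.Verify(TextBoxPassword.Text, hash ?? DummyHash) && hash != null;
        if (!ok)
        {
            Label_Login.Visible = true;
            Label_Login.Text = "Use Correct username and password";   // same text for both failures
            return;
        }

        // Signed and encrypted ticket carrying the role, instead of a plain username cookie.
        bool persistent = CheckBox1.Checked;
        var ticket = new FormsAuthenticationTicket(1, TextBoxUsername.Text, DateTime.Now,
            DateTime.Now.AddMinutes(persistent ? 60 * 24 * 14 : 30), persistent, role);   // assumed lifetimes
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
            { HttpOnly = true, Secure = true };
        if (persistent) cookie.Expires = ticket.Expiration;
        Response.Cookies.Add(cookie);

        // Redirect targets come from a fixed mapping, never from user input.
        Response.Redirect(role == "Admin" ? "~/admin/admin.aspx" : "~/home.aspx");
    }
}
```

The redirect is only a convenience: the pages under `admin/` still have to check the role from the ticket on every request, since a user can request `admin/admin.aspx` directly.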

