Frog frog recommendation: Authentication in Asp.net

Frog frog recommendation: Authentication in Asp.net

I use form-based verification, which is also the most commonly used. I only write the abstract, the source code is too long, but it should not affect the understanding of the Code.

Modify web. config:
<Authentication mode = "forms"/>
User login verification method ,:
Here there are two input controls: user_tb for user input and psw_tb for password input.
Private void button#click (Object sender, system. eventargs E)
{
// User login verification
String IP = system. Web. httpcontext. Current. Request. userhostaddress;
String user_name = user_tb.text;
String user_psw = psw_tb.text;
User_name = user_name.replace ("<", "& lt ;"). replace (">", "& gt ;"). replace ("", "& nbsp ;"). replace ("'","'");
User_psw = user_ps1_replace ("<", "& lt ;"). replace (">", "& gt ;"). replace ("", "& nbsp ;"). replace ("'","'");
If (user_name! = "" | User_psw! = "")
{
Sqlconnection myconn = new

Sqlconnection (string) configurationsettings. appsettings ["connstring"]); // connect to the database
Myconn. open (); // open
String validate_ SQL = "select * From web_user where user_name = '" + user_name + "' and

User_psw = '"+ user_psw + "'";
Sqlcommand validate_com = new sqlcommand (validate_ SQL, myconn );
Sqldatareader validate = validate_com.executereader ();
String temp = "";
While (validate. Read ())
{
Session ["user_name"] = user_name;
Session ["user_flag"] = validate ["user_flag"]. tostring ();
Temp = "yes ";
}
Validate. Close ();
If (temp = "yes ")
{
User_tb.text = "";
Psw_tb.text = "";
System. Web. Security. formsauthentication. redirectfromloginpage (user_name, false );
Response. Redirect ("manage_index.aspx ");

}
Else
{
Response. Write ("<s response> alert ('your username or password is incorrect! '); </SCRIPT> ");
Return;
}
User_tb.text = "";
Psw_tb.text = "";
Myconn. Close ();
}

}
Determine whether the user has logged on:
Private void page_load (Object sender, system. eventargs E)
{
// Determine whether the user has logged on here
If (! System. Web. httpcontext. Current. User. Identity. isauthenticated)
{
Response. Write ("<SCRIPT> alert ('You have not logged on! '); History. Back () </SCRIPT> ");
}
String strusername;

Strusername = system. Web. httpcontext. Current. User. Identity. Name + "<br> + system. Web. httpcontext. Current. User. Identity. isauthentica

Ted ";
Lbiusername. Text = strusername;
// Place user code here to initialize the page
}
User Exit:
Private void linkbutton#click (Object sender, system. eventargs E)
{// Exit
Session ["user_name"] = NULL;
Session ["user_flag"] = NULL;
Session. Clear ();
System. Web. Security. formsauthentication. signout ();
Response. Redirect ("default. aspx ");
}
Supplement:

First, I found that my code has a few shortcomings.
First, this sentence is unnecessary, because the password will not be viewstate.
Psw_tb.text = "";
Secondly, My SQL statement is a dynamically constructed string. In fact, the correct method should be to use parameter-based queries. Although I have replaced the single quotes, the single quotation marks cannot prevent others from using the 8-in-Order Method for SQL injection.

Inbound attack;
There is also this sentence
Response. Redirect ("manage_index.aspx ");
In fact, it should not be switched here. To set the default login page, you should set it in Web. config.
Formsauthentication. redirectfromloginpage (user_name, false );
It means that the system automatically redirects to the page you want to access after logging on. If you want to create a redirection page, you should not use response. Redirect, but rewrite the class;
In addition, I used the ticket and session to verify the ticket at the same time. This is not very good. If you want to maintain user permissions, email and other fields, you should rewrite the user authentication ticket,

Instead of using session to maintain it, I am lazy here.