
I am doing a project in ASP.NET. It uses a login feature which I have implemented with 2 textboxes and a button. Nothing fancy.

So now I have to distinguish which kind of user is logged in, as there are different roles like admin, user, guest...

So what I need to know is what Session["UserAuthentication"] is and what it does... I think that I can add this data to an extra table to log all the sessions... Is this a good approach?

Here is my authentication method:

using System;
using System.Configuration;
using System.Data.SqlClient;

protected void Button1_Click(object sender, EventArgs e)
{
    string username = tbUsername.Text;
    string pwd = tbPassword.Text;
    string s = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;

    using (SqlConnection con = new SqlConnection(s))
    {
        con.Open();
        // Query text built by string concatenation, exactly as posted;
        // the comments below point out that this is open to SQL injection.
        string sqlUserName = "SELECT Username, UserPassword FROM Benutzer WHERE Username ='" + username + "' AND UserPassword ='" + pwd + "'";
        SqlCommand cmd = new SqlCommand(sqlUserName, con);
        string CurrentName = (string)cmd.ExecuteScalar();   // null when no row matches
        if (CurrentName != null)
        {
            Session["UserAuthentication"] = username;
            Session.Timeout = 1;   // session expires after one minute of inactivity
            Response.Redirect("Default.aspx");
        }
        else
        {
            lblStatus.ForeColor = System.Drawing.Color.Red;
            lblStatus.Text = "Benutzername/Password ungültig!";
        }
    }
}
  • Hi man. WTF? sqlUserName = "SELECT Username, UserPassword FROM Benutzer WHERE Username ='" + username + "' AND UserPassword ='" + pwd + "'"; -> So you want someone to delete your DB, right? Commented Mar 12, 2013 at 11:12
  • Aside from your question, I'll suggest to encrypt your passwords stored in the DB. Commented Mar 12, 2013 at 11:17
  • Is this code prone to SQL injection? Commented Mar 12, 2013 at 11:43
  • It's like the best example of how to enable SQL injection. Commented Mar 12, 2013 at 12:16
  • OK lol, I am fairly new to databases... So I read that sanitizing input, using stored procedures and using parameters are good ways to prevent this... But is there like a class which checks for SQL syntax or something like this? I am a little too lazy to do it with regular expressions or the like^^ Commented Mar 12, 2013 at 12:30
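The parameterized form the comments above ask for, as an added example that is not code from the question or the answer: the same login check with typed SqlParameters instead of string concatenation, plus the user's role stored in Session so later pages can tell admin, user and guest apart. It assumes a "Rolle" column on the Benutzer table (not shown in the question) and keeps the plaintext password comparison from the question; a hash comparison would replace that line.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

// Added example, not the asker's code. Assumes the page has the same
// controls as the question (tbUsername, tbPassword, lblStatus) and that
// Benutzer has an assumed "Rolle" column holding "admin", "user" or "guest".
public partial class Login : System.Web.UI.Page
{
    // Returns the role name when the credentials match, or null otherwise.
    private static string AuthenticateUser(string username, string password)
    {
        string cs = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
        const string sql =
            "SELECT Rolle FROM Benutzer WHERE Username = @Username AND UserPassword = @Password";

        using (var con = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, con))
        {
            // The values travel as typed parameters, so a quote or comment
            // sequence in the input is treated as data, never as SQL syntax.
            cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 50).Value = username;
            cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 100).Value = password;
            con.Open();
            return cmd.ExecuteScalar() as string;   // null when no row matches
        }
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        string role = AuthenticateUser(tbUsername.Text, tbPassword.Text);
        if (role == null)
        {
            lblStatus.ForeColor = System.Drawing.Color.Red;
            lblStatus.Text = "Benutzername/Password ungültig!";
            return;
        }
        Session["UserAuthentication"] = tbUsername.Text;
        Session["UserRole"] = role;   // read on other pages to gate admin-only content
        Response.Redirect("Default.aspx");
    }
}
```

On a page that should be admin-only, the check is then `if ((string)Session["UserRole"] != "admin") Response.Redirect("Default.aspx");` in Page_Load, rather than trusting anything sent by the browser.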

1 Answer

Session["UserAuthentication"] is a variable that will hold the value of username globally across all pages for that particular current user.

Yes, you can add the data in a SQL Table. For that you need to add this in your web.config file.

<sessionState mode="SQLServer" sqlConnectionString="data source=yourDataSource;user id=username;password=password" cookieless="false" timeout="20" />

Just in case you are wondering where in the database the SessionId of the variable is stored: for that you need to install the ASPState database on your server, and pass the connection string accordingly in the web.config file as described above.

How to add the ASPState database:
1. Go to this path: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319
2. Here you will find a script named InstallSqlState.sql which you need to execute in your SQL Server.


6 Comments

Does it matter what I write in the brackets? I can't seem to find a list of defined variables. So I can just create my own set of variables and store them in the DB?
OK, thanks for the tips. Do I have to use the ASPState database or can I store session variables within my existing database?
Correct, you can store anything you want in Session and name it anything.
You will have to use the ASPState database... Just run the script that I have mentioned above, which will create a database for you automatically... It's harmless... You can experiment with it and learn more... You don't have to do anything more... Just run the script and add the sessionState in the web.config file. Also mark it as answered if you have got your answer so that it might help others.
OK, one more thing: how do I run the script? I have found it, but I can't seem to find out how to run it. I am using SQL Server Express, if that matters.
