
I've been working on getting a basic VB ASP.NET application put together that uses LDAP to log in, and I have it working. The login page has a form on it for login, but the actual code for the login is inside my web.config file. When the user clicks login, it runs a login validation on LDAP from within my web.config.

What I also need to happen is to have the user's ID number returned to a session variable for use throughout the site. I'm trying to reduce the number of times I have to call the database for small things like User_ID, User_Rights, etc. With that said, I wrote some code for my LoginButton_Click event, but it's not working. I'm posting my login page's .aspx and .aspx.vb code. If you need anything more to help me, please let me know and I will post it for you.

Also, just to let you know: the only thing I use LDAP for is the login. All other queries are done to an MS SQL db.

Thanks in advance for any and all help.

Login.aspx.vb CODE

Imports UserInfo
Imports System.Data.SqlClient

Partial Class Account_Login
    Inherits System.Web.UI.Page

    Dim SQLStr As String = ""
    Private ConnString As String = ""

    Protected Sub LoginButton_Click(sender As Object, e As System.EventArgs)
        If Membership.GetUser.ToString Is Nothing Then
            Try
                ConnString = ConfigurationManager.ConnectionStrings("ProfileConnectionString").ConnectionString
                SQLStr = "SELECT ID FROM tbl_people WHERE username='" & Membership.GetUser.ToString & "'"

                Dim SQLConn As New SqlConnection
                Dim SQLCmd As New SqlCommand
                Dim SQLdr As SqlDataReader

                SQLConn.ConnectionString = ConnString
                SQLConn.Open()

                SQLCmd.Connection = SQLConn
                SQLCmd.CommandText = SQLStr
                SQLdr = SQLCmd.ExecuteReader

                While SQLdr.Read()
                    Session("UserID") = SQLdr("ID")
                End While

                SQLdr.Close()
                SQLConn.Close()
            Catch ex As Exception
                Session("UserID") = ""
            End Try
        Else
            Session("UserID") = ""
        End If

    End Sub
End Class

Login.aspx CODE

<%@ Page Title="Log In" Language="VB" MasterPageFile="~/Site.Master" AutoEventWireup="false"
    CodeFile="Login.aspx.vb" Inherits="Account_Login" %>

<asp:Content ID="HeaderContent" runat="server" ContentPlaceHolderID="HeadContent">
</asp:Content>
<asp:Content ID="BodyContent" runat="server" ContentPlaceHolderID="MainContent">
    <h2>
        Log In
    </h2>
    <asp:Login ID="LoginUser" runat="server" EnableViewState="false" RenderOuterTable="false">
        <LayoutTemplate>
            <span class="failureNotification">
                <asp:Literal ID="FailureText" runat="server"></asp:Literal>
            </span>
            <asp:ValidationSummary ID="LoginUserValidationSummary" runat="server" CssClass="failureNotification" 
                 ValidationGroup="LoginUserValidationGroup"/>
            <div class="accountInfo">
                <fieldset class="login">
                    <legend>Account Information</legend>
                    <p>
                        <asp:Label ID="UserNameLabel" runat="server" AssociatedControlID="UserName">Username:</asp:Label>
                        <asp:TextBox ID="UserName" runat="server" CssClass="textEntry" ></asp:TextBox>
                        <asp:RequiredFieldValidator ID="UserNameRequired" runat="server" ControlToValidate="UserName" 
                             CssClass="failureNotification" ErrorMessage="User Name is required." ToolTip="User Name is required." 
                             ValidationGroup="LoginUserValidationGroup">*</asp:RequiredFieldValidator>
                    </p>
                    <p>
                        <asp:Label ID="PasswordLabel" runat="server" AssociatedControlID="Password">Password:</asp:Label>
                        <asp:TextBox ID="Password" runat="server" CssClass="passwordEntry" TextMode="Password"></asp:TextBox>
                        <asp:RequiredFieldValidator ID="PasswordRequired" runat="server" ControlToValidate="Password" 
                             CssClass="failureNotification" ErrorMessage="Password is required." ToolTip="Password is required." 
                             ValidationGroup="LoginUserValidationGroup">*</asp:RequiredFieldValidator>
                    </p>
                    <p>
                        <asp:CheckBox ID="RememberMe" runat="server"/>
                        <asp:Label ID="RememberMeLabel" runat="server" AssociatedControlID="RememberMe" CssClass="inline">Keep me logged in</asp:Label>
                    </p>
                </fieldset>
                <p class="submitButton">
                    <asp:Button ID="LoginButton" runat="server" CommandName="Login" Text="Log In" 
                        ValidationGroup="LoginUserValidationGroup" onclick="LoginButton_Click"/>
                </p>
            </div>
        </LayoutTemplate>
    </asp:Login>
</asp:Content>

Edited by MaddTechwf: forgot something

Last Post by hollystyles

Your login is vulnerable to SQL Injection attack, tut tut. Use parameters.

' Bind the username as a parameter instead of concatenating it into the SQL text.
SQLStr = "SELECT ID FROM tbl_people WHERE username=@username"
SQLCmd.Parameters.AddWithValue("@username", Membership.GetUser.ToString)
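
An added example, not code from either post: the same lookup written as a replacement code-behind with a typed parameter, `Using` blocks so the connection is closed on every path, and a single `ExecuteScalar` call. Assumptions: `tbl_people.ID` is an integer, `username` is an NVARCHAR column of at most 256 characters, and the value is stored from the Login control's `LoggedIn` event using `LoginUser.UserName`; the helper name `LookupUserId` is hypothetical.

```vb
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient

Partial Class Account_Login
    Inherits System.Web.UI.Page

    ' Hypothetical helper: returns the ID for one username, or Nothing if no row matches.
    Private Shared Function LookupUserId(username As String) As Integer?
        Dim connString As String = ConfigurationManager.ConnectionStrings("ProfileConnectionString").ConnectionString

        Using conn As New SqlConnection(connString)
            Using cmd As New SqlCommand("SELECT ID FROM tbl_people WHERE username = @username", conn)
                ' Explicit type and length (assumed NVARCHAR(256)) so the value is always
                ' sent as data and never becomes part of the SQL text.
                cmd.Parameters.Add("@username", SqlDbType.NVarChar, 256).Value = username

                conn.Open()
                Dim result As Object = cmd.ExecuteScalar()
                If result Is Nothing OrElse result Is DBNull.Value Then Return Nothing
                Return Convert.ToInt32(result) ' assumes ID is an integer column
            End Using
        End Using
    End Function

    ' LoggedIn is raised by the Login control only after authentication has succeeded.
    Protected Sub LoginUser_LoggedIn(sender As Object, e As EventArgs) Handles LoginUser.LoggedIn
        ' Session("UserID") is Nothing when the user has no row in tbl_people.
        Session("UserID") = LookupUserId(LoginUser.UserName)
    End Sub
End Class
```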