Click here to Skip to main content
15,867,704 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
When I logged into the web and clicked on Login, it was navigating to the Login page, but it adds 'ReturnUrl=%2f' to the URL. For example, authentication.aspx?ReturnUrl=%2fAXERP-UAT%2fsubsystem%2fmain_menu.aspx.
After Login, it should point to this page subsystem/main_menu.aspx.

Can anyone help me? Thanks a lot.

What I have tried:

web.config
XML
<appSettings>
    <add key="ConnectionString" value="AX-UAT;Integrated Security=false;
    Initial Catalog=SBG_AX_2020;User ID=sbax;Password=sbax;
    Connection TimeOut=99999" />
  </appSettings>

<authentication mode="Forms">
      <forms name="AXERP-UAT" loginUrl="authentication.aspx" 
      protection="All" path="/" timeout="1500" />
    </authentication>
    <authorization>
      <deny users="*" />
    </authorization>

CODING C#
C#
protected void authenticate(object sender, EventArgs e)
    {
        if (txtUsername.Text == null | txtUsername.Text == string.Empty)
        {
            ClientScript.RegisterStartupScript(this.GetType(), 
            "alert", "alert('Error? Please enter email address');", true);
            return;
        }

        if (txtPassword.Text == null | txtPassword.Text == string.Empty)
        {
            ClientScript.RegisterStartupScript(this.GetType(), 
                  "alert", "alert('Error? Please enter password');", true);
            return;
        }

        SqlConnection con_Check_UserData = 
         new SqlConnection(ConfigurationSettings.AppSettings["ConnectionString"]);
        SqlCommand cmd_Check_UserData = new SqlCommand();
        try
        {
            cmd_Check_UserData.CommandText = 
                "select * from VIEW_LOGIN where username = '" + 
                 txtUsername.Text + "' and password = '" + 
                 txtPassword.Text + "'";
            cmd_Check_UserData.Connection = con_Check_UserData;
            con_Check_UserData.Open();
            System.Data.SqlClient.SqlDataReader rd_Check_UserData = 
                                  cmd_Check_UserData.ExecuteReader
            (System.Data.CommandBehavior.CloseConnection);
            if (rd_Check_UserData.HasRows)
            {
                while (rd_Check_UserData.Read())
                {
                    rd_Check_UserData.Read();
                    ClientScript.RegisterStartupScript(this.GetType(), 
                    "alert", "alert('Login Successful');", true);
                    Response.Redirect("subsystem/main_menu.aspx");

                    FormsAuthentication.RedirectFromLoginPage
                              (txtUsername.Text.ToLower(), false);
                }
            }
            else
            {
                ClientScript.RegisterStartupScript(this.GetType(), 
                     "alert", "alert('Invalid Username/ Password');", true);
                return;
            }
        }
        catch (Exception ex)
        {
            con_Check_UserData.Close();
            Lbl_Message.Text = ex.Message;
            //Response.Redirect("main_menu.aspx");
            return;
        }
        finally
        {
            con_Check_UserData.Close();
        }

        con_Check_UserData.Dispose();
        cmd_Check_UserData.Dispose();
        con_Check_UserData = null;
        cmd_Check_UserData = null;
    }
Posted
Updated 26-Feb-22 5:40am
v3

That's exactly what the ReturnUrl is pointing to. It just has to be encoded to be used in a querystring parameter.

But you have more serious issues to deal with:

Your code is vulnerable to SQL Injection[^]. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

NEVER store passwords in plain text:
Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^]

And why are you re-inventing the wheel? ASP.NET has several perfectly good authentication systems built-in - for example, ASP.NET Identity[^]


Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]
 
Share this answer
 
Comments
Member 13318869 19-Mar-18 4:44am    
"That's exactly what the ReturnUrl is pointing to. It just has to be encoded to be used in a querystring parameter."
What do u mean by this? I dont understand. Sorry............
Richard Deeming 19-Mar-18 7:35am    
HTML URL Encoding Reference[^]

Decoded, your return URL is:
/AXERP-UAT/subsystem/main_menu.aspx
Member 13318869 19-Mar-18 21:48pm    
Done, but it still not working for me.
Richard Deeming 20-Mar-18 8:00am    
What do you mean by "not working"? The return URL you've shown is exactly what you said you want it to be. What's the problem?
C#
cmd_Check_UserData.CommandText = "select * from VIEW_LOGIN where username = '" + txtUsername.Text + "' and password = '" + txtPassword.Text + "'";

Not a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]
 
Share this answer
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900