Folder security and Redirection

Discussion in 'ASP.NET / ASP.NET Core' started by vinodkumar, Jun 29, 2005.

Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.
  1. Hi ,

    I am trying to implement folder-based security based on roles, and it is working fine for me locally with the following code, but when I upload it to the server, which is running Windows 2003, it does not work.

    I am enclosing the contents of my web.config, login page and global.asax file; can anyone help me out with this?

    Thanks a lot in advance..


    web.config
    =============
    My connection string is working fine. I have not included it here.


    <configuration>
      <!-- application specific settings -->
      <appSettings>
        <!-- connection string value omitted by the poster -->
        <add key="ConnectionString" value="[omitted]" />
      </appSettings>

      <system.web>
        <compilation debug="true" />

        <authentication mode="Forms">
          <forms name="CommerceAuth" loginUrl="aa/alfa/wc_signin.aspx" protection="All" path="/" />
        </authentication>

        <customErrors mode="Off" defaultRedirect="bb/beta/wc_calendar.aspx" />
        <sessionState mode="InProc" />
        <globalization fileEncoding="utf-8" requestEncoding="utf-8" responseEncoding="utf-8"/>
      </system.web>

      <location path="aa/alfa">
        <system.web>
          <authorization>
            <allow roles="Admin"/>
            <deny users="*"/>
          </authorization>
        </system.web>
      </location>

      <location path="bb/beta">
        <system.web>
          <authorization>
            <allow roles="Users"/>
            <deny users="*"/>
          </authorization>
        </system.web>
      </location>
    </configuration>



    Signin page
    =================
    Imports System.Data
    Imports System.Data.SqlClient
    Imports System.Configuration
    Imports System.Web
    Imports System.Web.Security

    Private Sub signinbtn_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles signinbtn.Click

        Dim accountSystem As New customerdb
        Dim userId As Integer = accountSystem.Login(email.Text, accountSystem.Encrypt(password.Text))
        Dim cart As New shoppingcart
        Dim tempCartId As String = cart.GetShoppingCartId()
        If Not userId = -1 Then
            cart.MigrateCart(tempCartId, userId)

            FormsAuthentication.Initialize()
            Dim cmd As SqlCommand
            'Create the Connection here
            Dim conn As New SqlConnection(ConfigurationSettings.AppSettings("connectionString"))
            cmd = conn.CreateCommand()
            'Look up the role with a parameterised query: the e-mail address and the
            'encrypted password are bound as parameters rather than concatenated into the SQL text
            cmd.CommandText = "SELECT DISTINCT Role FROM wc_customer WHERE eMailaddress=@email AND password=@password"
            cmd.Parameters.Add("@email", SqlDbType.NVarChar).Value = Trim(email.Text)
            cmd.Parameters.Add("@password", SqlDbType.NVarChar).Value = accountSystem.Encrypt(password.Text)
            conn.Open()
            Dim reader As SqlDataReader
            reader = cmd.ExecuteReader()
            Try
                If (reader.Read()) Then
                    'Create the Ticket Information here
                    Dim ticket As FormsAuthenticationTicket
                    'Create a new ticket used for authentication; the role goes into UserData
                    ticket = New FormsAuthenticationTicket(1, Trim(email.Text), DateTime.Now, DateTime.Now.AddMinutes(30), True, reader.GetString(0), FormsAuthentication.FormsCookiePath)
                    'Encrypt the ticket for transport in the cookie
                    Dim hash As String
                    hash = FormsAuthentication.Encrypt(ticket)
                    'Create the Cookie
                    Dim cookie As HttpCookie
                    cookie = New HttpCookie(FormsAuthentication.FormsCookieName, hash)
                    If ticket.IsPersistent Then
                        cookie.Expires = ticket.Expiration
                    End If
                    'Add the cookie to the list for outgoing response
                    Response.Cookies.Add(cookie)
                    'Check whether UserRole is Admin/Users
                    If ticket.UserData = "Admin" Then 'Admin will have rights to login in Control Panel
                        Response.Redirect("http://www.aa.com/aa/alfa/cpa.aspx")
                    Else
                        Response.Redirect("http://www.aa.com/bb/beta/a.aspx")
                    End If
                End If
            Finally
                'Release the reader and the connection even when Redirect ends the request
                reader.Close()
                conn.Close()
            End Try
        Else
            Message.Text = "<br>Login Failed!<br>"
        End If
    End Sub


    Global.asax
    ==============

    Imports System.Web
    Imports System.Web.Security

    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)

        If (Not (HttpContext.Current.User Is Nothing)) Then
            If HttpContext.Current.User.Identity.AuthenticationType = "Forms" Then
                Dim id As System.Web.Security.FormsIdentity
                id = CType(HttpContext.Current.User.Identity, System.Web.Security.FormsIdentity)
                Dim ticket As FormsAuthenticationTicket
                ticket = id.Ticket
                'UserData holds the role name that the signin page stored in the ticket
                Dim userdata As String
                userdata = ticket.UserData
                Dim roles() As String
                'Split uses a space as the default delimiter; a single role such as "Admin" gives one element
                roles = Split(userdata)
                'Replace the principal so that <allow roles="..."/> rules in web.config can see the role
                HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(id, roles)
            End If
        End If
    End Sub

    Sub Session_Start(ByVal sender As Object, ByVal e As EventArgs)
        ' Fires when the session is started
        ' Expires every cookie sent with this request, which includes the
        ' forms authentication cookie (CommerceAuth) if it is present
        Dim aCookie As HttpCookie
        Dim i As Integer
        Dim limit As Integer = Request.Cookies.Count - 1
        For i = 0 To limit
            aCookie = Request.Cookies(i)
            aCookie.Expires = DateTime.Now.AddDays(-1)
            Response.Cookies.Add(aCookie)
        Next

    End Sub



    This code is working fine on the local system, where we are using Windows 2000, but the server is 2003. Can anyone shed some light on it...


    Regards
    Vinod
     
  2. Bruce

    Bruce DiscountASP.NET Staff

  3. Hi,


    I wanted to say that if, say, I have a sign-in page where I enter my login information, then based on my login information it should redirect me to the corresponding page.


    I also want some one to check my code to see if anything is wrong.


    My explanation is as follows





    If I am an admin it should redirect me to, say, http://localhost/alfa/secure1/one.aspx


    where secure1 is a folder which is accessible only to Admins. Now what I get is something like this:


    If I give my login and password on the following page


    http://localhost/alfa/signin.aspx


    even if I give my correct login and password, it will attach the URL like this and show up on the same page:


    http://localhost/alfa/sigin.asp?ReturnUrl=%2fsecure1%2signin.aspx


    The paths are correct, even though I might have specified them wrong in this example.





    Regards


    Vinod
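To see why a sign-in page placed inside a role-restricted folder bounces back to itself with a ReturnUrl pointing at the sign-in page (the symptom described above), here is an added Python model of how ASP.NET URL authorization decides a request: rules from the most specific `<location>` are evaluated before the parent's rules, the first matching rule wins, `*` matches everyone and `?` matches anonymous callers, and a denied request is redirected to `loginUrl` with `ReturnUrl` appended. This is example code written for this thread, not the poster's code and not ASP.NET itself; the absolute paths, the `FIXED_LOCATIONS` carve-out for the login page and the user and role names are assumptions, mirroring the web.config posted in the first message.

```python
"""Model of ASP.NET URL authorization (first matching rule wins) plus the
forms-authentication redirect, applied to the thread's posted <location>
rules. Constructed example; paths and names are assumptions."""
from urllib.parse import quote

# A rule is (action, kind, value): action "allow"/"deny", kind "users"/"roles".
# For kind "users", "*" matches everyone and "?" matches anonymous callers.
ROOT_RULES = [("allow", "users", "*")]  # the rule the root configuration contributes last


def evaluate(rules, user, roles):
    """Walk the rules in order; the first rule that matches decides."""
    for action, kind, value in rules:
        if kind == "users":
            matched = value == "*" or (value == "?" and user is None) or value == user
        else:
            matched = value in roles
        if matched:
            return action == "allow"
    return True  # no rule matched: access is allowed


def effective_rules(locations, request_path):
    """Rules of the most specific <location> come first, then less specific
    ones, then the root rules (the way ASP.NET merges configuration)."""
    merged = []
    for path in sorted(locations, key=len, reverse=True):
        if request_path == path or request_path.startswith(path.rstrip("/") + "/"):
            merged.extend(locations[path])
    return merged + ROOT_RULES


def handle_request(locations, login_url, request_path, user=None, roles=()):
    """Return ("ok", path) when the page is served, otherwise ("redirect", url)
    carrying the ReturnUrl that forms authentication appends."""
    if evaluate(effective_rules(locations, request_path), user, roles):
        return ("ok", request_path)
    return ("redirect", login_url + "?ReturnUrl=" + quote(request_path, safe=""))


# The <location> blocks and loginUrl from the posted web.config (paths made absolute).
POSTED_LOCATIONS = {
    "/aa/alfa": [("allow", "roles", "Admin"), ("deny", "users", "*")],
    "/bb/beta": [("allow", "roles", "Users"), ("deny", "users", "*")],
}
LOGIN_URL = "/aa/alfa/wc_signin.aspx"

# Assumed fix: give the login page its own <location> that allows everyone, so an
# anonymous visitor can reach it; every other page under /aa/alfa stays Admin-only.
FIXED_LOCATIONS = dict(POSTED_LOCATIONS)
FIXED_LOCATIONS[LOGIN_URL] = [("allow", "users", "*")]


def login_page_loop(locations):
    """True when an anonymous request for the login page is redirected back to
    the login page itself (the ReturnUrl loop)."""
    status, target = handle_request(locations, LOGIN_URL, LOGIN_URL)
    return status == "redirect" and target.startswith(LOGIN_URL + "?ReturnUrl=")


if __name__ == "__main__":
    print("posted config loops:", login_page_loop(POSTED_LOCATIONS))
    print("fixed config loops: ", login_page_loop(FIXED_LOCATIONS))
    print(handle_request(FIXED_LOCATIONS, LOGIN_URL, "/aa/alfa/cpa.aspx", "vinod", ("Users",)))
```

With the posted rules, an anonymous request for `/aa/alfa/wc_signin.aspx` hits `<deny users="*"/>` in the `aa/alfa` location before any root rule is reached, so the login page is itself off limits and the redirect carries its own path as `ReturnUrl`. The carve-out modelled by `FIXED_LOCATIONS` corresponds to adding a `<location path="aa/alfa/wc_signin.aspx">` block with `<allow users="*"/>` (or keeping the sign-in page outside the restricted folders). Rule order matters too: putting `<deny users="*"/>` ahead of `<allow roles="Admin"/>` would lock out the administrators as well.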
     
  4. Bruce

    Bruce DiscountASP.NET Staff

    OK.. I think the problem is that /secure1 and /alfa are two different applications.

    Your web.config says the login page is in /secure1/signin.aspx, but after you authenticate the user at /alfa

    Bruce

    DiscountASP.NET
    www.DiscountASP.NET
     
  5. Hi Bruce.


    secure1 and alfa are two different folders in the main application.

    Login page is in
    /secure1/signin.aspx

    and if the user is validated, he should be directed to the corresponding page based on his role;

    it might be alfa or some other folder.


    Vinod
     
  6. Bruce

    Bruce DiscountASP.NET Staff

    Are secure1 and alfa in the same application scope?

    Authentication only works with pages in the same scope.

    Bruce

    DiscountASP.NET
    www.DiscountASP.NET
     