Hi all, I have set up my login page with three roles: admin, employee, user. When I log in as admin it redirects to Admin/Default.aspx, when I log in as employee it redirects to Employee/Default.aspx, and when I log in as user it redirects to User/Default.aspx; I mean all the functionality of these 3 roles is working fine. And suppose I have created a new user, say Sumit, to whom I have not given any role; in this case it should have been redirected to the Default.aspx page, but instead it redirects to the User/Default.aspx page. Could somebody help me please, what is the reason? Here is my entire code:

Login.aspx.cs:

    protected void Login1_LoggedIn(object sender, EventArgs e)
    {
        // The credentials are stored in Session; the role is read back from Session below
        Session["UserName"] = Login1.UserName;
        Session["Password"] = Login1.Password;
        string username = Login1.UserName.Trim();
        string password = Login1.Password.Trim();
        LoginBusinessLayer LB = new LoginBusinessLayer();
        try
        {
            if (LB.GetLogin(username, password) == true)
            {
                if (Session["RoleName"].Equals("admin"))
                {
                    FormsAuthentication.RedirectFromLoginPage(Login1.UserName, false);
                    Response.Redirect("Admin/Default.aspx");
                }
                else if (Session["RoleName"].Equals("employee"))
                {
                    FormsAuthentication.RedirectFromLoginPage(Login1.UserName, false);
                    Response.Redirect("Employee/Default.aspx");
                }
                else if (Session["RoleName"].Equals("user"))
                {
                    FormsAuthentication.RedirectFromLoginPage(Login1.UserName, false);
                    Response.Redirect("User/Default.aspx");
                }
                else
                {
                    Response.Redirect("Default.aspx"); // Control is not coming in this else part
                }
            }
        }
        catch (SqlException ex)
        {
            Response.Write(ex.Message);
        }
        finally
        {
            LB = null;
        }
    }

BusinessLayer.cs:

public class LoginBusinessLayer
{
    // The parameters are passed through to GetUser, whose return value is discarded
    public bool GetLogin(string userid, string userrole)
    {
        LoginDataLayer LD = new LoginDataLayer();
        LD.GetUser(userid, userrole);
        return true;
    }
}

DataLayer.cs:

using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public class LoginDataLayer
{
    SqlConnection con;
    SqlCommand com;
    SqlDataReader dr;
    string check;

    public bool GetUser(string userid, string rolename)
    {
        // The lookup uses the user name stored in Session, not the method parameters
        if (HttpContext.Current.Session["UserName"] != null)
        {
            con = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
            con.Open();
            // The user name is concatenated straight into the SQL text
            check = "Select ur.UserId,ur.UserName,rl.RoleName from aspnet_Users as ur,aspnet_Roles rl,aspnet_UsersInRoles as ir where ur.UserName = '" + HttpContext.Current.Session["UserName"] + "' and ur.UserId=ir.UserId and ir.RoleId=rl.RoleId";
            com = new SqlCommand(check, con);
            dr = com.ExecuteReader(CommandBehavior.CloseConnection);
            while (dr.Read())
            {
                if (dr.HasRows)
                {
                    HttpContext.Current.Session["UserId"] = dr["UserId"].ToString();
                    HttpContext.Current.Session["RoleName"] = dr["RoleName"].ToString();
                    return true; // returns with the reader and connection still open
                }
            }
            con.Close();
        }
        return false;
    }
}

The above red-highlighted code is not working. Your reply is highly appreciated. Thanks, Sumit

+1  A: 

Oh crap! How come your Data Layer knows about HttpContext & stuff? Why do you keep user information in Session? Didn't you know about 'IPrincipal.IsInRole()'?

Anton Gogolev
Anton is right. You'll need to check the thread context, if it's in the Data Access Layer. You don't really want to have HttpContext crap on that layer. Also, use the Cache for storing information if you need to, not Session ... but that's a bit beyond the scope of the question IMO.
Pure.Krome
A: 

In the else part try this one: ("~/Default.aspx")

    else
    {
        Response.Redirect("~/Default.aspx"); // Control is not coming in this else part
    }

A: 

There are multiple issues with this code, none of which tell me why your role name is not being set. What value is in Session["RoleName"]? My guess is User. :)

Now for some of the code. You shouldn't be using Session to pass down information to your business layer. You have method parameters, so use them. Currently you just ignore them.

You have a nice little SQL injection possibility. You are taking untrusted user data (Login1.Text) and placing it directly into your SQL command. This is bad, bad, bad. Rewrite this using SqlParameters.

You don't close your SQL connection if you find the user. You just return. Use a using statement to wrap your connection object so that the connection is closed properly.

You call GetLogin with username and password, although the method parameters are username and rolename. But that's ok, because you ignore them anyway. :) You should be using the user name and password to look up the rolename. You should be hashing the password and comparing against a stored hashed password. Your GetLogin should return some user class or at the least the role name.

You are ignoring the return value from GetUser so even if you don't find the user you say you do.

So to answer your question, I don't know why your role name is set to user; most likely that is what is stored in the DB. However, you really need to fix these other issues.

Daniel
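As an added example (not code from the question or from either answer), here is the lookup reworked along the lines of Daniel's points above (a SqlParameter instead of string concatenation, `using` around the connection and command, the role name returned to the caller instead of being written to Session) together with Anton's point that pages should authorize through IPrincipal.IsInRole rather than trusting a Session value. It assumes the aspnet_Users / aspnet_Roles / aspnet_UsersInRoles tables and the "ConnectionString" entry from the question; the method name GetRoleName, the class names and the Admin/Employee/User folders are illustrative placeholders.

```csharp
// Added example, not the asker's or the answerers' code. Assumes the aspnet_*
// tables and the "ConnectionString" entry from the question; GetRoleName and the
// page class names are placeholders.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;
using System.Web.UI;

public class LoginDataLayer
{
    // Returns the user's role name, or null when the user has no role (or does
    // not exist). Nothing is read from or written to Session in this layer.
    public string GetRoleName(string userName)
    {
        const string sql =
            "SELECT TOP 1 rl.RoleName " +
            "FROM aspnet_Users ur " +
            "JOIN aspnet_UsersInRoles ir ON ir.UserId = ur.UserId " +
            "JOIN aspnet_Roles rl ON rl.RoleId = ir.RoleId " +
            "WHERE ur.UserName = @UserName";

        string cs = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
        using (SqlConnection con = new SqlConnection(cs))
        using (SqlCommand com = new SqlCommand(sql, con))
        {
            // Bound as a typed parameter: quotes in the user name are just data,
            // never part of the SQL text.
            com.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            con.Open();
            object result = com.ExecuteScalar();   // null when no row matched
            return result == null || result == DBNull.Value ? null : (string)result;
        }   // connection and command are disposed on every exit path, exceptions included
    }
}

// Login.aspx.cs (Login1 is the Login control declared in the page markup).
public partial class LoginPage : Page
{
    // LoggedIn fires only after the Login control's membership provider has
    // accepted the password, so this handler only chooses the landing page.
    protected void Login1_LoggedIn(object sender, EventArgs e)
    {
        string role = new LoginDataLayer().GetRoleName(Login1.UserName);
        string target;
        switch (role)   // a null role (user with no role assigned) falls through to default
        {
            case "admin":    target = "~/Admin/Default.aspx";    break;
            case "employee": target = "~/Employee/Default.aspx"; break;
            case "user":     target = "~/User/Default.aspx";     break;
            default:         target = "~/Default.aspx";          break;
        }
        // Issue the forms-authentication ticket without redirecting, then redirect once.
        FormsAuthentication.SetAuthCookie(Login1.UserName, false);
        Response.Redirect(target);
    }
}

// Admin/Default.aspx.cs: the redirect above is only navigation. The protected
// page enforces the role itself through IPrincipal.IsInRole, which the role
// manager resolves from the authenticated identity on each request.
public partial class AdminDefault : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.Identity.IsAuthenticated || !User.IsInRole("admin"))
        {
            Response.Redirect("~/Default.aspx");
        }
    }
}
```

The same per-folder enforcement can be declared instead of coded, with an `<authorization>` section in the Admin folder's web.config that allows the admin role and denies everyone else; the point in either form is that the landing-page redirect decides where a user goes, not what they may see.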