[dbrook007]

Hi

I have an asp.net 2.0 project and am experiencing a problem.

In the project, I am trying to make use of Membership.

I have one Role, called "Basic User" and two users - "admin" and "test".

"admin" is a member of the Role but "test" is not.

I have only a few pages in the project at the moment: -

• SecurePage.aspx - The page I want only authenticated users that are members of the Role to use.
• Login.aspx - Login page
• Unauthorized.aspx - Informs user that they cannot view the secure page because of a lack of permissions

SecurePage.aspx just contains a ChangePassword control.

Unauthorized.aspx has some text and a LoginStatus control.

So in the SecurePage.aspx, I have this code to handle this: -

Protected Sub form1_Load(ByVal sender As Object, ByVal e As System.EventArgs)

If User.Identity.IsAuthenticated = False Then
Server.Transfer("login.aspx")
End If

If Roles.IsUserInRole("Basic User") = False Then
Server.Transfer("unauthorized.aspx")
End If

End Sub

If I go to the SecurePage and am not authenticated, it transfers me to login.aspx.

If I then login with the user "admin", which is in the Role "Basic User", it works ok.

If I first login with "test", which is NOT in the Role, then I am transfered to the "unauthorized.aspx" page.

However, if I click "Logout" on the LoginStatus control on the "unauthorized" page it refreshes and changes to display "Login".

So, if I then click "Login", I am taken back to the login page. The URL in the address bar at this point is: -

http://localhost:1489/Lesson09/login...uthorized.aspx

If I then login with using "admin" - which is a member of the Role - this is where I get a problem.

Instead of being taken to the SecurePage.aspx as expected, I get taken back to the "unauthorized.aspx" page.

This is obviously wrong.

Now, I know that this should work but does anybody know why it is not working?

Is there some settings or something I need to change on my PC? Am I missing a step or not doing something?

I've checked the obvious things - like that the user was actually in the Role etc.

However, I just cannot get this to work.

I am new to ASP.Net and so I don't really know where to start to look for what the problem is?

I have gone through re-doing the project twice now and I still get the same problem.

For info, I am using: -

- Visual Studio .Net 2005 (Professional) (up to date)
- Latest .Net installed
- Windows XP Pro
- Internet Explorer 6 (version 6.0.2900.2180.xpsp_sp2_gdr.050301-1519) SP2
- Training Video from www.asp.net (asp.net 2.0 - Lesson09 - Bob tabor)

I have tried using "Response.Redirect" but get the same problem.

I would very much appreciate any help or advice on this problem.

Thanks in advance.

Kind regards
Darren Brook
email: darrenbrook@btconnect.com

[koncept]

i am not familiar with this, but when i do logins, i use redirectfromlogin() which is an asp.net function taht i think does the setup...

[dbrook007]

This is an asp.net 2.0 thing.

I am totally new to asp.net and am learning asp.net from v2.0 onwards (so I am not familiar with previous versions).

I have not used the thing you mentioned but the problem I am having relates to a training video. It works in the video but not on my machine.

Any ideas?

thanks
Darren

[koncept]

i think this should help you out. i love their tutorials...
http://aspnet.4guysfromrolla.com/articles/120705-1.aspx (its a multipart series on asp.net authentication stuff)

[Shane]

After you are logging the user out, you are probably redirecting them to a page that blocks unauthorized users. As a result, ASP.NET is trying to send them back to the login page. When that happens it appends the last visited page as the ReturnURL. Once the user logins successfully, the user will be directed to that page (which is unauthorized). That's why you're getting it.

- After they logout, redirect them to a page everyone can see (maybe a login page).

[dbrook007]

Shane - thanks for the reply.

They Logout by clicking the "LoginStatus" control, which is located on the "unauthorized" page - this is the page that just informs the user that they cannot view the "securepage". The unauthorized page has no code or settings to prevent anyone seeing it.

Then, once logged out and the LoginStatus control on the authorized page changed to "Login", I click that and it takes me to the Login page. This is where you get the ReturnUrl in the querystring.

The thing is, this code is from a tutorial on www.asp.net. You can see it working fine in the video on there, and the "ReturnUrl" is passed in the QueryString just as it is on my PC - you can see it in the video. I have downloaded the code - it just does not work the same on my PC.

I think this is the important thing - if that is the same code (and given it's downloadable, there is good reason to believe that it is), why does it work in their video but not on my machine?

Also, if you look at: http://msdn2.microsoft.com/en-US/lib...onpageurl.aspx

There is part of it which says: -

The DestinationPageUrl property specifies the page that is displayed when a login attempt is successful.

The default behavior of the Login control is to return the user to the referring page, or to the page defined in the defaultUrl attribute of the forms element in the Web.config file.

The DestinationPageUrl property overrides the default behavior of the Login control, as well as the defaultUrl setting made in the configuration file.

So, from this, if by a referring page it means where there is a "ReturnUrl" present in the QueryString, you would assume that the project code is correct and SHOULD work.

I have noticed from the videos that the trainer, Bob Tabor, was using version 2.0.50215 of the .Net framework. However, the up-to-date version, which I believe is now in most common use and the one I am using, is version 2.0.50727.

I was wondering if there was some change that Microsoft made to the way the Login control behaves under this scenario between those two versions? It would seem an odd thing to do but... new to asp.net and clutching at straws..

Any ideas?

thanks
Darren

[koncept]

can you post the code of your login page??

[dbrook007]

There is no code on the login page. The only code is on the securepage.aspx

You can view the code at

http://download.microsoft.com/downlo...Lesson09VB.msi

Thanks - Darren

[koncept]

i havent had a lot of time to look at it yet, but it appears you need to "signup" first usng that page, then try thr login page

[dbrook007]

The project works in the training video in the way that I have been describing. The question to solve is why it does not work on my machine.

When the trainer logs in with a user that is in the role (after he has already tried a user that is NOT in the role and sent to the unauthorized.aspx page), he gets sent to the securepage.aspx - even though you can visibly see the ReturnUrl in the address bar pointing to the unauthorized.aspx page. So when he's logged in with the login control, it has put the destinationpageurl property before the returnurl. However, it does not do this on my PC.

Since other videos they have also employ this method for authentication and authorization, I need to know why this does not work in order for me to progress through subsequent training videos.

This is very frustrating.

Any help appreciated

thanks
darren