Database Storage with the ASP.NET Web Matrix: Update Page - Taking Care of Security
(Page 4 of 4)
After your exhaustive testing, you may have noticed a pretty severe security issue that affects both of the pages in our private folder: the unsubscribe page from the previous article and the update page we have just created. Say you have two registered users, Bob and Bill. As our pages stand, once Bob has logged in he can type Bill's name into the form and update Bill's password, effectively locking him out of the private folder, or unsubscribe Bill and remove him from the database altogether. Logging in proves who Bob is (authentication), but neither page checks that the row Bob is about to change is his own (authorization). We need a way of ensuring that users can only update their own information, and this means that our pages need to know the identity of the current user. Fortunately, ASP.NET has a built-in security infrastructure that you can use in your web applications to obtain the name of the currently logged-in user.
To make use of this feature, you need to add just a small bit of code to each of the pages in the private folder. On the current page, encapsulate the existing If statement with the following code:
If txtUsername.Text = HttpContext.Current.User.Identity.Name Then
    ' rest of the existing statement block (the database update)
Else
    lblUsernameError.Text = "You are not authorized to perform that action"
End If
This is an article about using the ASP.NET Web Matrix to produce dynamic web pages easily and quickly. It is not about the inner workings of ASP.NET and it is not a security white paper, so I won't go into things in too great a detail, but basically the HttpContext class gives you access to the User property, which ASP.NET fills in on every request from the forms authentication cookie that was issued when the login succeeded. One of the things it carries is the name of the user who logged in (User.Identity.Name; on a page you can also write Page.User or simply User). Testing this property against the value used in the database query (the Username), we can ensure that users can only update their own information in the database. Two caveats worth knowing: the comparison above is case-sensitive by default in VB.NET, so "bob" and "Bob" are treated as different names even though a SQL Server query with the default collation would match either; and the check only protects you as long as the query really uses the same textbox value that you compared. A sturdier arrangement is to use User.Identity.Name itself as the Username in the UPDATE or DELETE statement and treat the textbox as nothing more than a display field, so there is no submitted value left to forge.
As this is a pretty useful piece of code that you may not want to add by hand to an increasing number of pages, you can create a snippet to add to the snippets collection in the Web Matrix. To do this, highlight the above code (removing the commented line, of course) and right-click it. From the menu that appears, select Add Snippet. Open the My Snippets tool set and you should see a button referring to the code. The name for this code is taken from the first line of the snippet, so it may be wise to rename it to something more memorable, like LoggedInUserName.
To secure the unsubscribe page created in the last article, open unsubscribe.aspx and drag the snippet onto the page. Move the existing If block in between the If and Else lines of the snippet. Test the two pages again and you should find that if you log in as Bob, you can no longer change Bill's password or unsubscribe him.
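As an added example (this is not the article's code, nor output of the Web Matrix wizards), here is the sturdier version of the same idea for both pages, written as a VB.NET code-behind class: the UPDATE and DELETE statements are keyed on User.Identity.Name, so the username typed into the form is only used for a friendly error message and can never select another user's row. The names below are assumptions, not taken from the article: a Users table with Username and Password columns, a connection string stored under the appSettings key "ConnectionString" in web.config, the controls txtUsername, txtPassword and lblUsernameError, and a SHA1 hash produced by FormsAuthentication.HashPasswordForStoringInConfigFile as the stored password format (use whatever transformation your registration page actually applied).

```vbnet
' Added example: authorization keyed on the authenticated identity rather
' than on form input. Assumed names: Users(Username, Password) table,
' appSettings "ConnectionString", controls txtUsername/txtPassword/
' lblUsernameError, SHA1 password hashing as on the registration page.
Imports System
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security
Imports System.Web.UI
Imports System.Web.UI.WebControls

Public Class UpdatePage
    Inherits Page

    Protected txtUsername As TextBox
    Protected txtPassword As TextBox
    Protected lblUsernameError As Label

    ' Name from the forms-authentication ticket, or Nothing when the request
    ' is anonymous, so callers refuse early instead of querying an empty name.
    Public Shared Function CurrentUserName() As String
        Dim user As IPrincipal = HttpContext.Current.User
        If user Is Nothing OrElse Not user.Identity.IsAuthenticated Then
            Return Nothing
        End If
        Return user.Identity.Name
    End Function

    ' The article's check, kept only to give the user a clear message.
    ' Case-insensitive, so "bob" and "Bob" are not treated as two people
    ' while SQL Server's default collation treats them as one row.
    Public Shared Function IsOwner(ByVal submittedName As String) As Boolean
        Dim current As String = CurrentUserName()
        If current Is Nothing OrElse submittedName Is Nothing Then
            Return False
        End If
        Return String.Compare(submittedName.Trim(), current, True) = 0
    End Function

    Private Shared Function OpenConnection() As SqlConnection
        Dim conn As New SqlConnection(ConfigurationSettings.AppSettings("ConnectionString"))
        conn.Open()
        Return conn
    End Function

    ' Changes the password of the logged-in user only. The WHERE clause uses
    ' the identity name, so a forged txtUsername cannot reach another row.
    ' Returns rows affected: 1 on success, 0 if the user's row is missing.
    Public Shared Function UpdateOwnPassword(ByVal storedPassword As String) As Integer
        Dim current As String = CurrentUserName()
        If current Is Nothing Then
            Throw New UnauthorizedAccessException("not logged in")
        End If
        Dim conn As SqlConnection = OpenConnection()
        Try
            Dim cmd As New SqlCommand( _
                "UPDATE Users SET Password = @Password WHERE Username = @Username", conn)
            cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 128).Value = storedPassword
            cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 50).Value = current
            Return cmd.ExecuteNonQuery()
        Finally
            conn.Close()
        End Try
    End Function

    ' Same pattern for unsubscribe.aspx: delete only the caller's own row,
    ' then sign out so the cookie of a deleted account cannot keep reaching
    ' the private folder.
    Public Shared Function UnsubscribeSelf() As Integer
        Dim current As String = CurrentUserName()
        If current Is Nothing Then
            Throw New UnauthorizedAccessException("not logged in")
        End If
        Dim conn As SqlConnection = OpenConnection()
        Try
            Dim cmd As New SqlCommand("DELETE FROM Users WHERE Username = @Username", conn)
            cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 50).Value = current
            Dim rows As Integer = cmd.ExecuteNonQuery()
            FormsAuthentication.SignOut()
            Return rows
        Finally
            conn.Close()
        End Try
    End Function

    ' Wired from the markup with OnClick="btnUpdate_Click".
    Public Sub btnUpdate_Click(ByVal sender As Object, ByVal e As EventArgs)
        If Not IsOwner(txtUsername.Text) Then
            lblUsernameError.Text = "You are not authorized to perform that action"
            Return
        End If
        ' Assumption: registration stored a SHA1 hash in this format.
        Dim stored As String = _
            FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Text, "SHA1")
        If UpdateOwnPassword(stored) = 1 Then
            lblUsernameError.Text = "Password updated"
        Else
            lblUsernameError.Text = "Your account could not be found"
        End If
    End Sub
End Class
```

The point to notice is where the username comes from in each query: never from the request. Even if the IsOwner check were removed, Bob's request could only ever touch Bob's row, which is what makes the design robust rather than merely the textbox comparison.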
So you have now used the Web Matrix to facilitate the four basic database operations. Functions utilizing each of these operations have been quickly and easily added through the cunning use of the built-in code wizards. You should by this time have a fully operational web application offering encrypted database storage and a reasonable security process. It's not bullet-proof, but if you're new to ASP.NET, it's not bad going. As you'll have seen, there is one more code wizard that has not yet been explored: the email message function generator. This requires more than just a database to make operational, but the code wizard helps make light work of building this facility into your application.
DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.