Tuesday, November 24, 2009

Creating a Secure Base Page class for ASP.NET Pages

Every web application built on the .NET framework needs authentication as well as authorization. ASP.NET provides two types of authentication providers for web applications, namely the Windows Authentication Provider and the Forms Authentication Provider. I am not going to discuss these types and the various modes of authentication. Instead, I am going to write about how one can implement code to secure web pages, especially pages for which a user login is mandatory.

First, create the page that is supposed to be secured, say AccountDetails.aspx. By default this page inherits from the System.Web.UI.Page class. Now that you have created the page, it is time to add security to it. Add a new class to your application and name it SecureBasePage.CS. This class inherits from the System.Web.UI.Page class. The code looks like this:

    public class SecureBasePage : System.Web.UI.Page
    {
        public SecureBasePage()
        {
        }
    }

So you have created a class that is similar to the System.Web.UI.Page class. Now all you have to do is implement the custom security in this class and inherit your AccountDetails.aspx from SecureBasePage. For the implementation of custom security, I take the help of the Session object: I check whether the current session has a variable called LoggedInUser that is associated with some value. I started by testing for this value in the constructor of SecureBasePage.

    if (Session[ApplicationConstants.SessionVariables.LoggedUserID] == null)
    {
        Response.Redirect("LoginPage.aspx");
    }

While working on this I encountered a huge problem with the Session object. When the Session object is used in the SecureBasePage class constructor, I got the following exception:



Exception Details: System.Web.HttpException: Session state can only be used when enableSessionState is set to true, either in a configuration file or in the Page directive. Please also make sure that System.Web.SessionStateModule or a custom session state module is included in the <configuration> \ <system.web> \ <httpModules> section in the application configuration.


I’ve tried all the possibilities, like:

1) Adding enableSession at the Page directive

2) Adding the session tag under httpModules as shown below

    <httpModules>
        <add name="Session" type="System.Web.SessionState.SessionStateModule"/>
    </httpModules>

3) Adding the pages element to the configuration with the code below

    <pages enableSessionState="true" enableViewState="true" enableViewStateMac="true" validateRequest="false" />

4) And many more that came up when I binged for this error

Finally, I realized that at the time this class's constructor runs, the session has not been created yet. So we have to implement the session validation in one of the other events of the System.Web.UI.Page class. So I’ve written it in the OnInit event:

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (Session[ApplicationConstants.SessionVariables.LoggedUserID] == null)
        {
            Response.Redirect("LoginPage.aspx");
        }
    }

But a problem arose here as well, because the session was still not instantiated with the passed variable. So all you have to do is change the reference from the page's generic Session property to HttpContext.Current.Session:

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // No logged-in user recorded in the session: send the visitor to the login page.
        if (HttpContext.Current.Session[ApplicationConstants.SessionVariables.LoggedUserID] == null)
        {
            Response.Redirect("LoginPage.aspx");
        }
    }

That is solved, and your AccountDetails page is now ready to inherit from SecureBasePage.CS.


What do you say?
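The pieces above assembled into one file, together with a check for the main weakness of the base-page pattern: a page that forgets to inherit from SecureBasePage is silently unprotected. This is an added example, not code from the original post. The ApplicationConstants definition, the null-session guard and the SecurePageAudit helper are assumptions, and the audit assumes a Web Application project whose code-behind classes compile into a single assembly.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web;
using System.Web.UI;

// Assumed shape of the constants class the post refers to; the key string is constructed.
public static class ApplicationConstants
{
    public static class SessionVariables
    {
        public const string LoggedUserID = "LoggedUserID";
    }
}

public class SecureBasePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Session is null when session state is disabled; treat that as "not logged in".
        var session = HttpContext.Current.Session;
        if (session == null || session[ApplicationConstants.SessionVariables.LoggedUserID] == null)
        {
            // Redirect(url) ends the response, so the protected page is never rendered.
            Response.Redirect("LoginPage.aspx");
        }
    }
}

// Code-behind for AccountDetails.aspx: the only change is the base class.
public partial class AccountDetails : SecureBasePage { }

public static class SecurePageAudit
{
    // Hypothetical helper: lists concrete Page types in the assembly that do not derive
    // from SecureBasePage and are not explicitly allowed (for example the login page).
    public static IList<Type> FindUnprotectedPages(Assembly assembly, params Type[] allowedAnonymous)
    {
        return assembly.GetTypes()
            .Where(t => typeof(Page).IsAssignableFrom(t) && !t.IsAbstract)
            .Where(t => !typeof(SecureBasePage).IsAssignableFrom(t))
            .Where(t => !allowedAnonymous.Contains(t))
            .ToList();
    }
}
```

Calling FindUnprotectedPages from a unit test, with the login page's code-behind type passed as the allowed exception, turns a forgotten base class into a failing build instead of an exposed page.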

Friday, November 13, 2009

Tools I’ve installed

 

Today, I had to format my system. After the successful installation, the following are the tools of my choice to install.

WinMail from Live.com

Windows LiveWriter from Live.com

msdnReader from this link

The Architecture Journal from this link. This link is not working, but if you go to the archives, you might find it. If you fail to download it there, then drop me a mail. I’ll try to upload it to some free upload source.

Xobni for Outlook

I started using Pidgin for multi chat client, but now moved to .

An RSS tool, FeedDemon from Newsgator

for local language typing.

Twhirl for following my tweets from Twitter as well as , a Telugu twitter

Seven types of browsers: IE, FF, Opera, Flock, Apple Safari, Chrome and Wyzo (liked it just because of the picture search tool)

I am a .NET developer, so Visual Studio 2008 along with SQL Server 2005

I am also a community person, so to support or reach directly onto the systems away from me and the folks across the globe, I use Team Viewer.

Hope I’ve not missed any; I’ll keep you posted if I missed any

Thursday, November 05, 2009

Firefox file full path – Security Issue

When you use file upload through either ASP:FileUpload or an HTML input control of type file, Firefox doesn’t give you the full path of the selected file. For this purpose I have used both the controls as shown below:

    <asp:FileUpload ID="fleUpLd" runat="server" />

    <input type="button" id="btnDD" value="File - Upload " />

Now that I’ve used both, I tried to get the full path of the selected file. Well, you’ll get the full path of the selected file when this page is viewed in IE, but not in Firefox. I did a full search on the net for getting the full path of the file, but my search went in vain.


There are many snippets that made some attempt to showcase the full file path, something like using the onchange event with the help of this.value, but that would also show you only the file name when fired in FF. The code is something like the below:

<input type="file" name="upload1" id="upload" onchange="alert(this.value);" />

According to Firefox at this link, they consider this requirement a security breach, and they have made it clear that their browser has overcome the breach by not showing the client-side full path of the file. In their words,



..the entire path of the file was available to the web application. This privacy concern has been resolved in Firefox 3 ..


Hence, there is no possibility of showing the entire path of the file that was selected for upload. Honestly, I didn’t like this. To get the full path of the file that is ready for upload, the developer has to write a custom control, which is reinventing the wheel.


What do you say?
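Because IE reports a full client path and Firefox 3 only the file name, server code has to behave the same for both and treat the reported name as untrusted input. The following is an added example, not code from the original post; UploadedFileName and ToLeafName are hypothetical names, and the sample values are constructed.

```csharp
using System;
using System.IO;

public static class UploadedFileName
{
    // Hypothetical helper: reduces whatever name the browser reported
    // (for example the value of fleUpLd.PostedFile.FileName) to a bare file name.
    public static string ToLeafName(string reportedName)
    {
        if (string.IsNullOrEmpty(reportedName))
            throw new ArgumentException("No file name supplied.");

        // Split on both separators so Windows and Unix style client paths are handled alike.
        int cut = reportedName.LastIndexOfAny(new[] { '\\', '/' });
        string leaf = reportedName.Substring(cut + 1).Trim();

        // Reject empty names, directory references and characters invalid in a file name.
        if (leaf.Length == 0 || leaf == "." || leaf == ".." ||
            leaf.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new ArgumentException("Unusable file name.");

        return leaf;
    }

    public static void Main()
    {
        // Constructed samples: a full path as IE reports it, and a bare name as Firefox 3 reports it.
        string[] samples =
        {
            @"C:\Documents and Settings\alice\Desktop\report.pdf",
            "report.pdf"
        };
        foreach (string s in samples)
            Console.WriteLine("{0} -> {1}", s, ToLeafName(s));
    }
}
```

Both samples reduce to report.pdf, so the upload handler never depends on, stores or logs the client's directory layout.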


I just read about this on one of the blogs at weblogs.asp.net. I thought the way the author presented the issue at this link was interesting to read. Did you like it? And here is the bug ticket for Mozilla. This has full details of why and how .. blah .. blah..