Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 14 of 14
  1. #1
    Regular Coder jfreak53's Avatar
    Join Date
    May 2004
    Location
    Guatemala
    Posts
    477
    Thanks
    19
    Thanked 10 Times in 10 Posts

    ASP.NET login page authentication

    First off let me start by saying I am not an ASP guy, I know nothing about it I'm just trying to figure something out so I can work with it.

    I am trying to make a PHP page that log's into another system on another, the current system is a bit buggy but the backend is fine. So I need a login page.

    Problem is their current ASP login page I can't get head's or tails from, I need to figure out how they are authenticating their user has actually logged in or not, so I can duplicate this so that when someone logs in on their page through PHP it authenticates them on this page and system as well.

    I have checked Cookies and Session info in the browser during login but it doesn't show anything, so I don't think their using either, how in the heck do they keep track of logged in users

    Their login page source:
    Code:
    <%@ page language="VB" masterpagefile="~/MasterPage.master" autoeventwireup="false" inherits="Login, App_Web_l2q6gyma" title="..:: Web MSSchool ::.." %>
    <asp:Content ID="Content1" ContentPlaceHolderID="ContentPlaceHolder1" Runat="Server">
        <asp:UpdatePanel ID="UpdatePanel1" runat="server">
            <ContentTemplate>
    <asp:Label style="Z-INDEX: 100; LEFT: 160px; POSITION: absolute; TOP: 208px" id="Label1" runat="server" Width="336px" Text="Ingreso al Sistema..." ForeColor="#3C55E3" Font-Size="Medium" Font-Names="Tahoma"></asp:Label> 
    <HR style="Z-INDEX: 100; LEFT: 160px; WIDTH: 592px; POSITION: absolute; TOP: 232px" />
    <asp:Button style="Z-INDEX: 109; LEFT: 500px; POSITION: absolute; TOP: 450px; width: 129px;" 
                    id="Button1" runat="server" Text="Solicitudes de inscripcion" 
                    BorderColor="Black" BorderStyle="Solid" CssClass="dxnbLargeItem_PlasticBlue"></asp:Button>
    <asp:RadioButton style="Z-INDEX: 101; LEFT: 256px; POSITION: absolute; TOP: 280px" id="optAlumno" runat="server" Width="72px" Text="Alumno(a)" Font-Size="8pt" Font-Names="Tahoma" GroupName="TipoUsuario"></asp:RadioButton> <asp:RadioButton style="Z-INDEX: 102; LEFT: 176px; POSITION: absolute; TOP: 280px" id="optFamilia" runat="server" Width="73px" Text="Familia" Font-Size="8pt" Font-Names="Tahoma" GroupName="TipoUsuario" Checked="True"></asp:RadioButton> <asp:RadioButton style="Z-INDEX: 102; LEFT: 336px; POSITION: absolute; TOP: 280px" id="optMaestro" runat="server" Width="73px" Text="Maestro" Font-Size="8pt" Font-Names="Tahoma" GroupName="TipoUsuario"></asp:RadioButton> 
                <asp:RadioButton style="Z-INDEX: 102; LEFT: 416px; POSITION: absolute; TOP: 280px" 
                    id="optCoordinador" runat="server" Width="83px" Text="Coordinador" 
                    Font-Size="8pt" Font-Names="Tahoma" GroupName="TipoUsuario"></asp:RadioButton> 
                <asp:RadioButton style="Z-INDEX: 102; LEFT: 506px; POSITION: absolute; TOP: 280px; width: 87px;" 
                    id="optAdministrador" runat="server" Text="Administrador" Font-Size="8pt" 
                    Font-Names="Tahoma" GroupName="TipoUsuario"></asp:RadioButton> <asp:Label style="Z-INDEX: 103; LEFT: 248px; POSITION: absolute; TOP: 336px" id="Label2" runat="server" Width="64px" Text="Usuario:" Font-Size="Smaller" Font-Names="Tahoma" Height="16px"></asp:Label> <asp:Label style="Z-INDEX: 104; LEFT: 248px; POSITION: absolute; TOP: 368px" id="Label3" runat="server" Width="80px" Text="Contraseña:" Font-Size="Smaller" Font-Names="Tahoma"></asp:Label> <asp:TextBox style="Z-INDEX: 105; LEFT: 360px; POSITION: absolute; TOP: 328px" id="txtUsuario" runat="server" Width="144px"></asp:TextBox> <asp:TextBox style="Z-INDEX: 106; LEFT: 360px; POSITION: absolute; TOP: 360px" id="txtPassword" runat="server" Width="144px" TextMode="Password"></asp:TextBox> <asp:Label style="Z-INDEX: 107; LEFT: 256px; POSITION: absolute; TOP: 440px" id="lblMensajes" runat="server" Width="395px" ForeColor="Red" Font-Size="8pt" Font-Names="Tahoma" Font-Bold="True"></asp:Label> 
                <asp:Button style="Z-INDEX: 109; LEFT: 296px; POSITION: absolute; TOP: 408px" 
                    id="btnIngresar" onclick="btnIngresar_Click" runat="server" Width="100px" 
                    Text="Ingresar" BorderColor="Black" BorderStyle="Solid" 
                    CssClass="dxnbItem_PlasticBlue"></asp:Button> 
    </ContentTemplate>
        </asp:UpdatePanel>
    </asp:Content>
    And the final HTML:

    Code:
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head><title>
    
    </title></head>
    <body>
        <form name="form1" method="post" action="Login_sin_master.aspx" id="form1" target="_parent">
    <div>
    <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJMTkwNjg1MTE4D2QWAgIDD2QWCAIFDxAPFgIeB1Zpc2libGVoZGRkZAIHDxAPFgIfAGhkZGRkAgkPEA8WAh8AaGRkZGQCFw8PFgIfAGhkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAwUJb3B0QWx1bW5vBQlvcHRBbHVtbm8FCm9wdEZhbWlsaWE50W431PaG1nq2q4xsXh5kWqUhRw==" />
    </div>
    
        <div>
    <span style="display:inline-block;font-family:Tahoma;font-size:8pt;width:72px;"><input id="optAlumno" type="radio" name="TipoUsuario" value="optAlumno" /><label for="optAlumno">Alumno(a)</label></span> 
    <br />
    <span style="display:inline-block;font-family:Tahoma;font-size:8pt;width:73px;"><input id="optFamilia" type="radio" name="TipoUsuario" value="optFamilia" checked="checked" /><label for="optFamilia">Familia</label></span> 
    <br />
     
    <br />
     
    <br />
     
    <br />
    <span id="Label2" style="display:inline-block;font-family:Tahoma;font-size:Smaller;height:16px;width:64px;">Usuario:</span>
    <input name="txtUsuario" type="text" id="txtUsuario" style="width:144px;" /> 
    <br />
    <span id="Label3" style="display:inline-block;font-family:Tahoma;font-size:Smaller;width:80px;">Contraseña:</span> 
    <input name="txtPassword" type="password" id="txtPassword" style="width:144px;" /> 
    <br />
    <span id="lblMensajes" style="display:inline-block;color:Red;font-family:Tahoma;font-size:8pt;font-weight:bold;width:395px;"></span> 
    <input type="submit" name="btnIngresar" value="Ingresar" id="btnIngresar" class="dxnbItem_PlasticBlue" style="border-color:Black;border-style:Solid;width:100px;" />
    
        </div>
        
    <div>
    
    	<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWBgK6x76FCgLu5vW8BAKpwZ6pAQKpwKPFCAK1qbSRCwK9t9X8DDcpGFrDbKg6t6JbcPY8RTP0mlMD" />
    </div></form>
    </body>
    </html>
    Now I'm no ASP guy but something tell's me that it's not using ASP to authenticate and it's not storing logged data in Session or Cookies, something tell's me that it's using the SQL db for authentication purposes and letting it keep track.

    Am I on the right track here?

    If so what are my option's to authenticating with PHP? If so the only thing I can think of is Curl and doing a POST to their already existing form to see what it respond's. Is this correct?

    Thanks for any help you can give me with this, I'm lost in this ASP stuff ha ha
    "FORTRAN is not a language. It's a way of turning a multi-million dollar mainframe, into a $50 programmable scientific calculator."
    http://www.microfastcat.com -- FastCat Software, the fastest software on the NET!
    http://www.microthosting.com -- Free reseller web hosting, Hosting, VPS, FREE SMALL HOSTING!!!
    http://www.microtronix-tech.com -- Web design and programming

  • #2
    Senior Coder alykins's Avatar
    Join Date
    Apr 2011
    Posts
    1,776
    Thanks
    41
    Thanked 196 Times in 195 Posts
    could be wrong- bc I don't touch asp- but I am pretty sure asp header is <% text whereas aspx <%@ text which is aspx (which I do do :P)
    if that is the case- and you have the aspx source file, would you be willing to send me the code behind? I think the answer will be in there.

    I code C hash-tag .Net
    Reference: W3C W3CWiki .Net Lib
    Validate: html CSS
    Debug: Chrome FireFox IE

  • #3
    Regular Coder jfreak53's Avatar
    Join Date
    May 2004
    Location
    Guatemala
    Posts
    477
    Thanks
    19
    Thanked 10 Times in 10 Posts
    Sorry, it is ASPX ha ha

    Yes I would, which file do you need to see? All I can find is the ASPX files, did you need the source to the DLL's in the bin directory?
    "FORTRAN is not a language. It's a way of turning a multi-million dollar mainframe, into a $50 programmable scientific calculator."
    http://www.microfastcat.com -- FastCat Software, the fastest software on the NET!
    http://www.microthosting.com -- Free reseller web hosting, Hosting, VPS, FREE SMALL HOSTING!!!
    http://www.microtronix-tech.com -- Web design and programming

  • #4
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    26,198
    Thanks
    80
    Thanked 4,453 Times in 4,418 Posts
    FWIW, ASP.NET has *automatic* authentication available. A drag-and-drop control if you are using Visual Studio, for example.

    And, yes, it can keep session information in the DB rather than relying on cookies. That way they can even authenticate and keep track of users who have cookies turned off. If will even do that automatically (that is, detect if the user has cookies enabled and use the appropriate kind of session storage) if you ask it to.

    Scary, isn't it?
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  • #5
    Senior Coder alykins's Avatar
    Join Date
    Apr 2011
    Posts
    1,776
    Thanks
    41
    Thanked 196 Times in 195 Posts
    yeah- I've been hittin back n forth w/ him via PM- they are using the drag-and drop login with sessions stored in DB...
    forgot to post in reply....
    aspnet_regsql
    login control... welcome to a world of convolution :P

    edit: your database will have a layout like so after the magical 'wizard' runs
    Attached Thumbnails Attached Thumbnails ASP.NET login page authentication-capture.png  

    I code C hash-tag .Net
    Reference: W3C W3CWiki .Net Lib
    Validate: html CSS
    Debug: Chrome FireFox IE

  • #6
    Regular Coder jfreak53's Avatar
    Join Date
    May 2004
    Location
    Guatemala
    Posts
    477
    Thanks
    19
    Thanked 10 Times in 10 Posts
    So I stopped trying to build my own login page and am trying curl to connect to it. No go so far. On that page it has two generated codes, the __VIEWSTATE and the __EVENTVALIDATION. I've tried everything with curl and trying to set the cookie and session ID but still no go. I know this is an ASP thread but any clues what I'm missing?

    Code:
    <?
    $doc = new DomDocument;
    
    $headers = array (
            "Connection: keep-alive",
            "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.162 Safari/535.19",
            "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Encoding: gzip,deflate,sdch",
            "Accept-Language: en-US,en;q=0.8",
            "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3" 
    );
    
    $handle = curl_init();
    curl_setopt($handle, CURLOPT_URL, "http://IP/Login_sin_master.aspx");
    curl_setopt($handle, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($handle, CURLOPT_RETURNTRANSFER, TRUE);
    curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($handle, CURLOPT_HEADER, true);
    
    /* Get the HTML or whatever is linked in $url. */
    $response = curl_exec($handle);
    $doc->validateOnParse = true;
    $doc->loadHTML($response);
    preg_match('~^(Set-Cookie:.+?)$~ism', $response, $result);
    $result = str_replace('Set-Cookie: ', '', $result[0]);
    $result = str_replace(' HttpOnly', '', $result);
    //echo $result.'<br>';
    
    $vstate = $doc->getElementById('__VIEWSTATE')->getAttribute('value');
    $eval = $doc->getElementById('__EVENTVALIDATION')->getAttribute('value');
    curl_close($handle);
    
    $fields = array(
    			'__VIEWSTATE'=>$vstate,
                'TipoUsuario'=>'optFamilia',
                'txtUsuario'=>'user',
                'txtPassword'=>'pass',
                '__EVENTVALIDATION'=>$eval
            );
            
    $headers = array (
            "Connection: keep-alive",
            "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.162 Safari/535.19",
            "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Encoding: gzip,deflate,sdch",
            "Accept-Language: en-US,en;q=0.8",
            "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3",
            "Set-Cookie: ".$result." HttpOnly" 
    );
    
    $handle = curl_init();
    curl_setopt($handle, CURLOPT_URL, "http://ip/Login_sin_master.aspx");
    curl_setopt($handle, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($handle, CURLOPT_RETURNTRANSFER, TRUE);
    curl_setopt($handle, CURLOPT_HEADER, true);
    curl_setopt($handle, CURLOPT_VERBOSE, true);
    curl_setopt($handle, CURLOPT_POST, 1);
    curl_setopt($handle, CURLOPT_POSTFIELDS, $fields);
    curl_setopt($handle, CURLOPT_COOKIE, $result);
    curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
    
    /* Get the HTML or whatever is linked in $url. */
    $response = curl_exec($handle);
    
    /* Check for 404 (file not found). */
    $httpCode = curl_getinfo($handle, CURLINFO_HTTP_CODE);
    if($httpCode != 404 && $httpCode != 0) {
    	exit($response);
    }
    
    curl_close($handle);
    ?>
    As you can see I am doing an initial connection to the page to get those two code's, GREAT! It connect's and gets them.

    When I post back that login info it should login no problem's and redirect to Main.aspx page, it doesn't, it just comes back to the login page.

    When I try changing the username or pass to check if it's getting them and printing out wrong username or pass, it doesn't, it just print's login page as if normal. But I know it's getting my post data because the user field printed out on the login field has the username in it that I used!

    So what the heck am I missing? I'm no ASPX guy so I have no clue what it's looking for from me.

    Thanks for any help.
    "FORTRAN is not a language. It's a way of turning a multi-million dollar mainframe, into a $50 programmable scientific calculator."
    http://www.microfastcat.com -- FastCat Software, the fastest software on the NET!
    http://www.microthosting.com -- Free reseller web hosting, Hosting, VPS, FREE SMALL HOSTING!!!
    http://www.microtronix-tech.com -- Web design and programming

  • #7
    Regular Coder jfreak53's Avatar
    Join Date
    May 2004
    Location
    Guatemala
    Posts
    477
    Thanks
    19
    Thanked 10 Times in 10 Posts
    Any thoughts?
    "FORTRAN is not a language. It's a way of turning a multi-million dollar mainframe, into a $50 programmable scientific calculator."
    http://www.microfastcat.com -- FastCat Software, the fastest software on the NET!
    http://www.microthosting.com -- Free reseller web hosting, Hosting, VPS, FREE SMALL HOSTING!!!
    http://www.microtronix-tech.com -- Web design and programming

  • #8
    Regular Coder jfreak53's Avatar
    Join Date
    May 2004
    Location
    Guatemala
    Posts
    477
    Thanks
    19
    Thanked 10 Times in 10 Posts
    Ok, I have found the Login.vb file, all it does is check the entered credentials against plain text in the DB. Then it stores certain info as so:

    Code:
    Session("name of session code") = DBInfo
    So how on God's green earth ha ha, do I imitate this? I was thinking of screwing the curl thing and just creating a PHP page on the same server to do that same thing in the DB, sort of API like. But no where in the DB can I find where they are storing the session information for the logged in user. Anyone have an idea where I can look for that at?
    "FORTRAN is not a language. It's a way of turning a multi-million dollar mainframe, into a $50 programmable scientific calculator."
    http://www.microfastcat.com -- FastCat Software, the fastest software on the NET!
    http://www.microthosting.com -- Free reseller web hosting, Hosting, VPS, FREE SMALL HOSTING!!!
    http://www.microtronix-tech.com -- Web design and programming

  • #9
    Senior Coder alykins's Avatar
    Join Date
    Apr 2011
    Posts
    1,776
    Thanks
    41
    Thanked 196 Times in 195 Posts
    I doubt it's just plain text- I would bet it is encrypted with a key

    I code C hash-tag .Net
    Reference: W3C W3CWiki .Net Lib
    Validate: html CSS
    Debug: Chrome FireFox IE

  • #10
    Regular Coder jfreak53's Avatar
    Join Date
    May 2004
    Location
    Guatemala
    Posts
    477
    Thanks
    19
    Thanked 10 Times in 10 Posts
    Probably using those same two original key's when you go to the login page huh? Man ASP makes this a pain in the butt! ha ha
    "FORTRAN is not a language. It's a way of turning a multi-million dollar mainframe, into a $50 programmable scientific calculator."
    http://www.microfastcat.com -- FastCat Software, the fastest software on the NET!
    http://www.microthosting.com -- Free reseller web hosting, Hosting, VPS, FREE SMALL HOSTING!!!
    http://www.microtronix-tech.com -- Web design and programming

  • #11
    Senior Coder alykins's Avatar
    Join Date
    Apr 2011
    Posts
    1,776
    Thanks
    41
    Thanked 196 Times in 195 Posts
    Quote Originally Posted by jfreak53 View Post
    Probably using those same two original key's when you go to the login page huh? Man ASP makes this a pain in the butt! ha ha
    maybe, but SQL has it's own encryption as well... it could be encrypted in both places. With security being a constant battle I would bet it is.

    I code C hash-tag .Net
    Reference: W3C W3CWiki .Net Lib
    Validate: html CSS
    Debug: Chrome FireFox IE

  • #12
    Regular Coder jfreak53's Avatar
    Join Date
    May 2004
    Location
    Guatemala
    Posts
    477
    Thanks
    19
    Thanked 10 Times in 10 Posts
    Hmm, well back to the drawing board then, thanks.

    What I'm really curious about is why on this earth won't it accept a curl post to the page with the correct field's, since technically that's what it's doing also, posting back to itself.
    "FORTRAN is not a language. It's a way of turning a multi-million dollar mainframe, into a $50 programmable scientific calculator."
    http://www.microfastcat.com -- FastCat Software, the fastest software on the NET!
    http://www.microthosting.com -- Free reseller web hosting, Hosting, VPS, FREE SMALL HOSTING!!!
    http://www.microtronix-tech.com -- Web design and programming

  • #13
    Senior Coder alykins's Avatar
    Join Date
    Apr 2011
    Posts
    1,776
    Thanks
    41
    Thanked 196 Times in 195 Posts
    no clue- I boldly assume php has a web.config file yes? I would think there is a way to establish your php site as an authenticated site and connect directly to the database. I am just assuming though. I know that you can take an asp.net and hok it up to an open source DB so I don't see why you couldn't reverse it- it might be a huge pain in the * and there are likely not too many ppl whom have done so either :/

    I code C hash-tag .Net
    Reference: W3C W3CWiki .Net Lib
    Validate: html CSS
    Debug: Chrome FireFox IE

  • #14
    New to the CF scene
    Join Date
    Jul 2012
    Location
    australia
    Posts
    6
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by alykins View Post
    no clue- I boldly assume php has a web.config file yes? I would think there is a way to establish your php site as an authenticated site and connect directly to the database. I am just assuming though. I know that you can take an asp.net and hok it up to an open source DB so I don't see why you couldn't reverse it- it might be a huge pain in the * and there are likely not too many ppl whom have done so either :/
    PHP doesn't have a web.config file
    if you mean the configuration file, the answer is yes but it is not named as web.config which is for .net application


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •