如何使用 Session 设置该特定页面的管理员登录权限？

Posted 2023-05-07

【中文标题】如何使用 Session 设置该特定页面的管理员登录权限？

【英文标题】：How to set admin login rights to that specific page with Session?

【发布时间】：2014-01-17 03:00:02

【问题描述】：

我发现当我通过管理员登录时存在一些我不知道的小错误。它只是不断将我重定向到 Page404.aspx。任何人都可以纠正我的错误？感谢您的帮助！

背景信息：对于 MS Access 数据库 - 由于注册页面，可能是 CUsername, @eUsername

附加信息：帐户和登录以及更新客户页面的注册完全可以正常工作。除了 UpdateProductsAdmin 页面，我只希望它用于“admin”登录的用户名。

  cmd.paramters.add.withvalue
  string strSQLInsert = "INSERT INTO "
        + "myCustomer (CFirstName, CLastName, CAddressLine1, CAddressLine2, CCountry,  CState, CPostalCode, CContactNumber, CEmail, CConfirmEmail, CUserName, CPassword, CConfirmPassword)" 
        + "VALUES (@eFirstName, @eLastName, @eAddressLine1, @eAddressLine2, @eCountry, @eState, @ePostalCode, @eContactNumber, @eEmail, @eConfirmEmail, @eUserName, @ePassword, @eConfirmPassword)";

using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.OleDb;

public partial class UpdateProductsAdmin : System.Web.UI.Page

    protected void Page_Load(object sender, EventArgs e)
    
        OleDbConnection mDB = new OleDbConnection();
        mDB.ConnectionString = "Provider = Microsoft.ACE.OLEDB.12.0;Data Source=" + Server.MapPath("~/App_Data/webBase.accdb");
        mDB.Open();
        Type csType = this.GetType();
        OleDbCommand cmd;
        OleDbDataReader rdr;
        string strSQLSelect = "SELECT CUsername FROM myCustomer ORDER BY CUsername";
        cmd = new OleDbCommand(strSQLSelect, mDB);
        rdr = cmd.ExecuteReader();

        while (rdr.Read() == true) 
        
            if (Session["CUsername"] == "admin")
            
                DetailsView1.Visible = true;
            
            else
            
                Response.Redirect("Page404.aspx");
            
        
    

对于我的帐户页面，我尝试使用此处的逻辑

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.OleDb;

public partial class Account : System.Web.UI.Page

    public string UFlag = "F"; public string strUserName;
    static readonly string ScriptSuccessUpdate = "<script language=\"javascript\"\n" + "alert (\"Update successful - Please surf to other pages to shop\");\n </script>";

    protected void Page_Load(object sender, EventArgs e)
    
        LabelUserName.Text = (string)Session["sUserName"];
        LabelFirstName.Text = (string)Session["sFirstName"];
        LabelLastName.Text = (string)Session["sLastName"];
        LabelAddressLine1.Text = (string)Session["sAddressLine1"];
        LabelAddressLine2.Text = (string)Session["sAddressLine2"];
        LabelCountry.Text = (string)Session["sCountry"];
        LabelState.Text = (string)Session["sState"];
        LabelPostalCode.Text = (string)Session["sPostalCode"];
        LabelContactNumber.Text = Convert.ToInt32(Session["sContactNumber"]).ToString();
        LabelEmail.Text = (string)Session["sEmail"];
        LabelPassword.Text = (string)Session["sPassword"];

    
    protected void ImageButtonUpdate_Click(object sender, ImageClickEventArgs e)
    
        strUserName = (string)Session["sUserName"];
        if (TextBoxFirstName.Text!="")
        
            string StrFName = "CFirstName"; string strFValue = TextBoxFirstName.Text;
            UpdatemyCustomer(StrFName, strFValue);
            Session["sFirstName"] = TextBoxFirstName.Text;
        
        if (TextBoxLastName.Text!="")
        
            string strFName = "CLastName"; string strFValue = TextBoxLastName.Text;
            UpdatemyCustomer(strFName, strFValue);
            Session["sLastName"] = TextBoxLastName.Text;
        
        if (TextBoxAddressLine1.Text != "")
        
            string strFName = "CAddressLine1"; string strFValue = TextBoxAddressLine1.Text;
            UpdatemyCustomer(strFName, strFValue);
            Session["sAddressLine1"] = TextBoxAddressLine1.Text;
        
        if (TextBoxAddressLine2.Text != "")
        
            string strFName = "CAddressLine2"; string strFValue = TextBoxAddressLine2.Text;
            UpdatemyCustomer(strFName, strFValue);
            Session["sAddressLine2"] = TextBoxAddressLine2.Text;
        
        if (TextBoxCountry.Text != "")
        
            string strFName = "CCountry"; string strFValue = TextBoxCountry.Text;
            UpdatemyCustomer(strFName, strFValue);
            Session["sCountry"] = TextBoxCountry.Text;
        
        if (TextBoxState.Text != "")
        
            string strFName = "CState"; string strFValue = TextBoxState.Text;
            UpdatemyCustomer(strFName, strFValue);
            Session["sState"] = TextBoxState.Text;
        
        if (TextBoxPostalCode.Text != "")
        
            string strFName = "CPostalCode"; string strFValue = TextBoxPostalCode.Text;
            UpdatemyCustomer(strFName, strFValue);
            Session["sPostalCode"] = TextBoxPostalCode.Text;
        
        if (TextBoxContactNumber.Text != "")
        
            string strFName = "CContactNumber"; string strFValue = TextBoxContactNumber.Text;
            UpdatemyCustomer(strFName, strFValue);
            Session["sContactNumber"] = TextBoxContactNumber.Text;
        
        if (TextBoxEmail.Text != "")
        
            string strFName = "CEmail"; string strFValue = TextBoxEmail.Text;
            UpdatemyCustomer(strFName, strFValue);
            Session["sEmail"] = TextBoxEmail.Text;
        
        if (TextBoxPassword.Text != "")
        
            string strFName = "CPassword"; string strFValue = TextBoxPassword.Text;
            UpdatemyCustomer(strFName, strFValue);
            Session["sPassword"] = TextBoxPassword.Text;
        
        if (UFlag == "T")
        
            Type strType = this.GetType();
            ClientScript.RegisterStartupScript(strType, "Success", ScriptSuccessUpdate);
        
    
    public void UpdatemyCustomer(string strFName, string strFValue)
    
        OleDbConnection mDB = new OleDbConnection();
        mDB.ConnectionString = "Provider = Microsoft.ACE.OLEDB.12.0;Data source=" + Server.MapPath("~/App_Data/webBase.accdb");
        mDB.Open();
        OleDbCommand cmd;
        String strSQL = "UPDATE myCustomer SET " + strFName + "=@newValue WHERE cUserName = @eUserName";
        cmd = new OleDbCommand(strSQL, mDB);
        cmd.Parameters.Add("@newValue", OleDbType.Char).Value = strFValue;
        cmd.Parameters.Add("@eUserName", OleDbType.Char).Value = strUserName;
        cmd.ExecuteNonQuery();
        UFlag = "T";
        mDB.Close();
    

用于account.aspx的注册

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.OleDb;

public partial class Register : System.Web.UI.Page

    static readonly string scriptErrorUserId =
        "<script language=\"javascript\">\n" +
        "alert (\"Error - UserID you entered is taken up, please key in another UserID\");\n" +
    "</script>";

    static readonly string scriptSuccessNewAccount =
    "<script language=\"javascript\">\n" +
        "alert (\"Your account has been successfully created - Thank you!\");\n" +
    "</script>";

    protected void Page_Load(object sender, EventArgs e)
    

    
    protected void ImageButton1_Click(object sender, ImageClickEventArgs e)
    
        OleDbConnection mDB = new OleDbConnection();
        mDB.ConnectionString = "Provider = Microsoft.ACE.OLEDB.12.0;Data Source=" + Server.MapPath("~/App_Data/webBase.accdb");
        mDB.Open();
        Type csType = this.GetType();
        OleDbCommand cmd;
        OleDbDataReader rdr;
        string strSQLSelect = "SELECT CUsername FROM myCustomer ORDER BY CUsername";
        cmd = new OleDbCommand(strSQLSelect, mDB);
        rdr = cmd.ExecuteReader();

        while (rdr.Read()==true)
        
            if (TextBoxUserName.Text == (string)rdr["cUsername"]) 
            
                ClientScript.RegisterStartupScript(csType,"Error",scriptErrorUserId);
                mDB.Close();
                return;
            
        

        // Insert new records keyed by the user
        string strSQLInsert = "INSERT INTO "
            + "myCustomer (CFirstName, CLastName, CAddressLine1, CAddressLine2, CCountry, CState, CPostalCode, CContactNumber, CEmail, CConfirmEmail, CUserName, CPassword, CConfirmPassword)"
            + "VALUES (@eFirstName, @eLastName, @eAddressLine1, @eAddressLine2, @eCountry, @eState, @ePostalCode, @eContactNumber, @eEmail, @eConfirmEmail, @eUserName, @ePassword, @eConfirmPassword)";

        cmd = new OleDbCommand(strSQLInsert, mDB);
        cmd.Parameters.AddWithValue("@eFirstName", TextBoxFirstName.Text);
        cmd.Parameters.AddWithValue("@eLastName", TextBoxLastName.Text);
        cmd.Parameters.AddWithValue("@eAddressLine1", TextBoxAddressLine1.Text);
        cmd.Parameters.AddWithValue("@eAddressLine2", TextBoxAddressLine2.Text);
        cmd.Parameters.AddWithValue("@eCountry", TextBoxCountry.Text);
        cmd.Parameters.AddWithValue("@eState", TextBoxState.Text);
        cmd.Parameters.AddWithValue("@ePostalCode", TextBoxPostalCode.Text);
        cmd.Parameters.AddWithValue("@eContactNumber", TextBoxContactNumber.Text);
        cmd.Parameters.AddWithValue("@eEmail", TextBoxEmail.Text);
        cmd.Parameters.AddWithValue("@eConfirmEmail", TextBoxConfirmEmail.Text);
        cmd.Parameters.AddWithValue("@eUserName", TextBoxUserName.Text);
        cmd.Parameters.AddWithValue("@ePassword", TextBoxPassword.Text);
        cmd.Parameters.AddWithValue("@eConfirmPassword", TextBoxConfirmPassword.Text);

        cmd.ExecuteNonQuery();
        mDB.Close();
        ClientScript.RegisterStartupScript(csType, "Success", scriptSuccessNewAccount);
        Response.Redirect("Account.aspx");

        // prepare Session Variables for newly registered customer
        Session["sFlag"] = "T";
        Session["sFirstName"] = (string)TextBoxFirstName.Text;
        Session["sLastName"] = (string)TextBoxLastName.Text;
        Session["sAddressLine1"] = (string)TextBoxAddressLine1.Text;
        Session["sAddressLine2"] = (string)TextBoxAddressLine2.Text;
        Session["sCountry"] = (string)TextBoxCountry.Text;
        Session["sState"] = (string)TextBoxState.Text;
        Session["sPostalCode"] = (string)TextBoxPostalCode.Text;
        Session["sContactNumber"] = (string)TextBoxContactNumber.Text;
        Session["sEmail"] = (string)TextBoxEmail.Text;
        Session["sConfirmEmail"] = (string)TextBoxConfirmEmail.Text;
        Session["sUserName"] = (string)TextBoxUserName.Text;
        Session["sePassword"] = (string)TextBoxPassword.Text;
        Session["sConfirmPassword"] = (string)TextBoxConfirmPassword.Text;
    

【参考方案1】：

在您的代码中，我没有看到 Init Session["CUsername"] 的会话在哪里

并且在您的 SQL CMD 中，如果第一行 CUsername 不是 admin 。你总是会得到False

所以你会重定向到“Page404.aspx”

你可以写这个确保你能得到正确的 SQL 查询结果

使用系统； 使用 System.Collections.Generic； 使用 System.Linq；使用 System.Web； 使用 System.Web.UI； 使用 System.Web.UI.WebControls； 使用 System.Data.OleDb； 公共部分类 UpdateProductsAdmin : System.Web.UI.Page protected void Page_Load(object sender, EventArgs e) if ((string)Session["sUsername"] == "admin") DetailsView1.Visible = true; 别的 Response.Redirect("Page404.aspx");

【讨论】：

目的是什么？ cmd.Parameters.Add("@CuserName", [YourLoginID]); YourLoginID 是什么？

参数是你的 SQLCMD 变量。像这样 -> SELECT UserName FROM Customer WHERE UserName=@UserName 。如果你添加参数 cmd.Parameters.Add("@UserName", LoginTextBox.Text); LoginTextBox.Text ='John' 执行中的 CMD 将被替换 -> SELECT UserName FROM Customer WHERE UserName='John' 。它可以确保您始终在 SQLCMD 中获得 1 行（如果用户存在）或 0 行，如果 myCustomer 有 1000 个用户，您将始终获得 1000 行并执行 IF 表达式

但这不是母版页，所以我不能使用 textboxUsername.text 呃。还有其他环岛吗？我认为不需要 cmd.paramaters.add 呃。

其实我只是想要一个简单的也许我可以用 sFlag must be "T" // 代表用户登录，在我的代码中 Like if session["cUsername"] equal "admin, display detailsview , 否则响应重定向。有什么建议吗？

也许 if ((string)Session["sFlag"]!="T" && (String)Session["CUsername"]!="admin") display detailsview else response redirect跨度>