Posted: September 13th, 2017

iLab 6 of 8: Securing the Food Information Guide Database

Submit your assignment to the Dropbox located on the silver tab at the top of this page.
See Syllabus, Due Dates for Assignments & Exams, for due dates.

iLAB OVERVIEW
Scenario/Summary
You have been asked to secure the Maintain Food Information Web form added in the previous lab so that only an authorized administrator can make changes to the database.
You will begin by setting up a username and password for the administrator. You will then create a log-in page to allow the administrator to log in to the site. Finally, you will modify the Maintain Food Information form to deny access unless the user is logged in as an administrator.
Since this site has only one page with restricted access, and only one administrator who needs to log in to access that page, you will use a simple security scheme in which the log-in credentials are stored in the site’s configuration file. You will then be able to utilize a session variable to keep track of whether or not the administrator is logged in. It should be noted that more complex security schemes exist, which are appropriate for sites with more users and more restricted content. These security schemes are described in this week’s textbook readings and lecture.
Deliverables
1. Modified Web.config file on Healthy Eating site on the Web server.
2. Login.aspx Web form created on Healthy Eating site on the Web server, with associated code-behind file.
3. Modified Secure/Admin.aspx form on Healthy Eating site on the Web server.
4. Word document submitted to Dropbox with screenshots of:
•    Login page after unsuccessful log-in; and
•    Admin page after successful log-in displaying logout link.

Grading Rubric

Criteria (Points, %)
Step 2: Modify Web.config File (Web.config). (5 points, 20%)
•    appSettings section added to Web.config file on the Web server
•    appSettings contains AdminUsername and AdminPassword settings
Step 3: Create Log-In Form (Login.aspx). (6 points, 24%)
•    Login.aspx form created on the Web server
•    Has standard page header, navigation menu, and page footer
•    Log-in control added to form
Step 4: Add Code to Authenticate and Redirect User (Login.aspx.vb). (6 points, 24%)
•    Login1_Authenticate event handler authenticates log-in against credentials in Web.config file.
•    Login1_LoggedIn event handler saves username in session state and redirects to original destination page or to home page.
Step 5: Add Logout Link and Authorization Check to Secure/Admin.aspx Form. (5 points, 20%)
•    Logout LinkButton added to form
•    Click event handler for LinkButton abandons session and redirects to home page
•    Page Load event handler redirects to log-in page if UserName session variable not set.
Step 6: Test, Capture Screenshots, and Submit (Student Name BIS450 Lab6 Screenshots.docx). (3 points, 12%)
•    Word file submitted to Dropbox with the following screenshots:
o    Log-in form with invalid log-on message; and
o    Maintain Food Information form with logout link.
Total: 25 points, 100%

iLAB STEPS
Preparation
1. Download the BIS450 Lab6 Code Snippets.txt file from Doc Sharing and save it in your working folder for this lab.
2. Using the Citrix remote lab:
a. Follow the log-in instructions located in the iLab tab in Course Home.
b. Upload the file that you downloaded from Doc Sharing into your BIS450Labs folder on your Citrix drive. (You created this folder in Week 1).
STEP 1: Open Website on the DeVry Web Server.
1. Launch Microsoft Visual Studio 2010.
You must use Visual Studio 2010 in the Citrix environment.
2. Pull down the File menu and select Open, then select Web Site. In the Open website dialog, select FTP Site in the left column. The connection information that you used in the previous lab should be displayed:
•    Server: bisweb.devry.edu
•    Port: 21
•    Directory: coursefolder/yourname, where coursefolder = folder on the Weblab server for your course (provided by your professor), and yourname = your first initial and last name (e.g., jsmith for student John Smith).
•    Passive Mode and Anonymous Login: both unchecked.
•    Username: acadDnnnnnnnn, where Dnnnnnnnn = your DSI number.
•    Password: Enter the same password that you use for Citrix iLab (must be re-entered each time).
Click Open.
STEP 2: Modify Web.config File.
1. Open the Web.config file for the Healthy Eating site.
2. Open the BIS450 Lab6 Code Snippets.txt file that you downloaded from Doc Sharing. Select and copy the block of XML code that begins with the <appSettings> tag and ends with </appSettings>. Paste this block of code into the Web.config file immediately before the </configuration> tag, as shown:

TIP: In this case, there is only one user who will be logging into the site (the administrator who will maintain the Healthy Eating database). Other visitors don’t need to log in. We will store the log-in name and password for this user in the Web.config file, because that’s the simplest solution for a single log-in. For a site with a large number of users, each with their own username and password, log-in information would most likely be stored in a database table.
3. Save the modified Web.config file.
STEP 3: Create Log-In Form.
1. In the Solution Explorer window, click on the website root (ftp://bisweb.devry.edu/coursefolder/yourname) to select it; then add a new Web form named Login.aspx to the site.
2. Set the Title property of the Document to Healthy Eating Login.
3. Attach StyleSheet.css to the Web form.
4. As you did when setting up the Web forms in the previous labs, open Default.htm and copy the contents of its <body> element (in HTML, everything in between the <body> and </body> tags, but not the <body> and </body> tags themselves). Paste these contents inside the div in Login.aspx (in HTML, in between the <div> and </div> tags). Delete the contents of the #main div after pasting.
5. Drag a Login control from the Login section of the Toolbox and drop it onto the form inside div#main. Click Auto Format on the Login control’s smart tag, select the Classic scheme, and click OK. In the Properties window, set the DisplayRememberMe property of the Login control to False. Your form should now look like the following:

6. Save the Login.aspx form.
STEP 4: Add Code to Authenticate and Redirect User.
1. Double-click the Login control to create a skeleton event handler for the control’s Authenticate event in the code-behind file for the form. This procedure will be executed whenever a user tries to log in, to determine if he or she is a valid user.

2. In the BIS450 Lab6 Code Snippets.txt file that you downloaded from Doc Sharing, select and copy the block of VB code that begins with the comment, “‘Authenticate user against credentials in Web.config”. Paste this code into the Login1_Authenticate event handler procedure, in between the Protected Sub Login1_Authenticate(. . . ) and the End Sub statements, as shown:

TIP: If log-in credentials were stored in a database table, this code would need to execute a SQL query to see if a record with the username and password exists, instead of comparing the username and password with the values from the Web.config file. Otherwise, the log-in process would be the same.
3. Now that the user is authenticated, you need to add code to redirect the user to the correct page following a successful log-in. At the top of the editing window, select Login1 in the left drop-down list (if not already selected) and select LoggedIn from the right drop-down list. This will create a skeleton event handler procedure for the LoggedIn event, which fires after a successful log-in:

4. In the BIS450 Lab6 Code Snippets.txt file that you downloaded from Doc Sharing, select and copy the block of VB code that begins with the comment, “‘Save user name in session state and redirect user”. Paste this into the LoggedIn event handler, in between the Protected Sub Login1_LoggedIn(. . .) and End Sub statements:

TIP: This code does two things:
a. It stores the username in a session variable so that other forms can determine whether the user is logged in; and
b. it sends the user to a different page following a successful log-in.
If the user tried to access a restricted page on the site before logging in, and was redirected to the log-in page, the URL of the page that he or she originally tried to access will be in a URL parameter called ReturnURL; so the log-in code will send the user back to that page. If there is no ReturnURL (which may happen if the user goes directly to the log-in form), then the log-in code will send the user to the site’s home page.
5. Save your changes to the code-behind file.
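The following is an added example of what the two Login.aspx.vb handlers described in Step 4 can look like; it is not the code from BIS450 Lab6 Code Snippets.txt. It assumes the AdminUsername and AdminPassword appSettings keys named in the rubric and a home page of Default.htm, and it adds two checks the lab does not ask for: a byte-by-byte password comparison, and a local-URL check on ReturnURL so a successful log-in can only redirect within the site.

```vb
Imports System.Configuration
Imports System.Text

Partial Class Login
    Inherits System.Web.UI.Page

    ' Compare every byte instead of stopping at the first mismatch, so response time
    ' does not reveal how much of the password was correct.
    Private Shared Function FixedTimeEquals(a As String, b As String) As Boolean
        Dim x = Encoding.UTF8.GetBytes(a)
        Dim y = Encoding.UTF8.GetBytes(b)
        If x.Length <> y.Length Then Return False
        Dim diff = 0
        For i = 0 To x.Length - 1
            diff = diff Or (x(i) Xor y(i))
        Next
        Return diff = 0
    End Function

    ' Accept only site-relative targets (e.g. "Secure/Admin.aspx" or "~/Secure/Admin.aspx").
    ' Absolute URLs, protocol-relative "//host" and backslash variants are rejected.
    Private Shared Function IsLocalUrl(url As String) As Boolean
        If String.IsNullOrEmpty(url) OrElse url.Contains("\") Then Return False
        If url.StartsWith("//") Then Return False
        Return Uri.IsWellFormedUriString(url, UriKind.Relative)
    End Function

    Protected Sub Login1_Authenticate(sender As Object, e As AuthenticateEventArgs) Handles Login1.Authenticate
        ' Credentials live in the <appSettings> block added to Web.config in Step 2.
        Dim expectedUser = ConfigurationManager.AppSettings("AdminUsername")
        Dim expectedPass = ConfigurationManager.AppSettings("AdminPassword")
        If expectedUser Is Nothing OrElse expectedPass Is Nothing Then
            e.Authenticated = False   ' keys missing from Web.config: deny rather than throw
            Return
        End If
        e.Authenticated = String.Equals(Login1.UserName, expectedUser, StringComparison.OrdinalIgnoreCase) _
            AndAlso FixedTimeEquals(Login1.Password, expectedPass)
    End Sub

    Protected Sub Login1_LoggedIn(sender As Object, e As EventArgs) Handles Login1.LoggedIn
        ' Session variable checked by Secure/Admin.aspx on every request.
        Session("UserName") = Login1.UserName
        Dim returnUrl = Request.QueryString("ReturnURL")
        If IsLocalUrl(returnUrl) Then
            Response.Redirect(returnUrl)
        Else
            Response.Redirect("~/Default.htm")   ' no (or unsafe) ReturnURL: go home
        End If
    End Sub
End Class
```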
STEP 5: Add Logout Link and Authorization Check to Secure/Admin.aspx Form.
1. Open the Admin.aspx Web form, which is located in the Secure folder. If necessary, switch to the Design view.
2. Drag a LinkButton control from the Standard section of the Toolbox and drop it onto the form to the right of the Find Food Info Button. Type several spaces to create some separation between the button and the LinkButton control. Set the (ID) property of the LinkButton to btnLogout and the Text property to Logout.

3. Double-click on the Logout LinkButton to create a skeleton event handler for its click event in the code-behind file. From the BIS450 Lab6 Code Snippets.txt file, copy the block of VB code that begins with the comment, “‘Log out of session and redirect to home page”, and paste it into the click event handler in between the Sub btnLogout_Click(. . .) and End Sub statements, as shown:

4. Set the left drop-down list at the top of the editing window to (Page Events) and set the right drop-down list to Load. This will create a skeleton event handler for the Page Load event for this page. From the BIS450 Lab 6 Code Snippets.txt file, copy the block of VB code that begins with the comment, “Redirect to log-in page if user is not currently logged in”, and paste it into the event handler in between the Sub Page_Load(. . .) and End Sub statements, as shown:

TIP: Notice that in this code, the URL in the Response.Redirect command that sends the user to the log-in form includes the URL parameter string “?ReturnURL=Secure/Admin.aspx”. The code that you inserted earlier on the log-in form will use this parameter to return the user to the Admin.aspx form after they have logged in.
5. Save your changes to the Admin.aspx form and its code-behind file by selecting File, then Save All, or by pressing Ctrl + Shift + S.
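An added example (not the lab's snippet code) of the Secure/Admin.aspx code-behind with the Page Load authorization check and the logout handler from Step 5. It assumes the LinkButton ID btnLogout, the Session("UserName") variable set by the log-in page, and the website-project class name Secure_Admin that Visual Studio generates for a page in the Secure folder; it adds one step the lab does not mention, expiring the session cookie on logout.

```vb
Partial Class Secure_Admin
    Inherits System.Web.UI.Page

    ' Runs on every request to this page, including postbacks from the Find and
    ' Update buttons, so an expired or abandoned session is caught immediately.
    Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
        If Session("UserName") Is Nothing Then
            ' ReturnURL lets Login.aspx send the administrator back here after log-in.
            ' Response.Redirect ends the response, so nothing else on this page runs.
            Response.Redirect("~/Login.aspx?ReturnURL=" & Server.UrlEncode("Secure/Admin.aspx"))
        End If
    End Sub

    Protected Sub btnLogout_Click(sender As Object, e As EventArgs) Handles btnLogout.Click
        ' Clear server-side state and abandon the session, then expire the browser's
        ' session cookie so the old session id is not presented on the next request.
        Session.Clear()
        Session.Abandon()
        Response.Cookies.Add(New HttpCookie("ASP.NET_SessionId", "") With {.Expires = DateTime.Now.AddDays(-1)})
        Response.Redirect("~/Default.htm")
    End Sub
End Class
```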
STEP 6: Test, Capture Screenshot, and Submit.
1. To test your security setup, in the Solution Explorer window, right-click on Default.htm (the home page) and select View in Browser. The home page should display as usual, demonstrating that users can still view the home page without logging in.
2. Click on some of the other links on the navigation bar (BMI Calculator, Calorie Needs, Food Info) to verify that these pages also display as usual.
3. Click on the Admin link. Instead of seeing the Maintain Food Information form, you should be redirected to your new log-in page, as shown:

4. Enter the user name, admin, and an invalid password, such as wrong, and click the Login button. You should be returned to the log-in page, and an error message should be displayed.

5. Capture a screenshot of the Login form with the invalid log-in error message displayed, and paste it into a Word document.
6. Enter the user name admin and the correct password, which is 2Health! (Remember that this was defined in the Web.config file). Click the Login button. You should now be redirected to the Maintain Food Information form, which should include a Logout link as shown:

7. Capture a screenshot of this form with the Logout link visible, and paste it into the same Word document.
8. Click the Logout link. You should be returned to the home page.
9. Save the Word document containing your two screenshots as Your Name BIS450 Lab6 Screenshot.docx. (Make sure that the browser URL is visible in both screenshots.) Submit this file to the Week 6 iLab Dropbox.
