authorAndrew Arnott <andrewarnott@gmail.com>2008-01-17 18:50:58 +0000
committerAndrew <andrewarnott@gmail.com>2008-01-17 18:50:58 +0000
commitfd169ef57aa63a8768ac6f824ed7d244ffa2a97a (patch)
tree38b859d14a8e531feac13c1ff215397158491633
parentd46123ce865b8b25f3ea6c541224d0edd1528305 (diff)
Changed the server's disabled username field to a readonly username field, and made the security precaution more explicit.
git-svn-id: https://dotnetopenid.googlecode.com/svn/trunk@75 01efa1a6-402a-0410-b0ae-47b76eba00f0
-rw-r--r--source/JanRain.OpenID.ServerPortal/login.aspx4
-rw-r--r--source/JanRain.OpenID.ServerPortal/login.aspx.cs17
2 files changed, 11 insertions, 10 deletions
diff --git a/source/JanRain.OpenID.ServerPortal/login.aspx b/source/JanRain.OpenID.ServerPortal/login.aspx
index 3eef2f8..601efd9 100644
--- a/source/JanRain.OpenID.ServerPortal/login.aspx
+++ b/source/JanRain.OpenID.ServerPortal/login.aspx
@@ -5,10 +5,10 @@
</head>
<body>
<p class=title>Login</p>
- <span id="status" class="text" runat="Server"/>
+ <span id="status" class="text" enableviewstate="false" runat="Server"/>
<br />Try Bob/Test. Usernames are defined in the web.config
<form id="Form1" runat="server">
- Username: <asp:textbox id=username cssclass="text" runat="Server"/><br/>
+ Username: <asp:textbox id=username ReadOnly=true cssclass="text" runat="Server"/><br/>
Password: <asp:textbox id=password textmode=Password cssclass="text" runat="Server"/><br />
<asp:button id=login_button onclick="Login_Click" text=" Login " cssclass="button" runat="Server"/>
</form>
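Review bot: `ReadOnly=true` on the username textbox is a presentation hint, not a trust boundary — the browser can still post any value for that field, and although ASP.NET 2.0+ ignores posted data for a ReadOnly TextBox, that relies on the control's viewstate rather than on anything the server verifies. The identity the user is being challenged for must therefore come from the session on every use, not only for the password check: in the companion login.aspx.cs hunk the new code authenticates `challengedUsername`, but the unchanged context line still calls `FormsAuthentication.RedirectFromLoginPage(username.Text, true)`, which issues the forms ticket for whatever the client submitted rather than for the verified name; it should read `FormsAuthentication.RedirectFromLoginPage(challengedUsername, true);`. The `enableviewstate="false"` on the status span looks intended to stop `status.InnerHtml += "Invalid Login"` from accumulating across postbacks; a short comment saying so next to the span would make that non-obvious attribute self-explanatory. Style-wise, quote the attribute value as `ReadOnly="true"` to match the other attributes on the line.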
diff --git a/source/JanRain.OpenID.ServerPortal/login.aspx.cs b/source/JanRain.OpenID.ServerPortal/login.aspx.cs
index 35d5d41..125a068 100644
--- a/source/JanRain.OpenID.ServerPortal/login.aspx.cs
+++ b/source/JanRain.OpenID.ServerPortal/login.aspx.cs
@@ -16,19 +16,20 @@ public partial class login : System.Web.UI.Page
{
protected void Page_Load(object src, EventArgs e)
{
- State.Session.CheckExpectedStateIsAvailable();
+ State.Session.CheckExpectedStateIsAvailable();
- String s = Util.ExtractUserName(State.Session.LastRequest.IdentityUrl);
- if (s != null)
- {
- username.Text = s;
- username.Enabled = false;
- }
+ if (!IsPostBack)
+ {
+ username.Text = Util.ExtractUserName(State.Session.LastRequest.IdentityUrl);
+ password.Focus();
+ }
}
protected void Login_Click(Object sender, EventArgs e)
{
- if (FormsAuthentication.Authenticate(username.Text, password.Text))
+ // Don't use username from text field because the user may have hijacked and changed it.
+ string challengedUsername = Util.ExtractUserName(State.Session.LastRequest.IdentityUrl);
+ if (FormsAuthentication.Authenticate(challengedUsername, password.Text))
FormsAuthentication.RedirectFromLoginPage(username.Text, true);
else
status.InnerHtml += "Invalid Login";