Coding error in login form

Feb 1, 2013 at 4:26 PM
Edited Feb 1, 2013 at 4:28 PM
Hi guys,

You've probably caught this by now, but those folks currently using the v2.0 product may not have seen this yet. There's a logic error in the login form (/Modules/Admin/LoginControl/Login.ascx/cs).

In LoginButton_Click, you're checking for the userID and password being filled in. The test is
if (!(string.IsNullOrEmpty(UserName.Text) && string.IsNullOrEmpty(Password.Text)))
This will allow execution if one of them is filled and the other empty, an obviously ugly scenario. And while the validators should prevent the button click, we all know that we can't rely on client-side validation to prevent an exception.

The correct logic is
if (!string.IsNullOrEmpty(UserName.Text) && !string.IsNullOrEmpty(Password.Text))
or, similarly
if (!(string.IsNullOrEmpty(UserName.Text) || string.IsNullOrEmpty(Password.Text)))
but better would be simply to check the validators, i.e.,
if (Page.IsValid)
Looking at the control in general, I've got to wonder why you did all the work for both it and the LoginStatus, since they really don't add much to the standard ASP.NET Login and LoginStatus controls. What they do add could be done in response to exposed events. Is this in preparation for moving away from the membership model altogether, or did some programmer just get carried away? :-)

Thanks, and keep up the good work!

-- Michael
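
The two guards from the post above, evaluated over every filled/empty combination. This is an added example, not part of the original post or the project's code; the class name, helper names and sample inputs are constructed for illustration.

```csharp
using System;

static class LoginGuardDemo
{
    // The check as quoted from LoginButton_Click: !(A && B).
    // It is false only when BOTH fields are empty.
    static bool BuggyGuard(string user, string pass) =>
        !(string.IsNullOrEmpty(user) && string.IsNullOrEmpty(pass));

    // The corrected check from the post: !A && !B.
    // It is true only when BOTH fields are filled.
    static bool FixedGuard(string user, string pass) =>
        !string.IsNullOrEmpty(user) && !string.IsNullOrEmpty(pass);

    // Never echo the submitted values; report only their state.
    static string Show(string s) =>
        s == null ? "<null>" : s.Length == 0 ? "<empty>" : "set";

    static void Main()
    {
        // Constructed inputs, as a request that bypasses the
        // client-side validators could deliver them.
        var cases = new (string User, string Pass)[]
        {
            ("alice", "s3cret"),
            ("alice", ""),
            ("", "s3cret"),
            ("", ""),
            (null, "s3cret"),
        };

        Console.WriteLine("{0,-10}{1,-10}{2,-8}{3,-8}",
            "user", "pass", "buggy", "fixed");
        foreach (var (user, pass) in cases)
        {
            bool buggy = BuggyGuard(user, pass);
            bool ok = FixedGuard(user, pass);
            // Rows where the two guards disagree are the half-filled
            // forms that the original condition lets through.
            Console.WriteLine("{0,-10}{1,-10}{2,-8}{3,-8}{4}",
                Show(user), Show(pass), buggy, ok,
                buggy != ok ? "  <- reaches the login code half-filled" : "");
        }
    }
}
```
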
Developer
Feb 3, 2013 at 6:10 AM
Hello msawczyn,

Thanks very much for informing us. Your advice is taken and we have corrected the logic section. We are not using Page.IsValid, but your part is taken into the code section.
Keep advising us with this type of info.

Thanks
--Alok Kumar Pandey