-
Mar 18th, 2003, 09:42 AM
#1
Redirect to login security example
This is something often asked for. But say you need security to keep people from going to a page bypassing the login screen. In classic ASP you needed to use an include file or the same piece of code on every page and have it check a session variable or something. No longer do you need this.
I am going to show the easy way first, then I will tell you how to customize it to verify the user from a database.
Step 1: In your web.config file
Code:
<authentication mode="Forms">
    <forms loginUrl="webform1.aspx">
        <credentials passwordFormat="Clear">
            <user name="Chris" password="1234"/>
        </credentials>
    </forms>
</authentication>
Those are the allowable users. I am not going to get into this, but you can encrypt the password with SHA1.
Also in the web.config, you need this in the authorization node
Code:
<authorization>
    <deny users="?" /> <!-- Deny anonymous (not logged in) users -->
</authorization>
With the combination of those 2 sections, if someone has not logged in, they will be redirected to the page you specify here <forms loginUrl="webform1.aspx">
Now, on your login page, you just put your 2 textboxes for user and password and a button. In the button click code
Code:
If FormsAuthentication.Authenticate(TextBox1.Text, TextBox2.Text) Then
    FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, False)
End If
That will verify the user and pass that you put into the web.config. If it is ok, then it will redirect automatically to default.aspx. Now, how do you use this with a database? Very simple. Just replace the FormsAuthentication.Authenticate(TextBox1.Text, TextBox2.Text) function with your own function. The RedirectFromLoginPage part is where the actual magic happens and cookies are set. You can make your own RedirectFromLogin function too if you want to customize that, but I won't get into that now.
You may wonder what the False in FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, False) is for. That lets you specify if you want to save the cookie as a persistent cookie. So what this will let you do is you can put a checkbox on the login page that is used for 'Remember me' type functionality as seen on other sites, then you can replace the False with checkbox.Value.
I hope this is helpful to you guys in getting some login security easily on your website.
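One way to write the "your own function" step from the post above, as an added example that is not part of the original post: a database-backed check with a parameterized query and salted PBKDF2 hashes instead of clear-text passwords. The connection string name `AppDb`, the `Users` table and its columns, and the iteration count are assumptions; the `HashAlgorithmName` overload needs .NET Framework 4.7.2 or later.

```vb
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Cryptography
Imports System.Web.Security

' Code-behind of the login page; TextBox1, TextBox2 and Button1 come from its markup.
' Assumed (hypothetical) schema: Users(UserName NVARCHAR(64), Salt VARBINARY, PasswordHash VARBINARY)
Partial Class WebForm1
    Inherits System.Web.UI.Page

    ' Must match the count used when the stored hash was created (assumed value)
    Private Const Iterations As Integer = 100000

    Private Function ValidateUser(userName As String, password As String) As Boolean
        Dim connStr As String = ConfigurationManager.ConnectionStrings("AppDb").ConnectionString
        Dim sql As String = "SELECT Salt, PasswordHash FROM Users WHERE UserName = @u"
        Using conn As New SqlConnection(connStr), cmd As New SqlCommand(sql, conn)
            ' Parameterized: the typed user name never becomes part of the SQL text
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 64).Value = userName
            conn.Open()
            Using rdr As SqlDataReader = cmd.ExecuteReader()
                If Not rdr.Read() Then Return False   ' unknown user
                Dim salt As Byte() = DirectCast(rdr("Salt"), Byte())
                Dim stored As Byte() = DirectCast(rdr("PasswordHash"), Byte())
                ' Re-derive the hash from the submitted password and the stored salt
                Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256)
                    Return FixedTimeEquals(kdf.GetBytes(stored.Length), stored)
                End Using
            End Using
        End Using
    End Function

    ' Compares every byte so the time taken does not depend on where the first mismatch is
    Private Shared Function FixedTimeEquals(a As Byte(), b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    Protected Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
        If ValidateUser(TextBox1.Text, TextBox2.Text) Then
            FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, False)
        End If
    End Sub
End Class
```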
-
Mar 18th, 2003, 04:12 PM
#2
Frenzied Member
I've been reading up on forms authentication for the past 2 weeks. There are some good articles on MSDN dealing with this.
Don't gain the world and lose your soul
-
May 15th, 2003, 09:37 AM
#3
Lively Member
Any Idea on letting them into certain areas
I like the code but I would like to be able to let them go to certain pages but not others. Example: If they login they can go to A, B, and C pages but not D or E unless they login. Redirect D or E if they try to go there???
-
May 15th, 2003, 09:40 AM
#4
That is something you need to code on every page yourself. In the page_load event, just redirect the user if he isn't supposed to go there.
-
May 15th, 2003, 09:59 AM
#5
Lively Member
Is there a value I can Key off of
So in your code is there a value that gets saved somewhere that I can key off of or do I need to write code to hold a value. If so how do you save that value across pages??
Thanks for any help
-
May 15th, 2003, 10:07 AM
#6
as stated, you can make your own Authenticate function, then save values that you may use to determine what pages a user can see, into Session variables. Like in a database store username, password, permissions. The value in permissions would be what to key off of.
-
May 15th, 2003, 11:17 AM
#7
PowerPoster
There is also a lot more you can do with forms based authentication. You can verify it against a db, insert your own roles....etc.
I posted the code I use on my site to do that in this thread:
http://www.vbforums.com/showthread.p...hreadid=244508
There are other ways by creating your own principal and context objects too.
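A sketch of the "insert your own roles" approach mentioned above, as an added example that is not the code from the linked thread: roles travel in the encrypted ticket's user data rather than in Session, are restored into a principal on each request, and are checked per page. The module name `RoleTicket`, its method names and the role strings are hypothetical; `Secure = True` assumes the site is served over HTTPS.

```vb
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

Public Module RoleTicket
    ' Call from the login page once the password check has succeeded.
    ' roles: for example {"staff", "admin"}, loaded from a permissions column.
    Public Sub SignIn(ctx As HttpContext, userName As String, roles As String())
        Dim ticket As New FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.AddMinutes(60), False, String.Join(",", roles))
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName,
                                     FormsAuthentication.Encrypt(ticket))
        cookie.HttpOnly = True   ' not readable from client-side script
        cookie.Secure = True     ' only sent over HTTPS
        ctx.Response.Cookies.Add(cookie)
        ' Send the user to the page originally requested (ReturnUrl)
        ctx.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, False))
    End Sub

    ' Call from Page_Load of a restricted page, e.g. RequireRole(Context, "admin")
    Public Sub RequireRole(ctx As HttpContext, role As String)
        If ctx.User Is Nothing OrElse Not ctx.User.IsInRole(role) Then
            ctx.Response.StatusCode = 403
            ctx.Response.End()
        End If
    End Sub
End Module

' Global.asax.vb: rebuild the principal with the ticket's roles on every request
Public Class Global_asax
    Inherits HttpApplication

    Sub Application_AuthenticateRequest(sender As Object, e As EventArgs)
        If Context.User Is Nothing Then Return
        Dim id As FormsIdentity = TryCast(Context.User.Identity, FormsIdentity)
        If id Is Nothing Then Return   ' anonymous or not a forms login
        Dim roles As String() = id.Ticket.UserData.Split(
            New Char() {","c}, StringSplitOptions.RemoveEmptyEntries)
        Context.User = New GenericPrincipal(id, roles)
    End Sub
End Class
```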
-
Jul 22nd, 2004, 07:25 AM
#8
Hyperactive Member
Hi everybody,
I am trying to host my first ASP.NET website. I have created a virtual sub-folder named EAF in my virtual directory and uploaded 2 web pages QuotGen.aspx and Login.aspx in the sub-folder. I have configured Web.config for Forms based authentication just like Cander described, except that I don't have the credentials tag in authentication. So, on requesting the QuotGen.aspx page, the Login page is brought up for user authentication.
However after validating the user, RedirectFromLoginPage does not redirect to QuotGen.aspx and the Login page is reloaded.
I have seen many people asking the same question on the net, but I haven't found an answer to it so far. Please help me.
It is easy when you know it.
-
Jul 22nd, 2004, 12:09 PM
#9
I wonder how many charact
You can go anywhere you want to after you have attached the authentication ticket:
VB Code:
If AuthenticatedUser Then
    Dim authTicket As FormsAuthenticationTicket = _
        New FormsAuthenticationTicket(1, userguid, DateTime.Now, DateTime.Now.AddMinutes(60), False, "")
    'encrypt ticket
    Dim encryptedTicket As String = FormsAuthentication.Encrypt(authTicket)
    'create a cookie and add the encrypted ticket to the cookie as data
    Dim authcookie As HttpCookie = New HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
    'add cookie to outgoing cookies collection
    Response.Cookies.Add(authcookie)
    'go wherever
    Response.Redirect("AppMain.aspx")
End If
Last edited by nemaroller; Jul 22nd, 2004 at 12:24 PM.
-
Jul 23rd, 2004, 12:52 AM
#10
Hyperactive Member
You can go anywhere you want to after you have attached the authentication ticket
I don't want to go where I want to but where the user wants to go. The redirect command should redirect the user to the web page which he requested for. In my case, being a sample application, there is only one web page other than the Login page which the user could request, but in a standard web application there are several such pages. That's the reason I want to use a command like RedirectFromLoginPage which should redirect him to the page he requested.
It is easy when you know it.
-
Jul 23rd, 2004, 05:33 AM
#11
I wonder how many charact
VB Code:
'go where you want to
Response.Redirect(FormsAuthentication.GetRedirectUrl(userguid,False))
-
Jul 24th, 2004, 12:30 AM
#12
Hyperactive Member
Response.Redirect(FormsAuthentication.GetRedirectUrl(userguid,False)) did not work.
It is easy when you know it.
-
Jul 24th, 2004, 06:39 AM
#13
I wonder how many charact
that surprises me, because it works for me...
post your web.config authorization section
-
Jul 24th, 2004, 07:19 AM
#14
Hyperactive Member
I found out why that was happening. It was happening because I had an underscore character in my user name using which I logged into the hosting site, which disables session variables. After selecting another user name without an underscore, RedirectFromLoginPage worked perfectly fine. I didn't check whether Response.Redirect works.
It is easy when you know it.