Thread: Redirect to login security example

  1. #1

    Thread Starter
    Banished Cander's Avatar
    Join Date
    Dec 2000
    Location
    Why do you care?
    Posts
    6,913

    Redirect to login security example

    This is something often asked for. But say you need security to keep people from going to a page bypassing the login screen. In classic ASP you needed to use an include file or the same piece of code on every page and have it check a session variable or something. No longer do you need this.

    I am going to show the easy way first, then I will tell you how to customize it to verify the user from a database.

    Step 1: In your web.config file

    Code:
        <authentication mode="Forms">
            <forms loginUrl="webform1.aspx">
                <credentials passwordFormat="Clear">
                    <user name="Chris" password="1234"/>
                </credentials>
            </forms>
        </authentication>
    Those are the allowable users. I am not going to get into this, but you can encrypt the password with SHA1.
    Also in the web.config, you need this in the authorization node:
    Code:
        <authorization>
            <deny users="?" /> <!-- Deny anonymous (not logged in) users -->
        </authorization>
    With the combination of those 2 sections, if someone has not logged in, they will be redirected to the page you specify here: <forms loginUrl="webform1.aspx">

    Now, on your login page, you just put your 2 textboxes for user and password and a button. In the button click code

    Code:
            If FormsAuthentication.Authenticate(TextBox1.Text, TextBox2.Text) Then
                FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, False)
            End If
    That will verify the user and pass that you put into the web.config. If it is ok, then it will redirect automatically to default.aspx. Now, how do you use this with a database? Very simple. Just replace the FormsAuthentication.Authenticate(TextBox1.Text, TextBox2.Text) function with your own function. The RedirectFromLoginPage part is where the actual magic happens and cookies are set. You can make your own RedirectFromLogin function too if you want to customize that, but I won't get into that now.


    You may wonder what the False in FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, False)
    is for. That lets you specify if you want to save the cookie as a persistent cookie. So what this will let you do is you can put a checkbox on the login page that is used for 'Remember me' type functionality as seen on other sites, then you can replace the False with checkbox.Value.

    I hope this is helpful to you guys in getting some login security easily on your website.
    Stack Overflow
    See the features of Visual Studio 2010 and C# 4.0: The 10-4 show on Channel9
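
One way to write the custom function that replaces FormsAuthentication.Authenticate, storing a salted PBKDF2 hash instead of the clear-text password shown in the web.config above. This is an added example, not code from the original post; the module name, the in-memory dictionary standing in for the users table, and the iteration count are assumptions, and it targets .NET 4 or later.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography

' Added example: stand-in for FormsAuthentication.Authenticate that checks a
' salted PBKDF2 (HMAC-SHA1) hash rather than a clear-text password.
Public Module CredentialCheck
    Private Const Iterations As Integer = 100000   ' assumption: tune for your server
    Private Const HashBytes As Integer = 32
    ' Constructed stand-in for a users table: name -> {salt, hash}.
    Private ReadOnly Users As New Dictionary(Of String, Byte()())(StringComparer.OrdinalIgnoreCase)
    ' Used for unknown names so they cost the same work as known ones.
    Private ReadOnly Dummy As Byte()() = New Byte()() {New Byte(15) {}, New Byte(HashBytes - 1) {}}

    ' Call when a user registers or changes password; only salt and hash are kept.
    Public Sub SetPassword(ByVal userName As String, ByVal password As String)
        Dim salt(15) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(salt)
        End Using
        Users(userName) = New Byte()() {salt, Derive(password, salt)}
    End Sub

    Private Function Derive(ByVal password As String, ByVal salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations)
            Return kdf.GetBytes(HashBytes)
        End Using
    End Function

    ' Drop-in replacement for the Authenticate call in the button click handler.
    Public Function Authenticate(ByVal userName As String, ByVal password As String) As Boolean
        If userName Is Nothing OrElse password Is Nothing Then Return False
        Dim record As Byte()() = Nothing
        Dim found As Boolean = Users.TryGetValue(userName, record)
        If Not found Then record = Dummy
        Dim expected As Byte() = record(1)
        Dim actual As Byte() = Derive(password, record(0))
        ' Compare every byte so timing does not reveal where a mismatch occurs.
        Dim diff As Integer = expected.Length Xor actual.Length
        For i As Integer = 0 To Math.Min(expected.Length, actual.Length) - 1
            diff = diff Or (expected(i) Xor actual(i))
        Next
        Return found AndAlso diff = 0
    End Function
End Module
```

In the login button handler, `If CredentialCheck.Authenticate(TextBox1.Text, TextBox2.Text) Then` takes the place of the FormsAuthentication.Authenticate test, and the `<credentials>` block can then be removed from web.config.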

  2. #2
    Frenzied Member DevGrp's Avatar
    Join Date
    Nov 2001
    Location
    Charlotte, NC
    Posts
    1,256
    I've been reading up on forms authentication for the past 2 weeks. There are some good articles on MSDN dealing with this.
    Don't gain the world and lose your soul

  3. #3
    Lively Member
    Join Date
    May 2001
    Posts
    95

    Any Idea on letting them into certain areas

    I like the code but I would like to be able to let them go to certain pages but not others. Example: If they login they can go to A, B, and C pages but not D or E unless they login. Redirect D or E if they try to go there???

  4. #4

    Thread Starter
    Banished Cander's Avatar
    Join Date
    Dec 2000
    Location
    Why do you care?
    Posts
    6,913
    That is something you need to code on every page yourself. In the page_load event, just redirect the user if he isn't supposed to go there.

  5. #5
    Lively Member
    Join Date
    May 2001
    Posts
    95

    Is there a value I can Key off of

    So in your code is there a value that gets saved somewhere that I can key off of or do I need to write code to hold a value. If so how do you save that value across pages??

    Thanks for any help

  6. #6

    Thread Starter
    Banished Cander's Avatar
    Join Date
    Dec 2000
    Location
    Why do you care?
    Posts
    6,913
    As stated, you can make your own Authenticate function, then save values that you may use to determine what pages a user can see, into Session variables. Like in a database store username, password, permissions. The value in permissions would be what to key off of.

  7. #7
    PowerPoster hellswraith's Avatar
    Join Date
    Jul 2002
    Location
    Washington St.
    Posts
    2,464
    There is also a lot more you can do with forms based authentication. You can verify it against a db, insert your own roles....etc.

    I posted the code I use on my site to do that in this thread:
    http://www.vbforums.com/showthread.p...hreadid=244508

    There are other ways by creating your own principal and context objects too.

  8. #8
    Hyperactive Member Utpal's Avatar
    Join Date
    Feb 2002
    Location
    Mumbai, India
    Posts
    393
    Hi everybody,
    I am trying to host my first ASP.NET website. I have created a virtual sub-folder named EAF in my virtual directory and uploaded 2 web pages QuotGen.aspx and Login.aspx in the sub-folder. I have configured Web.config for Forms based authentication just like Cander described, except that I don't have the credentials tag in authentication. So, on requesting the QuotGen.aspx page, the Login page is brought up for user authentication.

    However after validating the user, RedirectFromLoginPage does not redirect to QuotGen.aspx and the Login page is reloaded.
    I have seen many people asking the same question on the net, but I haven't found an answer to it so far. Please help me.
    It is easy when you know it.

  9. #9
    I wonder how many charact
    Join Date
    Feb 2001
    Location
    Savage, MN, USA
    Posts
    3,704
    You can go anywhere you want to after you have attached the authentication ticket:

    VB Code:
    If AuthenticatedUser Then
        Dim authTicket As FormsAuthenticationTicket = _
            New FormsAuthenticationTicket(1, userguid, DateTime.Now, DateTime.Now.AddMinutes(60), False, "")

        'encrypt ticket
        Dim encryptedTicket As String = FormsAuthentication.Encrypt(authTicket)

        'create a cookie and add the encrypted ticket to the cookie as data
        Dim authcookie As HttpCookie = New HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
        'add cookie to outgoing cookies collection
        Response.Cookies.Add(authcookie)

        'go wherever
        Response.Redirect("AppMain.aspx")
    End If
    Last edited by nemaroller; Jul 22nd, 2004 at 12:24 PM.
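
The posts above mention keying page access off a stored permissions value, inserting your own roles, and building the ticket by hand. The following added example (not code from any poster) ties those together by carrying the roles in the ticket's user-data field instead of Session. The module and method names, the "|" separator and the role names are assumptions.

```vbnet
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

' Added example: carry roles in the forms-authentication ticket and rebuild
' the principal on each request so pages can test User.IsInRole.
Public Module RoleTickets
    ' Login page: call after your own credential check succeeds.
    ' roles comes from your user store (hypothetical values such as "admin").
    Public Sub IssueTicket(ByVal response As HttpResponse, ByVal userName As String, ByVal roles As String())
        Dim ticket As New FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.AddMinutes(60), False, String.Join("|", roles))
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket))
        cookie.HttpOnly = True                          ' keep client script away from the ticket
        cookie.Secure = FormsAuthentication.RequireSSL  ' follows requireSSL in web.config
        cookie.Path = FormsAuthentication.FormsCookiePath
        response.Cookies.Add(cookie)
    End Sub

    ' Global.asax: call from Application_AuthenticateRequest with HttpContext.Current.
    Public Sub RestorePrincipal(ByVal context As HttpContext)
        Dim cookie As HttpCookie = context.Request.Cookies(FormsAuthentication.FormsCookieName)
        If cookie Is Nothing OrElse String.IsNullOrEmpty(cookie.Value) Then Return
        Dim ticket As FormsAuthenticationTicket
        Try
            ticket = FormsAuthentication.Decrypt(cookie.Value)
        Catch ex As Exception
            Return                                      ' tampered or foreign cookie: stay anonymous
        End Try
        If ticket Is Nothing OrElse ticket.Expired Then Return
        Dim roles As String() = ticket.UserData.Split(New Char() {"|"c}, StringSplitOptions.RemoveEmptyEntries)
        context.User = New GenericPrincipal(New FormsIdentity(ticket), roles)
    End Sub

    ' Page_Load of a restricted page: RoleTickets.RequireRole(Context, "admin")
    Public Sub RequireRole(ByVal context As HttpContext, ByVal role As String)
        If context.User IsNot Nothing AndAlso context.User.IsInRole(role) Then Return
        ' Redirect(url) ends the response, so none of the protected page is rendered.
        context.Response.Redirect(FormsAuthentication.LoginUrl)
    End Sub
End Module
```

Because the ticket is encrypted and validated by FormsAuthentication.Decrypt, the role list cannot be edited by the client, but it is only refreshed when a new ticket is issued.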

  10. #10
    Hyperactive Member Utpal's Avatar
    Join Date
    Feb 2002
    Location
    Mumbai, India
    Posts
    393
    You can go anywhere you want to after you have attached the authentication ticket
    I don't want to go where I want to but where the user wants to go. The redirect command should redirect the user to the web page which he requested for. In my case, being a sample application, there is only one web page other than the Login page which the user could request, but in a standard web application there are several such pages. That's the reason I want to use a command like RedirectFromLoginPage which should redirect him to the page he requested.
    It is easy when you know it.

  11. #11
    I wonder how many charact
    Join Date
    Feb 2001
    Location
    Savage, MN, USA
    Posts
    3,704
    VB Code:
    'go where you want to
    Response.Redirect(FormsAuthentication.GetRedirectUrl(userguid, False))

  12. #12
    Hyperactive Member Utpal's Avatar
    Join Date
    Feb 2002
    Location
    Mumbai, India
    Posts
    393
    Response.Redirect(FormsAuthentication.GetRedirectUrl(userguid,False)) did not work.
    It is easy when you know it.

  13. #13
    I wonder how many charact
    Join Date
    Feb 2001
    Location
    Savage, MN, USA
    Posts
    3,704
    That surprises me, because it works for me...

    Post your web.config authorization section.

  14. #14
    Hyperactive Member Utpal's Avatar
    Join Date
    Feb 2002
    Location
    Mumbai, India
    Posts
    393
    I found out why that was happening. It was happening because I had an underscore character in my user name using which I logged into the hosting site, which disables session variables. After selecting another user name without an underscore, RedirectFromLoginPage worked perfectly fine. I didn't check whether Response.Redirect works.
    It is easy when you know it.
