views:

332

answers:

4

I have two ASP.NET pages: site.com/foo/bar.aspx that should be world accessible and site.com/foo/baz.aspx that I want to password protect. I want any un-authenticated users to see a username/password page and then, once they pass that, I want them to see the real thing. I'm looking for the simplest possible solution (this looked good till it stated asking me to move things), even at the cost of flexibility.

What I'd love to see would be a control that does nothing if the user is authenticated and replaces "all" other controls with a login prompt if they aren't.

I'm currently the only user who will have an account so I can go with a hard coded password list for now (and I'm more or less stuck with that as I wouldn't have anywhere else to put it).


Using Greg's answer I was able to make individual pages password protected. Using Joel Coehoorn's Link I set it up to do Forms Authentication. From this page I'm using a custom Login logic that looks like this:

    Login1.Authenticate += new AuthenticateEventHandler(Login1_Authenticate);

    ...

    void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        e.Authenticated = (Login1.UserName == "user" && 
                           Login1.Password == "password");
    }

All of that put together seems to work fine. :)

+4  A: 

In that case, the easiest thing is probably forms authentication. You just hook everything up in your web.config file and build a simple login page using the pre-built controls.

Joel Coehoorn
Let me guess, that;s going to require me to make a new page... I really hope that's not the simplest solution.
BCS
The "username/password page" you're asking for has to come from somewhere. All you have to do is drop a login control on the form and you're done.
Joel Coehoorn
I was kinda hoping that my existing page could be both: a login page to unathenticated users, and the real thing afterwards.
BCS
That is an option, but it's actually _more_ code.
Joel Coehoorn
A: 

This is a followup to BCS's comment on Joel's answer:

You will need to create a Login.aspx form, but it is incredibly easy: How To: Create an ASP.NET Login Page

Chris Porter
I guess I might not get to be that lazy.
BCS
+1  A: 

Are you on a Windows network? You can just use windows authentication via the web.config if you are.

Something like this would work:

<system.web>
<authentication mode="Windows" />
</system.web>

  <location path="page.aspx">
    <system.web>
      <authorization>
        <allow roles="domain\role"/>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

Edit: Ok, not using windows network. This might help you with a down&dirty single user method: http://www.codeproject.com/Messages/1772445/Setting-username-passwords-in-the-web-config-using-forms-authentication.aspx

Greg
I don't own the box and can't do anything with users.
BCS
OTOH that `<location>` stuff might answer some other questions...
BCS
A: 

If you really only have one page, use a multiview.

ASPX page

<asp:MultiView ID="mvSecretContent" runat="server">
    <asp:View ID="viewLogin" runat="server">
        <asp:Label AssociatedControlID="username" 
            runat="server">Username:</asp:Label>
        <asp:TextBox ID="username" runat="server"></asp:TextBox>
        <asp:Label AssociatedControlID="password"
            runat="server">Password:</asp:Label>
        <asp:TextBox ID="password" runat="server"></asp:TextBox>
        <br />
        <asp:Button ID="login" runat="server" OnClick="login_Click" 
            Text="Log In" />
    </asp:View>
    <asp:View ID="viewSecret" runat="server">
        <h1>This is secret information!</h1>
        <asp:Button ID="logout" runat="server" OnClick="logout_Click" 
            Text="Log Out" />
    </asp:View>
</asp:MultiView>

Code-behind:

protected void Page_PreRender(object sender, EventArgs e)
{
    if (ViewState["IsAuthenticated"] == null || 
        !(bool)ViewState["IsAuthenticated"])
    {
        mvSecretContent.SetActiveView(viewLogin);
    }
    else
    {
        mvSecretContent.SetActiveView(viewSecret);
    }
}

protected void login_Click(object sender, EventArgs e)
{
    // authenticate user/pass

    ViewState["IsAuthenticated"] = true;
}

protected void logout_Click(object sender, EventArgs e)
{
    ViewState["IsAuthenticated"] = false;
}

It's only stored in ViewState, so you'll have to re-authenticate every time you visit the page. If you change ViewState to Session it'll stick for however long your session is set up for (default is usually 20 minutes).

goldenratio