I have an ASP.NET Role/Membership based forms authentication site. There's a subfolder whose pages can be accessed only by a certain role. The problem is, the login page does not display any error message if a user from a non-allowed role group logs in on the login page. I mean, when a user from AllowedRole logs in, the login page redirects the user correctly to the protected page, but when a user from NonAllowedRole tries to log in, he/she correctly logs in but no error message is displayed; the user is back on the login page without any information. I do have a FailureText set in the Login form but it's not displayed. The loginForm.LoginError event also doesn't get raised. I tried this code but it doesn't display either:

protected void frmLogin_LoggedIn(object sender, EventArgs e)
{
    if (!User.IsInRole("AllowedRole"))
    {
        frmLogin.FailureText = "Access denied.";
        //Label1.Text = "Access denied."; //doesn't work either
    }
}

What am I doing wrong?

+1  A: 

I don't know where to find the documentation to support this. This answer is based on observation of the behavior I've seen in apps I've written.

The login page is excluded from the allowed access rules. It needs to be. Say you have a site where the whole site disallows anonymous users, even at the root level. The users need to be able to access the login page to be able to log in.

To resolve your dilemma you would need to add a label (I would call it lblError) and in your Page_Load, add the following (C# example code):

// IPrincipal has no IsLoggedIn member; Identity.IsAuthenticated is the equivalent check.
if (User.Identity.IsAuthenticated)
{
    if (!User.IsInRole("AllowedRole"))
    {
        lblError.Text = "Access denied.";
    }
}

Added

Giving this more thought, the reason there is no error in the login page is that the error is happening when the user attempts to access the protected page, not within the login page.

However, I believe my suggestion will work for your situation as well.

David Stratton
+2  A: 

One thing you can do is check the ReturnUrl query string parameter and, if it's your "denied" folder, redirect the user to either an error page or an allowed login page. Like this:

// Roles lives in System.Web.Security.
protected void frmLogin_LoggedIn(object sender, EventArgs e)
{
    // During LoggedIn the forms auth cookie is only in the response, so Page.User
    // still holds the pre-login identity; check the role by the user name that
    // just authenticated instead of User.IsInRole.
    if (!Roles.IsUserInRole(frmLogin.UserName, "AllowedRole") && 
        InRestrictedArea(Request.QueryString["ReturnUrl"]))
    {
        Response.Redirect("Not-Allowed-Here.aspx");
    }
}

Define InRestrictedArea to check if the requested area is where they aren't allowed.

Keltex
+1 Good idea. That would work, too, although I still think he should check the User.IsLoggedIn as well. I think a combination of our answers would be better than either on their own.
David Stratton
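The combination David suggests, as an added example that is not code from either answer: the LoggedIn handler checks the role by user name (Page.User is not updated until the next request), the Page_Load check covers an already-authenticated user bounced back from the protected folder, and InRestrictedArea compares only the path of the user-supplied ReturnUrl. The folder name, AccessDenied.aspx, and the frmLogin/lblError controls declared in the designer file are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class LoginPage : Page
{
    // Assumed folder that web.config <location>/<authorization> rules restrict to
    // AllowedRole. Those rules remain the enforcement; this code is feedback only.
    private const string RestrictedFolder = "~/Members/";
    private const string AllowedRole = "AllowedRole";

    // Keltex's check: runs right after the credentials were accepted.
    protected void frmLogin_LoggedIn(object sender, EventArgs e)
    {
        // Page.User still holds the pre-login identity here (the auth cookie is
        // only in the response), so look the role up by the user name instead.
        if (Roles.IsUserInRole(frmLogin.UserName, AllowedRole))
            return; // allowed: let the Login control redirect to ReturnUrl
        if (InRestrictedArea(Request.QueryString["ReturnUrl"]))
        {
            // Stop the control's redirect to ReturnUrl and explain instead.
            Response.Redirect("~/AccessDenied.aspx"); // assumed page
        }
    }

    // David Stratton's check: covers a user who was already logged in and was
    // sent back here after the protected folder denied the request.
    protected void Page_Load(object sender, EventArgs e)
    {
        if (User.Identity.IsAuthenticated && !User.IsInRole(AllowedRole)
            && InRestrictedArea(Request.QueryString["ReturnUrl"]))
        {
            lblError.Text = "Access denied.";
        }
    }

    // True when the user-supplied ReturnUrl points inside the restricted folder.
    // Only the path is compared; this code never redirects to ReturnUrl itself.
    private static bool InRestrictedArea(string returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl))
            return false;
        string path = returnUrl.Split('?')[0];
        if (VirtualPathUtility.IsAppRelative(path))
            path = VirtualPathUtility.ToAbsolute(path);
        string restricted = VirtualPathUtility.ToAbsolute(RestrictedFolder);
        return path.StartsWith(restricted, StringComparison.OrdinalIgnoreCase);
    }
}
```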