
I have a web project GUI.

I was first working with the administrator only.

So when the administrator logs in with his username and password, I use forms authentication to redirect him to the default page "Default.aspx".

But now I have to work with Guests also... and on login:

  1. check the role; if it is a guest, redirect him to a guest page, not "Default.aspx"

  2. with read-only privileges, e.g. he should not be able to make any changes in the database even if there is an option

I was using this code:

    using System;
    using System.Runtime.InteropServices;
    using System.Security.Principal;
    using System.Web.Security;

    public partial class Login : System.Web.UI.Page
    {
        public const int LOGON32_LOGON_INTERACTIVE = 2;
        public const int LOGON32_PROVIDER_DEFAULT = 0;

        WindowsImpersonationContext impersonationContext;

        // Win32 logon/token APIs: validate the credentials against the local
        // machine or domain and impersonate the resulting Windows user.
        [DllImport("advapi32.dll")]
        public static extern int LogonUserA(String lpszUserName,
            String lpszDomain,
            String lpszPassword,
            int dwLogonType,
            int dwLogonProvider,
            ref IntPtr phToken);

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern int DuplicateToken(IntPtr hToken,
            int impersonationLevel,
            ref IntPtr hNewToken);

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern bool RevertToSelf();

        [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
        public static extern bool CloseHandle(IntPtr handle);

        protected void LoginButton_Click(object sender, EventArgs e)
        {
            IntPtr token = IntPtr.Zero;

            // This first logon only checks the credentials; its handle is closed at once.
            if (LogonUserA(UserName.Text, Domain.Text, Password.Text,
                           LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref token) != 0)
            {
                CloseHandle(token);

                if (impersonateValidUser(UserName.Text, Domain.Text, Password.Text))
                {
                    Label1.Text = "impersonation";
                }
                else
                {
                    Label2.Text = "not impersonating";
                }

                // While impersonating, GetCurrent() is the logged-on user, so the
                // group check below runs against that user's Windows groups.
                WindowsIdentity wi = WindowsIdentity.GetCurrent();
                WindowsPrincipal wp = new WindowsPrincipal(wi);

                // Stop impersonating once the identity has been captured so the
                // rest of the request runs as the application pool account again.
                if (impersonationContext != null)
                    impersonationContext.Undo();

                if (wp.IsInRole("Administrators"))
                {
                    BadCredentials.Visible = false;
                    Session["userName"] = UserName.Text;
                    Session["password"] = Password.Text;   // note: plaintext password kept in session state
                    Session["domain"] = Domain.Text;
                    FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
                }
                else if (wp.IsInRole("Guest"))
                {
                    // ?? I want to redirect it to the guestpage.aspx and not the default.aspx
                }
            }
            else
            {
                BadCredentials.Visible = true;
                Label4.Text = "not valid user";
            }
        }

        private bool impersonateValidUser(String userName, String domain, String password)
        {
            WindowsIdentity tempWindowsIdentity;
            IntPtr token = IntPtr.Zero;
            IntPtr tokenDuplicate = IntPtr.Zero;

            if (RevertToSelf())
            {
                if (LogonUserA(userName, domain, password,
                               LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref token) != 0)
                {
                    // 2 = SecurityImpersonation: the level needed to impersonate locally.
                    if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
                    {
                        tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
                        impersonationContext = tempWindowsIdentity.Impersonate();
                        if (impersonationContext != null)
                        {
                            CloseHandle(token);
                            CloseHandle(tokenDuplicate);
                            return true;
                        }
                    }
                }
            }

            // Any failure path: release whatever handles were opened.
            if (token != IntPtr.Zero)
                CloseHandle(token);
            if (tokenDuplicate != IntPtr.Zero)
                CloseHandle(tokenDuplicate);
            return false;
        }
    }

This is very important to me... any suggestions will be appreciated. Thanks.

Is there some setting in SQL or IIS for a read-only mode for Guest?

I have used this in my web.config:

    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" defaultUrl="~/Default.aspx" name="Cookie" timeout="120" path="/">
      </forms>
    </authentication>
    <authorization>
      <deny users="?"/>
      <allow users="*"/>
    </authorization>

and this works.

+2  A: 

To handle the redirection issue, you simply need to create the forms authentication ticket yourself and then do a Response.Redirect instead of using the built in RedirectFromLoginPage method.

Look at steps 7 - 10 here: http://msdn.microsoft.com/en-us/library/aa302399.aspx

As far as the security authorization issue goes, you should use the User.IsInRole method to enable / disable functionality in the app to keep users from doing something they shouldn't. If that isn't enough security, then you can consider giving different Sql connections / Sql Users/Roles to each application role. This is probably overkill however.

Daniel Auger
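A worked version of the two suggestions in this answer (a hand-built ticket carrying the role, then User.IsInRole to gate write actions), added here as an example and not code from the answer, the question or the MSDN article. The role names "Administrators"/"Guest", the 120-minute timeout and the page names come from the question; the Global class, the comma-separated UserData convention and the call site inside LoginButton_Click are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    // Call this from LoginButton_Click in place of RedirectFromLoginPage, once
    // LogonUserA has succeeded and wp.IsInRole has decided the role, e.g.
    // IssueTicketAndRedirect(UserName.Text, "Guest").
    private void IssueTicketAndRedirect(string userName, string role)
    {
        // Steps 7-10 of the MSDN walkthrough: build the ticket by hand and put
        // the role in UserData so it travels inside the encrypted cookie.
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(120),
            false, role, FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        Response.Cookies.Add(cookie);

        // Role-based landing page instead of the single defaultUrl.
        Response.Redirect(role == "Guest" ? "~/guestpage.aspx" : "~/Default.aspx");
    }
}

// Global.asax.cs (assumed class name): rebuild the principal on every request
// so that User.IsInRole("Guest") works in pages and in <authorization> rules.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null) return;
        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(authCookie.Value);
        if (ticket == null || ticket.Expired) return;
        string[] roles = ticket.UserData.Split(',');   // assumed: roles stored comma-separated
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```

With the principal rebuilt this way, a write handler such as a save button's click event can check `User.IsInRole("Guest")` on the server before touching the database, which is the check that actually enforces read-only; hiding or disabling the control alone does not.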
+2  A: 

Are you doing forms authentication or Windows authentication? The above looks like windows authentication (i.e. the host machine is authenticating the user). Forms authentication can be done against anything you want (such as a DB, etc).

If you want to manage users (such as in a DB) you will need to design those mechanisms. Take a look at the Membership Provider. You could also attempt to log the user into the Windows machine (or Domain) and if that fails fall back to using your own DB etc.

GrayWizardx
I am actually doing forms authentication, but to see if the user is an administrator on that computer I used some Windows properties... I did not know how to check it in forms authentication... if you can suggest some better way I will appreciate it... thanks. I actually use this in my web.config and it works: <authentication mode="Forms"> <forms loginUrl="Login.aspx" defaultUrl="~/Default.aspx" name="Cookie" timeout="120" path="/"> </forms> </authentication> <authorization> <deny users="?"/> <allow users="*"/> </authorization>
Without a "windows" account you couldn't see if they are a guest on the machine; guest is a specific Windows account. What you **could** do is check if that user is in a predefined group in the db, etc., and if not they are a "guest" automatically.
GrayWizardx