Hi,
I am working on an ASP.NET website project in which some of the pages need authentication. I am using ASP.NET membership.

I read some answers, e.g. put all of those pages in a folder and create an inner web.config that describes the privileges. This is one way to solve the problem, but I need a way that is more fixable and effective.

+12  A: 

If you don't want to hard code this in web.config(s) you will need to implement a "Base Page" type control.

Your base page class should inherit from System.Web.UI.Page, and would need to have a method you could call to say "User must be logged in" or "User must be in role x", and if the user isn't in that role, redirect to the login page (you can get this by calling FormsAuthentication.LoginUrl).

Your actual pages should inherit from this class rather than from System.Web.UI.Page directly. Then, in something like Init, or at the top of Page_Load, call

base.UserMustBeLoggedIn();

or

// Replace "AccessRole" with the name of your role
base.UserMustBeInRole("AccessRole");

And let the base page handle this.

If you would rather have the access rights stored in a database, then you could move all the processing to the base page, and in a suitable place in the page lifecycle, check the current URL against your database table, check the user's role/authentication against the requirements and redirect as required.


Note that you can create page-level security in the web.config like so:

<configuration>
  <location path="LockedPage.aspx">
    <system.web>
      <authorization>
        <!-- Deny access to anonymous users -->
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>

More information is available on MSDN: The Location Element and The Authorization Element.

Zhaph - Ben Duguid
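
One way to write the base page described in the answer above, as an added example that is not the answerer's code. The class names SecuredPage and LockedPage are hypothetical, and returning 403 to a signed-in user who lacks the role (instead of redirecting to the login page) is this example's choice.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// SecuredPage is a hypothetical name for the "Base Page" class described above.
public abstract class SecuredPage : Page
{
    // Anonymous visitors are sent to the forms-authentication login page.
    protected void UserMustBeLoggedIn()
    {
        if (Request.IsAuthenticated)
            return;

        FormsAuthentication.RedirectToLoginPage();
        // RedirectToLoginPage does not end the request; without Response.End()
        // the rest of the page would still execute and render for this visitor.
        Response.End();
    }

    // Requires a logged-in user who holds the given role.
    protected void UserMustBeInRole(string role)
    {
        UserMustBeLoggedIn();

        if (User.IsInRole(role))
            return;

        // Assumption of this example: a signed-in user without the role gets
        // 403 instead of a login redirect, so they are not bounced in a loop.
        Response.StatusCode = 403;
        Response.End();
    }
}

// LockedPage is a hypothetical code-behind class that opts in to the check.
public partial class LockedPage : SecuredPage
{
    protected override void OnInit(EventArgs e)
    {
        // Replace "AccessRole" with the name of your role.
        UserMustBeInRole("AccessRole");
        base.OnInit(e);
    }
}
```
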
+2  A: 

You can try this code. In the master page Load event write this code, and add a property:

public bool m_bLoginRequired = true;

public bool IsLoginRequired
{
    get { return m_bLoginRequired; }
    set { m_bLoginRequired = value; }
}

try
{
    // Response.Cache.SetCacheability(HttpCacheability.ServerAndNoCache);
    Response.Cache.SetNoStore();
    if (IsLoginRequired == true)
    {
        if (Session.IsNewSession || HttpContext.Current.Session["Username"] == null)
        {
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage("Session Expired");
            Response.End();
        }
    }
}
catch (Exception)
{
    // Rethrow without resetting the stack trace
    throw;
}

Now in the login page you need to write this code:

FormsAuthentication.SetAuthCookie(this.txt_UserName.Text.Trim(), false);
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    1, this.txt_UserName.Text.Trim(), DateTime.Now, DateTime.Now.AddMinutes(10), false, "HR");
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
cookie.Name = "jay";
Session["UserName"] = txt_UserName.Text.Trim();
Response.Cookies.Add(cookie);
txt_UserName.Text = "";
txt_Password.Text = "";
Response.Redirect("HomePage2.aspx");

Now you have to add the page init event in the login page:

protected void Page_PreInit(object sender, EventArgs e)
{
    Master.IsLoginRequired = false;
}

If you want the user to be able to access an unauthorized page, then in the page init event of that page

set Master.IsLoginRequired = false;

Also specify the loginUrl in the web.config file.