views:

349

answers:

5

I have as ASP.Net 2.0 website with SQL Server as database and C# 2005 as the programming language. The website is almost complete and all the links are working fine. But I want to prevent normal users from opening a couple of pages. When any user clicks on those specific links, another page opens which contains a ASP Login control. The user has to supply a valid userid and password to display the links pointing to the restrictive pages. But being a newbie, I don't know how to leverage the full power of the ASP Login control. Because, if a user gets to know the exact url of the restricted pages, then he/she can bypass the login control and directly access those pages by typing the url into the address bar. I want to prevent this. If the user types the url directly in the address bar, I want that the page itself should check, whether the user has been validated through the Login control and either display the page or point the user to the Login page.

How do I implement this feature??

Thank You.

Lalit Kumar Barik

+1  A: 

You will need a way to manage login sessions for each user. The following are some tutorials that could help you:

http://www.codeproject.com/KB/session/NoCookieSessionLogin.aspx

http://www.dotnetspider.com/resources/5597-Handling-Session-for-Login-Logout.aspx

nan
+6  A: 

You'll want to take a look at the location secton of the web config.

In that section, you can define down to the page level the access rights, so it wouldn't matter if the users knew the URL of the secured pages, ASP.NET wouldn't let them in.

So you would add something like:

<location path="SecuredPage.aspx">
  <system.web>
     <authorization>
        <deny users="?"/>
     </authorization>
  </system.web>
</location>

The "deny users="?"" bit says "Deny all anonymous users".

You can also set it up to only allow certain roles, if you are using those.

More information on the Authorization section can be found here:

authorization Element

Zhaph - Ben Duguid
Zhaph, does this solution user ad user names? Can you specify your own list of users through a username//password combination?
Wadih M.
To be honest, this solution assumes that you are using the ASP.NET membership system - either through the built in SQL provider, or your own provider: http://bit.ly/w5yX. However, yes, you can provide username/password combinations in credentials/users element in the web.config: http://bit.ly/11sRQ3
Zhaph - Ben Duguid
This will also allow you to use things like if (Request.IsAuthenticated) to check if the user is logged in, rather than relying on session variables, etc: http://bit.ly/yJY9M
Zhaph - Ben Duguid
A: 

Hi Lalit,

You should verify the user's logged in state at every Page_Load() event on pages that must control permissions, or simply put the authentication code in a CS file that will be included in all other files.

Depending on the authentication architecture that you choose (simply use the session variable, or create a session id with cookies), you must adapt your code accordingly.

The simplest way would be to manage log-ins through the session object. When the user logs in properly with the right credentials, you can set Session["logged_in"] = true. And on every Page_Load() event of the pages you want to protect, you'd need to do the following check.

Add this code at the beginning of your Page_Load() function:

  if (Session["logged_in"] != null && (bool)Session["logged_in"] == true){
    Response.Write("I'm logged in!");
  }else{
    Response.Write("I'm not logged in.");
  }

Please keep in mind that this is okay for simple intranet applications, but if you want to get into more secure login architectures, read up more about the subject, as reloying solely on session variables isn't safe because sessions can be highjacked.

Wadih M.
Wadih M.
Zhaph - Ben Duguid
Thanks Zhaph, that's right. Fixed the post.
Wadih M.
@" Wadih M.", Use od cast solved the problem. Thank you.Lalit Kumar Barik
+2  A: 

This is food for the ASP.Net Membership services. Take a look at this article and also the great series over at 4GuysFromRolla.

Membership allows you to store user/password information which is used, among others, by the Login control. Coupled with the authorization configuration you will be able to directly narrow access to specific pages down to specific users or roles.

Peter Lillevold
A: 

I would make a role table for users. Everyone who logs in gets the 'normal' role. Special uses whom you designate by their credentials get assigned roles to access a page or section of your website. Certain users (like yourself) would get an administrator role that automatically allows them access to everything.

Fire off a function called CheckIsInRoles('Admin', 'Normal', 'WhateverRoleYouChoose') which returns a boolean. If true, load the page; if not, don't.

Even better don't display a link if not in the correct role.

This has the added benefit of everyone logging on once and then accessing all the pages they need to without having to log on each time.

Dining Philanderer
Thanks for your explanation on the topic of roles. I am sure to use the knowledge in my future web sites. Unfortunately, in the current website the normal users don't need to login. Login is required for only a few people to access the couple of restricted pages. I needed only a simple restriction.