C# .NET - How to create forms authentication - Asked By abinav shankar on 17-Jan-12 12:20 AM

Hi

I have a login page. When the login credentials are correct, it will redirect to a page applyleave.aspx. If I copy and paste the URL of applyleave.aspx, it should redirect to the login page and not to applyleave.aspx. How do I do it?

Thanks

Jitendra Faye replied to abinav shankar on 17-Jan-12 12:23 AM

Form Authentication using ASP.NET

In Web.Config File

Here we show you a basic example of what a web.config file looks like when it has been set to use form authentication. I will go into further detail and explain the tags.

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" protection="All" timeout="30">
        <!-- passwordFormat="Clear" keeps these passwords as plaintext in web.config -->
        <credentials passwordFormat="Clear">
          <user name="admin" password="adminpwd"/>
          <user name="coder" password="coderpwd"/>
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <!-- After checking username and password, allow the user 'admin' and don't allow the user 'coder' -->
      <allow users="admin"/>
      <deny users="coder"/>
    </authorization>
    <compilation debug="true"/>
  </system.web>
</configuration>

In web.config I use <authentication> tag.

<authentication> tag

Here we come to our first tag for authentication, which is hence called <authentication>. We see that there is one attribute for this tag and it specifies the type of authentication that will be applied to this site. The choices are Windows|Forms|Passport|None.

For implementation follow this link-

http://www.dotnetspark.com/kb/648-formauthentication-using-asp-net.aspx

Hope this will help you.

Riley K replied to abinav shankar on 17-Jan-12 12:31 AM

When the FormsAuthenticationModule redirects an unauthorized visitor to the login page it appends the requested, unauthorized URL to the querystring with the name ReturnUrl. For example, if an unauthorized user attempted to visit OnlyTito.aspx, the FormsAuthenticationModule would redirect them to Login.aspx?ReturnUrl=OnlyTito.aspx. Therefore, if the login page is reached by an authenticated user with a querystring that includes the ReturnUrl parameter, then we know that this unauthenticated user just attempted to visit a page she is not authorized to view. In such a case, we want to redirect her to UnauthorizedAccess.aspx.

protected void Page_Load(object sender, EventArgs e)
{
    if (!Page.IsPostBack)
    {
        if (Request.IsAuthenticated && !string.IsNullOrEmpty(Request.QueryString["ReturnUrl"]))
        {
            // This is an unauthorized, authenticated request...
            Response.Redirect("~/UnauthorizedAccess.aspx");
        }
    }
}


A good tutorial

http://www.asp.net/web-forms/tutorials/security/membership/user-based-authorization-cs


Regards

smr replied to Jitendra Faye on 17-Jan-12 12:31 AM
hi

Forms authentication is a cookie/URL based authentication where username and password are stored on client machines as cookie files or they are sent encrypted on the URL for every request if cookies are not supported.


The Forms Authentication Workflow:


http://i1.asp.net/asp.net/images/security/02/images/aspnet_tutorial02_FormsAuth_vb_figure01.png


Add the following authentication setting into your web.config file under <system.web>.

<authentication mode="Forms">
  <forms defaultUrl="default.aspx" loginUrl="~/login.aspx" slidingExpiration="true" timeout="20"></forms>
</authentication>


refer links

http://www.asp.net/web-forms/tutorials/security/introduction/an-overview-of-forms-authentication-vb
http://www.dotnetfunda.com/articles/article141.aspx
http://www.codeproject.com/KB/aspnet/ASPDOTNETauthentication.aspx#Forms Authentication
Sreekumar P replied to abinav shankar on 17-Jan-12 01:33 AM
Hi,

Forms Authentication in ASP.NET is a technique to decide how users can access your web application.
Using forms authentication we can decide that certain users can access only certain pages, or we can control anonymous access; we can implement folder-level access and access based on roles.

We can manage the access through the web.config file.

Steps
1. First of all, create a new website and add a new form; name it Login.aspx.
Drag a Login control onto it from the toolbox.
Make sure you have a web.config file in the root of your application.

2. Right-click in Solution Explorer and add a new folder; name it membersArea.
Add a new form and name it members.aspx.
Add a web.config file in this folder.

Now, to implement Forms Authentication, we need to configure the web.config file (in the application root).

For this we need to add Authentication and Authorization tags inside the <system.web> tag of web.config:

<system.web>
  <authentication mode="Forms">
    <forms defaultUrl="Default.aspx" loginUrl="~/Login.aspx"
           slidingExpiration="true" timeout="20">
    </forms>
  </authentication>
</system.web>

Now, to restrict access to the membersonly page, which is inside the membersonly folder, so that only members can access this page, we need to create another web.config file inside this folder to provide its access rules.
In this web.config, write this inside the <system.web> tag:

<system.web>
  <authorization>
    <!-- "?" means anonymous (not logged in) users -->
    <deny users="?"/>
  </authorization>
</system.web>


Now, for the login process and checking the username and password, we need to write this code. Double-click the Login control placed on the Login.aspx page; it will generate the Login1_Authenticate event.

protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
{
    bool isMember = AuthenticateUser(Login1.UserName, Login1.Password,
                                     Login1.RememberMeSet);

    if (isMember)
    {
        // Issues the forms authentication ticket and returns to the requested page
        FormsAuthentication.RedirectFromLoginPage(Login1.UserName,
                                                  Login1.RememberMeSet);
    }
}


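And this is for checking the username and password; I'm using hard-coded values.

private bool AuthenticateUser(string userName, string password, bool rememberUserName)
{
    // Hard-coded demo credentials, kept in their own variables so they
    // do not clash with the submitted userName and password parameters
    string validUserName = "amiT";
    string validPassword = "password";

    if (userName.Equals(validUserName) && password.Equals(validPassword))
    {
        return true;
    }
    else
    {
        return false;
    }
}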