Manual Access control in ASP .Net

Question

Is there a way I can restrict access to pages without the built in role based way?

Essentially if the user tries to access admin.aspx then it redirects to login.aspx&redirect_url=admin.aspx

\then, they will postback with their credentials and I will give them a session cookie and so forth.

Is there an example of this?

Thanks

Edit:

I cannot use the way ASP.NET does it because my database has employees with usernames and passwords. ASP creates its own with roles and such

what does it mean "without the built in role based way"? Form authentication does not support? — cuongle, Jan 31 '13 at 15:35
I cannot use the way ASP.NET does it because my database has employees with usernames and passwords. ASP creates its own with roles and such. — jmasterx, Jan 31 '13 at 15:39
You can use authorization by user name too; it's not only just roles. — Brian Mains, Jan 31 '13 at 15:45
So anyone who logs in can go to admin page? There is no custom roles, etc? — MikeSmithDev, Jan 31 '13 at 15:56
No, but a user is either admin or not, but admin depends on what group they are in. — jmasterx, Jan 31 '13 at 16:00
That sounds like a role. How do you know who is in what group? And where are you storing it? — MikeSmithDev, Jan 31 '13 at 16:06

MikeSmithDev · Accepted Answer · 2013-01-31T16:18:40.327

First, you should set a FormsAuthentication cookie on login. So, in your code, on successful login you can set the cookie with:

FormsAuthentication.SetAuthCookie(theUsername, true);

or better yet, you can use this to handle the cookie and the redirect:

FormsAuthentication.RedirectFromLoginPage(theUsername, true);

(true if you want to cookie to persist)

The you can secure the admin folder by putting a web.config file in that folder:

<?xml version="1.0"?>
<configuration>
    <system.web>
        <authorization>
            <allow users="adminusername1,adminusername2"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</configuration>

Now when someone hits that admin folder and they aren't logged in, it will automatically send them to login.aspx?ReturnUrl=admin.aspx

Another thing to consider would be to implement your own RoleProvider. It's a lot less daunting that you may think. If you need to put people into roles (like Admin), then this is a good idea.

rumburak · Answer 2 · 2013-01-31T16:39:43.107

You can use HttpContext.Session to keep session variables.

When You put something to session like:

HttpContext.Current.Session["IsAuthenticated"] = "true"

Asp.Net will create cookie for You, so You do not need to care about it. The cookie will expire at the end of the session. You can use Your custom login method and store in session variable that user is authenticated. Then on restricted page You just check session variable like:

string isAuthenticated = HttpContext.Current.Session["IsAuthenticated"]

Edit:

If You want to use Asp.Net authorization and restrict access base on user name then:

<authorization>
    <allow users="John"/>
    <deny users="*"/>
</authorization>

Take a look at Asp.Net site navigation as well where You can use same access rules for user.

Edit:

If You want to authenticate against Your credentials database then way suggested by MikeSmithDev is the way to go. Create custom MembershipProvider or use FormsAuthentication methods.

But I suppose I need cookies if I want a "Keep Me Logged In" feature right? — jmasterx, Jan 31 '13 at 15:52

Manual Access control in ASP .Net

2 Answers2

Linked