
I want the user to be redirected to the login page if not logged in. The login credentials are "Admin" & "Password" always. When I log in, it redirects me to the protected files and that's exactly what I wanted. HOWEVER, I can also navigate to the Protected files without logging in. What would be the best solution? Is it something to do with my Web.Config? Beneath is my authorization control for my Account folder which has got the login.aspx and I want to protect files inside my folder /Private if the user can't log in.

<location path="Account">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>

Looking forward to your help!

Here is my Login.aspx's event handler after Login button click:

protected void LogIn(object sender, EventArgs e)
{
    // Check the credentials against the <credentials> section of web.config
    if (FormsAuthentication.Authenticate(UserName.Text, Password.Text))
    {
        var persistCookie = false;
        FormsAuthentication.RedirectFromLoginPage(UserName.Text, persistCookie);
    }

    if (IsValid)
    {
        // Strip spaces before comparing against the hard-coded credentials
        string uname = UserName.Text.Replace(" ", "");
        string password = Password.Text.Replace(" ", "");

        if (String.Equals(uname, "Admin") && String.Equals(password, "MG32015!"))
        {
            Session["user"] = uname;
            Response.Redirect("~/Private/ViewEnquiry.aspx");
            //IdentityHelper.RedirectToReturnUrl(Request.QueryString["ReturnUrl"], Response);
        }
        else
        {
            FailureText.Text = "Invalid username or password.";
            ErrorMessage.Visible = true;
        }
    }
}

And the Logout.aspx.cs has this:

using System;
using System.Web.Security;
using System.Web.UI;

public partial class Account_Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Drop the session state and remove the forms-authentication cookie
        Session.Clear();
        FormsAuthentication.SignOut();
        //Response.Redirect("Login.aspx");
    }

    protected void Login_Click(object sender, EventArgs e)
    {
        Response.Redirect("~/Account/Login.aspx");
    }
}

Anoj
  • You are using MVC right? Have you tried using the Authorize flag class attribute on your controllers? http://stackoverflow.com/questions/1148312/asp-net-mvc-decorate-authorize-with-multiple-enums – James Apr 21 '16 at 00:23
  • No, actually it's Webform. – Anoj Apr 21 '16 at 00:26

1 Answer


You can have different configuration for different paths. Make sure you deny unknown users to "Private".

Also, it's probably best to use the standard way of hard-coding credentials and authenticating if you're going to do things the way you are.

Here's what the config would look like:

<system.web>
  <authentication mode="Forms">
    <forms name=".ASPXFORMSAUTH" loginUrl="/login.aspx">
      <credentials passwordFormat="Clear">
        <user
          name="Admin"
          password="Password"/>
      </credentials>
    </forms>
  </authentication>
</system.web>

<!-- Account -->
<location path="Account">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
<!-- Private -->
<location path="Private">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>

...and here's the code (which includes the method that sets the authentication cookie):

protected void LogIn(object sender, EventArgs e)
{
  // authenticate user: this sample authenticates
  // against users in your app domain's web.config file
  if (FormsAuthentication.Authenticate(UserName.Text,
                                       Password.Text))
  {
    var persistCookie = false;
    // this is what actually sets the auth cookie.
    FormsAuthentication.RedirectFromLoginPage(UserName.Text, persistCookie);
  }
}

Also note that you can access the user name from the cookie without relying on session thusly:

HttpContext.Current.User.Identity.Name
Colin
  • This helped me redirect everyone to the Login page but even after I do a successful login it redirects me back to Login.aspx. – Anoj Apr 21 '16 at 01:37
  • I have my Login.aspx.cs code added above! Please if you could take a look. – Anoj Apr 21 '16 at 01:41
  • @Anoj It's not working because you're never setting the auth cookie, thus the app never sees the user as actually being authenticated. I tweaked the code sample to show how you'd do it. – Colin Apr 21 '16 at 02:01
  • Thank you, it's running. But still, I can directly navigate to my files under protected folder "Private". Do you think it's because of Session timeout? Because in my Logout page, I have cleared the Session as well. – Anoj Apr 21 '16 at 02:19
  • In your Logout page, you need to call FormsAuthentication.SignOut() which will remove the auth cookie. See: https://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.signout(v=vs.110).aspx – Colin Apr 21 '16 at 03:34
  • It keeps redirecting me to Login.aspx! Even after I log in with correct credentials! :( – Anoj Apr 21 '16 at 03:47
  • There's probably something else going on with your code. Can you post your tweaks for both the login and logout pages? – Colin Apr 21 '16 at 04:05
  • I just posted it. Can you please take a look? – Anoj Apr 21 '16 at 04:26
  • I noticed your "logout" page is named "Account_Login". Are you mixing your login and logout pages? – Colin Apr 21 '16 at 05:54
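As an added illustration (not code from the question, the answer, or ASP.NET itself), a small Python model of how ASP.NET's UrlAuthorizationModule applies `<authorization>` rules, run against the asker's configuration and the answer's fixed one; it also shows the rule-order caveat that an allow-all placed before deny-anonymous leaves the folder open. The `Rule`, `is_allowed` and `can_access` names, and the case-insensitive name comparison, are assumptions of this model.

```python
# Constructed model (not ASP.NET's own code) of how UrlAuthorizationModule
# evaluates <authorization> rules: first matching rule wins, "?" matches only
# anonymous requests, "*" matches everyone, and a request that matches no rule
# is allowed (the machine-level default is <allow users="*"/>).
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    users: str    # "*", "?" or a user name taken from the auth ticket


def _matches(rule: Rule, user: Optional[str]) -> bool:
    if rule.users == "*":
        return True
    if rule.users == "?":
        return user is None          # None = no forms-auth ticket (anonymous)
    # Assumption of this model: user names compare case-insensitively
    return user is not None and user.lower() == rule.users.lower()


def is_allowed(rules: list, user: Optional[str]) -> bool:
    """Walk the rules in order; the first match decides, default is allow."""
    for rule in rules:
        if _matches(rule, user):
            return rule.action == "allow"
    return True


def can_access(config: dict, folder: str, user: Optional[str]) -> bool:
    # Rules of the most specific <location> come first, then the site root
    # (ASP.NET merges them in that order); a missing entry means "no rules".
    rules = config.get(folder, []) + config.get("", [])
    return is_allowed(rules, user)


# The asker's web.config: Account allows anonymous, Private has no rules at all.
ASKER_CONFIG = {"Account": [Rule("allow", "?")]}
# The answer's web.config: Private denies anonymous, Account allows everyone.
FIXED_CONFIG = {"Account": [Rule("allow", "*")], "Private": [Rule("deny", "?")]}
# Order matters: an allow-all listed first means the deny is never reached.
WRONG_ORDER = {"Private": [Rule("allow", "*"), Rule("deny", "?")]}

if __name__ == "__main__":
    print("asker, anonymous -> Private:", can_access(ASKER_CONFIG, "Private", None))   # True (the bug)
    print("fixed, anonymous -> Private:", can_access(FIXED_CONFIG, "Private", None))   # False
    print("fixed, Admin -> Private:", can_access(FIXED_CONFIG, "Private", "Admin"))    # True
    print("wrong order, anonymous -> Private:", can_access(WRONG_ORDER, "Private", None))  # True
```

When a rule denies the request, it is FormsAuthenticationModule that then redirects the browser to the configured loginUrl, which is why the asker saw every Private page bounce to Login.aspx once the deny rule was in place.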