I have an application and a user must log in before he/she can access pages. Once the user logs in, I keep the user details in a session variable (say Session["CurrentUser"]).
Now if a user tries to jump to a page directly, I will check if Session["CurrentUser"] has a value or not. If not, the user will be directed to the login page.
My problem is that I have done this, or rather written this "Checking Code", on almost all the pages.
What I want is for this code to stay in one particular location, and I will just access that method all the time on all the pages. Now where should I write this method?
Thank you.
You could create a class that inherits from System.Web.UI.Page and then have all your individual page classes inherit from that. Have you looked at the built-in ASP.NET forms authentication techniques?
You should take a look at ASP.NET Authentication. This will allow you to secure a section of your website, or individual pages via the web.config file and uses a cookie to handle authentication instead of you checking a session variable.
You could put it in a base class which extends Page, then have all your pages' code-behinds extend this.
A better solution would be to use the Application_AuthenticateRequest pseudo event in the Global.asax. You really shouldn't be using the session either, have you looked at Forms Authentication?
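The base-class approach suggested in the answers above, as an added example that is not part of any of the original posts. The class name AuthenticatedPage and the ~/Login.aspx path are assumptions; Session["CurrentUser"] is the key from the question.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base class: protected pages inherit from this instead of
// System.Web.UI.Page, so the login check lives in exactly one place.
public abstract class AuthenticatedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        // Runs before any control or Page_Load code of the derived page.
        if (Session["CurrentUser"] == null)
        {
            // Remember where the user was going (assumed query-string name).
            string returnUrl = HttpUtility.UrlEncode(Request.RawUrl);

            // The default overload ends the response, so none of the
            // protected page's own code runs for an anonymous visitor.
            Response.Redirect("~/Login.aspx?ReturnUrl=" + returnUrl);
        }

        base.OnInit(e);
    }
}
```

Session state is not yet loaded when Application_AuthenticateRequest fires, so a Session-based check cannot be moved there unchanged; that handler suits the Forms Authentication cookie instead.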
Related
I'm trying to achieve FormsAuthentication with multiple login pages by following this solution:
FormsAuthentication with multiple login pages
Basically the concept is to have a "middle page" that redirects you to the respective Login page of the respective folder.
But I can't get this to work if I have friendly URLs enabled in my application; I simply get a Redirection Loop error.
Please advise what I should do to achieve FormsAuthentication with multiple login pages.
P/S: I know FormsAuthentication is limited to only one Login page; this is just how it is designed, and a workaround like the "middle page" is not a really good solution.
I have been thinking of implementing login myself without using FormsAuthentication, but I do not have any idea how I should do it.
In one of the applications I wrote previously, I stored UserId in Session and used Session["LoggedIn"] = 1 to indicate the user is good to go, but I always had Session expiry issues. I know I should use cookies but I am not sure how.
If possible, just use one log-in form and use different web.config files in different directories, or one web.config with special s.
If not possible, web.config files might still help.
ex: https://support.microsoft.com/en-us/kb/316871
I have finally figured out a solution for this (perhaps a workaround).
Instead of putting the Login Form inside each folder, put each Login Form in the root, then use the same concept of "middle page" and redirect them respectively.
In the Login page OnLoad function, just check if the User is authenticated and has specific roles, then redirect them to the respective folder, so they won't need to sign in again if they are already signed in.
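A sketch of the root-level login page described in this answer, using the Forms Authentication cookie the question asks about instead of a Session flag. This is an added example, not code from the original posts; it assumes membership and role providers are configured, and the role names, folder paths and the UserNameBox, PasswordBox and ErrorLabel controls (declared in the .aspx markup) are hypothetical.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Code-behind for a single Login.aspx in the site root (hypothetical names).
public partial class Login : Page
{
    // Maps a user's role to the folder that role is allowed into.
    private static string LandingPageFor(string userName)
    {
        if (Roles.IsUserInRole(userName, "Admin"))  return "~/Admin/Default.aspx";
        if (Roles.IsUserInRole(userName, "Member")) return "~/Members/Default.aspx";
        return null; // authenticated, but no role this site knows about
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // A valid forms-auth cookie is already present: skip the form.
        if (!IsPostBack && User.Identity.IsAuthenticated)
        {
            string target = LandingPageFor(User.Identity.Name);
            if (target != null) Response.Redirect(target);
        }
    }

    protected void SignIn_Click(object sender, EventArgs e)
    {
        string userName = UserNameBox.Text.Trim();
        if (!Membership.ValidateUser(userName, PasswordBox.Text))
        {
            // One message for unknown user and wrong password alike.
            ErrorLabel.Text = "Invalid user name or password.";
            return;
        }

        // Issues the encrypted auth cookie; false = not persisted to disk.
        FormsAuthentication.SetAuthCookie(userName, false);

        // User.Identity is only populated on the next request, so roles
        // are looked up by name here rather than through User.IsInRole.
        Response.Redirect(LandingPageFor(userName) ?? "~/Default.aspx");
    }
}
```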
I am using C# Razor in order to make a social network. There are webpages that contain sensible data and I don't want someone to go to that URL and see it. Not even by going to Inspect Element and opening it through there. So is there a way to warn the user that "This web page is not allowed"?
You have to implement authentication and authorization in order to control who can actually access any given route in an MVC application. I can only recommend that you start by reading the official site www.asp.net/mvc/overview/security about authorization and authentication.
With the proper authentication/authorization the server will simply not send any data, or you could redirect to a specific "not allowed page".
I agree with Louis, you should get this book here which helped me a ton. http://www.apress.com/9781430257523
The literal answer you are looking for concerns the use of authorization attributes you place above controller actions or controllers themselves. So an action might look like this
[Authorize]
public ActionResult UserAccount(Guid id){...}
By setting up authentication using ASP.NET Identity you will be able to automatically redirect visitors who are not logged in to another page etc.
Also if you need to make sure that the current logged in user is not going to (for example) another user's personal page (account settings?) you would do a simple check on the server side to prevent this. Something like so (Pseudo code)
if(User.Identity.GetUserId() != account.OwningUserId)
return RedirectToAction("404", "Shared");
I have a web application using Enterprise Web Library and I've found the need to have a custom log-in page. I see that EWL provides one for me, but I want to be able to have some custom elements on the page and control how the user is logged in. How can I achieve this in EWL?
First, create your custom log-in page. Let's call it MyLogIn.aspx.
The next step is to designate MyLogIn as the log-in page for some/all of the pages and shortcut URLs in your app. To do that for pages, override PageInfo.LogInPage and/or EntitySetupInfo.LogInPage and return a MyLogIn.Info reference. This setting is inherited from parent pages and entity setups. If you want all pages in your app to use MyLogIn, you only need to override the LogInPage property at the root of your page tree.
To use MyLogIn for your shortcut URLs, use the logInPageGetter optional parameter in the ShortcutUrlResolver constructor. Pass a function that returns a MyLogIn.Info reference.
The final step is to implement MyLogIn. You can design the page however you want and collect whatever credentials you want, but there are a few things you need, which depend on whether you still want to use EWL's UserManagement subsystem. If you do, you need to call UserManagementStatics.SetUpClientSideLogicForLogInPostBack during LoadData and call either UserManagementStatics.LogInUser or UserManagementStatics.LogInSpecifiedUser from a DataModification. If you are not using UserManagement, you're responsible for authenticating the user in your own fashion as part of a DataModification, before redirecting the user into the app.
I'm fairly new to web forms development, playing around with a project created using the ASP.NET Web Application template in VS 2010. After the user successfully logs in, I want the user redirected to a page I created. How do I modify my project to redirect the user after login? Any samples / tutorials / etc are greatly appreciated.
Thanks!
To simply redirect to a new page when your user has logged in, use the DestinationPageUrl property of your login control... assuming you're using the Login control that is.
If you need to do anything more advanced you can use the OnLoggedIn event handler for your Login control to perform a redirect manually, or add any code for event logging and such.
If you've rolled your own login control, and are just using things like text boxes and button controls, then in your Button_Click event, you can just use Response.Redirect("DestinationHere"); to take your users to a new page.
After you checked for login:
Response.Redirect("url");
I assume you're using the ASP.NET Login control. There's a DestinationPageUrl property of that control that handles exactly that. If login was successful, the user is redirected to the URL provided in that property.
<asp:Login ID="Login1" runat="server" DestinationPageUrl="~/Admin/Default.aspx">
</asp:Login>
Go to Properties and set DestinationPageUrl.
Server.Transfer(url)?
(method on HttpServerUtility)
I know next to nothing about ASP.NET, but from my Java web developer daze, redirect is bad because it involves another network round trip to the browser and back when you really just want to continue processing in another page.
And Response.Redirect() really does issue a 302 response code ("try this other url instead") back to the browser. yuck. XP
Server.Transfer() looks like the Java version of Response.Forward()
For Sharepoint farm solution development
Page.Response.Redirect("url");
The issue with Response.Redirect() is the 302. In some browsers (e.g. Chrome) this causes the new session cookie to be immediately invalidated.
In other words, using that method to redirect causes the user to no longer be logged in, so you did not accomplish your purpose!
I have an existing community backend and I would like to use Umbraco for my presentation layer. How can I implement login/logout with .NET forms authentication? (I don't want to use the Member functionality.) I have different types of users that get access to different types of pages. How can I control this? User control?
Umbraco uses the ASP.NET member / role provider model for its membership system, and it's a pretty straightforward step to swap the default one out for your own implementation. I've done this in the past where I wanted to authenticate members against an Active Directory store but I can't imagine it being much more difficult to authenticate against a custom database.
The benefit from this is you get full integration with the Umbraco membership system, and by using a custom role provider, editors will be able to restrict pages using the built-in page-editing facilities as opposed to you having to hook in your own security controls.
You should be able to create a simple membership provider by extending the UmbracoMembershipProvider class and overriding the ValidateUser method. I haven't done this myself, but I know of others who have.
To authenticate against a custom role provider, you'll need to create a class derived from RoleProvider. The methods you'll be interested in overriding are - IsUserInRole, FindUsersInRole, GetAllRoles and GetRolesForUser.
Here's a link to a Scott Guthrie blog post which has more information on the provider API than you'll ever need to know, including the source code for the default providers.
I've used two approaches on my umbraco sites. Both approaches include user controls for login and logout that are responsible for authenticating a user with a custom solution and clearing credentials respectively. I also add, for both approaches, an umbracoMembersOnly attribute to any document types that I want to protect.
In the first approach, I had each individual template check to see whether or not the user was restricted from access. To abstract this, I created a siteuser class with an isMember or isLoggedIn method that was available site-wide and could be called from either an XSLT or User Control macro. The benefit to this approach is that I could tailor custom messages on each template rather than merely providing the same access denied page.
The second approach - which is the one I favor now - is to create a Permissions macro that is responsible for checking the user's right to access any page (i.e. checks for an umbracoMembersOnly attribute and, if true, checks for a session variable). This macro gets included in the master template, and so executes on every template. If the user doesn't have permission to access the current page, I redirect to the same page but with an ?alttemplate=RestrictedPage or similar appended to the query string. (Make sure that your Permissions macro checks for an alttemplate=RestrictedPage in the query string, or you'll end up in an infinite loop of redirects.)
You can check out http://osMemberControls.codeplex.com