Security in ASP.NET

[pulpfiction]

Hi I am looking for ideas to implement security in the website, i mean to redirect the user to the login page when trying to use the URL of some intermediate page. is there a nicer way in ASP.NET to handle other than checking normal sessions etc...Thanks a lot

[aspnetguy]

As a matter of fact, there is!I have struggled with Session variables for a long time. They are always timing out whne they shouldn't!I came across Forms Authentication. It stores the user info in an encrypted cookie which will only expire when you say so!It took me a while to get it to work and it was a bit frustrating at first but now that it is up and running it is great.web.config

      <authentication mode="Forms">        <forms name=".ASPXUSERDEMO" loginUrl="/login.aspx" protection="All" timeout="60">  <credentials passwordFormat="Clear" >          <user name="username" password="password"/>  </credentials>	</forms>      </authentication>  </system.web><location path="folder to protect"> <!--use / for all-->     <system.web>       <customErrors mode="Off"/>              <authorization>            <deny users="?" />        </authorization>    </system.web></location>

login.aspx

<%@ Page Language="C#" Debug="true" %><%@ Import Namespace="System" %><%@ Import Namespace="System.Security" %><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head> <title>Page Title</title> <link rel="stylesheet" href="style.css" /> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /></head><body><script language="C#" runat="server">	//--------------------------------------	//Page Load	//--------------------------------------	private void Page_Load()	{  if(IsPostBack)  { 	   }	}	//--------------------------------------	//Authenticate User	//--------------------------------------	private void AuthenticateUser(string User, string Ticket)	{  if (FormsAuthentication.Authenticate(User, Ticket))   {         FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(            	 1,             User,            	 DateTime.Now,            	 DateTime.Now.AddHours(3),            	 false,            	 "admin");          string encryptedTicket = FormsAuthentication.Encrypt(ticket);         HttpCookie authenticationCookie = new        HttpCookie(FormsAuthentication.FormsCookieName,encryptedTicket);          Response.Cookies.Add(authenticationCookie);          Response.Redirect(FormsAuthentication.GetRedirectUrl(User, false));   FormsAuthentication.RedirectFromLoginPage(User,false);  }   else  { 	 Response.Write("Error");  }	}	//--------------------------------------	//Login Button Click	//--------------------------------------	private void LoginButton_Click(object sender, System.EventArgs e)	{AuthenticateUser(Username.Value, Password.Value);	}</script>	<form runat="server">	<div style="padding:15px;height:1px">	<table cellpadding="0" cellspacing="0">   <tr>     <td>Username:</td>     <td><input type="text" id="Username" runat="server" class="InputField" /></td>   </tr>   <tr>     <td>Password:</td>     <td><input type="password" id="Password" runat="server" class="InputField" /></td>   </tr>   <tr>     <td colspan="2">  <input type="button" value="Login" id="LoginButton" runat="server" class="InputButton" OnServerClick="LoginButton_Click" />     </td>   </tr>	</table>	<div id="PostBack" runat="server" class="PostBack" />	</form>	</div></body></html>

That is a sample of my site and how I got it to work. This works for any files in the folder specified in the web.config. No more doing checks on every page manually!

[aspnetguy]

This should have been moved to .Net not ASP

is there a nicer way in ASP.NET to handle other than ...

[pulpfiction]

Thank you that is what I was looking for, it was very helpful...

[aspnetguy]

Your welcome. I am glad you found what you needed.