Authenticating Users

Assuming you have gone through my previous article mentioned above, you have a login page. Now when user clicks Login button Authenticate method fires, lets see code for that method.

protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
{
    string userName = Login1.UserName;
    string password = Login1.Password;
    bool rememberUserName = Login1.RememberMeSet;

    // for this demo purpose, I am storing user details into xml file
    string dataPath = Server.MapPath("~/App_Data/UserInformation.xml");
    DataSet dSet = new DataSet();
    dSet.ReadXml(dataPath);
    DataRow[] rows = dSet.Tables[0].Select(" UserName = '" + userName + "' AND Password = '" + password + "'");
    // record validated
    if (rows.Length > 0)
    {
        // get the role now
        string roles = rows[0]["Roles"].ToString();
        // Create forms authentication ticket
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        1, // Ticket version
        userName, // Username to be associated with this ticket
        DateTime.Now, // Date/time ticket was issued
        DateTime.Now.AddMinutes(50), // Date and time the cookie will expire
        rememberUserName, // if user has chcked rememebr me then create persistent cookie
        roles, // store the user data, in this case roles of the user 
        FormsAuthentication.FormsCookiePath); // Cookie path specified in the web.config file in <Forms> tag if any.

        // To give more security it is suggested to hash it
        string hashCookies = FormsAuthentication.Encrypt(ticket);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hashCookies); // Hashed ticket

        // Add the cookie to the response, user browser
        Response.Cookies.Add(cookie);                // Get the requested page from the url
        string returnUrl = Request.QueryString["ReturnUrl"];

        // check if it exists, if not then redirect to default page
        if (returnUrl == null) returnUrl = "~/Default.aspx";
        Response.Redirect(returnUrl);
    }
    else // wrong username and password
    {
        // do nothing, Login control will automatically show the failure message
        // if you are not using Login control, show the failure message explicitely
    }
} 

you can check it by placing hard core role name or by fetching user roll from database. i have modified this for my entity framework.

TestEntities entities = new TestEntities();
            var user = (from s in entities.UserTables
                        where s.UserName == loginControl.UserName
                        && s.Password == loginControl.Password
                        select s).SingleOrDefault();

and placed the user role as:

user.Role

Along this you have do some changes in the Global.asax file Till now we have set the Forms Authentication ticket with required details even the user roles into the cookie, now how to retrive that information on every request and find that a request is coming from which role type? To do that we need to use Application_AuthenticateRequest event of the Global.asx file. See the code below.

protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {

        // look if any security information exists for this request

        if (HttpContext.Current.User != null)
        {

            // see if this user is authenticated, any authenticated cookie (ticket) exists for this user

            if (HttpContext.Current.User.Identity.IsAuthenticated)
            {

                // see if the authentication is done using FormsAuthentication

                if (HttpContext.Current.User.Identity is FormsIdentity)
                {

                    // Get the roles stored for this request from the ticket

                    // get the identity of the user

                    FormsIdentity identity = (FormsIdentity)HttpContext.Current.User.Identity;

                    // get the forms authetication ticket of the user

                    FormsAuthenticationTicket ticket = identity.Ticket;

                    // get the roles stored as UserData into the ticket

                    string[] roles = ticket.UserData.Split(',');

                    // create generic principal and assign it to the current request

                    HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(identity, roles);

                }

            }

        }

    }

In this even, after checking if user exists, he/she is authenticated and the identy type of th user is FormsIdentity, I am getting the current Identity of the user and getting the ticket I have set at the time of Authentiacting. Once I have the authenticated ticket, I just got the UserData from the ticket and split it to get roles (remember, we had stored the roles as comma separated values). Now, we have current users roles so we can pass the roles of the current user into the GenericPrincipal object along with the current identity and assign this to the curent user object. This will enable us to use the IsInRole method to check if a particular user belongs to a particular role or not.

How to Check if user has a particular role?

To check if a user belong to a particulr role, use below code. This code will return true if the current record is coming from the user who is authenticated and has role as admin.

HttpContext.Current.User.IsInRole( "admin" )

How to check if user is authenticated?

To check if the user is authenticated or not, use below code.

HttpContext.Current.User.Identity.IsAuthenticated

To get UserName of the Authenticated User

HttpContext.Current.User.Identity.Name

Remember on thing .. this code require some webconfig settings in the forms tag as:

Add following Authentication setting into your web.config file under .

<authentication mode="Forms">

    <forms defaultUrl="default.aspx" loginUrl="~/login.aspx" slidingExpiration="true" timeout="20" ></forms>

</authentication>

For every user if you want to secure a particular folder, you can place setting for them either in parent web.config file (root folder) or web.config file of that folder.

Specify Role settings for the folder in root web.config file (in this case for Admin)

<location path="Admin">

    <system.web>

        <authorization>

            <allow roles="admin"/>

            <deny users="*"/>

        </authorization>

    </system.web>

</location>

Write this code outside but under tag in the root's web.config file. Here, I am specifying that if the path contains the name of folder Admin then only user with "admin" roles are allowed and all other users are denied.

Specify Role settings for the folder in folder specific web.config file (in this case for User)

<system.web>

    <authorization>

        <allow roles="User"/>

        <deny users="*"/>

    </authorization>

</system.web>

Write this code into web.config file user folder. You can specify the setting for the user in root's web.config file too, the way I have done for the Admin above. This is just another way of specifying the settings. This settings should be placed under tag.

Specify setting for Authenticated user

<system.web>

    <authorization>

        <deny users="?"/>

    </authorization>

</system.web>

Write this code into web.config file of the Secure folder. This is specifying that all anonymous users are denied for this folder and only Authenticated users are allowed irrespective of their roles.

hope this will give you little idea to solve your problem. it is working fine for me. hope you will also solve your problem.

Try this, I think it's the closest you will get with a simple solution:

FormsAuthentication.SetAuthCookie(username, true);
Response.Redirect("mypage.aspx"); 

The default behavior is to redirect to the originally requested resource, so if a user tried to access 'admin.aspx' and isn't authenticated, the user is sent to the login page. After successfully authenticating, the user is sent to the originally requested url (admin.aspx).

user -> "admin.aspx" -> noauth -> login -> "admin.aspx"

So instead of manually trying to send users somewhere, is using this default behavior not going to work for you? The default behavior is actually "robust" (it can be "admin2.aspx", "admin3.aspx" and so on... you can have any number of "protected resources" and the built in process handles all of it....)

If you are using the ASP.NET MembershipProvider login control, you can write your logic in the LoggedIn event

<asp:Login id="Login1" runat="server" OnLoggedIn="OnLoggedIn"></asp:Login>


protecetd void OnLoggedIn(object sender, EventArgs e)
{

    if(Roles.IsUserInRole(User.Identity.Name, "Administrators"))
    {
       //Redirect to admin page
       Response.Redirect("~/Admin.aspx");
    }
}

Don't forget to put some protection on the admin.aspx page aswell, incase someone types in the url directly