securing web forms using forms authentication

Question

i have two web pages(login.aspx and account.aspx)i want to secure my account.aspx from unauthorised access.i used forms authentication as modified the web.config as follows:
<configuration>
<authentication mode="Forms">
<forms name="AuthCookie" loginUrl="/login.aspx" />
</authentication>
</configuration>

in the login button click event the codes are as follows:
if username.text="pradip" and password.text="pkc" then
FormsAuthentication.RedirectFromLoginPage(username.text,false)
else
labelmsg.text="invalid user name or password"

now my problem is that when ever i am directly accesing accout.aspx(without logging in),it is not automatically redirecting to login.aspx..

suoopse i have 10 webforms in my project out of which i want to make 5 web forms secure so that if any unauthorised user wants to access them,they will be automatically redirected to login.aspx ..how can i do this(i think that i have to check the cookie value "AuthCookie" in the page load event of the secure pages..but i dont know how to do it..

if i write request.cookies("AuthCookie").value is nothing then response.redirect("login.aspx").. in the page load events of the secure pages then also it is not redirecting to login.aspx..plz help me out this..its urgent ..

thanks in advance

Pradip Kishore · Answer

hi thanks for your reply but when ever i am doing this all of my pages got secured(my requirement is few pages of my site not all)..(if i request a non secure page then it opens..but when i press the submit button in the non secure page to submit some data into database..then instead of submitting the data the login form is appearing...can you help me how to sort out this.. thanks in advance

PHANI NADIGADDA · Answer

I would suggest you to try this way FormsAuthentication.SetAuthCookie(userName false ); FormsAuthentication.RedirectFromLoginPage(userName false); try this in page_load of the pages where you want to check the user authentication. if (!User.Identity.IsAuthenticated) // Redirects to the login page if user is not authenticated Response.Redirect(Login.aspx);

siva · Answer

Setting Up Forms Authentication Let's take a look at the applicable settings to execute Forms Authentication. In general setting up Forms Authentication involves just a few simple steps. Enable anonymous access in IIS. By default anonymous users should be allowed to access your Web application. In rare cases however you may opt to layer an Integrated Windows OS security layer level with Forms authentication. We will discuss how to integrate this layer with anonymous access enabled in the article succeeding this one (Part 2 (Integration w/ Active Directory)). Configure your Web application's web.config file to use Forms Authentication. Start by setting the authentication mode attribute to Forms  and denying access to anonymous users. The following example shows how this can be done in the web.config file for your Web application: 3. 4. 5. 6. 7. 8. loginUrl=login.aspx 9. protection=All 10. timeout=30 11. path=//> 12. 13. 14. 15. 16. 17. Upon setting the authentication mode to Forms  you'll notice that we appended another child element. The Forms element has five attributes that implement your forms authentication configuration. The attributes and their descriptions are as follows : Attribute Description name This is the name of the HTTP cookie from which we will store our authentication ticket and information respectively. loginURL This is the URL from which your unauthenticated client will be redirected. In most scenarios this would be your login page where the client is required to provide their credentials for authentication. protection This is used to set the method from which to protect your cookie data. The following valid values can be supplied: All : Specifies to use both data validation and encryption to protect the cookie. Triple DES is used for encryption if it is available and if the key is long enough (48 bytes). The All value is the default (and suggested) value. None : Used for sites that are only using cookies for personalization and have weaker requirements for security. Both encryption and validation can be disabled. This is the most efficient performance wise but must be used with caution. Encryption : Specifies that the cookie is encrypted using Triple DES or DES but data validation is not done on the cookie. It's important to note that this type of cookie is subject to chosen plaintext attacks. Validation : Specifies to avoid encrypting the contents of the cookie but validate that the cookie data has not been altered in transit. To create the cookie the validation key is concatenated in a buffer with the cookie data and a MAC is computed/appended to the outgoing cookie. timeout This is the amount of time (in integer minutes) that the cookie has until it expires. The default value for this attribute is 30 (thus expiring the cookie in 30 minutes). The value specified is a sliding value meaning that the cookie will expire n minutes from the time the last request was received. path This is the path to use for the issued cookie. The default value is set to  /  to avoid issues with mismatched case in paths. This is because browsers are case-sensitive when returning cookies. In our web.config file it's also important to note the value we have for the deny child element of the authorization section (as highlighted below). Essentially we set that value of the users attribute to  ?  to deny all anonymous users thus redirecting unauthenticated clients to the loginURL . loginUrl=login.aspx protection=All timeout=30 path=//> Create your login page (as referenced in the loginURL attribute discussed above). In this case we should save our login page as login.aspx . This is the page to where clients without valid authentication cookie will be redirected. The client will complete the HTML form and submit the values to the server. You can use the example below as a prototype. 19. 20. 21. 22. 23. void Login_Click(Object sender EventArgs E) 24. { 25. 26. // authenticate user: this sample accepts only one user with 27. // a name of username@domain.com and a password of 'password' 28. if ((UserEmail.Value == username@domain.com) && 29. (UserPass.Value == password)) 30. { 31. FormsAuthentication.RedirectFromLoginPage(UserEmail.Value 32. PersistCookie.Checked); 33. } 34. else 35. { 36. lblResults.Text = Invalid Credentials: Please try again; 37. } 38. } 39. 40. 41. 42. Login Page 43. 44. Email: 45. 46. Display=Static 47. ErrorMessage=* 48. runat=server/> 49. Password: 50. type=password 51. runat=server/> 52. 53. Display=Static 54. ErrorMessage=* 55. runat=server/> 56. Persistent Cookie: 57. runat=server /> 58. 59. text=Login 60. OnClick=Login_Click 61. runat=server/> 62. 63. ForeColor=red 64. Font-Size=10 65. runat=server /> 66. 67. 68. It's important to note that the above page authenticates the client on the click event of the cmdLogin button. Upon clicking the logic determines if the username and password provided match those hard-coded in the logic. If so the client is redirected to the requested resource. If not the client is not authorized and thus receives a message depicting this. You can adjust the logic to fit your needs as it is very likely that you will not have your usernames and passwords hard-coded into the logic. It is here at the Login_Click function that you can substitute the logic with that of your own. It is common practice to substitute database logic to verify the credentials against a data table with a stored procedure. You can also provide authorized credentials in the web.config file. Inside the forms section you would append a user element(s) as follows : loginUrl=login.aspx protection=All timeout=30 path=/> Doing so allows you to authenticate against a list of users in your web.config file easily. You can append as many users as necessary. To authenticate against that list of users you would append the applicable logic in the click event of the cmdLogin button discussed above. Here is the code : void Login_Click(Object sender EventArgs E) { // authenticate user: this sample authenticates // against users in your app domain's web.config file if (FormsAuthentication.Authenticate(UserEmail.Value UserPass.Value)) { FormsAuthentication.RedirectFromLoginPage(UserEmail.Value PersistCookie.Checked); } else { lblResults.Text = Invalid Credentials: Please try again; } }