Protecting Folders with Forms Authentication

In a previous tutorial we introduced Forms Authentication and showed you how to use forms authentication to password protect your website from anonymous users.

In this tutorial we will learn how to secure certain folders within our website, again using a login page and the Web.config file.

In our example code below we will create a 'login.aspx' file that displays a textbox control for both the username and password. When the asp button 'LoginButton' is clicked the click event is raised and the event handler 'Login' is called.

This subroutine checks the Text property of the UserName and Password textbox controls to see if they match 'myAdmin' and 'myPassword' respectively. If the user enters the correct username and password then the FormsAuthentication.RedirectFromLoginPage method is called and passed 2 parameters. The first is the user name to be stored for the user, the second parameter is a Boolean value. Setting this to true creates a persistent cookie that allows the user to close their browser, come back to the site and still be logged in. Setting this value to false forces users to log in each time they close down their browser and revisit the site.

login.aspx

<%@ Page Language="VB" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<script runat="server">

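Public Sub Login(ByVal s As Object, ByVal e As EventArgs)

    ' Compare the submitted values with the hard-coded credentials.
    If UserName.Text = "myAdmin" AndAlso Password.Text = "myPassword" Then
        ' Issue the authentication ticket (True = persistent cookie) and redirect.
        FormsAuthentication.RedirectFromLoginPage(UserName.Text, True)
    Else
        LtlLogin.Text = "<p>Sorry you have provided incorrect login details.</p>"
    End If
End Sub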
</script>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>Admin Log In</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<h1>Admin Log In</h1>

Username:<br />
<asp:TextBox ID="UserName" Runat="server" /><br />
Password:<br />
<asp:TextBox ID="Password" TextMode="password" Runat="server" /><br />
<asp:Button ID="LoginButton" Text="Log In" OnClick="LogIn" Runat="server" /><br />

<asp:Literal ID="LtlLogin" Runat="server" />

</div>
</form>
</body>
</html>

The following Web.config allows anonymous users to access every file in our site except those in the Admin folder. The * in the line <allow users="*" /> tells our website to allow access to all users, anonymous users included.

The location element with the path attribute, i.e. <location path="Admin">, tells our website to apply the rule <deny users="?"> in its <authorization> element to the Admin folder only. This line denies anonymous users access to the Admin folder. With the login code above, only those that have entered the username 'myAdmin' and the password 'myPassword' will be allowed access to the Admin folder.

Notice that we have also changed the default login page to 'Admin/login.aspx' and the default page after a successful login to 'Admin/default.aspx'.

Web.config

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Admin/login.aspx" defaultUrl="Admin/default.aspx"/>
    </authentication>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>

  <location path="Admin">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>


Download the Source Code

To log in you'll need to go to admin/login.aspx. If you log in successfully you'll be redirected to admin/default.aspx. If you try to access admin/default.aspx without having logged in you'll be redirected back to the login page admin/login.aspx.
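
To check which requests a Web.config like the one above lets through, the rule resolution can be modelled in Python. This is an added example, not part of the original tutorial; `rules` and `is_allowed` are hypothetical helpers. It assumes a simplified model of ASP.NET URL authorization: only the users attribute is read (roles and verbs are ignored), the most specific matching <location> is checked before the site-wide rules, the first matching rule decides, and the login page is always reachable.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Web.config from this tutorial (XML declaration omitted).
WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Admin/login.aspx" defaultUrl="Admin/default.aspx"/>
    </authentication>
    <authorization><allow users="*"/></authorization>
  </system.web>
  <location path="Admin">
    <system.web>
      <authorization><deny users="?"/></authorization>
    </system.web>
  </location>
</configuration>"""

def rules(system_web):
    """Yield (action, [users]) pairs in document order from <authorization>."""
    auth = system_web.find("authorization") if system_web is not None else None
    for el in (auth if auth is not None else []):
        if el.tag in ("allow", "deny"):
            yield el.tag, [u.strip().lower() for u in el.get("users", "").split(",")]

def is_allowed(config_xml, path, user=None):
    """Hypothetical helper. user=None models an anonymous request."""
    root = ET.fromstring(config_xml)
    path = path.strip("/").lower()
    forms = root.find("system.web/authentication/forms")
    if forms is not None and forms.get("loginUrl", "").strip("/").lower() == path:
        return True  # the login page stays reachable without a ticket
    chain = []
    # Most specific matching <location> first, then the site-wide rules.
    for loc in sorted(root.findall("location"), key=lambda l: -len(l.get("path", ""))):
        prefix = loc.get("path", "").strip("/").lower()
        if path == prefix or path.startswith(prefix + "/"):
            chain += rules(loc.find("system.web"))
    chain += rules(root.find("system.web"))
    for action, users in chain:  # first matching rule decides
        anonymous = user is None
        if "*" in users or (anonymous and "?" in users) \
                or (not anonymous and user.lower() in users):
            return action == "allow"
    return True  # nothing matched: the machine-level default allows everyone

if __name__ == "__main__":
    for p, u in [("default.aspx", None), ("Admin/default.aspx", None),
                 ("Admin/default.aspx", "myAdmin"), ("Admin/login.aspx", None)]:
        print(f"{p:20} user={u!s:8} allowed={is_allowed(WEB_CONFIG, p, u)}")
```

Running the same function over a config that lacks the <location> block shows every Admin path as allowed for anonymous users, which makes it a quick way to confirm the folder rule is actually in place.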

If you'd rather store the usernames and passwords in the Web.config file than in the login page then refer to our forms authentication page. We'll also cover how to store the username and password in a database.
