Home/ Questions/Q 349333
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-12T11:26:55+00:00

Please refer to this post. I have become able to configure my web.config file

  • 0

Please refer to this post.

I have become able to configure my web.config file so that when an unauthenticated user requests a page, he is redirected to the Login.aspx page.

I have been able to do that by configuring web.config file and the following few lines of code:

protected void btnLogin_Click(object sender, EventArgs e)
        {
            string username = this.usernameTextBox.Text;
            string password = this.passwordTextBox.Text;

            bool success = Membership.ValidateUser(username.Trim(), password.Trim());

            if (success)
            {
                FormsAuthentication.SetAuthCookie(username, true);

                Ice_Web_Portal.BO.User user = Ice_Web_Portal.BO.User.GetUserByUserName(username);

                Ice_Web_Portal.BO.UserTypeEnum loginUserType = user.UserTypeEnum;

                if (loginUserType == UserTypeEnum.Student)
                {
                    Response.Redirect("~/Student/StudentControlPanel.aspx?username=" + username);
                }
                else if (loginUserType == UserTypeEnum.Teacher)
                {
                    Response.Redirect("~/Teacher/TeacherControlPanel.aspx?username=" + username);
                }
                else if(loginUserType == UserTypeEnum.Webmaster)
                {
                    Response.Redirect(@"~/Webmaster/WebmasterControlPanel.aspx");
                }
                else
                {
                    labLoginMessage.Text = "Sorry! Type of user couldn't be determined!";
                }
            }
            else
            {
                labLoginMessage.Text = Ice_Web_Portal.BO.User.LoginMessage;
            }
        }

But the problem I am having with this is that, once a user is Authenticated, he can access all pages in the entire web application.

But I need to restrict their area of page access according to their roles. I.e. when a user with a different role requests a page, he should be automatically redirected to the Login.aspx page.

There may be a technique in which I can check for specific user-roles in the Page_Load()-event and then redirect the user to the Login.aspx page if he is not in that role. But I don’t want to do it in that way. I want to happen that automatically. I need to use only Role Provider framework and web.config file (as that was in the case of membership. I.e. I don’t need to check membership in the Page_Load event. Web.config file is automatically blocking the access).

Can anyone tell me how can I incorporate Role feature in this so that specific users are confined within their specific Role-area?

What is the Code for generating the Authorization Ticket?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    add sections to web.config

      <location path="page-only-allowed-to-be-accessed-by-admin.aspx">
      <system.web>
         <authorization>
           <allow roles="admin"/>
           <deny users="*" />
         </authorization>
      </system.web>
   </location>

    You may find this article interesting – the web.config demystified

    EDIT:

    The code for generating the Authorization ticket is in your code.

    FormsAuthentication.SetAuthCookie(username, true);

    which is implemented like so (using Red Gate’s Reflector)

    public static void SetAuthCookie(string userName, bool createPersistentCookie, string strCookiePath)
{
    Initialize();
    HttpContext current = HttpContext.Current;
    if (!current.Request.IsSecureConnection && RequireSSL)
    {
        throw new HttpException(SR.GetString("Connection_not_secure_creating_secure_cookie"));
    }
    bool flag = CookielessHelperClass.UseCookieless(current, false, CookieMode);
    HttpCookie cookie = GetAuthCookie(userName, createPersistentCookie, flag ? "/" : strCookiePath, !flag);
    if (!flag)
    {
        HttpContext.Current.Response.Cookies.Add(cookie);
        current.CookielessHelper.SetCookieValue('F', null);
    }
    else
    {
        current.CookielessHelper.SetCookieValue('F', cookie.Value);
    }
}

    The RoleProvider will get the roles for a given user, so when the web.config is inspected for allowed or denied roles/users for a given section of your application, the RoleProvider will get the roles for the user and then check against the allowed/denied roles and authorize if appropriate.

    • 0