Hi all
I am new to asp.net. I want to implement authentication in all pages.
What I want to do is validate the user from a database table. So currently
what I am doing is, on the login page, validating the user and storing the valid
user id in session.
On every page I am checking the userid from session. But I don't want
this behaviour; what I want is to provide authentication to all pages
once, not on every page.
So how will I do this? And if the session expires in between, what will
happen if the user tries to access the page after that?
Please correct me if I am wrong in any concept.
Thanks in advance.
No need to keep checking the session. For example with forms
authentication:
(1) Include a forms authentication entry something like the one
below:
    <authentication mode="Forms">
      <forms name="mydomain" loginUrl="~/Default.aspx" defaultUrl="~/News/News.aspx"
             protection="All" cookieless="AutoDetect" slidingExpiration="true" timeout="30"/>
    </authentication>
The forms authentication entry above allows users with a good cookie
set to go straight to the "~/News/News.aspx", the defaultUrl. Users
whose cookies fail authentication will land at the login page (see
(4) below).
(2) You may need to edit your machineKey entry too, so that you can
deal with encrypted cookies, etc.:
    <machineKey decryption="AES" validation="SHA1"
                decryptionKey="_____,IsolateApps" validationKey="_____,IsolateApps"/>
The underlined bits in the above code are where you put your keys.
These are big hexadecimal numbers.
(3) Each area of the site needs to be told what sorts of users are
allowed to visit those pages. In the entry below, all files inside the
Administration directory are being made available to users who are in
any one of 4 mwAdmin_ roles: Super,Editor,Demo,Full. These roles are
just some text which I store in the user's encrypted cookie.
    <location path="Administration">
      <system.web>
        <authorization>
          <allow roles="mwAdmin_Super,mwAdmin_Editor,mwAdmin_Demo,mwAdmin_Full"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </location>
You will need a separate entry like this for each individual page in
your root but only one entry is needed for directories containing
files provided that the files within a subdirectory have the same
security settings.
(4) The process of checking whether your visitors have their cookies
set is done in Global.asax, in the
FormsAuthentication_OnAuthenticate() event - which you may need to
add. In general, I (a) read their cookie and get their ticket. (b) I
get their userID from the ticket, (c) then look up the database to get
their roles and the period for which their cookie remains valid. (d)
make the user:
User user = new User(Ticket.Name, strRoles, PersistentCookieDays,
iLoginId);
I then write this information to a new ticket and store it back to
their cookie. (e) If they're an authentic user I add their userID to
their security Context. Google to find some examples.
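Step (4) in working code, as an added example that is not the poster's own code (it uses GenericPrincipal in place of their User class): a Global.asax.cs handler that reads the cookie, rejects tampered or expired tickets, looks up roles, and attaches the principal that the <allow roles="..."/> rule above checks. The "Members" connection string and the UserRoles table are assumed names.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
public partial class Global : HttpApplication
{
    // Raised by FormsAuthenticationModule on every request, before the <authorization> rules run.
    protected void FormsAuthentication_OnAuthenticate(object sender, FormsAuthenticationEventArgs args)
    {
        // (a) Read the cookie. Returning without setting args.User leaves the module's default
        // handling in place, which means an anonymous request when there is no valid ticket.
        HttpCookie cookie = args.Context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); } // throws on a tampered or foreign cookie
        catch (Exception) { return; }                                 // undecryptable: treat as anonymous
        if (ticket == null || ticket.Expired) return;                // expired: anonymous, so back to loginUrl
        // (b)+(c) The ticket name carries the user id; roles come from the database.
        string[] roles = LookupRoles(ticket.Name);
        // (d)+(e) The principal carries id and roles; <allow roles="..."/> calls IsInRole on it.
        args.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
        // Re-issue the ticket with the roles in UserData and a fresh 30-minute window
        // (timeout="30" in the config). HttpOnly keeps page script away from the cookie.
        var fresh = new FormsAuthenticationTicket(ticket.Version, ticket.Name, DateTime.Now,
            DateTime.Now.AddMinutes(30), ticket.IsPersistent, string.Join(",", roles), ticket.CookiePath);
        var renewed = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(fresh))
            { HttpOnly = true, Secure = FormsAuthentication.RequireSSL, Path = fresh.CookiePath };
        args.Context.Response.Cookies.Set(renewed);
    }
    // (c) Roles for the user, as a parameterised query so the value taken from the cookie never
    // becomes part of the SQL text. "Members" and UserRoles(UserId, RoleName) are assumed names.
    private static string[] LookupRoles(string userId)
    {
        var roles = new List<string>();
        string cs = ConfigurationManager.ConnectionStrings["Members"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT RoleName FROM UserRoles WHERE UserId = @UserId", conn))
        {
            cmd.Parameters.AddWithValue("@UserId", userId);
            conn.Open();
            using (SqlDataReader rd = cmd.ExecuteReader())
                while (rd.Read()) roles.Add(rd.GetString(0));
        }
        return roles.ToArray();
    }
}
```

Because an expired or undecryptable cookie leaves args.User unset, the request stays anonymous and the <deny users="*"/> rule redirects it to loginUrl, which is what happens to a user whose ticket times out between page visits. On .NET 4 or later, validation="HMACSHA256" on machineKey and requireSSL="true" on <forms> are also worth setting.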