ASP.NET's Forms Based Authentication

Websites that offer membership-based services often need to secure their important files from non-members. For this purpose, they need to implement forms-based authentication, which ensures that only members can access the files. Even if a non-member copies the exact location of a file on the server, he/she is denied access to the file and redirected back to the login page. Let’s check it out.

1. If you are using an IDE, create a new project and add a LoginPage.aspx page. Switch to HTML view and add the following code inside the tag of your LoginPage.aspx page.

<h2><font face="Times New Roman">Login Credentials</font></h2>
<table>
  <tr>
    <td>User Name:</td>
    <td><input id="CUserName" type="text" runat="server" name="CUserName"></td>
    <td><asp:RequiredFieldValidator ControlToValidate="CUserName" Display="Static" ErrorMessage="*" runat="server" ID="VUserName" /></td>
  </tr>
  <tr>
    <td>Password:</td>
    <td><input id="CUserPass" type="password" runat="server" name="CUserPass"></td>
    <td><asp:RequiredFieldValidator ControlToValidate="CUserPass" Display="Static" ErrorMessage="*" runat="server" ID="VUserPass" /></td>
  </tr>
</table>
<input type="submit" value="Login" runat="server" id="cmdLogin" name="cmdLogin">
<p></p>
<asp:Label id="lblMsg" ForeColor="red" Font-Name="Times New Roman" Font-Size="12" runat="server" />

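2. Now, change the authentication mode in your web.config file to Forms and modify the authorization parameters as given below. ASP.NET evaluates these rules from top to bottom and applies the first one that matches, so the deny rule for anonymous users (?) must come before the allow rule for all users (*); with the allow rule first, anonymous requests match it and are never denied.

<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>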

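3. Now, browse to the virtual directory in Internet Information Services (IIS) and right-click it to open its properties. Go to the security tab and click Edit to check the Anonymous access option. Anonymous access must be enabled at the IIS level so that IIS passes every request through and ASP.NET, not IIS, decides who has to log in.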

4. In your IDE, change the view mode to code view for the LoginPage.aspx page and add the following code to it. Refer to Point 4 of Code Event Handler at http://support.microsoft.com/kb/308157

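Imports System.Web.Security   ' at the top of the code-behind file

Private Sub cmdLogin_ServerClick(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles cmdLogin.ServerClick
    ' Provide your own code for authenticating the username and password
    If CUserName.Value = "AAAAAAA" And CUserPass.Value = "BBBBBBBB" Then
        ' True issues a persistent authentication cookie
        FormsAuthentication.RedirectFromLoginPage(CUserName.Value, True)
    Else
        Response.Redirect("LoginPage.aspx", True)
    End If
End Sub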

5. Create a new page, name it DefaultPage.aspx and add the following to the HTML view of the page.

<table border="0">
  <tr>
    <td>http://ServerName/FormsAuth/SecuredFolder/AnyFile.doc</td>
    <td><asp:Button id="SendFile" runat="server" Text="Send File"></asp:Button></td>
  </tr>
</table>

Now, switch to code view for this page and add the following lines:

Private Sub Button_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button.Click
    ' Sign-out handler; expects a Button control with the id "Button" on the page
    FormsAuthentication.SignOut()
    Response.Redirect("LoginPage.aspx", True)
End Sub

Private Sub SendFile_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles SendFile.Click
    ' Create a SecuredFolder in the virtual directory and add "AnyFile.doc" to it
    Response.ContentType = "application/msword"
    Response.Clear()
    Response.TransmitFile("SecuredFolder/AnyFile.doc")
    Response.End()
End Sub

I used a button instead of a hyperlink because, in the case of a hyperlink, the file will be cached and even if you change the contents of the file, the old file will be displayed. A button will prevent this.

6. Protect the SecuredFolder and ensure that you have granted the READ permission to the Network Service or ASPNET account. Run your project and see what happens when you paste the URL of the file into the browser and try to access it. You will notice a Login page instead of the file.
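The check in step 6 depends on the order of the authorization rules from step 2. The following Python sketch is an added example, not code from the original article or from ASP.NET itself: it models first-match rule evaluation on two constructed web.config samples and reports whether an anonymous request would get through. It assumes only the users attribute matters (roles and verbs are ignored), and the function names are hypothetical.

```python
# Simplified model of ASP.NET URL authorization (users attribute only;
# roles and verbs are ignored). Added example, not ASP.NET's own code.
import xml.etree.ElementTree as ET

# Constructed sample configs: the same two rules in both possible orders.
ALLOW_FIRST = """<configuration><system.web><authorization>
  <allow users="*" />
  <deny users="?" />
</authorization></system.web></configuration>"""

DENY_FIRST = """<configuration><system.web><authorization>
  <deny users="?" />
  <allow users="*" />
</authorization></system.web></configuration>"""


def parse_rules(config_xml):
    """Return (action, [users]) pairs in document order."""
    auth = ET.fromstring(config_xml).find(".//authorization")
    rules = []
    for el in (auth if auth is not None else []):
        if el.tag in ("allow", "deny"):
            users = [u.strip() for u in el.get("users", "").split(",")]
            rules.append((el.tag, [u for u in users if u]))
    return rules


def decide(rules, user):
    """Return 'allow' or 'deny' for user (None = anonymous); first match wins."""
    for action, users in rules:
        for pattern in users:
            if (pattern == "*"
                    or (pattern == "?" and user is None)
                    or (user is not None and pattern.lower() == user.lower())):
                return action
    # No rule matched: the machine-level default <allow users="*"/> applies.
    return "allow"


def anonymous_allowed(config_xml):
    """True if an unauthenticated request would be let through."""
    return decide(parse_rules(config_xml), None) == "allow"


if __name__ == "__main__":
    for name, cfg in (("allow-first", ALLOW_FIRST), ("deny-first", DENY_FIRST)):
        state = "ALLOWED" if anonymous_allowed(cfg) else "denied"
        print(name, "-> anonymous", state)
```

Running the same check against a real web.config before deployment catches a rule order that would serve the protected file without a login.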
