In this article i am explaining how to implement FormsAuthenticationTicket And Managing UserData Roles In Asp.Net 2.0,3.5,4.0 using C# And VB.NET
For implementing forms authentication without using formsauthentication ticket, read my previous article - Forms Authentication with C# and managing folder lavel access with multiple web.config files
Configuring web.config file in application root
<authentication mode="Forms">
<forms defaultUrl="Default.aspx" loginUrl="~/Login.aspx"
slidingExpiration="true" timeout="20"></forms>
</authentication>
<forms defaultUrl="Default.aspx" loginUrl="~/Login.aspx"
slidingExpiration="true" timeout="20"></forms>
</authentication>
Defining roles and accessibility in root web.config
<location path="Admin">
<system.web>
<authorization>
<allow roles="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<allow roles="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
Defining roles settings for folders and aspx within those folders in web.config file in those folders
<system.web>
<authorization>
<allow roles="user"/>
<deny users="*"/>
</authorization>
</system.web>
<authorization>
<allow roles="user"/>
<deny users="*"/>
</authorization>
</system.web>
settings for any logged in member
<system.web>
<authorization>
<deny users="?"/>
</authorization>
<authorization>
<deny users="?"/>
</authorization>
Now after creating Login page we need to authenticate user
protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
{
string userName = Login1.UserName;
string password = Login1.Password;
bool rememberUserName = Login1.RememberMeSet;
//Fetch User login information fromthe xml file into Dataset
string xmlFilePath = Server.MapPath("~/App_Data/LoginInfo.xml");
DataSet objDs = new DataSet();
objDs.ReadXml(xmlFilePath);
DataRow[] dRow = objDs.Tables[0].Select("UserName = '" + userName + "' and Password = '" + password + "'");
if (dRow.Length > 0)
{
//Fetch the role
string roles = dRow[0]["Roles"].ToString();
//Create Form Authentication ticket
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now, DateTime.Now.AddMinutes(20), rememberUserName, roles, FormsAuthentication.FormsCookiePath);
// In the above parameters 1 is ticket version, username is the username associated with this ticket
//time when ticket was issued , time when ticket will expire, remember username is user has chekced it
//roles associted with the user, and path of cookie if any
//For security reasons we may hash the cookies
string hashCookies = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hashCookies);
// add the cookie to user browser
Response.Cookies.Add(cookie);
// get the requested page
string returnUrl = Request.QueryString["ReturnUrl"];
if (returnUrl == null)
returnUrl = "~/Default.aspx";
Response.Redirect(returnUrl);
}
{
string userName = Login1.UserName;
string password = Login1.Password;
bool rememberUserName = Login1.RememberMeSet;
//Fetch User login information fromthe xml file into Dataset
string xmlFilePath = Server.MapPath("~/App_Data/LoginInfo.xml");
DataSet objDs = new DataSet();
objDs.ReadXml(xmlFilePath);
DataRow[] dRow = objDs.Tables[0].Select("UserName = '" + userName + "' and Password = '" + password + "'");
if (dRow.Length > 0)
{
//Fetch the role
string roles = dRow[0]["Roles"].ToString();
//Create Form Authentication ticket
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now, DateTime.Now.AddMinutes(20), rememberUserName, roles, FormsAuthentication.FormsCookiePath);
// In the above parameters 1 is ticket version, username is the username associated with this ticket
//time when ticket was issued , time when ticket will expire, remember username is user has chekced it
//roles associted with the user, and path of cookie if any
//For security reasons we may hash the cookies
string hashCookies = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hashCookies);
// add the cookie to user browser
Response.Cookies.Add(cookie);
// get the requested page
string returnUrl = Request.QueryString["ReturnUrl"];
if (returnUrl == null)
returnUrl = "~/Default.aspx";
Response.Redirect(returnUrl);
}
Now to retrieve the authentication and roles information on every request we need to write this code in Global.asax file
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
// look if any security information exists for this request
if (HttpContext.Current.User != null)
{
// see if this user is authenticated, any authenticated cookie (ticket) exists for this user
if (HttpContext.Current.User.Identity.IsAuthenticated)
{
// see if the authentication is done using FormsAuthentication
if (HttpContext.Current.User.Identity is FormsIdentity)
{
// Get the roles stored for this request from the ticket
// get the identity of the user
FormsIdentity identity = (FormsIdentity)HttpContext.Current.User.Identity;
//Get the form authentication ticket of the user
FormsAuthenticationTicket ticket = identity.Ticket;
//Get the roles stored as UserData into ticket
string[] roles = ticket.UserData.Split(',');
//Create general prrincipal and assign it to current request
HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(identity, roles);
}
}
}
}
{
// look if any security information exists for this request
if (HttpContext.Current.User != null)
{
// see if this user is authenticated, any authenticated cookie (ticket) exists for this user
if (HttpContext.Current.User.Identity.IsAuthenticated)
{
// see if the authentication is done using FormsAuthentication
if (HttpContext.Current.User.Identity is FormsIdentity)
{
// Get the roles stored for this request from the ticket
// get the identity of the user
FormsIdentity identity = (FormsIdentity)HttpContext.Current.User.Identity;
//Get the form authentication ticket of the user
FormsAuthenticationTicket ticket = identity.Ticket;
//Get the roles stored as UserData into ticket
string[] roles = ticket.UserData.Split(',');
//Create general prrincipal and assign it to current request
HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(identity, roles);
}
}
}
}
To check whether user in in the role or not we need to write this code in every page which provide access on role basis
protected void Page_Load(object sender, EventArgs e)
{
if (HttpContext.Current.User.IsInRole("admin"))
{
lblMessage.Text = "Welcome Administrator";
}
}
{
if (HttpContext.Current.User.IsInRole("admin"))
{
lblMessage.Text = "Welcome Administrator";
}
}
Download sample code
Related Articles :
1. Forms Authentication with C# and managing
folder lavel access with multiple web.config files
2. User validation across pages using session
after login in ASP.NET using C sharp
3. Detecting Session Timeout
and Redirect to Login Page in ASP.NET
If you like this post than join us or share
18 comments:
Thanks - is there are place for FormsAuthentication.GetAuthCookie() here ?
Hi, thanks for this post... very intresting...however I am not able to download the code... can you please mail the code...?
my email id avicool08@gmail.com
thank you
@Avinash :
Hi, you can download the source code from the lin below
http://www.box.net/shared/ez1kqnqkkr
Do let me know if you are having further problems
Hi,thanks for the post..but unable to download the code as it says ,has been removed from the www.box.net....plz provide some other link to download the code..
thank you
@Ashwani:
Hi, i've fixed the download link
enjoy
i can't link
i used some other codes for role based authendication.. all r worked fine but if the user or admin click the signout works fine signouted but click the browser back button all the admin page visibled... how to rectify that..
This comment has been removed by a blog administrator.
Please upload the project again
Please upload the project again
This post has been removed by a blog administrator.
Please upload the project again
Hi i am not able to download this code.
left side add is very disturbing while reading your article fuck off....
Thanks
plz send me code on js.patidar007@gmail.com.
please send me code on info4gourav@gmail.com
where is the source code?
paryanh.admin@gmail.com
I think there are some errors in explaination and coding please submit the project again
Sir
Please Explain briefly
Post a Comment