Forms Authentication Ticket In Asp.Net 2.0 3.5

In this article i am explaining how to implement FormsAuthenticationTicket And Managing UserData Roles In Asp.Net 2.0,3.5,4.0 using C# And VB.NET



For implementing forms authentication without using formsauthentication ticket, read my previous article - Forms Authentication with C# and managing folder lavel access with multiple web.config files

Configuring web.config file in application root


<authentication mode="Forms">
<forms defaultUrl="Default.aspx" loginUrl="~/Login.aspx"
slidingExpiration="true" timeout="20"></forms>
</authentication>

Defining roles and accessibility in root web.config

<location path="Admin">
<system.web>
<authorization>
<allow roles="admin"/>
<deny users="*"/>
</authorization>

</system.web>

</location>


Defining roles settings for folders and aspx within those folders in web.config file in those folders

<system.web>
<authorization>
<allow roles="user"/>
<deny users="*"/>
</authorization>
</system.web>

settings for any logged in member

<system.web>
<authorization>
<deny users="?"/>
</authorization>


Now after creating Login page we need to authenticate user

protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
{
string userName = Login1.UserName;
string password = Login1.Password;
bool rememberUserName = Login1.RememberMeSet;

//Fetch User login information fromthe xml file into Dataset

string xmlFilePath = Server.MapPath("~/App_Data/LoginInfo.xml");
DataSet objDs = new DataSet();
objDs.ReadXml(xmlFilePath);
DataRow[] dRow = objDs.Tables[0].Select("UserName = '" + userName + "' and Password = '" + password + "'");
if (dRow.Length > 0)
{
//Fetch the role
string roles = dRow[0]["Roles"].ToString();

//Create Form Authentication ticket
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now, DateTime.Now.AddMinutes(20), rememberUserName, roles, FormsAuthentication.FormsCookiePath);

// In the above parameters 1 is ticket version, username is the username associated with this ticket
//time when ticket was issued , time when ticket will expire, remember username is user has chekced it
//roles associted with the user, and path of cookie if any

//For security reasons we may hash the cookies
string hashCookies = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hashCookies);

// add the cookie to user browser

Response.Cookies.Add(cookie);

// get the requested page

string returnUrl = Request.QueryString["ReturnUrl"];
if (returnUrl == null)
returnUrl = "~/Default.aspx";
Response.Redirect(returnUrl);
}


Now to retrieve the authentication and roles information on every request we need to write this code in Global.asax file

protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
// look if any security information exists for this request

if (HttpContext.Current.User != null)
{

// see if this user is authenticated, any authenticated cookie (ticket) exists for this user

if (HttpContext.Current.User.Identity.IsAuthenticated)
{

// see if the authentication is done using FormsAuthentication

if (HttpContext.Current.User.Identity is FormsIdentity)
{

// Get the roles stored for this request from the ticket

// get the identity of the user

FormsIdentity identity = (FormsIdentity)HttpContext.Current.User.Identity;

//Get the form authentication ticket of the user

FormsAuthenticationTicket ticket = identity.Ticket;

//Get the roles stored as UserData into ticket

string[] roles = ticket.UserData.Split(',');

//Create general prrincipal and assign it to current request

HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(identity, roles);
}
}
}
}


To check whether user in in the role or not we need to write this code in every page which provide access on role basis

protected void Page_Load(object sender, EventArgs e)
{
if (HttpContext.Current.User.IsInRole("admin"))
{
lblMessage.Text = "Welcome Administrator";
}
}


Download sample code


Related Articles :

1. Forms Authentication with C# and managing
folder lavel access with multiple web.config files


2. User validation across pages using session
after login in ASP.NET using C sharp


3. Detecting Session Timeout
and Redirect to Login Page in ASP.NET
If you like this post than join us or share

18 comments:

Unknown said...

Thanks - is there are place for FormsAuthentication.GetAuthCookie() here ?


Avinash Tumulu said...

Hi, thanks for this post... very intresting...however I am not able to download the code... can you please mail the code...?

my email id avicool08@gmail.com
thank you


Unknown said...

@Avinash :

Hi, you can download the source code from the lin below

http://www.box.net/shared/ez1kqnqkkr

Do let me know if you are having further problems


Ashwani said...

Hi,thanks for the post..but unable to download the code as it says ,has been removed from the www.box.net....plz provide some other link to download the code..
thank you


Unknown said...

@Ashwani:

Hi, i've fixed the download link

enjoy


PAtRoN (c) 1991 said...

i can't link


Unknown said...

i used some other codes for role based authendication.. all r worked fine but if the user or admin click the signout works fine signouted but click the browser back button all the admin page visibled... how to rectify that..


Anonymous said...

This comment has been removed by a blog administrator.


Anonymous said...

Please upload the project again


Anonymous said...

Please upload the project again


Anonymous said...

This post has been removed by a blog administrator.
Please upload the project again


varsha said...

Hi i am not able to download this code.


Anonymous said...

left side add is very disturbing while reading your article fuck off....


Trekon Technologies said...

Thanks
plz send me code on js.patidar007@gmail.com.


Gourav said...

please send me code on info4gourav@gmail.com


Unknown said...

where is the source code?
paryanh.admin@gmail.com


Anonymous said...

I think there are some errors in explaination and coding please submit the project again


Anonymous said...

Sir

Please Explain briefly


Find More Articles