1
votes



The problem is as follows:
If a visitor tries to access a page in the Admin folder, he must be redirected to the login page located in the Admin folder. There I will take his username and password and check them against a SQL Server table; if he is authenticated, he will be redirected to the Default page and can access any page in the Admin folder, but not any page in the User folder.
One thing is important here: the login page in the Admin folder and the login page in the User folder are different.
The same scenario applies to the User folder.
Please tell me the right way to achieve this functionality.
Please explain your answer.


2 Answers

1
votes

On each page within the Admin folder, as the first line in the C# code of the page, check for the presence of an "IsAllowedAdmin" variable in the session data. If it isn't there, then do a manual redirect to the Admin login page.

When logging into the Admin login page, if the user authenticates OK, then store the IsAllowedAdmin variable as true in the session data.

And then have a similar thing in the user page....

So...in the admin pages you might have...

protected void Page_Load(object sender, EventArgs e)
{
    // Fail closed: a missing or non-bool session value counts as "not logged in",
    // so an absent entry redirects just like an explicit false.
    bool bAdminOk = (Session["AdminOk"] as bool?) ?? false;
    if (!bAdminOk)
    {
        // endResponse = true stops the page from rendering after the redirect.
        Response.Redirect("~/Admin/login.aspx", true);
    }
}

And then similar (but with a different session variable name) for the user pages...
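
The following is an added example, not code from the answer above, showing the same session-flag approach done once in a shared base class so no Admin page can forget the check, together with the login code-behind that sets the flag after checking the credentials in SQL Server. The session key "AdminOk" and login URL follow the answer; the control names (UserName, Password, ErrorLabel), the "AdminDb" connection string and the AdminUsers table with UserName/PasswordHash/Salt columns are assumptions for this example.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.UI;

// Shared base class for every page under ~/Admin. Doing the check once in OnInit
// of a base class means no page can forget it, and it runs before any page output.
public class AdminPage : Page
{
    public const string SessionKey = "AdminOk";
    public const string LoginUrl = "~/Admin/login.aspx";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Fail closed: missing, wrong type, or false all mean "not logged in".
        bool adminOk = (Session[SessionKey] as bool?) ?? false;
        if (!adminOk)
        {
            // endResponse = true aborts the request so nothing below renders.
            Response.Redirect(LoginUrl, true);
        }
    }
}

// Code-behind for ~/Admin/login.aspx. It derives from Page, not AdminPage,
// otherwise it would redirect to itself. Control names, connection string name
// and table/column names are assumptions for this example.
public partial class AdminLogin : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (CheckAdminCredentials(UserName.Text, Password.Text))
        {
            Session.Clear();                      // drop any pre-login state
            Session[AdminPage.SessionKey] = true; // set only on success, never from input
            Response.Redirect("~/Admin/Default.aspx", true);
        }
        else
        {
            // Same message whether the user is unknown or the password is wrong.
            ErrorLabel.Text = "Invalid username or password.";
        }
    }

    // Parameterised lookup (no string concatenation, so no SQL injection), then a
    // PBKDF2 check against the stored salted hash; plaintext is never stored.
    private static bool CheckAdminCredentials(string userName, string password)
    {
        string connStr = ConfigurationManager.ConnectionStrings["AdminDb"].ConnectionString;
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(
            "SELECT PasswordHash, Salt FROM AdminUsers WHERE UserName = @u", conn))
        {
            cmd.Parameters.AddWithValue("@u", userName);
            conn.Open();
            using (SqlDataReader rdr = cmd.ExecuteReader())
            {
                if (!rdr.Read())
                {
                    return false;
                }
                byte[] storedHash = (byte[])rdr["PasswordHash"];
                byte[] salt = (byte[])rdr["Salt"];
                byte[] computed;
                using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000))
                {
                    computed = kdf.GetBytes(storedHash.Length);
                }
                return FixedTimeEquals(storedHash, computed);
            }
        }
    }

    // Compare every byte regardless of where the first mismatch is, so timing
    // does not leak how much of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length)
        {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}
```

A UserPage base class with its own key (for example "UserOk") and login URL gives the User folder the same treatment. Note that ASP.NET does not rotate the session ID on login, so this flag is only as trustworthy as the session cookie; set requireSSL and httpOnlyCookies on the cookie configuration so it cannot be read or replayed over plain HTTP.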

1
votes

If you are using Forms/Membership authentication there is no need to have two different login pages (I don't think this is even possible); instead use a single login page and redirect differently depending on whether the user is an "admin" or a regular user. Forms authentication provides a built-in mechanism for this using Roles.

To enable roles you need to add a roleManager section to your web.config, e.g.:

<roleManager enabled="true" defaultProvider="SqlRoleManager">
    <providers>
        <add name="SqlRoleManager" type="System.Web.Security.SqlRoleProvider" connectionStringName="LocalSqlServer" applicationName="/"/>
    </providers>
</roleManager>

Then in your authorization sections you can protect pages from normal users but allow admin users:

<!-- Scope this to the folder: inside <location path="Admin"> in the root web.config,
     or in Admin/web.config. deny users="*" also denies logged-in users without the role. -->
<authorization>
    <allow roles="Admin"/>
    <deny users="*"/>
</authorization>

It's very easy to test in code whether a user is in the admin role (e.g. when deciding where to redirect):

if (Membership.ValidateUser(user, pass) && Roles.IsUserInRole(user, "Admin"))
{
    //...
}
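
The following is an added example, not code from the answer above, showing a complete single-login-page code-behind built on Membership and the Roles configuration shown there. It assumes web.config has `<authentication mode="Forms">` with `loginUrl="~/Login.aspx"`, plus `<location path="Admin">` and `<location path="User">` blocks whose `<authorization>` allows the "Admin" and "User" roles respectively and denies everyone else; the control names (UserName, Password, ErrorLabel, LoginPanel) are assumptions. It also handles two things the snippet above leaves open: `<deny users="*"/>` sends an authenticated user without the right role back to the login page, and the ReturnUrl that Forms authentication appends must not be followed blindly.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Code-behind for a single ~/Login.aspx. Assumes Forms authentication, the
// roleManager from the answer above, and per-folder <location> authorization
// rules in web.config. Control names are assumptions for this example.
public partial class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // <deny users="*"/> also bounces authenticated users who lack the role
        // back here with a ReturnUrl. Show "no access" instead of a login form,
        // otherwise a User hitting /Admin/ loops between the two pages.
        if (User.Identity.IsAuthenticated && Request.QueryString["ReturnUrl"] != null)
        {
            LoginPanel.Visible = false;
            ErrorLabel.Text = "You do not have access to that page.";
        }
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text;

        if (!Membership.ValidateUser(user, Password.Text))
        {
            // Same message whether the user is unknown or the password is wrong.
            ErrorLabel.Text = "Invalid username or password.";
            return;
        }

        // Issue the forms ticket. From here on the <authorization> rules in
        // web.config are enforced on every request, with no per-page code.
        FormsAuthentication.SetAuthCookie(user, false);

        string target = PickLandingPage(
            Roles.IsUserInRole(user, "Admin"),
            Roles.IsUserInRole(user, "User"),
            Request.QueryString["ReturnUrl"]);
        Response.Redirect(target, true);
    }

    // Role decides the landing page. A ReturnUrl is honoured only if it is a
    // local path; an absolute URL would turn the login page into an open
    // redirect. The folder rules still apply after the redirect, so a User
    // with ReturnUrl=/Admin/x.aspx is refused there and lands back in Page_Load.
    internal static string PickLandingPage(bool isAdmin, bool isUser, string returnUrl)
    {
        if (IsLocalPath(returnUrl))
        {
            return returnUrl;
        }
        if (isAdmin)
        {
            return "~/Admin/Default.aspx";
        }
        if (isUser)
        {
            return "~/User/Default.aspx";
        }
        return "~/Default.aspx"; // authenticated but in neither role
    }

    internal static bool IsLocalPath(string url)
    {
        // "/x" is local; "//evil.example" and "/\evil.example" are scheme-relative
        // and would leave the site, as would "http://...".
        return !string.IsNullOrEmpty(url)
            && url[0] == '/'
            && !(url.Length > 1 && (url[1] == '/' || url[1] == '\\'));
    }
}
```

With this layout the only per-folder difference is the `<location>` rule, so adding a third area later is a web.config change rather than a new login page.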