Login using the Web.config file ASP.NET


The web.config file can be used to restrict access to resources within a directory, forcing the user to log in for authentication. This is useful because access can be restricted by directory rather than validating the user through a session variable on every page. This FAQ is based on a project which you can download and install from here . Install the project and open it in Visual Studio .NET from the menu File -> Open -> Project From Web... then enter the URL http://localhost/Logon. If you wish to do it from scratch, just follow the example below.

Project Setup 

Create two web forms called Default.aspx and LogingForm.aspx in the main directory. Then create a subdirectory called secure with another web form called SecureForm.aspx and also a file called Web.config, so that you have the structure shown below.

Web.config file setup

Inside the first web.config file, located in the main directory, scroll down until you reach the authentication section shown below. By default the authentication mode is set to "Windows"; change this to "Forms" and add the forms tag with loginUrl="LogingForm.aspx" timeout="20". What this does is send any user who is trying to gain access to a protected page to the LogingForm.aspx page. The timeout acts just like a session timeout: if you don't access files within 20 minutes you need to log in again. The allow tag specifies which users are allowed access to this directory. In this case the parent directory allows everyone with the "*".

<!-- This section sets the authentication policies of the application. Possible modes are "Windows", "Forms",
     "Passport" and "None" -->
<authentication mode="Forms">
  <forms loginUrl="LogingForm.aspx" timeout="20"/>
</authentication>

<!-- This section sets the authorization policies of the application. You can allow or deny access
     to application resources by user or role. Wildcards: "*" means everyone, "?" means anonymous
     (unauthenticated) users. -->
<authorization>
  <allow users="*" /> <!-- Allow all users -->

  <!-- <allow users="[comma separated list of users]"
              roles="[comma separated list of roles]"/>
       <deny users="[comma separated list of users]"
              roles="[comma separated list of roles]"/>
  -->
</authorization>

Inside the second web.config file, located in the secure directory, copy what you see below. Basically, the way the web.config file works is that it overrides any settings of the parent directory that you choose to override. In this case it's the "authorization" tag. In the above web.config file we allowed all users; in this web.config file we allow the user named "admin" and deny all other users.

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authorization>
      <allow users="admin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
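As an added illustration that is not part of the original tutorial, the following Python models how ASP.NET merges the two authorization sections above: the requested directory's rules are checked first, then the parent's, and the first matching allow or deny decides. The config strings are constructed copies of this page's two files; LEAKY_SECURE_CONFIG is a hypothetical variant that forgets the deny line, showing that the parent's allow-everyone rule then lets any user through.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the two <authorization> sections from this tutorial:
# the root Web.config (allow everyone) and secure/Web.config (admin only).
ROOT_CONFIG = """<configuration><system.web><authorization>
  <allow users="*" />
</authorization></system.web></configuration>"""

SECURE_CONFIG = """<configuration><system.web><authorization>
  <allow users="admin"/>
  <deny users="*"/>
</authorization></system.web></configuration>"""

# Constructed misconfiguration: the same directory config with the <deny> line forgotten.
LEAKY_SECURE_CONFIG = """<configuration><system.web><authorization>
  <allow users="admin"/>
</authorization></system.web></configuration>"""

def load_rules(config_xml):
    """Return the (tag, users, roles) rules of one Web.config in document order."""
    section = ET.fromstring(config_xml).find("./system.web/authorization")
    rules = []
    for rule in section:
        users = [u.strip() for u in rule.get("users", "").split(",") if u.strip()]
        roles = [r.strip() for r in rule.get("roles", "").split(",") if r.strip()]
        rules.append((rule.tag, users, roles))
    return rules

def rule_matches(rule, user, roles):
    """'*' matches everyone, '?' matches anonymous requests (user is None),
    otherwise the user name (compared case-insensitively) or one of the roles."""
    _, users, rule_roles = rule
    authenticated = user is not None
    for u in users:
        if u == "*" or (u == "?" and not authenticated):
            return True
        if authenticated and u.lower() == user.lower():
            return True
    return authenticated and any(r in rule_roles for r in roles)

def is_allowed(config_chain, user=None, roles=()):
    """config_chain lists Web.config XML strings from the requested directory up to the root.
    ASP.NET evaluates the most specific directory's rules first, then each parent's, and
    the first matching rule decides; user=None models an anonymous request."""
    for config_xml in config_chain:
        for rule in load_rules(config_xml):
            if rule_matches(rule, user, roles):
                return rule[0] == "allow"
    return True  # no rule matched: machine.config's own <allow users="*"/> applies
```

Running is_allowed([SECURE_CONFIG, ROOT_CONFIG], None) returns False, which is the case where ASP.NET sends the anonymous visitor to LogingForm.aspx.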



There is also a machine.config file in the "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\CONFIG" directory, which holds the default settings for all web projects on your machine. Changing this file changes the settings for every web project.

Default.aspx page

Inside the Default.aspx page, just put a hyperlink pointing to SecureForm.aspx:

<body MS_POSITIONING="GridLayout">
  <form id="Form1" method="post" runat="server">
    <asp:HyperLink id="secureHL" runat="server" NavigateUrl="Secure/SecureForm.aspx">Secure Form</asp:HyperLink>
  </form>
</body>


Create the LogingForm.aspx form with a Label at the top named loginLabel, the first Text Box named userNameTB, the second Text Box named passwordTB and a Button named loginBtn, as shown below.

Double click on the Login Button in the designer and, in the code behind page, put the following in the loginBtn's event handler.

Private Sub loginBtn_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles loginBtn.Click
    If userNameTB.Text = "admin" And passwordTB.Text = "admin" Then
        ' Option 1: issue the forms authentication cookie and stay on this page
        ' System.Web.Security.FormsAuthentication.SetAuthCookie("admin", False)
        ' Option 2: issue the cookie and send the user back to the page they originally requested
        System.Web.Security.FormsAuthentication.RedirectFromLoginPage("admin", False)
    Else
        loginLabel.Text = "Invalid Login"
    End If
End Sub

Basically it checks the two text boxes for the username and password "admin" and "admin"; if you enter these, a forms authentication cookie is set. You can do two things at this stage.
  1. Use "System.Web.Security.FormsAuthentication.SetAuthCookie("admin", False)" (commented out here) if you want to stay on the same Login page after authentication. You could manually redirect to another page if you wanted to. OR
  2. Use "System.Web.Security.FormsAuthentication.RedirectFromLoginPage("admin", False)" if you want to return them to the page they originally requested. This second one is useful if, say, they bookmarked a page and went straight to that page the next time they visited the site. Essentially it takes them to the login page and then, once they enter the username and password correctly, returns them to the original page they requested.
In either technique you will notice that the username (first parameter) is set to "admin", which corresponds to the web.config file's allow tag, which is also "admin". The second argument in the method determines whether the authentication cookie placed on the client should be persistent between visits, so I've set it to False in this case.


The SecureForm.aspx form is just some text and a button named logoutBtn which allows you to log out.

Double click on the Logout button in the designer and enter the following code in the event handler.

Private Sub logoutBtn_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles logoutBtn.Click
    ' Remove the forms authentication cookie so the next request to the secure directory requires a new login
    System.Web.Security.FormsAuthentication.SignOut()
End Sub

You can use "System.Web.Security.FormsAuthentication.SignOut()" to destroy the cookie manually, as shown above.

Note: If you try to go to SecureForm.aspx directly when you run the web application, you are in this case taken to the login page and then, on successful login, taken directly back to the original page you requested.

Written by Grant Tibbey