Login using the Web.config file in ASP.NET
The web.config file can be used to restrict access to resources within
a directory, forcing the user to log in for authentication. This is
useful because access can be restricted per directory rather than by
validating the user through a session variable on every page. This FAQ
is based on a project which you can download and install from here.
Install the project and open it in Visual Studio .NET from the menu
File -> Open -> Project From Web..., then enter the URL
http://localhost/Logon. If you wish to do it from scratch, just follow
the example below.
Create two web forms called Default.aspx and LogingForm.aspx in the
main directory. Then create a subdirectory called secure containing
another web form called SecureForm.aspx and a second Web.config file,
so that you have the structure shown below.
Web.config file setup
Inside the first web.config file, located in the main directory, scroll
down until you reach the authentication section shown below. By default
the authentication mode is set to "Windows"; change this to "Forms" and
add the forms tag with loginUrl="LogingForm.aspx" and timeout="20".
This sends any user who tries to reach a protected page to the
LogingForm.aspx page instead. The timeout acts just like a session
timeout: if you don't access any files within 20 minutes you need to
log in again. The allow users element specifies which users are allowed
access to this directory. In this case the parent directory allows
everyone with the "*" wildcard.
<!-- AUTHENTICATION
     This section sets the authentication policies of the application. Possible modes are "Windows", "Forms",
     "Passport" and "None" -->
<authentication mode="Forms">
  <forms loginUrl="LogingForm.aspx" timeout="20"/>
</authentication>

<!-- AUTHORIZATION
     This section sets the authorization policies of the application. You can allow or deny access
     to application resources by user or role. Wildcards: "*" means everyone, "?" means anonymous
     (unauthenticated) users -->
<authorization>
  <allow users="*" /> <!-- Allow all users -->
  <!-- <allow users="[comma separated list of users]"
              roles="[comma separated list of roles]"/>
       <deny users="[comma separated list of users]"
             roles="[comma separated list of roles]"/>
  -->
</authorization>
Inside the second web.config file, located in the secure directory, copy
what you see below. The way a web.config file works is that it
overrides any settings of the parent directory that you choose to
override. In this case it's the "authorization" tag. In the above
web.config file we allowed all users; in this web.config file we allow
the user named "admin" and deny all other users.
<?xml version="1.0" encoding="utf-8" ?>
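The secure directory's Web.config described above, written out in full as an added example rather than the page's own file; it assumes the same user name "admin" that the tutorial's login code uses:

```xml
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <!-- Only the authorization section is overridden here; the Forms
         authentication settings are inherited from the parent Web.config. -->
    <authorization>
      <!-- Rules are evaluated top to bottom and the first match wins,
           so the allow for "admin" must come before the deny-all rule. -->
      <allow users="admin" />
      <deny users="*" />
      <!-- A weaker variant is <deny users="?" /> on its own: that only
           turns away anonymous visitors, so any authenticated name
           (not just "admin") would be let into this directory. -->
    </authorization>
  </system.web>
</configuration>
```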
Note: There is also a machine.config file in the
"C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\CONFIG" directory where
all the default settings for web projects on your machine are kept.
Changing it changes the settings for every web project on the machine.
Inside the Default.aspx page just put a hyperlink pointing to the
SecureForm.aspx page in the secure directory, as shown below.
<form id="Form1" method="post" runat="server">
  <asp:HyperLink id="secureHL" runat="server" NavigateUrl="Secure/SecureForm.aspx">Secure Form</asp:HyperLink>
</form>
Create the login form with a Label at the top named loginLabel,
a first TextBox named userNameTB, a second TextBox named passwordTB
and a Button named loginBtn, as shown below.
Double click on the Login button in the designer and put the following
in the loginBtn event handler in the code-behind page.
Private Sub loginBtn_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles loginBtn.Click
    If userNameTB.Text = "admin" And passwordTB.Text = "admin" Then
        ' System.Web.Security.FormsAuthentication.SetAuthCookie("admin", False)   ' alternative: set cookie, stay on this page
        System.Web.Security.FormsAuthentication.RedirectFromLoginPage("admin", False)   ' set cookie, return to requested page
    Else
        loginLabel.Text = "Invalid Login"
    End If
End Sub
Basically it checks the two text boxes for the username and password
"admin" and "admin"; if you enter these, a forms authentication cookie
is set (the hard-coded comparison stands in for a real credential
check). You can do one of two things at this stage. In either technique
you will notice that the username (first parameter) is set to "admin",
which corresponds to the "admin" in the web.config file's allow tag.
The second argument of the method determines whether the
authentication cookie placed on the client should be persistent between
visits; I've set it to False in this case.
Use "System.Web.Security.FormsAuthentication.SetAuthCookie("admin",
False)" (commented out here) if you want to stay on the same login page
after authentication. You could then manually redirect to another page
if you wanted to. OR use
"System.Web.Security.FormsAuthentication.RedirectFromLoginPage("admin",
False)" if you want to return them to the page they originally
requested. This second one is useful if, say, they bookmarked a page and
went straight to that page the next time they visited the site.
Essentially it takes them to the login page and then, once they enter
the username and password correctly, returns them to the original page
they requested.
This form is just some text and a button which allows you to log out.
Double click on the Logout button in the designer and enter the
following code in the event handler.
Private Sub logoutBtn_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles logoutBtn.Click
    System.Web.Security.FormsAuthentication.SignOut()   ' removes the forms authentication cookie
End Sub
You can use "System.Web.Security.FormsAuthentication.SignOut()" to
destroy the cookie manually as shown above.
Note: If you try to go to SecureForm.aspx directly when you run the web
application, you are in this case taken to the login page and then, on
successful login, taken directly back to the original page you
requested.
Written by Grant Tibbey