ASP.Net Security

andy - 16 Jul, 2013 4723 Views 0 Comment

Why do you need security on your website? Well, sometimes you want to prevent access from unauthorized users to specific pages or path of your website. With the built in security in ASP.Net, you can achive this. In ASP.Net, there are two security models you can use to protect your website applications, those models are: Forms Authentication and Windows Authentication.

1. Forms Authentication

Forms Authentication model is ideal to use if you are using a database to check against the user credential login details. Once a user has been verified against the data found in the database, ASP.Net will create a security form cookie. This cookie can be configured in web.config, you can specify the name of this form cookie and also the session length access counted in minutes. This session length is used to automatically terminated the access if a user does not do any activity on the website and has passed the session time stated in web.config.

See below example on how to use Forms Authentication in ASP.Net. If you see carefully, we want to block the access for unauthorises users to access the path of My Account folder. The loginUrl attribute will the website application to automatically navigate the user to login.aspx if the users are not authorized to access.

    <system.web>
        <authentication mode="Forms">
            <forms name="MyFormCookie" loginUrl="~/Login.aspx" timeout="60" path="~/MyAccount" />
        </authentication>
    </system.web>

Additionally, you have another option to add authorization tags in web.config to give specific users to access the site. See below example for more details.

    <system.web>
        <authentication mode="Forms">
            <forms name="MyFormCookie" loginUrl="~/Login.aspx" timeout="60" path="~/MyAccount" />
        </authentication>
            
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>

The asterisk(*) symbol on above example is a wildcard that means apply to everyone. If you want to deny access for specific users, you can as well, what you have to do is add the username into the deny tag attribute. If you have more than one user, you can separate them with comma. Please note that this usernames are retrived from the database user login tables. These usernames have to be unique. Below example configuration will allows all users to access to the site except for john and angela.

    <system.web>
        <authentication mode="Forms">
            <forms name="MyFormCookie" loginUrl="~/Login.aspx" timeout="60" path="~/MyAccount" />
        </authentication>
        <authorization>
            <deny users="john, angela" />
            <allow users="*"/>
        </authorization>
    </system.web>

If you want to make all users that visit your site have to login first, you can use this configuration settings. The symbol of question mark (?) will deny the access for all unauthorized users and will force them to login first to the site.

    <system.web>
        <authentication mode="Forms">
            <forms name="MyFormCookie" loginUrl="~/Login.aspx" timeout="60" path="~/MyAccount" />
        </authentication>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>

How to check if a user has already login

You can use the following code to check if a user has already login to the site.

    protected void Page_Load(object sender, EventArgs e) {
        if (User.Identity.IsAuthenticated) {
            Response.Write("Your username is " + User.Identity.Name);
        }
    }

This is how you want to logout the user from the site access.

    private void btnLogout_Click(Object sender, EventArgs e){
        FormsAuthentication.SignOut();
        Response.Redirect("~/Login.aspx");
    }

2. Windows Authentication

To use Windows Authentication mode is more simple. You basically just need to set the authentication mode to Windows like below. This type of authentication is only best to use for Intranet or Company network purposes only. The user login information will be checked against IIS users credentials. See below configuration example. Below example will force all users to login first before can access the site.

<system.web>
    <authentication mode="Windows"/>
 </system.web>

Facebook Twitter

Comments

There are no comments available.

Write Comment

Name

Comment

0 characters entered. Maximum characters allowed are 1000 characters.

Related Blogs

How to convert string to char array in C#?

ASP.Net

02 Apr, 2021

If you need to convert string to char array you can use the built-in function in the string library called ToCharArray.

How to convert char array to string in C#?

ASP.Net

01 Apr, 2021

If you need to convert a char array to string in C#. You can use declare a new string and pass the char array in the string constructor.

How to shuffle list items in c#

ASP.Net

15 Oct, 2019

If you have a list of objects and want to shuffle the list. You can easily do that in C#. So why do you need to shuffle a list?

ASP.Net Input Validation Controls

ASP.Net

07 Jul, 2013

Learn how to use validation input control like CompareValidator and many more.

ASP.Net Master Page

ASP.Net

10 Jul, 2013

Learn what is ASP.Net Master Page and how to implement Master Page in ASP.Net

ASP.Net Server Controls

ASP.Net

11 Jul, 2013

Learn how to use server controls in ASP.Net.

ASP.Net State Management

ASP.Net

16 Jul, 2013

Learn what types of state management available in ASP.Net.

ASP.Net Caching

ASP.Net

14 Jul, 2013

Learn how to optimize your site using ASP.Net Caching features.

ASP.Net Security

1. Forms Authentication

How to check if a user has already login

2. Windows Authentication

Comments

Related Blogs

Related Tutorials