Sometimes we need to secure certain pages of a web application. These can be admin pages which should only be available to the admin of the website. The best way is to put all the pages that you want secured in a folder and secure the whole folder. In this article we will put a page in the Admin folder, which will only be available to the admin, and see how we can authenticate against credentials stored in the Web.config file.
Protecting the Folder:
To protect a folder, add some settings to the Web.config file. The code below includes a location tag whose path attribute names the folder to protect. deny users="?" means that all anonymous (unauthenticated) users are denied access to the folder. On its own, this rule admits every user who has logged in, not only the administrator.
<location path="Admin">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
Credentials in Web.config file:
Let's see how we can authenticate against a username and password stored in the Web.config file. If you have only a few users to authenticate, you can use the Web.config file to store the credentials. If you plan to store credentials in Web.config, always encrypt them. For encryption and decryption please check out my article Securing Connection Strings. Let's take a look at the Web.config file.
<authentication mode="Forms">
  <forms loginUrl="login.aspx">
    <credentials passwordFormat="Clear">
      <!-- You can add any number of users you want -->
      <user name="azamsharp" password="password" />
      <user name="John" password="Doe" />
    </credentials>
  </forms>
</authentication>
As you can see, I have stored two usernames and passwords in the Web.config. Now let's see the button click code that authenticates against the Web.config file.
if (FormsAuthentication.Authenticate(txtName.Text, txtPassword.Text))
{
    // This redirects to the default.aspx page
    FormsAuthentication.RedirectFromLoginPage(txtName.Text, false);
}
If you use the code above, then on successful login it will redirect to the "default.aspx" page. If you want your user to be redirected to a page other than default.aspx, you can use the approach below:
if (FormsAuthentication.Authenticate(txtName.Text, txtPassword.Text))
{
    FormsAuthentication.SetAuthCookie(txtName.Text, false);
    // We are doing a Redirect since we don't want to go to the default.aspx page
    Response.Redirect("Admin/SecurePage.aspx");
}
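The two Web.config settings shown earlier can be checked mechanically. The Python script below is an added example, not code from the original article: it parses a Web.config (here a constructed sample that merges the article's two fragments) and reports cleartext credentials and location sections that admit every logged-in account. The function name, the rule names and the assumption that the file declares no XML namespace are the example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the article's two Web.config fragments merged into one file.
SAMPLE = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx">
        <credentials passwordFormat="Clear">
          <user name="azamsharp" password="password" />
          <user name="John" password="Doe" />
        </credentials>
      </forms>
    </authentication>
  </system.web>
  <location path="Admin">
    <system.web>
      <authorization><deny users="?" /></authorization>
    </system.web>
  </location>
</configuration>"""


def audit_web_config(xml_text):
    """Return (rule, subject, detail) findings. Rule names are this example's own."""
    root = ET.fromstring(xml_text)
    findings, accounts = [], []
    for creds in root.iter("credentials"):
        names = [u.get("name", "") for u in creds.findall("user")]
        accounts += names
        if names and creds.get("passwordFormat", "").lower() == "clear":
            findings.append(("cleartext-credentials", "credentials",
                             "plaintext passwords for: " + ", ".join(names)))
    for loc in root.findall("location"):
        for authz in loc.iter("authorization"):
            # Rules are matched top-down; without <deny users="*"> nothing in this
            # section stops a logged-in user who is not explicitly allowed.
            denied = {tok.strip() for d in authz.findall("deny")
                      for tok in d.get("users", "").split(",")}
            if "*" not in denied:
                findings.append(("any-authenticated-user", loc.get("path", ""),
                                 "admits every logged-in account: "
                                 + ", ".join(accounts)))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in audit_web_config(SAMPLE):
        print(f"[{rule}] {subject}: {detail}")
```

The second check is a heuristic over a single file: rules inherited from a parent Web.config are not considered.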
In the next article we will see how we can authenticate against username and password stored in the database.
I hope you liked the article, happy coding!