ASP.Net web flow - c#

I am developing a large ASP.NET-based application. Certain pages and links require user authentication. On some pages, I have links and form submissions for which I first need to authenticate the user. Here is an example:
In PageX I have a link L1. When the user clicks it, I check whether the user is authenticated. If not, I redirect to the login page. Once the user is authenticated, I redirect him back to PageX. But the problem is, I don't want the user to click L1 again! Instead, I want the L1 action to be executed once the user is authenticated and its results displayed, etc.
I am trying to find a good solution to this problem. Any ideas on how to accomplish this?

ASP.NET's Forms Authentication addresses this scenario. You can deny all unauthenticated users to all pages or (more commonly) deny unauthenticated users to a proper subset of pages.

There are several ways of doing it:
1. The built-in way, Forms Authentication. Correct me if I remember wrong, but you should be able to add your own login logic and integrate your login control with the Forms Authentication provider.
2. Store the L1 URL in the query string or in the session if the user is not logged in, and add logic to your login control to redirect the user when login is successful.

Use Forms Authentication.
It's baked into ASP.NET and does exactly what you're talking about.
The User will click on a link. If they're not authenticated, they will be redirected to a login page (one of the parameters to the page will be the destination URL they were trying to reach). After a successful login, the User will be redirected to the page they requested instead of having to click the link again.
You also need to make sure you have your web.config set up to properly allow/deny unauthorized access to your application as described here:
Setting authorization rules for a particular page or folder in Web.config

Related

How To Make Identity Login Page As Startup Page And Redirect User to Dashboard If User Is Already Logged-in In Blazor Server

Here I have a simple chat Blazor Server app, where a user can log in, add friends and chat with added friends.
In the app there are Identity login, register, etc. pages, which were created when the project was created by selecting Individual Accounts as the authentication type. Now, what I want is to make the Identity login page my default starting page, redirect to the Blazor dashboard after login, and, if the user is already logged in, redirect that user to the dashboard.
Any help to achieve these things would be appreciated. Thank you.
sudip chand, what is wrong with the current design of your app? I wouldn't do what you ask, even if you are not the first user asking for this design. Your current design allows access to the chat page only if the user is authenticated. I think it's the correct design.
However, if you want to make the Identity login page your default starting page, you can add @attribute [Authorize] to the top of your _Host.cshtml file. This will ensure that, if the user is not authenticated, the Login page, which is not part of the Blazor App, would be displayed even before the Blazor App is completely rendered.

How to display HTML element when user is logged in. (ASP.NET Core MVC, without EF)

I've got a simple login system. Whenever a user is logged in, I want them to see a specific HTML div. Only if you've logged in. For the users that haven't logged in, I want this element to be hidden. I've read something about "roles" but I don't know if this is the right concept to apply in this situation. Could someone give me advice about how I could fix this problem?
This link should show you how to check authentication and roles in the Razor page.
Checking Login and Roles In Razor Page
If you are using Identity, you could make use of these:
    User.Identity.Name;
    User.Identity.IsAuthenticated;
If you are using custom (cookie) authentication, you can also leverage reading/writing the user inside the cookie. Put it in the ViewBag or access it directly on the Razor page.
For more information and/or external login providers, you can check this out bro https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-3.1&tabs=visual-studio

How does the authentication apply to all aspx pages for a Web Application using C# in Visual Studio 2010?

I have created a web application in Visual Studio 2010 using C#.
I have two web pages, and the web application is hosted on a machine that has joined a domain, WATSON.
The first web page is basically the login page. The end user will enter their username and password, select their domain and click submit.
Now, the problem is that although I use the following code to authenticate the user, I do not know how I should store the authenticated result.
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, txtboxDomain.Text))
{
    // validate the credentials
    bool isValid = pc.ValidateCredentials(txtboxUser.Text, txtboxPass.Text);
}
I thought of storing the authenticated result in a cookie, but I run the risk that the end user might disable cookies or try something funny with the cookie.
Also, I can't possibly put the login page on each of the web pages that my web application has.
Also, suppose I redirect an end user who has successfully authenticated to another aspx page; the end user might just bookmark that aspx page. Next time, the end user will go straight to that aspx page without going through the login page. Then the end user will not need to log in, which is what I don't want to happen.
So, how should I go about ensuring that only the correct and rightful users are able to access the other aspx page?
Take a look at one of my answers how you can set windows authentication on application level:
WindowsIdentity and Classic .Net App Pool
And here is another link on how you can limit user access to specific pages; it might come in handy:
How to restrict unlogged/unauthorized users from viewing web pages in ASP.NET
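
One way to connect the credential check in the question above to the Forms Authentication flow described at the top of the page (an added example, not code from any of the posts). It assumes web.config enables forms authentication with loginUrl pointing at this page and denies anonymous users on the protected pages; the class name Login, the handler btnSubmit_Click and the label lblError are hypothetical, while the text box names come from the question.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for a hypothetical Login.aspx (assumed: forms authentication is on).
public partial class Login : Page
{
    // Declared here so the snippet compiles on its own; drop these fields if a
    // designer file already declares them. lblError is a hypothetical control.
    protected TextBox txtboxDomain, txtboxUser, txtboxPass;
    protected Label lblError;

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        if (!IsValidDomainUser(txtboxDomain.Text, txtboxUser.Text, txtboxPass.Text))
        {
            // One message for every failure, so the page does not reveal whether
            // the domain, the account or the password was wrong.
            lblError.Text = "Login failed.";
            return;
        }
        // Issues the forms-authentication ticket (encrypted and validated under the
        // default protection="All"; false = session cookie) and redirects to the
        // ReturnUrl of the original request, or to defaultUrl when there is none.
        string name = txtboxDomain.Text + "\\" + txtboxUser.Text;
        FormsAuthentication.RedirectFromLoginPage(name, false);
    }

    private static bool IsValidDomainUser(string domain, string user, string password)
    {
        // Reject blank input up front: an LDAP simple bind with an empty
        // password is an anonymous bind, not a credential check.
        if (string.IsNullOrWhiteSpace(domain) || string.IsNullOrWhiteSpace(user)
            || string.IsNullOrEmpty(password))
            return false;
        try
        {
            using (var pc = new PrincipalContext(ContextType.Domain, domain))
                return pc.ValidateCredentials(user, password);
        }
        catch (PrincipalException)
        {
            return false; // e.g. unknown or unreachable domain: treat as failed login
        }
    }
}
```

With the protected pages denied to anonymous users, a bookmarked URL requested without a valid ticket is sent through this page first and then back to the bookmarked address.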

Set up STS but keep formsauthentication in webapp

I'm enabling Windows Identity Foundation on an existing webapp.
I want to mess as little as possible with the existing code, so I would like the login page, which uses forms authentication, to be left in the application, and to connect with the STS only if the user enters the application via a specific page, e.g. "im_comming_from_some_other_site.aspx".
In "im_comming_from_some_other_site.aspx" the code would be like:
Page_Load(...)
{
    if (verifyAgainstSTS())
    {
        FormsAuthentication.SetAuthCookie(<some_STS_Userid>, ...);
        Response.Redirect("default.aspx");
    }
    else
    {
        Response.Redirect("http://<STS_server_name>/<STS_service...etc>");
    }
}
Is there someone who knows if this may be done and how? Any links to example code (if available) deeply appreciated.
(Of course some code would be needed when to determine what to do when the authentication is timed out; either go to local login page or goto STS-login page)
I know this may seem like a bad design, not going all the way with STS, but I need to implement this ASAP and I want to keep the original site as untouched as possible.
It is not a bad design, it's your requirement and you try to fulfill it. We have a working system built like that and it's not rocket science. The only difference is that we switch it to forms/SAM statically (via global settings), not dynamically.
Anyway, you keep your forms authentication in web.config so that when there's no authorization for current user, forms redirects the request to the login page.
In the login page you have two options. One creates the forms cookie somehow.
The other option involves WIF's FederatedPassiveSignIn control.
If a user follows forms authentication, the cookie is set and you are done.
If a user follows the STS login control, sooner or later he/she will come back with valid SAML token. The FederatedPassiveSignIn will pick it up automatically and you just handle the redirect in the SignedIn event.
You will not even need the "if" you mention in your question.
There's one caveat from what I remember. When a user is authenticated by STS, the WS-Federation cookie is created, you can read claims etc. Everything works.
However, if a user is authenticated by forms, the SAM (SessionAuthenticationModule) will REPLACE the forms cookie with the WS-Federation cookie in the ASP.NET pipeline upon EACH request (I guess it's because the SAM is later in the pipeline than the forms authentication module).
This will NOT blow up your context.User.IsInRole(...); authorization also works correctly, because SAM will copy user roles to the corresponding claims.
However, if at any place in your code you try to extract information directly from the forms cookie (instead of using general APIs), you could find out that the forms cookie is not present even if the user was authenticated by forms in first place (and the cookie is not present because it will be replaced by the WS-Federation cookie).

form authentication implement with two web.config or with two loginURL or two DefaultURL

I am working on an ASP.NET web application with C#.
I have implemented forms authentication, which works very well for the application.
Now, I have one more section, an admin folder, where the admin has pages to access.
My question is: when a normal user comes to my site, he accesses user/login.aspx, where I have done
FormsAuthentication.RedirectFromLoginPage(....)
It is working fine.
Now, when the admin section needs to be accessed, the admin will access
admin/login.aspx. There I simply redirect to an inner page in this section and have not done forms authentication.
I want to implement forms authentication if the admin is validated by the system, but there will be another page to which I need to redirect after login.
My question is: is there any way to have two different loginUrl or defaultUrl values that would work for my scenario?
Or any other way (maybe using two web.config files?)
There is not really a need for a separate admin/login.aspx.
You can use the same login page for regular users and admins. Just use roles to separate admins and regular users. And deny access to the admin pages for users that do not have the admin role and you are all set.
Update: use the LoggedIn event of the Login control if you want to redirect them to a different page.
if (Roles.IsUserInRole(User.Identity.Name, "Admin"))
{
    Response.Redirect(....);
}
