Solved

How to secure the logged-in web pages from direct url access in ASP.NET

Posted on 2008-10-30
7
347 Views
Last Modified: 2013-12-17
I AM DEVELOPING A WEBSITE.
THERE is a default page. default.aspx from which user logs in by forms authentication
 (NOT using built in Login controls of ASP.NET 2.0
Inner pages are  say userprofile.aspx, changepassword .aspx.

I  want when a user types www.mydomian.aspx/ userprofile.aspx    or    www.mydomian.aspx/ changepassword .aspx they should be redirected to login page i.e. www.mydomian.aspx/ default.aspx    for obvious security reasons.

Please tell me a well secured way to do this
Thanks
0
Comment
Question by:dhiraj79
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 53

Expert Comment

by:Dhaest
ID: 22840747
protected void Page_Load(object sender, EventArgs e)
 {
        if (Session["Member_Id"] != null)
        {
            if (!Page.IsPostBack)
            {
            }
        }
        else
        {
            Response.Redirect("Register.aspx");
        }
 }
0
 
LVL 53

Accepted Solution

by:
Dhaest earned 200 total points
ID: 22840750
If you are using forms authentication, you should use the below code in web.config file.

 <authorization>
<deny users="?"/>

<allow users="*"/>
</authorization>

Which will deny the anonymous users to enter and all all other users (authenticated).

In this case, automatically the request will be transfered to the login page you specified in the <forms> tag

0
 

Author Comment

by:dhiraj79
ID: 22842228
Thanks Dhaest for reply.
I have still a problem after applying your solution.

I have to set of pages:
Pages which should not need authentication :
home.aspx, register.aspx and forgotpassword.aspx.
Pages which need authentication :
usertype1Home.aspx,usertype2Home.aspx, etc

by applying the above code register.aspx and forgotpassword.aspx are also not accessible wtihout authentication whose link are from home.aspx.
This should not happen.

Th C# code I am using for redirecting to usertype1Home.aspx,usertype2Home.aspx, etc
is(After checking credentials in database)
FormsAuthentication.RedirectFromLoginPage(username,false);
Response.redirect("usertype1Home.aspx);

Web.config code:
<Authentication mode "forms">
<forms  login url = "Home.aspx">
</Authentication >
<Authorization>
<deny users="?"/>

<allow users="*"/>

</Authorization>


The only problem is I want forgotpassword and Register pages to be accessible form home page without authentication.
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 

Expert Comment

by:grogo21
ID: 22842352
I usually place the pages that require authentication in a separate directory.  I then place another web.cofig file in that directory with the following:

<configuration>
      <system.web>
                 <authorization>
                          <deny users="?" />
                  </authorization>
       </system.web>
</configuration>

This will require authentication for only the page contained in the directory.
0
 

Assisted Solution

by:grogo21
grogo21 earned 200 total points
ID: 22842388
Or, define each page which requires authentication in the web.config like so:

    <location path="MyPage.aspx">
        <system.web>
            <authorization>
                <deny users="?"/>
            </authorization>
        </system.web>
    </location>
    <location path="AnotherPage.aspx">
        <system.web>
            <authorization>
                <deny users="?"/>
            </authorization>
        </system.web>
    </location>
0
 
LVL 22

Assisted Solution

by:prairiedog
prairiedog earned 100 total points
ID: 22842434
Alternative way is to add <location> element in your current web.config like the attached code snippet.

<location path="home.aspx">

	<system.web>

		<authorization>

			<allow users="?" />

		</authorization>

	

	</system.web>

  </location>
 

<location path="register.aspx">

	<system.web>

		<authorization>

			<allow users="?" />

		</authorization>

	

	</system.web>

  </location>

Open in new window

0
 
LVL 22

Expert Comment

by:prairiedog
ID: 22842440
Bump, ignore my last post.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

In my previous article (http://www.experts-exchange.com/Programming/Languages/.NET/.NET_Framework_3.x/A_4362-Serialization-in-NET-1.html) we saw the basics of serialization and how types/objects can be serialized to Binary format. In this blog we wi…
A long time ago (May 2011), I have written an article showing you how to create a DLL using Visual Studio 2005 to be hosted in SQL Server 2005. That was valid at that time and it is still valid if you are still using these versions. You can still re…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now