Avatar of Michael Sterling
Michael Sterling
Flag for United States of America asked on

Will forms authentication work if my web appliation lives in a / on a web farm?

if my web application will live in a "web farm" environment, is forms authentication the best way to go? or, should i simply force the user to authenticate on each page that i need them to? i ask this as i'm having trouble configuring / setting up my web application (ASP .NET 3.5 [C#]), that will live on a goDaddy server, so that for a certain sub set of pages, the user only has to authenticate once when they initially browse to one of the pages within that subset or when they logout of the site and try to come back. i came across this article:

http://msdn.microsoft.com/en-us/library/ff647070.aspx

which made me question whether or not it was even worth me continuing to research my problem.
ASPC#ASP.NET

Avatar of undefined
Last Comment
Michael Sterling

8/22/2022 - Mon
Paul MacDonald

First off, you should be using ASP.Net 4, not 2 (or even 3.5).  The article you link to applies to ASP.Net 2.

Secondly, if you're running the application in a farm, the session information (including the login status of a visitor) should be available across all the servers.  In short, I wouldnt' expect you to have any problems using forms authentication.
Michael Sterling

ASKER
ok. thanks. can you recommend a good "beginners" source for forms authentication in 3.5? I simply want to be able to force the authentication for certain pages. I'm having trouble doing that. Right now, any user, could potentially go to any of my pages and do what ever they wanted to. I'll give you full points come what may as you did answer my original question.
Paul MacDonald

This is an excellent resource:  http://www.asp.net/search?q=forms%20authentication and I would start there.  It's also worth noting there are login controls built into Visual Studio you can use.  You can read up on them in the help file or on Microsoft's web site.

Do post back if you need help with anything specific.  I use VB rather than C#, but the code translates easily.
Your help has saved me hundreds of hours of internet surfing.
fblack61
Michael Sterling

ASKER
indeed it does and indeed i will,...thank you...i'll leave this open for now incase i need to post back...this way we don't have to "start over",...but as i stated i will award you full points come what may...
Michael Sterling

ASKER
@paulmacd: I do have one question in regards to my "myLogin_Authenticate" routine that i'm currently having some trouble with. I'm including the code to help. The problem is that in my myLogin_Authenticate routine, after the user authenticates i attempt to manually redirect them to the page that the initially wanted to go to, but i never get the url to rewrite correctly...

I'm trying to pass that "role" variable along in the query string, which i attempt to assign to the query string parameter: "AccessLevel", so that when they go to other pages, based on that value, certain parts of the page are visible or invisible

things i've tried are:

Response.Redirect(redir + "?AccessLevel=" + role);
Response.Redirect(String.Format("{0}?AccessLevel={1}, redir, role);

and maybe a few other variations that i can't recall right now,...but in the end i wind up back at the login page, with a longer querystring in the URL than was originally there. What am I doin wrong here?
public string ReturnUrl
    {
        get
        {
            return ViewState["ReturnUrl"].ToString();
        }
    }


        if (Membership.ValidateUser(myLogin.UserName, myLogin.Password))
        {

            e.Authenticated = true;

            //I DO SOME PROCESSING TO GET THE ROLE OF THE USER HERE
            //AND PUT THAT VALUE IN A VARIABLE CALLED "role"
            
            role = SomeProcessingToGetRole();
            redir = Request.QueryString["ReturnUrl"];

            Response.Redirect(WHAT GOES HERE???);

        }
        else
        {
            // Username/password are not valid...
            e.Authenticated = false;
        }

Open in new window

Michael Sterling

ASKER
ok...so i think i just discovered that i don't have to do a Response.Redirect, but how do I add information to the URL string? In other words how do I add query string parameters and values so that when the page that it is being redirected to renders, i can access those query string parameters (values) to show / hide sections of my page?
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
Paul MacDonald

For a page that requires authentication, I check to see if the user is logged in first.  If not, kI send them to the login page, passing the originally requested page in a session variable.  If/when they successfully authenticate, I "Response.Redirect" them to the page they asked for.

You can certainly pass the destination page as a query string.  You'd end up with something like:
...login.aspx?destination=somepage.aspx
If you go that route, make sure you URLEncode the destination before you spend it to the URL.
Michael Sterling

ASKER
still workin on this...
Michael Sterling

ASKER
@paulmacd: i'm having trouble with the Respons.Redirect. above you say put the page they requested in a session variable. i do that but when ever i try and response.redirect them using the session variable it never works and i get sent back to my login page. are there some code examples, within a login control / page that do this that i can follow?
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
Paul MacDonald

Can you walk through the code in debug mode?  Are you sure the session variable has a value?  

Are you sure you're not being sent to the destination page, but then being bounced back to the login page?
Michael Sterling

ASKER
let me try that...to see if that's what's happening...
Michael Sterling

ASKER
so below is some of the code that i have in my code behind for my login.aspx page. i will say this, from tracing through the code, once it hits the redirect it doesn't go anywhere else, and doesn't go anywhere before it either. i've also include a couple relevant snippets from my web.config file too...

by the way, i'm testing by trying to go to the AddEditStudent.aspx page 1st. it then redirects me to the login page with this in the url:

http://localhost/Login.aspx?ReturnUrl=%2fAddEditStudent.aspx

then after i authenticate with the right credentials, it sends me back to the login page with this in the url:

http://localhost/Login.aspx?ReturnUrl=%2fAddEditStudent.aspx%3fAccessLevel%3dQUSuperMan&AccessLevel=QUSuperMan

so it's tacking information onto the URL and then sending me back to my login page. not sure what to do or how to fix this...help please.
login.aspx code behind
----------------------------------------------
public partial class Login : System.Web.UI.Page
{
    public string ReturnUrl
    {
        get
        {
            return ViewState["ReturnUrl"].ToString();
        }
    }
    .
    .
    .
    protected void myLogin_Authenticate(object sender, AuthenticateEventArgs e)
    {
        string role = "";
        string roles = "";
        string redir = "";
        // Get the email address entered
        //TextBox EmailTextBox = myLogin.FindControl("Email") as TextBox;
        //string email = EmailTextBox.Text.Trim();

        // Verify that the username/password pair is valid
        if (Membership.ValidateUser(myLogin.UserName, myLogin.Password))
        {
            e.Authenticated = true;
            redir = Request.QueryString["ReturnUrl"]; 
            .
            .
            .
            string[] usersBelongingToRole = Roles.GetRolesForUser(myLogin.UserName);

            foreach (String s in usersBelongingToRole)
            {
                roles = String.Format(roles.ToString() + "{0}", s);
            }

            if (roles.IndexOf("QUSuperMan") != -1)
                role = "QUSuperMan";
            else if (roles.IndexOf("QUCoach") != -1)
                role = "coach";
            else
                role = "student";
           
            Response.Redirect(redir + "?AccessLevel=" + role);

           else
           {
                // Username/password are not valid...
                e.Authenticated = false;
           }
      }

web.config
--------------------------------------------
.
.
.
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx"/>
    </authentication>
.
.
.
  <location path="AddEditStudent.aspx" allowOverride="true">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

Open in new window

⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
Michael Sterling

ASKER
i think i may have made some progress...but now i have another question...how to i add querystring parameters to the original page, when it redirects? it's now redirecting correctly, but i want to add something to the url. i commented out my response.redirect line and that made it work, but i need to some how concatenate some querystring parameters into the URL. any ideas?
Paul MacDonald

Sorry I haven't gotten back to you sooner.  Good job on sussing things out.

If I understand your question, something like:
Response.Redirect("page.aspx?qrystr1=" & strQueryString1 & "&qrystr2=" & strQueryString2)

Michael Sterling

ASKER
yes, when ever I try to alter the redirect,..that's when I have problems and get redirected back to the login page. I believe, above, in my code snippet, there is an example of my attempt to manually redirect. so what am I doin wrong with my response redirect?
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
Michael Sterling

ASKER
yes, when ever I try to alter the redirect,..that's when I have problems and get redirected back to the login page. I believe, above, in my code snippet, there is an example of my attempt to manually redirect. so what am I doin wrong with my response redirect?
ASKER CERTIFIED SOLUTION
Paul MacDonald

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
Michael Sterling

ASKER
well, before i commented out the current Response.Redirect line:

Response.Redirect(redir + "?AccessLevel=" + role);

it was this:

Response.Redirect("/Default.aspx?AccessLevel=" + role);

and that worked fine, though it would only always redirect me to the Defautl.aspx page with what ever the role was as the querystring parameter, so it logic of the if / else above, as far as i could / can tell did work correctly whether role was QUSuperMan or student. i can / will test, right now, by remove that branching logic,..just to be sure.

as for the value of "redir", i'm seeing: "/AddEditStudent.aspx" so i think it's getting a correct value.
Michael Sterling

ASKER
so i removed the branching and just assigned the value "QUSuperMan" to the role variable and got un-commented the Response.Redirect(redir + "?AccessLevel=" + role); line and got the same results. it just sent me back to the login.aspx page with this:

http://localhost/Login.aspx?ReturnUrl=%2fAddEditStudent.aspx%3fAccessLevel%3dQUSuperMan&AccessLevel=QUSuperMan

in the url...???
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
Michael Sterling

ASKER
as stated before, when i comment out the response.redirect line, it sends me to the correct page, but i with no session variables, and i'd really like to be able to get a session variable in there...
Michael Sterling

ASKER
thank you for your contributions
Paul MacDonald

I'm happy to have helped.  Did you get it working properly?
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
Michael Sterling

ASKER
I did,...your help was instrumental. Also I had a cookies issue that I wasn't addressing. So between your help and what I found out about cookies I got my solution. Thanks again...