Will forms authentication work if my web appliation lives in a / on a web farm?

First off, you should be using ASP.Net 4, not 2 (or even 3.5).  The article you link to applies to ASP.Net 2.

Secondly, if you're running the application in a farm, the session information (including the login status of a visitor) should be available across all the servers.  In short, I wouldnt' expect you to have any problems using forms authentication.

ok. thanks. can you recommend a good "beginners" source for forms authentication in 3.5? I simply want to be able to force the authentication for certain pages. I'm having trouble doing that. Right now, any user, could potentially go to any of my pages and do what ever they wanted to. I'll give you full points come what may as you did answer my original question.

This is an excellent resource:  http://www.asp.net/search?q=forms%20authentication and I would start there.  It's also worth noting there are login controls built into Visual Studio you can use.  You can read up on them in the help file or on Microsoft's web site.

Do post back if you need help with anything specific.  I use VB rather than C#, but the code translates easily.

indeed it does and indeed i will,...thank you...i'll leave this open for now incase i need to post back...this way we don't have to "start over",...but as i stated i will award you full points come what may...

@paulmacd: I do have one question in regards to my "myLogin_Authenticate" routine that i'm currently having some trouble with. I'm including the code to help. The problem is that in my myLogin_Authenticate routine, after the user authenticates i attempt to manually redirect them to the page that the initially wanted to go to, but i never get the url to rewrite correctly...

I'm trying to pass that "role" variable along in the query string, which i attempt to assign to the query string parameter: "AccessLevel", so that when they go to other pages, based on that value, certain parts of the page are visible or invisible

things i've tried are:

Response.Redirect(redir + "?AccessLevel=" + role);
Response.Redirect(String.Format("{0}?AccessLevel={1}, redir, role);

and maybe a few other variations that i can't recall right now,...but in the end i wind up back at the login page, with a longer querystring in the URL than was originally there. What am I doin wrong here?

public string ReturnUrl
    {
        get
        {
            return ViewState["ReturnUrl"].ToString();
        }
    }


        if (Membership.ValidateUser(myLogin.UserName, myLogin.Password))
        {

            e.Authenticated = true;

            //I DO SOME PROCESSING TO GET THE ROLE OF THE USER HERE
            //AND PUT THAT VALUE IN A VARIABLE CALLED "role"
            
            role = SomeProcessingToGetRole();
            redir = Request.QueryString["ReturnUrl"];

            Response.Redirect(WHAT GOES HERE???);

        }
        else
        {
            // Username/password are not valid...
            e.Authenticated = false;
        }

Select all Open in new window

ok...so i think i just discovered that i don't have to do a Response.Redirect, but how do I add information to the URL string? In other words how do I add query string parameters and values so that when the page that it is being redirected to renders, i can access those query string parameters (values) to show / hide sections of my page?

For a page that requires authentication, I check to see if the user is logged in first.  If not, kI send them to the login page, passing the originally requested page in a session variable.  If/when they successfully authenticate, I "Response.Redirect" them to the page they asked for.

You can certainly pass the destination page as a query string.  You'd end up with something like:
...login.aspx?destination=somepage.aspx
If you go that route, make sure you URLEncode the destination before you spend it to the URL.

still workin on this...

@paulmacd: i'm having trouble with the Respons.Redirect. above you say put the page they requested in a session variable. i do that but when ever i try and response.redirect them using the session variable it never works and i get sent back to my login page. are there some code examples, within a login control / page that do this that i can follow?

Can you walk through the code in debug mode?  Are you sure the session variable has a value?  

Are you sure you're not being sent to the destination page, but then being bounced back to the login page?

let me try that...to see if that's what's happening...

so below is some of the code that i have in my code behind for my login.aspx page. i will say this, from tracing through the code, once it hits the redirect it doesn't go anywhere else, and doesn't go anywhere before it either. i've also include a couple relevant snippets from my web.config file too...

by the way, i'm testing by trying to go to the AddEditStudent.aspx page 1st. it then redirects me to the login page with this in the url:

http://localhost/Login.aspx?ReturnUrl=%2fAddEditStudent.aspx

then after i authenticate with the right credentials, it sends me back to the login page with this in the url:

http://localhost/Login.aspx?ReturnUrl=%2fAddEditStudent.aspx%3fAccessLevel%3dQUSuperMan&AccessLevel=QUSuperMan

so it's tacking information onto the URL and then sending me back to my login page. not sure what to do or how to fix this...help please.

login.aspx code behind
----------------------------------------------
public partial class Login : System.Web.UI.Page
{
    public string ReturnUrl
    {
        get
        {
            return ViewState["ReturnUrl"].ToString();
        }
    }
    .
    .
    .
    protected void myLogin_Authenticate(object sender, AuthenticateEventArgs e)
    {
        string role = "";
        string roles = "";
        string redir = "";
        // Get the email address entered
        //TextBox EmailTextBox = myLogin.FindControl("Email") as TextBox;
        //string email = EmailTextBox.Text.Trim();

        // Verify that the username/password pair is valid
        if (Membership.ValidateUser(myLogin.UserName, myLogin.Password))
        {
            e.Authenticated = true;
            redir = Request.QueryString["ReturnUrl"]; 
            .
            .
            .
            string[] usersBelongingToRole = Roles.GetRolesForUser(myLogin.UserName);

            foreach (String s in usersBelongingToRole)
            {
                roles = String.Format(roles.ToString() + "{0}", s);
            }

            if (roles.IndexOf("QUSuperMan") != -1)
                role = "QUSuperMan";
            else if (roles.IndexOf("QUCoach") != -1)
                role = "coach";
            else
                role = "student";
           
            Response.Redirect(redir + "?AccessLevel=" + role);

           else
           {
                // Username/password are not valid...
                e.Authenticated = false;
           }
      }

web.config
--------------------------------------------
.
.
.
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx"/>
    </authentication>
.
.
.
  <location path="AddEditStudent.aspx" allowOverride="true">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

Select all Open in new window

i think i may have made some progress...but now i have another question...how to i add querystring parameters to the original page, when it redirects? it's now redirecting correctly, but i want to add something to the url. i commented out my response.redirect line and that made it work, but i need to some how concatenate some querystring parameters into the URL. any ideas?

Sorry I haven't gotten back to you sooner.  Good job on sussing things out.

If I understand your question, something like:
Response.Redirect("page.aspx?qrystr1=" & strQueryString1 & "&qrystr2=" & strQueryString2)

yes, when ever I try to alter the redirect,..that's when I have problems and get redirected back to the login page. I believe, above, in my code snippet, there is an example of my attempt to manually redirect. so what am I doin wrong with my response redirect?

yes, when ever I try to alter the redirect,..that's when I have problems and get redirected back to the login page. I believe, above, in my code snippet, there is an example of my attempt to manually redirect. so what am I doin wrong with my response redirect?

well, before i commented out the current Response.Redirect line:

Response.Redirect(redir + "?AccessLevel=" + role);

it was this:

Response.Redirect("/Default.aspx?AccessLevel=" + role);

and that worked fine, though it would only always redirect me to the Defautl.aspx page with what ever the role was as the querystring parameter, so it logic of the if / else above, as far as i could / can tell did work correctly whether role was QUSuperMan or student. i can / will test, right now, by remove that branching logic,..just to be sure.

as for the value of "redir", i'm seeing: "/AddEditStudent.aspx" so i think it's getting a correct value.

so i removed the branching and just assigned the value "QUSuperMan" to the role variable and got un-commented the Response.Redirect(redir + "?AccessLevel=" + role); line and got the same results. it just sent me back to the login.aspx page with this:

http://localhost/Login.aspx?ReturnUrl=%2fAddEditStudent.aspx%3fAccessLevel%3dQUSuperMan&AccessLevel=QUSuperMan

in the url...???

as stated before, when i comment out the response.redirect line, it sends me to the correct page, but i with no session variables, and i'd really like to be able to get a session variable in there...

thank you for your contributions

I'm happy to have helped.  Did you get it working properly?

I did,...your help was instrumental. Also I had a cookies issue that I wasn't addressing. So between your help and what I found out about cookies I got my solution. Thanks again...