
Will forms authentication work if my web application lives in a / on a web farm?

if my web application will live in a "web farm" environment, is forms authentication the best way to go? or, should i simply force the user to authenticate on each page that i need them to? i ask this as i'm having trouble configuring / setting up my web application (ASP .NET 3.5 [C#]), that will live on a goDaddy server, so that for a certain sub set of pages, the user only has to authenticate once when they initially browse to one of the pages within that subset or when they logout of the site and try to come back. i came across this article:

http://msdn.microsoft.com/en-us/library/ff647070.aspx

which made me question whether or not it was even worth me continuing to research my problem.
0
Michael Sterling
Asked:
 
Paul MacDonaldDirector, Information SystemsCommented:
First off, you should be using ASP.Net 4, not 2 (or even 3.5).  The article you link to applies to ASP.Net 2.

Secondly, if you're running the application in a farm, the session information (including the login status of a visitor) should be available across all the servers.  In short, I wouldn't expect you to have any problems using forms authentication.
0
 
Michael SterlingWeb Applications DeveloperAuthor Commented:
ok. thanks. can you recommend a good "beginners" source for forms authentication in 3.5? I simply want to be able to force the authentication for certain pages. I'm having trouble doing that. Right now, any user, could potentially go to any of my pages and do what ever they wanted to. I'll give you full points come what may as you did answer my original question.
0
 
Paul MacDonaldDirector, Information SystemsCommented:
This is an excellent resource:  http://www.asp.net/search?q=forms%20authentication and I would start there.  It's also worth noting there are login controls built into Visual Studio you can use.  You can read up on them in the help file or on Microsoft's web site.

Do post back if you need help with anything specific.  I use VB rather than C#, but the code translates easily.
0
 
Michael SterlingWeb Applications DeveloperAuthor Commented:
indeed it does and indeed i will,...thank you...i'll leave this open for now in case i need to post back...this way we don't have to "start over",...but as i stated i will award you full points come what may...
0
 
Michael SterlingWeb Applications DeveloperAuthor Commented:
@paulmacd: I do have one question in regards to my "myLogin_Authenticate" routine that i'm currently having some trouble with. I'm including the code to help. The problem is that in my myLogin_Authenticate routine, after the user authenticates i attempt to manually redirect them to the page that they initially wanted to go to, but i never get the url to rewrite correctly...

I'm trying to pass that "role" variable along in the query string, which i attempt to assign to the query string parameter: "AccessLevel", so that when they go to other pages, based on that value, certain parts of the page are visible or invisible

things i've tried are:

Response.Redirect(redir + "?AccessLevel=" + role);
Response.Redirect(String.Format("{0}?AccessLevel={1}", redir, role));

and maybe a few other variations that i can't recall right now,...but in the end i wind up back at the login page, with a longer querystring in the URL than was originally there. What am I doin wrong here?
public string ReturnUrl
    {
        get
        {
            return ViewState["ReturnUrl"].ToString();
        }
    }


        if (Membership.ValidateUser(myLogin.UserName, myLogin.Password))
        {

            e.Authenticated = true;

            //I DO SOME PROCESSING TO GET THE ROLE OF THE USER HERE
            //AND PUT THAT VALUE IN A VARIABLE CALLED "role"
            
            role = SomeProcessingToGetRole();
            redir = Request.QueryString["ReturnUrl"];

            Response.Redirect(WHAT GOES HERE???);

        }
        else
        {
            // Username/password are not valid...
            e.Authenticated = false;
        }

0
 
Michael SterlingWeb Applications DeveloperAuthor Commented:
ok...so i think i just discovered that i don't have to do a Response.Redirect, but how do I add information to the URL string? In other words how do I add query string parameters and values so that when the page that it is being redirected to renders, i can access those query string parameters (values) to show / hide sections of my page?
0
 
Paul MacDonaldDirector, Information SystemsCommented:
For a page that requires authentication, I check to see if the user is logged in first.  If not, I send them to the login page, passing the originally requested page in a session variable.  If/when they successfully authenticate, I "Response.Redirect" them to the page they asked for.

You can certainly pass the destination page as a query string.  You'd end up with something like:
...login.aspx?destination=somepage.aspx
If you go that route, make sure you URLEncode the destination before you send it to the URL.
0
 
Michael SterlingWeb Applications DeveloperAuthor Commented:
still workin on this...
0
 
Michael SterlingWeb Applications DeveloperAuthor Commented:
@paulmacd: i'm having trouble with the Response.Redirect. above you say put the page they requested in a session variable. i do that but whenever i try and response.redirect them using the session variable it never works and i get sent back to my login page. are there some code examples, within a login control / page that do this that i can follow?
0
 
Paul MacDonaldDirector, Information SystemsCommented:
Can you walk through the code in debug mode?  Are you sure the session variable has a value?  

Are you sure you're not being sent to the destination page, but then being bounced back to the login page?
0
 
Michael SterlingWeb Applications DeveloperAuthor Commented:
let me try that...to see if that's what's happening...
0
 
Michael SterlingWeb Applications DeveloperAuthor Commented:
so below is some of the code that i have in my code behind for my login.aspx page. i will say this, from tracing through the code, once it hits the redirect it doesn't go anywhere else, and doesn't go anywhere before it either. i've also included a couple relevant snippets from my web.config file too...

by the way, i'm testing by trying to go to the AddEditStudent.aspx page 1st. it then redirects me to the login page with this in the url:

http://localhost/Login.aspx?ReturnUrl=%2fAddEditStudent.aspx

then after i authenticate with the right credentials, it sends me back to the login page with this in the url:

http://localhost/Login.aspx?ReturnUrl=%2fAddEditStudent.aspx%3fAccessLevel%3dQUSuperMan&AccessLevel=QUSuperMan

so it's tacking information onto the URL and then sending me back to my login page. not sure what to do or how to fix this...help please.
login.aspx code behind
----------------------------------------------
public partial class Login : System.Web.UI.Page
{
    public string ReturnUrl
    {
        get
        {
            return ViewState["ReturnUrl"].ToString();
        }
    }
    .
    .
    .
    protected void myLogin_Authenticate(object sender, AuthenticateEventArgs e)
    {
        string role = "";
        string roles = "";
        string redir = "";
        // Get the email address entered
        //TextBox EmailTextBox = myLogin.FindControl("Email") as TextBox;
        //string email = EmailTextBox.Text.Trim();

        // Verify that the username/password pair is valid
        if (Membership.ValidateUser(myLogin.UserName, myLogin.Password))
        {
            e.Authenticated = true;
            redir = Request.QueryString["ReturnUrl"]; 
            .
            .
            .
            string[] usersBelongingToRole = Roles.GetRolesForUser(myLogin.UserName);

            foreach (String s in usersBelongingToRole)
            {
                roles = String.Format(roles.ToString() + "{0}", s);
            }

            if (roles.IndexOf("QUSuperMan") != -1)
                role = "QUSuperMan";
            else if (roles.IndexOf("QUCoach") != -1)
                role = "coach";
            else
                role = "student";
           
            Response.Redirect(redir + "?AccessLevel=" + role);
        }
        else
        {
            // Username/password are not valid...
            e.Authenticated = false;
        }
    }
}

web.config
--------------------------------------------
.
.
.
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx"/>
    </authentication>
.
.
.
  <location path="AddEditStudent.aspx" allowOverride="true">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

0
 
Michael SterlingWeb Applications DeveloperAuthor Commented:
i think i may have made some progress...but now i have another question...how do i add querystring parameters to the original page, when it redirects? it's now redirecting correctly, but i want to add something to the url. i commented out my response.redirect line and that made it work, but i need to somehow concatenate some querystring parameters into the URL. any ideas?
0
 
Paul MacDonaldDirector, Information SystemsCommented:
Sorry I haven't gotten back to you sooner.  Good job on sussing things out.

If I understand your question, something like:
Response.Redirect("page.aspx?qrystr1=" & strQueryString1 & "&qrystr2=" & strQueryString2)

0
 
Michael SterlingWeb Applications DeveloperAuthor Commented:
yes, when ever I try to alter the redirect,..that's when I have problems and get redirected back to the login page. I believe, above, in my code snippet, there is an example of my attempt to manually redirect. so what am I doin wrong with my response redirect?
0
 
Paul MacDonaldDirector, Information SystemsCommented:
Are you sure that's the problem?  

When you step through the code, can you verify "ReturnUrl" has a value?  Is that value valid?  Can you post it?

You realize this code...
           if (roles.IndexOf("QUSuperMan") != -1)
                role = "QUSuperMan";
            else if (roles.IndexOf("QUCoach") != -1)
                role = "coach";
            else
                role = "student";
           
            Response.Redirect(redir + "?AccessLevel=" + role);

...will only redirect you if your role is "student", right?
0
 
Michael SterlingWeb Applications DeveloperAuthor Commented:
well, before i commented out the current Response.Redirect line:

Response.Redirect(redir + "?AccessLevel=" + role);

it was this:

Response.Redirect("/Default.aspx?AccessLevel=" + role);

and that worked fine, though it would only always redirect me to the Default.aspx page with whatever the role was as the querystring parameter, so the logic of the if / else above, as far as i could / can tell did work correctly whether role was QUSuperMan or student. i can / will test, right now, by removing that branching logic,..just to be sure.

as for the value of "redir", i'm seeing: "/AddEditStudent.aspx" so i think it's getting a correct value.
0
 
Michael SterlingWeb Applications DeveloperAuthor Commented:
so i removed the branching and just assigned the value "QUSuperMan" to the role variable and un-commented the Response.Redirect(redir + "?AccessLevel=" + role); line and got the same results. it just sent me back to the login.aspx page with this:

http://localhost/Login.aspx?ReturnUrl=%2fAddEditStudent.aspx%3fAccessLevel%3dQUSuperMan&AccessLevel=QUSuperMan

in the url...???
0
 
Michael SterlingWeb Applications DeveloperAuthor Commented:
as stated before, when i comment out the response.redirect line, it sends me to the correct page, but with no session variables, and i'd really like to be able to get a session variable in there...
0
 
Michael SterlingWeb Applications DeveloperAuthor Commented:
thank you for your contributions
0
 
Paul MacDonaldDirector, Information SystemsCommented:
I'm happy to have helped.  Did you get it working properly?
0
 
Michael SterlingWeb Applications DeveloperAuthor Commented:
I did,...your help was instrumental. Also I had a cookies issue that I wasn't addressing. So between your help and what I found out about cookies I got my solution. Thanks again...
0
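
An added example, not code from either poster in this thread: the Login control writes the forms-authentication cookie only after the Authenticate handler returns, so a Response.Redirect inside that handler reaches the protected page without a ticket and is bounced back to Login.aspx with the longer ReturnUrl seen above. The sketch redirects from the LoggedIn event instead, accepts only a site-relative ReturnUrl, and reads the role from the role provider on the target page rather than from a client-editable AccessLevel query-string value. It assumes the control is declared with OnAuthenticate="myLogin_Authenticate" OnLoggedIn="myLogin_LoggedIn" and that the role manager is enabled; adminPanel and coachPanel are hypothetical Panel controls.

```csharp
using System;
using System.Web.Security;
using System.Web.UI.WebControls;

// Login.aspx code-behind (myLogin is the asp:Login control from the thread).
public partial class Login : System.Web.UI.Page
{
    // Authenticate only decides whether the credentials are valid.
    // No redirect here: the control issues the auth cookie after this returns.
    protected void myLogin_Authenticate(object sender, AuthenticateEventArgs e)
    {
        e.Authenticated = Membership.ValidateUser(myLogin.UserName, myLogin.Password);
    }

    // LoggedIn runs after the auth cookie has been added to the response,
    // so the redirect below carries the cookie with it.
    protected void myLogin_LoggedIn(object sender, EventArgs e)
    {
        string target = Request.QueryString["ReturnUrl"];
        if (!IsLocalPath(target))
            target = FormsAuthentication.DefaultUrl; // defaultUrl from web.config
        Response.Redirect(target);
    }

    // Accept only site-relative paths such as "/AddEditStudent.aspx";
    // reject absolute URLs and "//host" or "/\host" forms.
    private static bool IsLocalPath(string url)
    {
        if (string.IsNullOrEmpty(url) || url[0] != '/') return false;
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;
        return true;
    }
}

// Code-behind of a protected page (AddEditStudent.aspx in the thread).
public partial class AddEditStudent : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Role membership is looked up server-side for the authenticated user.
        // adminPanel and coachPanel are hypothetical controls on this page.
        bool isAdmin = User.IsInRole("QUSuperMan");
        adminPanel.Visible = isAdmin;
        coachPanel.Visible = isAdmin || User.IsInRole("QUCoach");
    }
}
```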
