W
WhiskeyRomeo
Please ignore my previous post as I am way past that now.
Below is the code I am using in the login page. Below that are settings
within Web.config file. The procedure responsible for checking the password
just sets a session variable call "WebRoles" and returns True. In this case
I am setting a role that should be denied access to the requested page
eventhough the user is authenticated. But the code below always results in a
redirection to the protected page. In this website there is only one page in
the root directory (Login.aspx) and there is a Public subfolder which has two
pages RegUpdate.aspx and Appt.aspx.
For authenticated users the redirection happens just fine. But, somehow, I
thought the following line would fail for denied roles:
'Redirect the request
FormsAuthentication.RedirectFromLoginPage(Trim(sUserName), False)
What I am missing?
********************CODE************
Partial Class Login
Inherits System.Web.UI.Page
Protected Sub Page_Load(ByVal sender As Object, ByVal e As
System.EventArgs) Handles Me.Load
End Sub
Private Function CheckPassWord(ByVal sUser As String, ByVal sPassword As
String) As Boolean
Session("WebRoles") = "Photog" 'THIS ROLE IS NOT ALLOWED ACCESSED TO
THE PUBLIC FOLDER PER WEB.CONFIG FILE.
Return True
End Function
Protected Sub btnLogIn_Click(ByVal sender As Object, ByVal e As
System.EventArgs) Handles btnLogIn.Click
Try
If Not (Session("UserName")) Is Nothing Then
FormsAuthentication.SignOut()
End If
Select Case CheckPassWord(Trim(tbUserName.Text),
Trim(tbPassWord.Text))
Case True
Call RedirectUser(Trim(tbUserName.Text))
Case False
lblmsg.Text = "UserName or Password not found. Please
try again." + vbCrLf + lblmsg.Text
ViewState("tries") = ViewState("tries") + 1
If ViewState("tries") > 3 Then
Response.Redirect("Denied.aspx")
End If
End Select
Catch ex As Exception
End Try
End Sub
Private Sub RedirectUser(ByVal sUserName As String)
'create authentication ticket
Dim authTicket As New FormsAuthenticationTicket(1, sUserName,
DateTime.Now, DateTime.Now.AddMinutes(20), False, Session("WebRoles"))
'Create encrypted string representation of ticket
Dim sEncryptedTicket As String = ""
Try
sEncryptedTicket = FormsAuthentication.Encrypt(authTicket)
Catch ex As Exception
Session("StringEncrptFailed") = ex.Message
End Try
'Store it within a HttpCookie Object
Dim authCookie As New
HttpCookie(FormsAuthentication.FormsCookieName, sEncryptedTicket)
authCookie.Path = FormsAuthentication.FormsCookiePath
Dim strCookiePath As String = authCookie.Path
'Add it the cookie to the outgoing cookie collection
Try
Response.Cookies.Add(authCookie)
Catch ex As Exception
Session("CookieAddFailed") = ex.Message
End Try
'Redirect the request
FormsAuthentication.RedirectFromLoginPage(Trim(sUserName), False)
End Sub
End Class
*************WEB.CONFIG FILE*******
<?xml version="1.0"?>
..
..
..
<system.web>
..
..
..
<roleManager enabled ="true" />
<authentication mode="Forms">
<forms name="Appointment" loginUrl="Login.aspx" slidingExpiration="true"
protection="All" timeout="20" path="/">
<credentials passwordFormat="Clear"></credentials>
</forms>
</authentication>
<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate"/>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<location path="Public">
<system.web>
<authorization>
<!-- Order and case are important below -->
<allow roles="Public"/>
<deny roles="Photog"/>
<deny users="?"/>
</authorization>
</system.web>
</location>
..
..
..
Below is the code I am using in the login page. Below that are settings
within Web.config file. The procedure responsible for checking the password
just sets a session variable call "WebRoles" and returns True. In this case
I am setting a role that should be denied access to the requested page
eventhough the user is authenticated. But the code below always results in a
redirection to the protected page. In this website there is only one page in
the root directory (Login.aspx) and there is a Public subfolder which has two
pages RegUpdate.aspx and Appt.aspx.
For authenticated users the redirection happens just fine. But, somehow, I
thought the following line would fail for denied roles:
'Redirect the request
FormsAuthentication.RedirectFromLoginPage(Trim(sUserName), False)
What I am missing?
********************CODE************
Partial Class Login
Inherits System.Web.UI.Page
Protected Sub Page_Load(ByVal sender As Object, ByVal e As
System.EventArgs) Handles Me.Load
End Sub
Private Function CheckPassWord(ByVal sUser As String, ByVal sPassword As
String) As Boolean
Session("WebRoles") = "Photog" 'THIS ROLE IS NOT ALLOWED ACCESSED TO
THE PUBLIC FOLDER PER WEB.CONFIG FILE.
Return True
End Function
Protected Sub btnLogIn_Click(ByVal sender As Object, ByVal e As
System.EventArgs) Handles btnLogIn.Click
Try
If Not (Session("UserName")) Is Nothing Then
FormsAuthentication.SignOut()
End If
Select Case CheckPassWord(Trim(tbUserName.Text),
Trim(tbPassWord.Text))
Case True
Call RedirectUser(Trim(tbUserName.Text))
Case False
lblmsg.Text = "UserName or Password not found. Please
try again." + vbCrLf + lblmsg.Text
ViewState("tries") = ViewState("tries") + 1
If ViewState("tries") > 3 Then
Response.Redirect("Denied.aspx")
End If
End Select
Catch ex As Exception
End Try
End Sub
Private Sub RedirectUser(ByVal sUserName As String)
'create authentication ticket
Dim authTicket As New FormsAuthenticationTicket(1, sUserName,
DateTime.Now, DateTime.Now.AddMinutes(20), False, Session("WebRoles"))
'Create encrypted string representation of ticket
Dim sEncryptedTicket As String = ""
Try
sEncryptedTicket = FormsAuthentication.Encrypt(authTicket)
Catch ex As Exception
Session("StringEncrptFailed") = ex.Message
End Try
'Store it within a HttpCookie Object
Dim authCookie As New
HttpCookie(FormsAuthentication.FormsCookieName, sEncryptedTicket)
authCookie.Path = FormsAuthentication.FormsCookiePath
Dim strCookiePath As String = authCookie.Path
'Add it the cookie to the outgoing cookie collection
Try
Response.Cookies.Add(authCookie)
Catch ex As Exception
Session("CookieAddFailed") = ex.Message
End Try
'Redirect the request
FormsAuthentication.RedirectFromLoginPage(Trim(sUserName), False)
End Sub
End Class
*************WEB.CONFIG FILE*******
<?xml version="1.0"?>
..
..
..
<system.web>
..
..
..
<roleManager enabled ="true" />
<authentication mode="Forms">
<forms name="Appointment" loginUrl="Login.aspx" slidingExpiration="true"
protection="All" timeout="20" path="/">
<credentials passwordFormat="Clear"></credentials>
</forms>
</authentication>
<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate"/>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<location path="Public">
<system.web>
<authorization>
<!-- Order and case are important below -->
<allow roles="Public"/>
<deny roles="Photog"/>
<deny users="?"/>
</authorization>
</system.web>
</location>
..
..
..