Membership Security 403 - how to direct to Custom page instead of Login page

jobs

Hello.

If my users are logged in, and try to access restricted pages I want
to direct them to a custom 403 page. If they are not logged in, I
would like to continue to direct them to the login page as is
currently happening.

Currently, they always direct to the Login page in both cases, which I
think is confusing.

I have this in the web.config of the directory and the project
web.config:

<customErrors defaultRedirect="~/ErrorPage.htm">
<error statusCode="403" redirect="~/NoAccess.htm"/>
<error statusCode="404" redirect="~/FileNotFound.htm"/>
</customErrors>

Thanks for any help or information!
 
Bjorn Sagbakken

jobs said:
Hello.

If my users are logged in, and try to access restricted pages I want
to direct them to a custom 403 page. If they are not logged in, I
would like to continue to direct them to the login page as is
currently happening.

Currently, they always direct to the Login page in both cases, which I
think is confusing.

I have this in the web.config of the directory and the project
web.config:

<customErrors defaultRedirect="~/ErrorPage.htm">
<error statusCode="403" redirect="~/NoAccess.htm"/>
<error statusCode="404" redirect="~/FileNotFound.htm"/>
</customErrors>

Thanks for any help or information!

As Peter said, there are many ways.

In my application, I keep the username from the login-form in a session var.
Next, on any form load, I check the username for access rights. If not
granted, the user is redirected to the login form.
This gives me even more options: On some forms I can give read-only rights to
certain users, while other users can update the database. In my case I have
a user login table on a SQL server with more than granted access/not granted
access; I have about 10 properties for each user so I can set a lot of
individual settings in each form. It is very flexible and very functional.

Bjorn
 
jobs

Thanks for responses.

regarding:
In my application, I keep the username from the login-form in a session var.
Next, on any form load, I check the username for access rights. If not
granted, the user is redirected to the login form.

I believe this is the default behavior of membership security. (that
much is working fine for me with no code)

regarding:
if (!User.IsInRole("whateverspecialRole"))
    Response.Redirect("yourcustompage.aspx");

I think it is somewhat lacking (in .NET) that you have to code
security conditions. I have some 8 roles.

Also, I think I would need to check if even a valid user to redirect to
Login Page as that condition would also be true for anonymous users.

I wonder ... what if I (somehow) test to see if already a valid user
in the Login page and redirect to NoAccess from there? and if a
user, just direct to default page. Not sure if this is possible.
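
The check proposed in the last post, sketched as an added example (not code from the thread). With forms authentication, a URL-authorization denial is turned into a redirect to the login page with a ReturnUrl query string, for anonymous and signed-in users alike, so the customErrors 403 entry is never reached. Assumptions: the code-behind class is named Login, the default ReturnUrl parameter is in use, and ~/NoAccess.htm is the page from the original web.config.

```csharp
// Login.aspx.cs - code-behind for the forms-authentication login page.
// Added example; the class name "Login" is an assumption.
using System;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Only decide on the initial GET, not when the login form posts back.
        if (IsPostBack)
            return;

        // Anonymous visitors fall through and see the normal login form.
        if (!Request.IsAuthenticated)
            return;

        // Forms authentication adds ReturnUrl when it bounces a request here.
        string returnUrl = Request.QueryString["ReturnUrl"];

        if (!string.IsNullOrEmpty(returnUrl))
        {
            // Signed in and still sent to the login page: the role check on
            // the requested page failed. Send a fixed, local page and never
            // redirect to the ReturnUrl value itself.
            Response.Redirect("~/NoAccess.htm");
        }
        else
        {
            // Signed in and browsing to the login page directly:
            // go to the application's default page.
            Response.Redirect(FormsAuthentication.DefaultUrl);
        }
    }
}
```

Because this is a redirect, NoAccess.htm is served with status 200; returning a real 403 would need a server-side page that sets Response.StatusCode itself.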
 
