
I created a custom login/authentication page. When the user authenticates and is valid, my site calls `Response.Redirect("destinationpage.aspx");`

Because I'm not using Forms Authentication, I need another way to protect "destinationpage.aspx".

Is there a way to use urlRewrite in web.config to redirect users to "customlogin.aspx" to authenticate before being able to reach "destinationpage.aspx"?

terbubbs
  • If you look at [Best way to do authorization in webforms](http://stackoverflow.com/questions/28237869/best-way-to-do-authorization-in-webforms) it describes how to use the location and authorization configuration to prevent users from accessing a page that they aren't authorized to see. You should not rely on rewriting URLs to achieve this. – mason Feb 03 '15 at 21:22
  • That's a great resource, but I cannot authenticate through Forms Authentication, which is why I asked this question. Could I, after authenticating the user, create a custom role and add the user that was just authenticated into that custom role? Then I just set up a separate web.config and allow users from that custom role. – terbubbs Feb 03 '15 at 21:33
  • Authorization in ASP.NET isn't dependent on how you perform authentication, so Forms Authentication isn't necessary. Perhaps you should show us how you're performing custom authentication. – mason Feb 03 '15 at 21:35
  • I'm using `PrincipalContext.ValidateCredentials(user, pass);` and validating against AD. `if (isValid) Response.Redirect("destinationpage.aspx");` – terbubbs Feb 03 '15 at 21:37
  • And how does the user enter their credentials? Do they enter their username and password into a form on your site? – mason Feb 03 '15 at 21:38
  • Yes. I made a custom LoginForm.aspx where they enter credentials. – terbubbs Feb 03 '15 at 21:39
  • Then in this case we can avoid writing a custom membership provider. Have a look at [Forms Authentication and Active Directory](http://stackoverflow.com/questions/20572663), the question has a good example of using Active Directory with Forms Authentication (which is what you're doing, but he wired it up properly with `AspNetActiveDirectoryMembershipProvider`). Then for custom roles (instead of AD) look at [Custom Role Provider with ActiveDirectory Authentication](http://stackoverflow.com/questions/2307063). If roles aren't necessary, see my first comment for how to deny unauthenticated – mason Feb 03 '15 at 21:42
  • Thanks for the resources. It helped me come up with another way of doing this. – terbubbs Feb 06 '15 at 14:25

0 Answers
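The location and authorization configuration that the comments point to, written out as an added example that is not part of the original thread. It assumes the login page is `customlogin.aspx`, that it keeps validating against AD with `PrincipalContext.ValidateCredentials`, and that on success it issues a forms ticket with `FormsAuthentication.RedirectFromLoginPage` in place of the bare `Response.Redirect`; the cookie settings shown are illustrative choices.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Assumption: customlogin.aspx validates the credentials against AD
         and then calls FormsAuthentication.RedirectFromLoginPage(user, false).
         That call issues the authentication ticket. A plain Response.Redirect
         leaves the request anonymous, so the deny rule below would keep
         sending the user back to the login page. -->
    <authentication mode="Forms">
      <forms loginUrl="~/customlogin.aspx"
             defaultUrl="~/destinationpage.aspx"
             requireSSL="true"
             slidingExpiration="true"
             timeout="20" />
    </authentication>

    <!-- Site-wide default: pages are public unless a location block
         below says otherwise. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Protect the destination page: "?" means anonymous users.
       An unauthenticated request for this path is redirected to loginUrl
       with a ReturnUrl query string, with no URL rewriting involved. -->
  <location path="destinationpage.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Requesting `destinationpage.aspx` in a fresh browser session is a quick check: the response should be a redirect to `customlogin.aspx`, and the page should load only after a successful login.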