3

I am using the code below to control access to a page based upon user authentication:

if (user.FirstOrDefault() == HashedPassword)
{
    string roles = "Member";

    // Create the authentication ticket
    FormsAuthenticationTicket authTicket = new
        FormsAuthenticationTicket(1,                          // version
                                  loginName.Text,             // user name
                                  DateTime.Now,               // creation
                                  DateTime.Now.AddMinutes(60),// expiration
                                  false,                      // persistent
                                  roles);                     // user data

    // Now encrypt the ticket.
    string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
    // Create a cookie and add the encrypted ticket to the
    // cookie as data.
    HttpCookie authCookie =
                new HttpCookie(FormsAuthentication.FormsCookieName,
                               encryptedTicket);
    // Keep the ticket out of reach of page script. FormsAuthentication.SetAuthCookie
    // sets this for you; a hand-built HttpCookie defaults to HttpOnly = false.
    authCookie.HttpOnly = true;
    // Add the cookie to the outgoing cookies collection.
    Response.Cookies.Add(authCookie);

    Response.Redirect("/Members/ClientAccount.aspx");
}
else
{
    Response.Redirect("signin.aspx");
}

The user is redirected to ClientAccount.aspx if the login details are correct, but I want that to happen only if his/her role is set as Admin, as shown in the web.config file below.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <location path="members.aspx">
        <system.web>
            <authorization>
                <allow roles="Member" />
                <allow roles="Admin" />
                <deny users="?" />
            </authorization>
        </system.web>
    </location>
    <location path="ClientAccount.aspx">
        <system.web>
            <authorization>                    
                <allow roles="Admin" />
                <deny roles="Member"/>
                <deny users="?" />
            </authorization>
        </system.web>
    </location>
</configuration>

How do I make this happen ?

I guess the web.config file is not looking at the cookie to do the authorization, so I am doing something wrong there.

forsvarir
Mervin
  • Is it me or are you not checking to see if the user has the Admin role? Do a check and then just redirect depending on the role. – Gage Jul 28 '11 at 13:33

2 Answers

2

Double-check your location path relative to the web.config; my guess is that is the problem.

<!-- path is relative to the web.config that contains it; ASP.NET rejects a path that starts with "/" -->
<location path="Members/ClientAccount.aspx">
    ...
</location>

Of course you'll need to do something else instead of this line; you were just doing this for testing, I'd assume?

 Response.Redirect("/Members/ClientAccount.aspx");    

i.e. redirecting them to a page you know they're not allowed to hit. I figure you're going to beef that part up once you're sure it's not allowing members to access that page.

You should make sure your web.config has the following tag:

<authentication mode="Forms" />

You need to configure it right; there are lots of options:

<authentication mode="Forms">
    <forms loginUrl="Login.aspx"
           protection="All"
           timeout="30"
           name=".ASPXAUTH" 
           path="/"
           requireSSL="false"
           slidingExpiration="true"
           defaultUrl="default.aspx"
           cookieless="UseDeviceProfile"
           enableCrossAppRedirects="false" />
</authentication>

http://msdn.microsoft.com/en-us/library/ff647070.aspx

mikey
  • I am sorry, that's not the case. I checked that as well, and I always end up going to that page even though the access permissions are set otherwise – Mervin May 25 '11 at 21:12
  • Checked what? Update your config snippet above to reflect how it really is set: if your web.config is located at / and the page you're trying to protect is located at /Members/ClientAccount.aspx, then your rule for ClientAccount.aspx is actually for /ClientAccount.aspx, which doesn't exist. – mikey May 25 '11 at 23:14
  • Does your web.config have this tag? Check this link for all the options you can put in the "authentication" tag. http://msdn.microsoft.com/en-us/library/ff647070.aspx – mikey May 25 '11 at 23:15
  • This also looks very close to what you're trying to do: http://www.codeproject.com/KB/web-security/formsroleauth.aspx – mikey May 25 '11 at 23:26
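Fixing the location path only gets the rule evaluated; it still will not fire the way the question expects, because `<allow roles="Admin"/>` is checked by UrlAuthorizationModule through `Context.User.IsInRole(...)`, and the principal that FormsAuthenticationModule builds from the cookie carries a FormsIdentity with no roles at all. The `roles` string placed in the ticket's UserData is opaque to ASP.NET until something reads it back. The Global.asax handler below does that; it is an added example, not code from mikey's answer or from the question, and it assumes `<roleManager>` is not enabled (if it were, RoleManagerModule would overwrite `Context.User` in PostAuthenticateRequest and the roles should come from a role provider instead). The class name `Global` and the convention that UserData is a comma-separated role list are assumptions.

```csharp
// Global.asax.cs (added example; assumes <roleManager> is disabled)
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Runs on every request. FormsAuthenticationModule has already validated the
    // forms cookie (MAC and expiry, given protection="All") and set Context.User
    // to a principal with a FormsIdentity but no roles. UrlAuthorizationModule
    // later asks that principal IsInRole("Admin") for <allow roles="Admin"/>,
    // so the roles have to be attached here or the rule can never match.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User != null ? Context.User.Identity as FormsIdentity : null;
        if (identity == null || !identity.IsAuthenticated)
        {
            return; // anonymous request, or a cookie the module already rejected
        }

        FormsAuthenticationTicket ticket = identity.Ticket;
        if (ticket.Expired)
        {
            return; // the module normally strips expired tickets; do not trust one that slipped through
        }

        // UserData is whatever the login handler wrote ("Member" in the question).
        // The comma-separated format is a contract between the login page and this
        // method only; ASP.NET itself never interprets it.
        string[] roles = ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        for (int i = 0; i < roles.Length; i++)
        {
            roles[i] = roles[i].Trim();
        }

        // Replace the role-less principal with one the authorization rules can query.
        Context.User = new GenericPrincipal(identity, roles);
    }
}
```

With this in place and the question's handler still hard-coding `"Member"`, a request for Members/ClientAccount.aspx is denied by `<allow roles="Admin"/>` and the user is bounced to `loginUrl` with a ReturnUrl, which is the behaviour Mervin was testing for. The roles are trustworthy only because the ticket is encrypted and MAC-protected with the machineKey (`protection="All"`): a user cannot edit the cookie to promote "Member" to "Admin" without that key, so keep the key out of source control and do not downgrade `protection`.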
0

Hey there, did you mean to have

<deny roles="Member"/>

Right now, the deny policy really doesn't need the Member role listed. If you want Member to also be allowed on that page, you will need to swap the deny for an allow:

<authorization>
  <allow roles="Admin" />
  <allow roles="Member"/>
  <deny users="?" />
</authorization>
Nathan Tregillus
  • Well, I want only the admins to be able to access the page ClientAccount.aspx, hence the config file as above – Mervin May 25 '11 at 20:56
  • Hey Mervin, when or where are you assigning the Admin role to the FormsAuthenticationTicket? – Nathan Tregillus May 25 '11 at 20:59
  • @N8, I'll be pulling in the roles for each logged-in user from a database; for now I just hardcoded it to Member to test and see if a redirect would work even if the authentication should fail due to the permissions specified in the web.config file. Unfortunately the redirect still happens – Mervin May 25 '11 at 21:01
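One detail worth pinning down for the Admin-only goal stated in the comments: ASP.NET evaluates authorization rules top down, most-specific location first, and the first rule that matches the user wins. A request that matches no rule at all falls through to the parent configuration, which ends in the machine-level default `<allow users="*"/>`. So `<allow roles="Admin"/>` followed only by `<deny users="?"/>` lets any authenticated non-Admin in, because a signed-in Member matches neither line. Ending with `<deny users="*"/>` closes that gap without having to enumerate every other role. The web.config below is an added example, not the question's file or either answer's; it assumes the config lives at the application root, that ClientAccount.aspx sits in a Members folder, that the site is served over HTTPS (hence `requireSSL="true"`), and that roles have been attached to the principal by some other code, since the rules cannot match otherwise.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- signin.aspx is the page the question's handler already redirects to on failure;
           requireSSL="true" assumes the site is HTTPS-only and makes ASP.NET ignore the
           forms cookie on plain-HTTP requests -->
      <forms loginUrl="signin.aspx" timeout="60" protection="All" requireSSL="true" />
    </authentication>
    <!-- site-wide default: anonymous users are sent to loginUrl -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- location paths are relative to this web.config; no leading slash -->
  <location path="Members">
    <system.web>
      <authorization>
        <allow roles="Member,Admin" />
        <deny users="*" />   <!-- anyone not matched above, signed in or not -->
      </authorization>
    </system.web>
  </location>

  <!-- more specific than "Members", so these rules are evaluated before the folder's -->
  <location path="Members/ClientAccount.aspx">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />   <!-- a signed-in Member stops here instead of falling through to the inherited allow-all -->
      </authorization>
    </system.web>
  </location>
</configuration>
```

A quick way to confirm the rule set does what you think: sign in with a ticket whose UserData is "Member", request Members/ClientAccount.aspx, and expect a redirect to signin.aspx?ReturnUrl=...; then change only the `<deny users="*"/>` under ClientAccount.aspx back to `<deny users="?"/>` and watch the same Member get through.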