As secure information is the key to efficient web programming, web application programmers always have security concerns. This article will explain how to secure your website using ASP.NET Form Authentication.
This article assume that the reader is already familiar with ASP.NET programming.
- web.config: Application configuration files contain settings specific to an application. This file contains the configuration settings that the common language runtime reads (such as the assembly binding policy, remoting objects, and so on), and settings that the application can read [MSDN].
- Authorization: The purpose of authorization is to determine whether an identity should be granted the requested type of access to a given resource [MSDN].
- Authentication: Authentication is the process of discovering and verifying the identity of a principal, by examining the user's credentials and validating those credentials against some authority. The information obtained during authentication is directly usable by your code. That is, once the identity of the principal is discovered, you can use the .NET Framework role-based security to determine whether to allow that principal to access your code [MSDN].
I’ve searched so many sites for a code that I can with the help of it, secure websites from unauthorized access. After searching C# books, I found some nice code that helped me to create this simple application. Hope it can help as a basic architecture.
There are three kinds of authentication in ASP.NET:
- Windows, and
This article will focus on the first type.
Form authentication is cookie based, as ASP.NET places a cookie in the client machine in order to track the user. If the user requests a secure page and has not logged in, then ASP.NET redirects him/her to the login page. Once the user is authenticated, he/she will be allowed to access the requested page.
Using the code
In the web.config, change the mode of authentication to
Forms, then add
loginUrl="your default page".
In this section, you will set the default page of the system. The default page is the page that the system will redirect the user to, whenever a fault happens while the user tries to access a secured page.
This section of the web.config determines the users who will be authorized to or denied from the website. The default value
<deny users="?" /> means to deny any anonymous (unauthenticated) user trying to access the website. However, this value can be changed. E.g.,
<deny users="john”, “smith”, “Ahmed” /> means to deny the users: john, smith and Ahmed from accessing this website - it is a black list- or you can say
<deny users="*" /> <allow users="john”, “smith”, “Ahmed” /> which means, deny all users except john, smith, and Ahmed.
<deny users="?" />
In some business websites, multiple employees would need access to a system in order to do specific tasks. However, each employee would have a specific role, and specific operations to do, according to the nature of his/her job or security level. E.g., an HR manager might not allowed to view the data of the seals department.
ASP.NET provides the concept of roles that gives each role a different view on specific pages.
<allow roles="HR" />
<deny users="*" />
<allow roles="sales" />
<deny users="*" />
location here means the folder name which holds the .aspx for some specific role. As the example shows,
<location path="HRpages"> means that all .aspx files under the HRpages folder are protected.
<allow roles="HR" /><deny users="*" /> mean deny every one from accessing pages under HRpages except those having the HR role.
This section will show the code that reads the password and the user name from login.aspx and redirects the user to a specific page according to his/her role.
private void Submit1_Click (object sender, System.EventArgs e)
&& this.TextBox_password.Text.Trim() == "password")
FormsAuthenticationTicket ticket1 =
HttpCookie cookie1 = new HttpCookie(
if (Request.QueryString["ReturnUrl"] == null)
returnUrl1 = "HRpages/HR_main.aspx";
returnUrl1 = Request.QueryString["ReturnUrl"];
ticket1 is of type
FormsAuthenticationTicket and provides a means of creating and reading the values of a forms authentication cookie. The previous code will redirect the user
HR_manager after checking his/her password. If the password is correct then it will create a cookie to track the user and encrypt the content of this cookie.
One of the
FormsAuthenticationTicket constructors takes the following parameters:
version - the version number.
name - the user name associated with the ticket.
issueDate - the time at which the cookie was issued.
expiration - the expiration date for the cookie.
true if the cookie is persistent; otherwise,
userData - user-defined data to be stored in the cookie [MSDN].
Ahmed J. Kattan Bachelor degree from Jordan University of Science and Technology computer science department, Master Degree from University of Essex and PhD student at University of Essex ”United Kingdom”, I have written several applications, designed multiple algorithms and several publications. My favorite languages are C++ and C#.
see www.ahmedkattan.com to view Ahmed Kattan's online CV.