Role Based Forms Authentication in ASP.Net

Becoming a member of a site does not by itself entitle a user to every resource on it. Different types of users are allowed to see different content according to their roles. This is easy to implement when the site uses Windows authentication and every user has a Windows login, but that is not the case for most public sites: you have to provide role-based access for users who have no Windows account at all. Role-based forms authentication does exactly that, and the procedure for implementing it is given below.



For role-based forms authentication you need a database table for the users that stores each user's credential and the roles that user holds on the site. For example, you might create a table named "members" with userid, password and roles as its columns. Before creating it, decide which roles your site actually needs and create only those. The password column should hold a salted hash of the password rather than the password itself: if the table is ever exposed, clear-text passwords go with it, a hash does not. Once the table exists, the steps for achieving role-based forms authentication are:

1. Create the login page
2. In the click event of the login button write code for the following algorithm

a. Initialize FormsAuthentication
b. Create the connection and command objects
c. Add parameters to the command object (the user name goes in as a parameter and is never concatenated into the SQL text; that is what keeps the lookup safe from SQL injection)
d. Open the connection object
e. Use the command object's ExecuteReader() method to execute the command
f. If the reader returns a row and the submitted password matches the stored credential, go to the next step; otherwise display an error message and stop. Note that a query which matches no user does not raise an exception, it simply returns no rows, so you must test the result rather than rely on catching errors
g. Create a new authentication ticket and put the user's roles in its userData field
h. Encrypt the ticket with the machine key (FormsAuthentication.Encrypt) and place the result in the forms authentication cookie, so it cannot be read or altered in transit
i. Set the cookie's expiration time to the ticket's expiration time
j. Add the cookie to the outgoing response
k. Redirect to the originally requested URL, or to the home page

3. Modify the Application_AuthenticateRequest event handler in the Global.asax file to read the stored role value out of the ticket and generate a new principal that carries those roles.
4. Assign the new principal to the current context for the request so that the roles can be retrieved and checked (User.IsInRole, and the <authorization> rules in web.config).
5. Modify the web.config file to control authorization.
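The procedure above as an added worked example in C#, not code from the original article: the login button handler for steps 1 and 2 (a to k) and the Global.asax hook for steps 3 and 4. The table and column names follow the article; the control IDs txtUser, txtPassword and lblError, the connection-string name MembersDb, and the password storage format (a PBKDF2 salt and hash in the password column instead of the clear-text password) are assumptions made for this example.

```csharp
// Added example (not from the original article). Assumed: ASP.NET Web Forms,
// controls txtUser/txtPassword/lblError on login.aspx, a connection string named
// "MembersDb", and a "members" table whose password column holds
// "iterations:base64salt:base64hash" (PBKDF2) rather than the clear-text password.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// ---- login.aspx.cs : steps 1 and 2 (a-k) ----
public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        FormsAuthentication.Initialize();                       // a. read <forms> settings
        string roles = null;
        string connStr = ConfigurationManager.ConnectionStrings["MembersDb"].ConnectionString;

        // b-e. The user name goes in as a parameter, never into the SQL text, so a
        // value like  x' OR 1=1 --  is compared as a literal instead of being executed.
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
                   "SELECT password, roles FROM members WHERE userid = @userid", conn))
        {
            cmd.Parameters.Add("@userid", SqlDbType.NVarChar, 50).Value = txtUser.Text;
            conn.Open();
            using (SqlDataReader rdr = cmd.ExecuteReader())
            {
                // f. An unknown user throws no exception; the reader is simply empty,
                // so the result has to be tested, not just the absence of errors.
                if (rdr.Read() && PasswordMatches(txtPassword.Text, rdr.GetString(0)))
                    roles = rdr.IsDBNull(1) ? "" : rdr.GetString(1);   // e.g. "freeMember"
            }
        }
        if (roles == null)
        {
            lblError.Text = "Invalid user name or password.";  // same text for both failures
            return;
        }

        // g. Ticket with the roles in userData; Global.asax reads them back on each request.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, txtUser.Text, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, roles, FormsAuthentication.FormsCookiePath);

        // h. Encrypt (and, with protection="All", sign) the ticket with the machine key.
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                                  // not readable from script
        cookie.Secure = Request.IsSecureConnection;              // HTTPS-only when served over HTTPS
        cookie.Expires = ticket.Expiration;                      // i. (omit for a session-only cookie)
        Response.Cookies.Add(cookie);                            // j.

        // k. The requested ReturnUrl if there was one, otherwise the default page.
        Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUser.Text, false));
    }

    // Verifies the submitted password against the stored PBKDF2 salt and hash.
    static bool PasswordMatches(string entered, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 3) return false;
        int iterations = int.Parse(parts[0]);
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = new Rfc2898DeriveBytes(entered, salt, iterations).GetBytes(expected.Length);
        int diff = 0;                                            // constant-time compare
        for (int i = 0; i < expected.Length; i++) diff |= actual[i] ^ expected[i];
        return diff == 0;
    }
}

// ---- Global.asax.cs : steps 3 and 4 ----
public class Global : HttpApplication
{
    // Runs on every request after FormsAuthenticationModule has decrypted and validated
    // the cookie (a tampered or expired cookie never gets this far: the request stays
    // anonymous). Replace the role-less principal with one that carries the roles.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        FormsIdentity identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity == null) return;                            // anonymous, or not forms auth
        string[] roles = identity.Ticket.UserData.Split(
            new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        Context.User = new GenericPrincipal(identity, roles);    // User.IsInRole("paidMember") now works
    }
}
```

The roles travel inside the encrypted, signed ticket, so the <location> rules in web.config are evaluated against them on every request without a database round trip; the trade-off is that a role change only takes effect when the user logs in again and receives a new ticket. With protection="All" a cookie edited on the client fails the machine-key check and the request is treated as anonymous rather than as a user with extra roles. GetRedirectUrl honours ReturnUrl only within this application unless enableCrossAppRedirects is turned on in the <forms> element, which keeps the login page from being used as an open redirect.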

These steps complete role-based authentication in ASP.Net. Organize your website content in folders according to user role; that makes it straightforward to grant or deny access to whole areas of the site at once. A web.config file must be present in the root of the web application's directory for role-based forms authentication to work, and authorization settings in a web.config file placed in a sub-directory override those inherited from the root for that sub-directory.

A sample web.config file for the root directory of the web application would look like this:

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="FrmAuth"
             loginUrl="login.aspx"
             protection="All"
             path="/"/>
    </authentication>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
  <location path="FMembers">
    <system.web>
      <authorization>
        <allow roles="freeMember"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="PMembers">
    <system.web>
      <authorization>
        <allow roles="paidMember"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>

This web.config file can be split: delete a <location> block from the root file and place its <authorization> section in a separate web.config file inside that sub-directory instead (FMembers\web.config, for example). The sub-directory file needs only the <configuration>, <system.web>, <authorization>, <allow> and <deny> elements; the <authentication> section stays in the root web.config, since that is where the forms cookie is configured for the whole application.



Copyright - © 2004 - 2024 - All Rights Reserved.