I have as ASP.Net 2.0 website with SQL Server as database and C# 2005 as the programming language. The website is almost complete and all the links are working fine. But I want to prevent normal users from opening a couple of pages. When any user clicks on those specific links, another page opens which contains a ASP Login control. The user has to supply a valid userid and password to display the links pointing to the restrictive pages. But being a newbie, I don't know how to leverage the full power of the ASP Login control. Because, if a user gets to know the exact url of the restricted pages, then he/she can bypass the login control and directly access those pages by typing the url into the address bar. I want to prevent this. If the user types the url directly in the address bar, I want that the page itself should check, whether the user has been validated through the Login control and either display the page or point the user to the Login page.

How do I implement this feature??

Thank You.

Lalit Kumar Barik

just add this

if (User.Identity.IsAuthenticated == false)
        { Response.Redirect("error.aspx"); }

to the Page_load event of all the pages that you want to restrict access to.. by adding this only the logged in users can see the content of the pages..all those who are not logged in will be redirected to "error.aspx"..

Can you explain a bit?
because User.Identity.IsAuthenticated has default value as true.

Also, User.Identity.IsAuthenticated is read-only. We cannot simply assign the value 'false' if the user enters a wrong password.

Lalit Kumar Barik

hi '=' is an assignment operator whereas '==' is used for comparing..

whenever a user logs in, the value of User.Identity.IsAuthenticated is set to true..

double click on the page to enter the code behind, paste the above mentioned code.. now try to get to this page by bypassing logging in..( copy the pages address and paste it to the address bar of your explorer ).. you will be directed to the error.aspx page.

@"bharatshivram", I tried the above code, but I am able to bypass the login page/process, if I directly paste the specific page's address in the address bar.

Any other suggestions?

Lalit Kumar Barik

Try using session.I am posting code for login page.Tell wether its useful or not.Its a "primitive" way to do it.But will work for sure.

using System;
using System.Data;
using System.Configuration;
using System;
using System.Data;
using System.Data.SqlClient;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {

    }
    protected void Button1_Click(object sender, EventArgs e)
    {
        ValidateUserInfo(TextBox1.Text.Trim(), TextBox2.Text.Trim());

    }

    protected void ValidateUserInfo(string user, string pass)
    {

        SqlConnection connection = new SqlConnection("data source=power;initial catalog=DBS_BANK;user id=orange;password= orange");
        string sql = "SELECT * FROM login WHERE username = @username AND password = @password";
        SqlCommand cmd = new SqlCommand(sql, connection);
        cmd.Parameters.AddWithValue("@username", user);
        cmd.Parameters.AddWithValue("@password", pass);
        connection.Open();

        //DataTable dt = new DataTable();
        SqlDataAdapter ad = new SqlDataAdapter(cmd);
        DataSet dt = new DataSet();
        ad.Fill(dt, "login");
        if (dt.Tables[0].Rows.Count > 0)
        { //check if the query returns any data
            //Valid Username and Password
           /*add this code so  to store session data
            Session.Add("Username", TextBox1.Text);
            Session["Username"] = "Admin";

            Response.Redirect("Default2.aspx");

        }
        else
        {
            Response.Write("<script>alert('INVALID Username and Password, Try Again!')</script>");
        }
        connection.Close();
    }
    protected void Button2_Click(object sender, EventArgs e)
    {
        Response.Redirect("default.aspx", true);
    }
    protected void ImageButton1_Click(object sender, ImageClickEventArgs e)
    {
        ValidateUserInfo(TextBox1.Text.Trim(), TextBox2.Text.Trim());
    }
}

and put this code on all page load events....

if (Session["Username"] == null)
        {
            Response.Redirect("Default.aspx");//to login page
        }

@"Dhaneshnm", your solution worked. Now can I implement a feature so that the session variable is destroyed or becomes null when the user closes the restricted page? What I need is, if the user successfully logsin, opens the restricted page, presses back button and then tries to paste the url directly, he/she should be asked for the password again. Currently, the user is asked for password only if the browser window is closed totally. I want to ensure login is asked again, even if the user closes the single page.

Lalit Kumar Barik

Say you want to restrict access to 2 pages(say page1,page2):
when user logs in ,put Session.Add("page1","true")
Session.Add("page1","true")

and

on page load event Session["page1"] = null or "false" or something
like that.Check this variable on page load to allow page load.
This may block postback also.So put the whole thing inside a
if(!IsPostBack).

Like
if(!IsPostBack)
{
if(Session["Username"]==null||Session["page1"]==null)
{
Response.Redirect("Default.aspx");
}
else
{
Session["page1"] = null
}
}


}


this should work...

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.