Reputation: 417
I'm having problems implementing SimpleMembership in my project. Basically, I've not been able to find any information about restricting access to pages. This is what I've done so far:
<appSettings>
    <add key="loginUrl" value="default.aspx" />
</appSettings>

[WebMethod, ScriptMethod]
public static bool Login(string userName, string password)
{
    return SecurityManager.Instance.Login(userName: userName, password: password);
}

success: function (data, textStatus, jqXHR) {
    if (data.d) {
        window.location.href = "home.aspx";
    } else {
        $("#invalidCredentialsBox").css("visibility", "visible");
    }
},
The problem is that if I try to access home.aspx directly (from the browser) it actually loads. So, what do I do to make SimpleMembership restrict access to home.aspx until the user has successfully logged in?
What I've had to do, though I don't know if it's the correct solution, is to create a base class in the app_code folder. The class inherits from System.Web.UI.Page and then I've changed my home.aspx to inherit from this base class. In the constructor of the base class I'm checking the WebSecurity.IsAuthenticated property and if it's false then I do a Response.Redirect to my error.aspx page:
using System.Web;

namespace MyProject
{
    public class BasePage : System.Web.UI.Page
    {
        public BasePage()
        {
            // Send unauthenticated visitors to the error page.
            if (!SecurityManager.Instance.IsAuthenticated())
            {
                HttpContext.Current.Response.Redirect("error.aspx");
            }
        }
    }
}
In this way, it works, but I don't feel it's the correct way of implementing it. All the examples I've found use MVC, but I'm not and actually I know almost nothing about MVC. Can somebody please give some ideas or point me to some documentation/examples where SimpleMembership is used with a .NET web project?
Also, what other attributes are valid for SimpleMembership that I can add to the appSettings section of the web.config? And how do I set the authentication section of the web.config to work with SimpleMembership? (I've seen in the MVC 4 template that even though it uses SimpleMembership it still sets the forms authentication section in the web.config.)
Thanks.
Upvotes: 0
Views: 878
Reputation: 17724
Do not confuse authorization with authentication.
Authorization decides who has access to what.
You can set it as follows:
<authorization>
    <allow users="Kim"/>
    <allow roles="Admins"/>
    <deny users="John"/>
    <deny users="?"/>
</authorization>
Refer: Asp.net Authorization
A membership provider is responsible for authentication. Its responsibility is only to validate that the user is who he claims to be.
If a part of your website needs different authorization rules, like a login page, default page, or a public folder that everyone has access to, you can create a section for it using the location element.
This will allow all users to access Logon.aspx, even if the rest of the site is restricted.
<location path="Logon.aspx">
    <system.web>
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>
</location>
Upvotes: 1
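ASP.NET URL authorization checks the rules in the answer above from top to bottom and stops at the first match, so their order decides who gets in. The following is an added example, not part of the original answer and not ASP.NET's own code: a simplified Python model that evaluates those two snippets, where the combined config, the `is_allowed` helper, the user "Alice", the case-insensitive matching and the modelled inherited allow-all default are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment combining the two snippets from the answer.
CONFIG = """<configuration>
  <system.web>
    <authorization>
      <allow users="Kim"/>
      <allow roles="Admins"/>
      <deny users="John"/>
      <deny users="?"/>
    </authorization>
  </system.web>
  <location path="Logon.aspx">
    <system.web>
      <authorization><allow users="*"/></authorization>
    </system.web>
  </location>
</configuration>"""

def _rules(node):
    """Return [(action, users, roles)] from node's system.web/authorization."""
    auth = node.find("system.web/authorization")
    split = lambda s: {v.strip().lower() for v in s.split(",") if v.strip()}
    return [(r.tag, split(r.get("users", "")), split(r.get("roles", "")))
            for r in (auth if auth is not None else [])]

def is_allowed(path, user=None, roles=()):
    """Simplified model: first matching rule wins; user=None is anonymous."""
    root = ET.fromstring(CONFIG)
    rules = []
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == path.lower():
            rules += _rules(loc)           # path-specific rules come first
    rules += _rules(root)                  # then the site-wide rules
    rules.append(("allow", {"*"}, set()))  # assumed inherited default: allow all
    name = user.lower() if user else None  # model compares case-insensitively
    held = {r.lower() for r in roles}
    for action, users, wanted in rules:
        if ("*" in users or (name is None and "?" in users)
                or (name is not None and name in users) or held & wanted):
            return action == "allow"
    return False

if __name__ == "__main__":
    for who in [(None, ()), ("Kim", ()), ("John", ()), ("John", ("Admins",)), ("Alice", ())]:
        print(who, is_allowed("home.aspx", *who))
```

In this model John is let in once he holds the Admins role, because the allow rule precedes his deny, and any other authenticated user falls through to the inherited allow. Ending the list with `<deny users="*"/>` restricts the site to the users and roles named in the allow rules.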