Protect some pages from direct access in ASP.NET

Question

I have an ASP.NET page called admin.aspx that needs to be protected from direct access.

I want it to be accessed only when the user enter his name & password in another page called login.aspx.

I'm working in ASP.NET with Visual Basic .NET 2008, and I have no idea how to do it.

How can I do it?

Answer 1

You should check the user session first before loading your page:

protected void Page_Load(object sender, EventArgs e)
{
    if (session == null)
    {
        // Just redirect to login page or no access page warning.**
    }

    if (!Page.IsPostBack)
    {
       //If your were logged in then you will access this page
    }
}

Answer 2

The correct term for this behavior is Authorization

Some things I need to know beforehand:

• Do you have your own Login / Logout Logic?
• Are you using a custom User database / table?
• If both of the above were answered with a yes: Have you read / heard something about Membership- and RoleProviders?

---

.NET has great built in mechanisms for solving this problem. It doesn't just offer great configuration possibilities, it is also very easy to implement!

Here is a very very detailed walk trough on the ASP.NET Membership Provider:

ASP.NET 2.0 Membership and Roles Tutorial Series

Even though it is using ASP.NET 2.0 and C#, it shouldn't really be that different on .NET3.5/4.0 and VB.NET

Answer 3

I found it :

In the login page ("login.aspx") do this :

Session("Name") = "Yes"

Response.Redirect("admin.aspx")

In the admin page ("admin.aspx") this :

If Session("Name") = "Yes" Then
    'You can here display anything you want, or just leave it blank
Else
    Response.Redirect("ErrorPage.aspx")
End If

Answer 4

You can handle it via Forms authentication. In your case you want to make sure that you restrict the access of admin.aspx so you can do so by giving that entry in web .config by specifying the location tag. Check out this site:

http://www.dnzone.com/go?60

HTH