A Web developer follows the approach described in this article when access to the pages of an application must be restricted to authorized users only. To do this, change the application's web.config to specify Forms authentication, then create an .aspx login page that collects user credentials and completes the authentication check. Modify web.config as follows:
  • Set the mode attribute of the <authentication> element to Forms.
  • Add a <forms> child element to the <authentication> element to specify key aspects of the Forms implementation:

<authentication mode="Forms">
  <forms name=".MyFormName"
         loginUrl="Login.aspx"
         protection="All"
         timeout="30"
         path="/">
  </forms>
</authentication>

The following list describes the attributes of the <forms> element:
  • name: Defines the name of the HTTP cookie used by ASP.NET to maintain the user authentication information. Care should be taken when naming the cookie, because if two applications on the same server use the same cookie name, "cross authentication" could occur: a ticket issued by one application would be accepted by the other.
  • loginUrl: Defines the page to which ASP.NET redirects users when they attempt to access pages in your application without being logged in. The login page should provide the fields required to authenticate the user, typically a login ID and password or whatever else the application requires.
  • protection: Defines the protection method used for the cookie. Possible values are:
      - All: the cookie data is both validated and encrypted
      - Encryption: the cookie is encrypted
      - None: no protection is applied to the cookie information
      - Validation: the cookie data is validated to ensure it was not altered in transit
    The default is All and is highly recommended because it offers the highest level of protection for this authentication cookie. Note that protection covers only the ticket's contents and integrity; when the site is served over HTTPS, also set requireSSL="true" on the <forms> element so the browser never sends the authentication cookie over a plaintext connection, where it could be captured and replayed.
  • timeout: Defines the amount of time in minutes before the cookie expires. The value provided here should be at least as long as the timeout for the session. Making the value shorter than the session timeout can result in a user being redirected to the page defined by loginUrl before the session times out.
  • path: Defines the path of cookies issued by the application. Be aware that most browsers treat the path as case-sensitive and will not return the cookie for a request that does not match the value provided for the path attribute. The result is that users are redirected to the login page as if they were not logged in. Unless your application requires a specific path, we recommend that you leave the path as "/".
  
  • Add <deny> and <allow> child elements to the <authorization> element to deny access to anonymous users and allow access to all who have been authenticated:
    <authorization>
      <deny users="?" />   <!-- Deny anonymous users -->
      <allow users="*" />  <!-- Allow all authenticated users -->
    </authorization>
    In the .aspx file for the login page, the Web developer should:
    1. Add the fields required to collect the data the application needs to authenticate the user. Most applications require, at a minimum, a user login ID and password, but the developer can specify whatever the application requires.
    2. Add a Login button.
    3. (Optional) Include a checkbox for users to indicate that they want to be remembered between sessions. (Some code is needed in the code-behind class to persist the authentication cookie on the client machine.)
    In the code-behind class for the login page, use the .NET language of your choice to:
    1. Handle the Login button's click event and verify the user credentials (with a parameterised query; never concatenate the submitted values into the SQL text).
    2. If the credentials are valid, create a Forms authentication cookie and add it to the cookie collection returned to the browser by calling the SetAuthCookie method of the FormsAuthentication class.
    3. (Optional) Pass True as the second argument of SetAuthCookie to persist the authentication cookie on the client machine (the "remember me" case).
    4. Redirect the user to the appropriate application start page using Response.Redirect. Server.Transfer will not work here: it does not round-trip to the browser, so the authentication cookie would never be written.
     The following code illustrates the idea.
    Web.config file
    <?xml version="1.0"?>
    <!--
      For more information on how to configure your ASP.NET application, please visit
      https://go.microsoft.com/fwlink/?LinkId=169433
    -->
    <configuration>
      <connectionStrings>
        <add name="ApplicationServices"
             connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|\aspnetdb.mdf;User Instance=true"
             providerName="System.Data.SqlClient" />
        <add name="DBConnectionString"
             connectionString="data source=127.0.0.1;Integrated Security=SSPI;Initial Catalog=AspNetDB"
             providerName="System.Data.SqlClient" />
      </connectionStrings>
      <system.web>
        <!-- debug="true" is for development only; set it to "false" before deployment. -->
        <compilation debug="true" strict="false" explicit="true" targetFramework="4.0" />
        <authentication mode="Forms">
          <forms name=".RestrictAccessToAllPages"
                 loginUrl="LoginPage.aspx"
                 protection="All"
                 timeout="30"
                 path="/">
          </forms>
        </authentication>
        <authorization>
          <deny users="?" />   <!-- Deny anonymous users -->
          <allow users="*" />  <!-- Allow all authenticated users -->
        </authorization>
        <membership>
          <providers>
            <clear/>
            <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider"
                 connectionStringName="ApplicationServices"
                 enablePasswordRetrieval="false" enablePasswordReset="true"
                 requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
                 maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6"
                 minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
                 applicationName="/" />
          </providers>
        </membership>
        <profile>
          <providers>
            <clear/>
            <add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider"
                 connectionStringName="ApplicationServices" applicationName="/" />
          </providers>
        </profile>
        <roleManager enabled="false">
          <providers>
            <clear/>
            <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider"
                 connectionStringName="ApplicationServices" applicationName="/" />
            <add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider"
                 applicationName="/" />
          </providers>
        </roleManager>
      </system.web>
      <system.webServer>
        <modules runAllManagedModulesForAllRequests="true" />
      </system.webServer>
    </configuration>
    LoginPage.aspx page
    <%@ Page Language="vb" AutoEventWireup="false" CodeBehind="LoginPage.aspx.vb" Inherits="RestrictAccessToAllPagesVB.LoginPage" %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
      <title></title>
    </head>
    <body>
      <form id="frmSecurity" method="post" runat="server">
        <table width="100%" cellpadding="0" cellspacing="0" border="0">
          <tr><td align="center"></td></tr>
          <tr><td></td></tr>
        </table>
        <table width="90%" align="center" border="0">
          <tr><td></td></tr>
          <tr><td align="center" class="PageHeading">Block Access To All Pages (VB)</td></tr>
          <tr><td></td></tr>
          <tr>
            <td align="center">
              <table>
                <tr>
                  <td class="LabelText">Login ID:</td>
                  <td><asp:TextBox ID="txtLoginID" runat="server" /></td>
                </tr>
                <tr>
                  <td class="LabelText">Password:</td>
                  <td><asp:TextBox ID="txtPassword" runat="server" TextMode="Password" /></td>
                </tr>
                <tr>
                  <td colspan="2" align="center"><asp:CheckBox ID="chkRememberMe" runat="server" Text="Remember Me" /></td>
                </tr>
                <tr>
                  <td colspan="2" align="center"><br /><input id="btnLogin" runat="server" type="button" value="Login" /></td>
                </tr>
                <tr>
                  <td colspan="2" align="center"><br /><input type="button" value="Attempt Access without Login" onclick="document.location='Default.aspx'" /></td>
                </tr>
              </table>
            </td>
          </tr>
        </table>
      </form>
    </body>
    </html>
    Code-behind (LoginPage.aspx.vb)
    Imports System
    Imports System.Configuration
    Imports System.Data
    Imports System.Data.SqlClient
    Imports System.Web
    Imports System.Web.Security
    Imports System.Web.UI
    Imports System.Web.UI.WebControls
    Imports System.Web.UI.HtmlControls

    Namespace RestrictAccessToAllPagesVB

        ' The namespace and class name must match the Inherits attribute
        ' of the @ Page directive in LoginPage.aspx.
        Public Class LoginPage
            Inherits System.Web.UI.Page

            ' Controls on the form
            Protected txtLoginID As TextBox
            Protected txtPassword As TextBox
            Protected chkRememberMe As CheckBox
            Protected WithEvents btnLogin As HtmlInputButton

            Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.Load
            End Sub

            ' Retrieves a connection string by name from web.config.
            ' Returns Nothing if the name is not found.
            Private Function GetConnectionStringByName(ByVal name As String) As String
                Dim settings As ConnectionStringSettings = ConfigurationManager.ConnectionStrings(name)
                If settings Is Nothing Then
                    Return Nothing
                End If
                Return settings.ConnectionString
            End Function

            Private Sub btnLogin_ServerClick(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnLogin.ServerClick
                ' Name of the query string parameter holding the originally requested URL.
                ' FormsAuthentication appends it as "ReturnUrl"; QueryString lookups are case-insensitive.
                Const QS_RETURN_URL As String = "ReturnUrl"
                Dim nextPage As String

                ' Get the connection string from web.config. The connection string is declared with the
                ' System.Data.SqlClient provider, so SqlConnection is used here.
                Dim strConnection As String = GetConnectionStringByName("DBConnectionString")

                ' Check whether the user exists in the database.
                ' NOTE: this sample compares the submitted password with the value stored in the table.
                ' A production application must store only a salted password hash and verify it in code.
                Dim strSQL As String = "SELECT (FirstName + ' ' + LastName) AS UserName " & _
                                       "FROM AppUser " & _
                                       "WHERE LoginID = @LoginID AND Password = @Password"

                Using dbConn As New SqlConnection(strConnection)
                    Using dCmd As New SqlCommand(strSQL, dbConn)
                        ' Parameterised query: the submitted values are never concatenated into the SQL text.
                        dCmd.Parameters.AddWithValue("@LoginID", txtLoginID.Text)
                        dCmd.Parameters.AddWithValue("@Password", txtPassword.Text)
                        dbConn.Open()

                        Using dr As SqlDataReader = dCmd.ExecuteReader()
                            If dr.Read() Then
                                ' The credentials were found, so tell the Forms authentication system that the
                                ' user is authenticated. The second argument makes the cookie persistent.
                                FormsAuthentication.SetAuthCookie(CStr(dr.Item("UserName")), chkRememberMe.Checked)

                                ' Get the next page for the user.
                                ' NOTE: the return URL comes from the request and is used here unchecked, as in the
                                ' original sample; a production application should only honour a path inside this
                                ' application, otherwise the login page can be used to redirect users to another site.
                                If Request.QueryString(QS_RETURN_URL) IsNot Nothing Then
                                    ' The user tried to access a page without logging in, so send them there.
                                    nextPage = Request.QueryString(QS_RETURN_URL)
                                Else
                                    ' The user came straight to the login page, so send them to the home page.
                                    nextPage = "Default.aspx"
                                End If

                                ' NOTE: This must be a Response.Redirect to write the cookie to the user's browser.
                                ' Do NOT change it to Server.Transfer, which does not cause a round trip to the
                                ' client browser and therefore would not write the authentication cookie.
                                Response.Redirect(nextPage, True)
                            Else
                                ' The credentials do not exist in the database. A production application
                                ' should show a message telling the user that the login ID or password was incorrect.
                            End If
                        End Using
                    End Using
                End Using
            End Sub
        End Class
    End Namespace
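    The following code-behind is an added example, not code from the original article, and it goes beyond the article's sample in two respects a production login needs: the password is verified in code against a salted PBKDF2 hash stored in the database (so the table never holds a plaintext password and the SQL query looks the user up by login ID only), and the ReturnUrl is honoured only when it is a path inside this application, so the login page cannot be used as an open redirect. It assumes a hypothetical AppUser table with PasswordSalt and PasswordHash (varbinary) and Iterations (int) columns, an added <asp:Label ID="lblError"> on the page, and the DBConnectionString entry from the web.config above; the control and page names are the article's own.

    ```vb
    Imports System
    Imports System.Configuration
    Imports System.Data.SqlClient
    Imports System.Security.Cryptography
    Imports System.Web
    Imports System.Web.Security
    Imports System.Web.UI
    Imports System.Web.UI.WebControls
    Imports System.Web.UI.HtmlControls

    Namespace RestrictAccessToAllPagesVB

        Public Class LoginPage
            Inherits System.Web.UI.Page

            Protected txtLoginID As TextBox
            Protected txtPassword As TextBox
            Protected chkRememberMe As CheckBox
            Protected lblError As Label          ' assumed: an <asp:Label ID="lblError"> added to LoginPage.aspx
            Protected WithEvents btnLogin As HtmlInputButton

            Private Const HASH_BYTES As Integer = 32

            ' PBKDF2 (Rfc2898DeriveBytes) of the password with the per-user salt and iteration count.
            ' The same function, with a fresh random salt, produces the value stored at registration.
            Private Shared Function HashPassword(ByVal password As String, ByVal salt As Byte(), ByVal iterations As Integer) As Byte()
                Using kdf As New Rfc2898DeriveBytes(password, salt, iterations)
                    Return kdf.GetBytes(HASH_BYTES)
                End Using
            End Function

            ' Constant-time comparison: the loop always runs over every byte, so the time taken
            ' does not reveal how many leading bytes of the hash matched.
            Private Shared Function FixedTimeEquals(ByVal a As Byte(), ByVal b As Byte()) As Boolean
                If a Is Nothing OrElse b Is Nothing OrElse a.Length <> b.Length Then Return False
                Dim diff As Integer = 0
                For i As Integer = 0 To a.Length - 1
                    diff = diff Or (a(i) Xor b(i))
                Next
                Return diff = 0
            End Function

            ' Looks the user up by LoginID only and verifies the password in code.
            ' Returns the display name on success and Nothing on failure.
            ' Assumed schema: AppUser(LoginID, FirstName, LastName, PasswordSalt, PasswordHash, Iterations).
            Private Function VerifyCredentials(ByVal loginId As String, ByVal password As String) As String
                Dim strSQL As String = "SELECT (FirstName + ' ' + LastName) AS UserName, PasswordSalt, PasswordHash, Iterations " & _
                                       "FROM AppUser WHERE LoginID = @LoginID"
                Using dbConn As New SqlConnection(ConfigurationManager.ConnectionStrings("DBConnectionString").ConnectionString)
                    Using dCmd As New SqlCommand(strSQL, dbConn)
                        dCmd.Parameters.AddWithValue("@LoginID", loginId)
                        dbConn.Open()
                        Using dr As SqlDataReader = dCmd.ExecuteReader()
                            If Not dr.Read() Then Return Nothing
                            Dim salt As Byte() = CType(dr("PasswordSalt"), Byte())
                            Dim stored As Byte() = CType(dr("PasswordHash"), Byte())
                            Dim iterations As Integer = CInt(dr("Iterations"))
                            If FixedTimeEquals(HashPassword(password, salt, iterations), stored) Then
                                Return CStr(dr("UserName"))
                            End If
                            Return Nothing
                        End Using
                    End Using
                End Using
            End Function

            ' Accepts only a path inside this site: rejects absolute URLs and the protocol-relative
            ' "//host" and "/\host" forms, which browsers resolve to a different origin.
            Private Shared Function IsLocalUrl(ByVal url As String) As Boolean
                If String.IsNullOrEmpty(url) Then Return False
                If url.Length = 1 Then Return url = "/"
                Return url(0) = "/"c AndAlso url(1) <> "/"c AndAlso url(1) <> "\"c
            End Function

            Private Sub btnLogin_ServerClick(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnLogin.ServerClick
                Dim userName As String = VerifyCredentials(txtLoginID.Text, txtPassword.Text)
                If userName Is Nothing Then
                    ' One message for both an unknown login ID and a wrong password, so IDs cannot be enumerated.
                    lblError.Text = "The login ID or password is incorrect."
                    Return
                End If

                ' Issue the Forms authentication ticket; "Remember Me" makes the cookie persistent.
                FormsAuthentication.SetAuthCookie(userName, chkRememberMe.Checked)

                ' Only follow the ReturnUrl that FormsAuthentication appended if it stays inside this application.
                Dim returnUrl As String = Request.QueryString("ReturnUrl")
                Dim nextPage As String = "Default.aspx"
                If IsLocalUrl(returnUrl) Then
                    nextPage = returnUrl
                End If
                Response.Redirect(nextPage, True)
            End Sub
        End Class
    End Namespace
    ```

    The SQL statement no longer carries the password at all, so a compromised query log or database backup exposes only salted hashes, and VerifyCredentials does the comparison with FixedTimeEquals rather than with the database's string equality. The Remember Me checkbox, SetAuthCookie and Response.Redirect are used exactly as in the article's steps; only the credential check and the redirect target validation are different.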