How do I tell if the user is logged in?

Alan Silver

Hello,

I am just planning a new ASP.NET site, and wondered about the best way
to handle the following common scenario...

The site has the option that registered users can log in and will have
access to extra features. The log in form is a simple username/password
affair that will appear in the margin of every page if they aren't yet
logged in. If they are logged in, their user name will be shown, along
with a button to log out.

Now, suppose they try to log in. The log on form is posted to the log in
page, which verifies their username and password. If correct, they are
now logged in. If not, they are told so and asked for the details again,
or asked to register.

How do I deal with this on the rest of the site? I need to alter the
display on some pages so that messages like "If you were logged in you
would be able to do..." will be replaced with links to the extra
features. Similarly, certain pages will be simply unavailable if they are
not logged in.

In Classic ASP this was just a matter of setting a Session variable, say
"Username" to be non-blank. You could have a small include file, pulled
in on every relevant page, that contained code to check the Session
variable, and then redirect them away from the page if they weren't
allowed there without logging in. If it was a page which they could see,
you would do something like...

<%If Session("Username")<>"" Then%>
<p>Click <a href="comment.asp">here</a> to add a comment.</p>
<%Else%>
<p>If you were logged in, you could add a comment.</p>
<%End If%>

Now I think that in-line coding like this isn't allowed in ASP.NET, so
how do I handle the situation?

TIA
 
Guest

Hi Alan,

In a .NET page you can put a Hyperlink control and a Label control in the same
position. Then in the codebehind, switch them according to whether the user is logged in or not:

If Login Then
    Hyperlink.Visible = True
    Label.Visible = False
Else
    Hyperlink.Visible = False
    Label.Visible = True
End If


HTH

Elton Wang
 
Alan Silver

Hi Alan,
In a .NET page you can put a Hyperlink control and a Label control in the same
position. Then in the codebehind, switch them according to whether the user is logged in or not

Thanks, that makes sense. What's the best way to handle the actual log
in? You have a variable Login. Where is that set? Bear in mind the
logging in will be done on one page, and I then need to have the
information available to every page they visit afterwards. I could
understand a Session variable, but is there a better way?

Thanks for the reply.
 
Nick Gilbert

Why not use the built in FormsAuthentication system to handle your
logins? This way you could configure and limit access to pages quite
easily by just editing web.config. You could also check to see if your
users are logged in by checking Context.User.IsAuthenticated.

There are many tutorials on the web for how to setup Forms
Authentication. It would probably be more secure and quicker than
implementing your own system from scratch.

Nick...
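
Forms Authentication used only to remember who is logged in, with no page protected, could look like the following. This is an added example, not code from any poster in the thread; the control names, the LoginPanel.ascx user control and the use of a configured membership provider are assumptions.

```vb
Imports System
Imports System.Web.Security
Imports System.Web.UI

' Code-behind for a hypothetical LoginPanel.ascx shown in the margin of every page.
' Assumed markup controls: pnlLogin (txtUser, txtPassword, btnLogin, lblError)
' and pnlWelcome (lblName, btnLogout).
' Assumes web.config sets <authentication mode="Forms"> with no <deny> rules,
' so anonymous visitors can still browse every page.
Partial Class LoginPanel
    Inherits UserControl

    Protected Sub Page_PreRender(ByVal sender As Object, ByVal e As EventArgs) Handles Me.PreRender
        ' Request.IsAuthenticated is True once a valid forms-auth ticket arrives.
        Dim loggedIn As Boolean = Request.IsAuthenticated
        pnlLogin.Visible = Not loggedIn
        pnlWelcome.Visible = loggedIn
        If loggedIn Then
            ' Label.Text is not encoded automatically; encode the user-chosen name.
            lblName.Text = Server.HtmlEncode(Context.User.Identity.Name)
        End If
    End Sub

    Protected Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnLogin.Click
        ' Assumption: a membership provider is configured; any credential check
        ' that compares against salted password hashes can stand in here.
        If Membership.ValidateUser(txtUser.Text, txtPassword.Text) Then
            ' Issues the ticket cookie (encrypted and signed by default, session-only here).
            FormsAuthentication.SetAuthCookie(txtUser.Text, False)
            ' Context.User is only populated from the cookie on the next request,
            ' so reload the current page rather than rendering now.
            Response.Redirect(Request.RawUrl)
        Else
            ' Same message for an unknown user and a wrong password.
            lblError.Text = "Login failed. Check your details or register."
        End If
    End Sub

    Protected Sub btnLogout_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnLogout.Click
        FormsAuthentication.SignOut()
        Response.Redirect(Request.RawUrl)
    End Sub
End Class
```

Any other page can switch its Hyperlink and Label on Request.IsAuthenticated in the same way. Hiding a link is display only: a page that must be unavailable to anonymous users still needs its own deny rule for anonymous users in web.config.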
 
Alan Silver

To Elton and Nick,

I have used Windows Forms Authentication, but was under the impression
that this was for restricting access to certain pages. I am not
restricting access at all, nor forcing people to log in, I'm just
offering extra features for those who do log in.

Is this also covered by WFA? If so, please could you elaborate a little,
as my reading of it wasn't like that.

Thanks for the replies.
 
Nick Gilbert

It is mainly for restricting access to pages, but if you don't configure any
protected pages then you can still use the other features. Perhaps Forms
Authentication might be a little over the top for what you need, but it
is quite a nice system once you get to grips with it.

Nick...
 
Alan Silver

It is mainly for restricting access to pages, but if you don't configure any
protected pages then you can still use the other features. Perhaps Forms
Authentication might be a little over the top for what you need, but it
is quite a nice system once you get to grips with it.

If it's OTT, what other way is there? I know about using a Session
variable, is there anything else?

As it happens, the site that this was for was pulled yesterday, so it's
a bit of an academic question, but I'm interested in the principle as it
may come up for other sites.

Thanks for the reply
 
johntolen

Alan,
I use session variables to know if a user is logged in, and what their
access level is (e.g. user, admin, etc.). Every page has a few lines
at the top of Page_Load that check to see if the ID has been populated
(by the login page). If so, their access level is checked when
necessary to see if they should be able to see the page they requested,
or show/hide various components on the page. Although this adds about
6 lines of code, it helps to prevent people from directly accessing a
page before logging in.

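If Session("UserID") = "" Then
    ' Not logged in: send the visitor to the login page.
    Response.Redirect("Login.ASPX")
ElseIf Session("AccessLevel") < 100 Then
    ' Logged in, but below the access level this page requires.
    Session("Message") = "Not Authorized for this resource."
    Response.Redirect("SystemMessagePage.ASPX")
End If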

The Login page looks up the user in a database and retrieves their
access level upon successful login, then sets the two session variables
accordingly. This method helps to prevent unauthorized access to a
page, and ensures that any user-based information can be loaded to
session variables for use on the subsequent pages.
 
Alan Silver

Alan,

Hello,

The method you show below is exactly how I used to do it in Classic ASP.
There you could put these lines in an include file, so all pages used
the same code. Can you do that in ASP.NET?

Thanks
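
One way to get the effect of the Classic ASP include in ASP.NET is a shared base class that runs the session check before any page code. This is an added example, not code from any poster in the thread; the class names SecurePage and AdminReportPage and the RequiredAccessLevel property are assumptions, while the session keys and redirect targets are the ones johntolen posted.

```vb
Imports System
Imports System.Web.UI

' Hypothetical base class: a page that needs a login inherits from this instead
' of Page, so the check lives in one place like the old include file.
Public Class SecurePage
    Inherits Page

    ' Minimum access level for the page; override to demand more.
    Protected Overridable ReadOnly Property RequiredAccessLevel() As Integer
        Get
            Return 0
        End Get
    End Property

    Protected Overrides Sub OnInit(ByVal e As EventArgs)
        ' Convert.ToString returns "" for a missing session value.
        If Convert.ToString(Session("UserID")) = "" Then
            ' endResponse:=True aborts the request, so nothing below runs
            ' and no protected content is rendered.
            Response.Redirect("Login.ASPX", True)
        End If

        ' A missing or malformed level parses as 0, the lowest privilege.
        Dim level As Integer = 0
        Integer.TryParse(Convert.ToString(Session("AccessLevel")), level)
        If level < RequiredAccessLevel Then
            Session("Message") = "Not Authorized for this resource."
            Response.Redirect("SystemMessagePage.ASPX", True)
        End If

        MyBase.OnInit(e)
    End Sub
End Class

' Example page (name is an assumption) that requires the level used in the thread.
Public Class AdminReportPage
    Inherits SecurePage

    Protected Overrides ReadOnly Property RequiredAccessLevel() As Integer
        Get
            Return 100
        End Get
    End Property
End Class
```

Because the check runs in OnInit of the base class, a page cannot forget it the way it could forget to paste the lines into Page_Load.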
 
