472,334 Members | 2,512 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 472,334 software developers and data experts.

Custom login will not work

When I started a new ASP project I was eager to use the login facilities
offered in Framework 2.0/VS 2005.

I wanted:
- A custom principal that could hold my integer UserID from the database
- An easy way to classify different pages as either Admin, Member or Public,
where login is necessary for Admin and Member but not for Public. My idea was
to put the pages in different directories to easily keep my order.
- An easy menu system that would show only accesible pages

I carefully read the newsgroups and put together what I thought was a good
mix of working ideas. I think I am quite close but I don't really make it all

Hopefully someone can give me a hint by scanning through my code sample:


web.config content:
<authentication mode="Forms">
<forms loginUrl="Public/Login.aspx" defaultUrl="/Default.aspx"
name=".ASPXFORMSAUTH" path="\">
<deny users="?"/>
<allow users="*"/>

Global.asax content:
<script runat="server">

Protected Sub Application_AuthenticateRequest(ByVal sender As Object,
ByVal e As System.EventArgs)
Dim app As HttpApplication
Dim authTicket As FormsAuthenticationTicket
Dim authCookie As String = ""
Dim cookieName As String = FormsAuthentication.FormsCookieName
Dim userIdentity As FormsIdentity
Dim userData As String
Dim userDataGroups As String()
Dim PersonID As Integer
Dim roles As String()
Dim userPrincipal As CustomPrincipal
Dim AllowAccess as Boolean
app = DirectCast(sender, HttpApplication)

If app.Request.IsAuthenticated AndAlso
app.User.Identity.AuthenticationType = "Forms" Then
'Get authentication cookie
authCookie = app.Request.Cookies(cookieName).Value
Catch ex As Exception
'Cookie not found generates exception: Redirect to loginpage
End Try

'Decrypt the authentication ticket
authTicket = FormsAuthentication.Decrypt(authCookie)

'Create an Identity from the ticket
userIdentity = New FormsIdentity(authTicket)

'Retrieve the user data from the ticket
userData = authTicket.UserData

'Split user data in main sections
userDataGroups =

'Read out ID and roles
PersonID = CType(userDataGroups(0), Integer)
roles = userDataGroups(1).Split(CustomPrincipal.DELIMITER_ ROLES)

'Rebuild the custom principal
userPrincipal = New CustomPrincipal(userIdentity, PersonID, roles)

'Set the principal as the current user identity
app.Context.User = userPrincipal

End If
'If we already are heading for Login page then we don't need to
check anything more
If Request.Url.AbsolutePath.ToLower =
FormsAuthentication.LoginUrl.ToLower Then
Exit Sub
End If

'Evaluate if access is allowed
Select Case BaseDirectory(Request.Url)
Case "Member", "Admin"
'For all restricted pages we need to check user validity

If IsNothing(app.Context.User) Then
'User is not authenticated
AllowAccess = False

ElseIf IsNothing(SiteMap.CurrentNode) OrElse
(SiteMap.CurrentNode.Roles.Count = 0) Then
'Missing SiteMap means access is implicitly allowed
AllowAccess = True

AllowAccess = False
'Loop through each role and check to see if user is in
one of them
For Each Role As String In SiteMap.CurrentNode.Roles
If app.Context.User.IsInRole(Role) Then
AllowAccess = True
Exit For
End If
End If
Case Else
'Public folders are always OK
AllowAccess = True

End Select

If Not AllowAccess Then
End If

End Sub

Protected Function BaseDirectory(ByVal u As System.Uri) As String
Select Case u.Segments.Length
Case Is < 3
Throw New Exception("BaseDirectory expecting at least one
level of directories")
Case 3
Return ""
Case Else
Return u.Segments(2).Replace("/", "")
End Select
End Function


Public Class CustomPrincipal
Inherits System.Security.Principal.GenericPrincipal

Private _PersonID As Integer

Public Const DELIMITER_SECTIONS As String = ";"
Public Const DELIMITER_ROLES As String = ","

Public Enum Roles
Member = 1
Editor = 2
Admin = 3
End Enum

Public Sub New(ByVal identity As System.Security.Principal.IIdentity,
ByVal PersonID As Integer, ByVal roles As String())
MyBase.New(identity, roles)
_PersonID = PersonID
End Sub

Public ReadOnly Property UserName() As String
Return MyBase.Identity.Name
End Get
End Property

Public ReadOnly Property PersonID() As Integer
Return _PersonID
End Get
End Property

Public Shadows ReadOnly Property IsInRole(ByVal role As Roles) As Boolean
Return MyBase.IsInRole(role)
End Get
End Property

End Class

Partial Class Login
Inherits System.Web.UI.Page

Protected Sub cmdLogin_Click(ByVal sender As Object, ByVal e As
System.EventArgs) Handles cmdLogin.Click
Dim p As Person
Dim RedirectUrl As String

p = New Person
p.Load(txtUserID.Text, txtPassword.Text)

If p.IsEmpty Then
Throw New Exception("Login failed. Please check your
username and password and try again.")
End If

'Create a ticket with validated user
CreateAuthenticationTicket(p, chkPersist.Checked)

'Redirect to requested page
RedirectUrl = GetReturnUrl
Catch ex As Exception
lblFailure.Text = ex.Message
End Try
End Sub

Public ReadOnly Property GetReturnUrl() As String
If IsNothing(Request.QueryString("ReturnUrl")) Then
'Default page
Return FormsAuthentication.DefaultUrl
'Requested page if present
Return Request.QueryString("ReturnUrl")
End If
End Get
End Property

Public Sub CreateAuthenticationTicket(ByVal p As Person, ByVal
Persistant As Boolean)
Dim authTicket As FormsAuthenticationTicket
Dim encTicket As String
Dim cookie As HttpCookie

'Create a ticket
authTicket = New FormsAuthenticationTicket(1, p.Name, _
DateTime.Now.AddMonths(1), _
Persistant, p.UserData)

'Encrypt the ticket into a string
encTicket = FormsAuthentication.Encrypt(authTicket)

'Create the cookie
cookie = New HttpCookie(FormsAuthentication.FormsCookieName,

If Persistant Then
'Specify expiration date
cookie.Expires = Now.AddMonths(1)
End If

'Save the cookie
Catch ex As Exception
Throw New Exception("CreateAuthenticationTicket: " & ex.Message)
End Try
End Sub
End Class

Sitemap content:
<siteMapNode title="Start" url="default.aspx" description="Return to start
page" roles="*">
<siteMapNode title="Activities">
<siteMapNode title="Calender" url="Public/Calendar.aspx" roles="*" />
<siteMapNode title="My Responsibility"
url="Member/MyResponsibility.aspx" roles="*" />
<siteMapNode title="Edit Activity" url="Member/ActivityEdit.aspx"
roles="1" />
<siteMapNode title="Add Activity" url="Member/ActivityAdd.aspx"
roles="2" />
Problems found with this code:
1) You need to click Logout twice to get out
2) You don't reach pages in the Public folder without logging in
3) After login some redirection doesn't work.
If the Login page itself is placed in a subdirectory, then it will not find
the defaultURL.
4) The TreeView control based on a sitemap always show all menus even if
they are mapped to different roles.
Sep 13 '06 #1
1 4887
Hello jaklithn,

From your description, you're wantting to build an ASP.NET web application
which is protected by forms authentication and you will also add some
addtional data like userID and roles associated with each user. Then,you'll
authorize the access to each page and the display links of navigation menu
according to these roles. You're wondering how to conveniently implement
this in ASP.NET 2.0,correct?

As for this scenario, based on my experience, here are some of my
understanding and suggestion:

For forms authentication, you do can use the global.asax or a custom
httpmodule to manually parse the authentication cookie and get additional
user data(roles) from it and assign them to our custom principal class
instance. However, the drawback of this is:

1. We can not use the built-in role-manager service in ASP.NET 2.0(new
feature), which can help us automatically handle role management(associate
role to a certain user after authentication)

2. If you want to customize our navigation controls(such as Treeview or
menu ) to display items according to current user's authorization roles,
you need to manually write code instead of using the built-in security
trimming feature.
I have another solution you can also consider here:

Instead of manually do the role management(through global.asax or
httpmodule), use the built-in membership and role management service:

#ASP.NET 2.0 Membership, Roles, Forms Authentication, and Security

You just need to configure the membership provider and enable role manager
in web.config, by default it use SQL Express database file as persistent

And for the authorization on page url , it still is automatically managed
as long as you configure the <authorizationsettings correctly. For
navigation menu's displaying, you can have a look at the Site-Map security
trimming feature in ASP.NET 2.0:
#ASP.NET Site-Map Security Trimming

here is a live example provided by ASP.NET product manager ScottGu, the
example is using windows authentication , but it easier to change to forms

#Recipe: Implementing Role-Based Security with ASP.NET 2.0 using Windows
Authentication and SQL Server

and the only problem here is that how to store the additional userID
data(or any other additional data associated with each user). Here I
suggest you consider using the Profile service which can help store some
custom data(basic types or custom class type) that associate with each
user(mapping to forms authentication &membership service):

#ASP.NET Profile Properties Overview

Please have a look at these resources. If there is anything unclear, please
feel free to let me know.


Steven Cheng

Microsoft MSDN Online Support Lead


Get notification to my posts through email? Please refer to

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at


This posting is provided "AS IS" with no warranties, and confers no rights.

Oct 16 '06 #2

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

by: Mark Aurit | last post by:
I have an intranet application that uses w2k Integrated Windows Authentication to authenticate users. We now have a situation where people will be...
by: anonymous | last post by:
Hi all, I've been searching the way to achieve the following task. But no luck so far. I have a web site(main site), which requires...
by: Nick | last post by:
the customError feature is not working. I have it setup as the help says in my web.config file. <customErrors defaultRedirect="DsAppError.aspx"...
by: John Lau | last post by:
Hi, I am looking at the MS KB Article 306355: HOW TO: Create Custom Error Reporting Pages in ASP.NET by Using Visual C# .NET This article...
by: Beren | last post by:
Hello With trial and error I'm attempting to create an extended identity to store some more data than just the Name, for example a Subscription...
by: Graham | last post by:
I have created a custom MembershipProvider called "LassieMembershipProvider" that derives from "MembershipProvider". This providor is located in a...
by: Klaus Jensen | last post by:
Hi I face this challenge: An existing site with 50000+ html-files needs to be protected by a custom login-system which has two goals: 1....
by: =?Utf-8?B?UGFyYWcgR2Fpa3dhZA==?= | last post by:
Hi All, We have a requirement where we have to develop a custom Login Page which will accept user's NT credentials ( Username , password, domain...
by: seanwalsh | last post by:
Hi I'm new to ASP.NET (from classic ASP) and wasn't aware of the Forms Authentication security when I started working on a website. So I built a...
by: Kemmylinns12 | last post by:
Blockchain technology has emerged as a transformative force in the business world, offering unprecedented opportunities for innovation and...
by: CD Tom | last post by:
This happens in runtime 2013 and 2016. When a report is run and then closed a toolbar shows up and the only way to get it to go away is to right...
by: CD Tom | last post by:
This only shows up in access runtime. When a user select a report from my report menu when they close the report they get a menu I've called Add-ins...
by: Naresh1 | last post by:
What is WebLogic Admin Training? WebLogic Admin Training is a specialized program designed to equip individuals with the skills and knowledge...
by: jalbright99669 | last post by:
Am having a bit of a time with URL Rewrite. I need to incorporate http to https redirect with a reverse proxy. I have the URL Rewrite rules made...
by: Matthew3360 | last post by:
Hi there. I have been struggling to find out how to use a variable as my location in my header redirect function. Here is my code. ...
by: AndyPSV | last post by:
HOW CAN I CREATE AN AI with an .executable file that would suck all files in the folder and on my computerHOW CAN I CREATE AN AI with an .executable...
by: Arjunsri | last post by:
I have a Redshift database that I need to use as an import data source. I have configured the DSN connection using the server, port, database, and...
by: WisdomUfot | last post by:
It's an interesting question you've got about how Gmail hides the HTTP referrer when a link in an email is clicked. While I don't have the specific...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.