I am testing ASP.NET 2.0 Forms authentication with user credentials in
SQL Server 2005. I don't want to put user credentials in web.config,
so the credentials section is commented out. The following is the
relevant part in my web.config.

    <authentication mode="Forms">
      <forms name=".MyWebAppAuth"
             path="/"
             loginUrl="Default.aspx"
             protection="All"
             timeout="30">
        <!-- I will get username
             and password from SQL Server.
        <credentials>
          <user name="myusername" password="mypassword"/>
        </credentials>
        -->
      </forms>
    </authentication>
    <!-- keep out anonymous users -->
    <authorization>
      <deny users="?"/>
    </authorization>

My login page is Default.aspx as you see from above. The code-behind
of Default.aspx, i.e., Default.aspx.cs, calls a stored procedure in
SQL Server 2005, which takes the user name and password as its
parameters. It returns 1 if the username/password pair is found,
otherwise, it returns 0.
In Default.aspx.cs, I say:

    if (validateUser(name, password) == 1)
    {
        Response.Redirect("UserProfile.aspx");
    }
    else
    {
        // authentication failed. show a message
        lblMessage.Text = "Invalid username/password.";
    }

validateUser is simply a method I implement to validate the user. I
know the login process itself works OK. In other words, validateUser
method does return 1 if the username/password pair is found in the
database, and it does return 0 if the username/password pair is not
found.
But, the user is kicked back to Default.aspx immediately after he is
redirected to UserProfile.aspx.
This must have to do with the section in web.config, which says:

    <!-- keep out anonymous users -->
    <authorization>
      <deny users="?"/>
    </authorization>

Because if I comment out this section, the user can be successfully
redirected to UserProfile.aspx and stays on that page nicely.
So, apparently, my user login status is not maintained in the
application.
I cannot google out topics on maintaining user login status. Please
give me a hint. Thanks a lot.
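
The behaviour described in the post follows from the login handler never issuing a forms authentication ticket, so the request for UserProfile.aspx is still anonymous and `<deny users="?"/>` sends it back to loginUrl. The block below is an added example, not the poster's code, showing a login handler that issues the ticket. Assumed names that are not in the post: the controls txtName and txtPassword, the handler btnLogin_Click, the connection string "MyDb", and a stored procedure "ValidateUser" that reports its result through its RETURN value.

```csharp
// Added example, not the poster's code. Assumed (hypothetical) names: txtName,
// txtPassword, btnLogin_Click, the "MyDb" connection string, the "ValidateUser"
// stored procedure and its @UserName/@Password parameters.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;

public partial class _Default : System.Web.UI.Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string name = txtName.Text.Trim();
        if (validateUser(name, txtPassword.Text) == 1)
        {
            // Issues the encrypted forms ticket as the .MyWebAppAuth cookie.
            // Without it every later request is anonymous, <deny users="?"/>
            // matches, and the user is sent back to loginUrl.
            FormsAuthentication.SetAuthCookie(name, false); // false = session cookie
            Response.Redirect("UserProfile.aspx");
        }
        else
        {
            // Same message for unknown user and wrong password.
            lblMessage.Text = "Invalid username/password.";
        }
    }

    // Returns 1 when the stored procedure finds the pair, otherwise 0.
    // Assumes the procedure reports the result through its RETURN value.
    private int validateUser(string name, string password)
    {
        string cs = ConfigurationManager.ConnectionStrings["MyDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand("ValidateUser", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // Parameters keep user input out of the SQL text.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = name;
            cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 50).Value = password;
            SqlParameter ret = cmd.Parameters.Add("@ret", SqlDbType.Int);
            ret.Direction = ParameterDirection.ReturnValue;
            conn.Open();
            cmd.ExecuteNonQuery();
            return (int)ret.Value;
        }
    }
}
```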