Setting up authentication is the most important part of an ASP.NET web application project. There can be times when you don't want any user to access a particular folder. For example, while creating a gallery project we don't want any user to access the /pictures folder.
ASP.NET supports 3 modes of authentication:
- Windows authentication
- Forms authentication
- Passport authentication
Windows authentication means that you build authentication on the built-in authentication of the Windows authentication system.
With forms authentication we work with a database in which all the user roles are stored. Every time we land on a page, it connects to the database and verifies whether the user is allowed to access that page.
With Passport authentication you authenticate users by their Passport credentials, a system of usernames and passwords stored by Microsoft itself.
In this tutorial we will focus on forms authentication. The forms authentication model requires configuration in the web.config file and then creating a set of pages.
The part of the web.config file which we will edit looks like this:
On line 46 you will see authentication mode="Windows". We need to change the value to "Forms" and save the changes.
Locking down the website
Locking down the website means that whenever a user navigates to the website, they are automatically redirected to the login page or the home page.
Let us assume we want to protect the page named "TheGeekyWay.aspx" stored in the "TheGeekyWay" folder. Using forms authentication we can block both the TheGeekyWay.aspx page and the TheGeekyWay folder.
Here is the hierarchy of the project for this tutorial:
Now suppose we want to lock out the TheGeekyWay folder. In the web.config file, navigate to the end of the system.web element. In the above web.config file it is on the 74th line, so on the 75th line add the following code:
This code will only allow people with admin roles and will deny any other user. Similarly, we can block the TheGeekyWay.aspx page by using the following code:
Common mistakes people make while adding code to web.config
Sometimes we add the deny code earlier than the allow code, so no access is given to any user. Keep in mind that the deny code must always be placed after the allow code.
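The folder and page lockdown and the allow/deny ordering described above, written out as a web.config sketch. This is an added example, not the tutorial's original listing; the `~/Login.aspx` login page and the exact role name `admin` are assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Switch from Windows to forms authentication. -->
    <authentication mode="Forms">
      <!-- Assumed login page; unauthenticated requests are redirected here. -->
      <forms loginUrl="~/Login.aspx" />
    </authentication>
  </system.web>

  <!-- Lock down the whole TheGeekyWay folder. -->
  <location path="TheGeekyWay">
    <system.web>
      <authorization>
        <!-- Rules are checked top to bottom and the first match wins,
             so allow must come before the catch-all deny. -->
        <allow roles="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Lock down only the TheGeekyWay.aspx page
       (redundant if the folder rule above is present). -->
  <location path="TheGeekyWay/TheGeekyWay.aspx">
    <system.web>
      <authorization>
        <allow roles="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Wrong order (the common mistake): deny users="*" matches every
       request first, so even admins are refused.
       <authorization>
         <deny users="*" />
         <allow roles="admin" />
       </authorization>
  -->
</configuration>
```

The `location` elements sit directly under `configuration`, after the closing tag of the main `system.web` element, which matches the position the tutorial describes.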